The Joomla! Forum ™



 Post subject: delete file structure
PostPosted: Wed Apr 28, 2010 1:37 am 
Joomla! Apprentice

Joined: Sat Nov 07, 2009 2:07 am
Posts: 22
There is another user with a post, "hacked again", which is closed. Originally I had posted this there. However, that one is closed and I do not believe this is a closed item.

On the same day as that original post, 4/24, I had a similar problem, which is described below.

I had this problem with a site that has been up for months. Started Sat. 4/24 the entire, or almost entire site was gone ... deleted ... all that remained was a portion of the administration panel ... We restored from a backup and encountered the same problem -- apparently the malicious code was backed up along with the site ... so we restored from an older version and restored our database and everything was fine. Database was not touched -- just the deleted file structure -- looks like something like "rm *" was the problem, but I can't say for sure because there wasn't anything left to look at.

I am hosting with hostmonster and I'm sure that it had nothing to do with them.

I changed all passwords, but I do not believe that they were directly connecting with the site and hostmonster I believed checked also.

However, I did change the passwords and I scanned my hard [drive] -- because it was making me nuts -- and I became paranoid -- which isn't really that hard to do to me ... laffs -- but the hard [drive] was clean.

Anyway, I am using Joomla version 1.5.15 and we have not installed any new components in months ... very stable until 4/24 ...

I will re-read the security recommendations of course and have taken several other measures, but again ... not clear yet what exactly caused this ...

shirley


Report this post -- not sure where this came from, but I am only attempting to warn others of a possible problem so I'm going with the re-post under a non-closed topic.


PostPosted: Wed Apr 28, 2010 4:09 am 
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
@Shirley
Effectively, we don't "close" posts in this forum; they can be made read-only if the post has been open for a long time with no response from the original poster. So I don't understand your statements about your previous post having been "closed".

[edit] Having now reviewed the other post mentioned, and determined that it was created by another user and that this user decided that the issue was solved, the post had been marked as [SOLVED] accordingly. Posts are marked solved by the user or at the user's request, so I am guessing this is what you mean by "closed". On a similar note, but to one side, this does not look to be the same type of issue, plus hijacking of other users' posts is technically not good for the forum and problem resolution finding and is against forum rules. You need to open your own post for your own issues.


As for this post, well, to be honest you don't provide enough information to determine whether this is anything new, old or a misconfiguration.

The duration that a site has been running is no indication of whether it is (or has been for a while ) vulnerable or not.

If somehow the rm -Rf command was issued to the shell, it would be easy enough for the host to trace back through logs or most likely "bash history". If it had been possible to execute this command, then the host server configuration and security measures must be considered suspect, as well as your site potentially having a vulnerable extension and/or elevated permissions in the first place.

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Wed Apr 28, 2010 8:05 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12411
Location: The Girly Side of Joomla in Sussex
We have started locking posts that are apparently abandoned by the original poster within this security forum; see viewtopic.php?f=432&t=509319
As RussW states, if a bash command was issued, you should start badgering your host as to why and how, and/or use a backup.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed Apr 28, 2010 1:28 pm 
Joomla! Apprentice

Joined: Sat Nov 07, 2009 2:07 am
Posts: 22
Okay, I guess I didn't make myself clear enough. I'm not sure how it was done because there wasn't anything left to look at as everything was deleted.

However, because we restored from a backup done the night before and it happened again very soon after, I think it is safe to assume that one of the scripts was modified that included some form of the "remove" command, but again I am assuming this since there wasn't anything left to look at.

The hosting company (hostmonster.com) didn't look and did not find any information in the logs that could explain this and I am sure that they did investigate.

Since the site had been up and running for months and we had not installed or modified any configuration and/or software in months, I do not believe it was a misconfiguration, except that apparently my security isn't as tight as it should have been. So I'm not complaining here, but rather stating a fact: somehow my site was infected with some code that deleted the entire file structure.

Additionally, the other post was on the same day, with the exact problem. Two different sites, two different hosting companies -- it doesn't seem to me that this was just a coincidence, but I guess it might be possible.

We did have a backup and we were able to restore the site. In fact this event wasn't more than a pain, but that isn't the point either, or the reason I posted. I would like to help the community with any information that might help support everyone. If I can give you more specific information, please ask and I will try to answer any questions.

Shirley


PostPosted: Wed Apr 28, 2010 8:02 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12411
Location: The Girly Side of Joomla in Sussex
If you can run the extended forum post security tool, compare it with the VEL, and post here, that may help sort out any clues.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Thu Apr 29, 2010 10:10 pm 
Joomla! Apprentice

Joined: Sat Nov 07, 2009 2:07 am
Posts: 22
Okay ... I will do that. Please give me a few days; I have an extremely heavy work load.

Thanks
Shirley


PostPosted: Thu Apr 29, 2010 10:31 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10487
Location: Leeds, UK
Just a couple of notes

1. It's certainly possible that your site was exploited with a malicious script a long time ago and the script only executed recently.

2. There are many hacker tools that will let someone perform a "rm -rf" and leave no trace in the logs so you cannot rely on logs.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Fri Apr 30, 2010 12:25 am 
Joomla! Apprentice

Joined: Sat Nov 07, 2009 2:07 am
Posts: 22
Very much agree. Apparently that was the case here ... and I certainly will take every step that I can to prevent it from occurring in the future ... just an FYI to the community -- and hopefully it is taken like that ...


PostPosted: Fri Apr 30, 2010 12:55 am 
Joomla! Apprentice

Joined: Sat Nov 07, 2009 2:07 am
Posts: 22
I guess this is what you need....


JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.28-10.21.intel.E1000E.BHsmp ( x86_64) | Web Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 | PHP Version: 5.2.11
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.1.45-log ( Localhost via UNIX socket )



I'm going back through and removing whatever can be removed and locking down what I can ... but so far it's been very stable again ...


PostPosted: Fri Apr 30, 2010 3:37 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2726
Location: Wisconsin USA
In addition to what you're currently doing, also take a look at the following:

[ ] Ensure you have the latest version of Joomla. Download the latest full version of Joomla and use it to replace the core files. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.

[ ] Review Vulnerable Extensions List and update or remove (if no update is available) any vulnerable extensions.

[ ] Review and action Security Checklist 7: make sure you've gone through all of the steps, not just the easy ones!!

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755.

[ ] For the malicious code topic

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
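
An added example, not part of PhilD's post or of any Joomla tool: a shell function that audits a site directory against the permission advice in the checklist above (files 644, directories 755, nothing world-writable such as 777). The function name `audit_perms` and the decision to accept 444 files (the mode the diagnostic output reports for configuration.php) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a site tree against the checklist's permission advice
# (files 644, directories 755, never world-writable such as 777).
# Assumption: 444 files are accepted, since the diagnostic output in this
# thread shows configuration.php deliberately set read-only (Mode: 444).

audit_perms() {
    local root="$1" findings
    findings=$(
        # Anything with the "other" write bit set (777, 666, 757, ...).
        # Symlinks are skipped: their own mode bits are not meaningful.
        find "$root" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Files that are neither 644 nor read-only 444 (e.g. 600, 755, 664).
        find "$root" -type f ! -perm 0644 ! -perm 0444 ! -perm -0002 -print |
            sed 's/^/FILE-MODE /'
        # Directories that are not exactly 755 (e.g. 775, 700).
        find "$root" -type d ! -perm 0755 ! -perm -0002 -print |
            sed 's/^/DIR-MODE /'
    )
    if [ -z "$findings" ]; then
        return 0            # tree matches the recommended modes
    fi
    printf '%s\n' "$findings"
    return 1                # non-zero so a cron job or deploy step can alert
}

# Run against a directory when one is given: ./audit.sh /path/to/site
if [ -n "${1:-}" ]; then
    audit_perms "$1"
fi
```

Each output line names one path and the rule it breaks; an empty result with exit status 0 means the tree matches the recommended modes.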


PostPosted: Mon May 17, 2010 6:38 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12411
Location: The Girly Side of Joomla in Sussex
topic locked due to no response from original poster and age/changed code of topic - see viewtopic.php?f=432&t=509319

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

