The Joomla! Forum ™



Posted: Fri Aug 05, 2011 2:23 pm
Joomla! Master
Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25851
Location: @Webdongle
PhilD wrote:
c99, c57, c100, and other variants are all server root kit shells.

They enable the hacker in most cases to browse the entire server without any passwords required as if it were a hard [drive] on his computer. ...
Yes, but methinks the OP is trying to establish how the files were placed on the server, rather than the fact that they allow server access like legitimate files do.


PhilD wrote:
...
Log files are mostly useless if the person knows how to use the shell as the times and entries can be altered....
Yes, but many hackers just know how to use scripts to insert the files and then use the corresponding software on their PC to connect to the file(s). So it is perhaps worth a look at the logs?

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html
http://www.weblinksonline.co.uk/updating-joomla.html


Posted: Fri Aug 05, 2011 3:06 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
About logs, we had a few attempts to reach the folder with the hack script. A few entries from Google bots and other IPs we are checking.

But this script does not seem to be the one they used.


Posted: Sun Aug 07, 2011 12:46 am
Joomla! Hero
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
The OP still has not, after repeated requests, provided any information on the server environment or the Joomla environment via the JTS-Post Tool. As Webdongle has said, the tool will work on a Joomla site that is offline. PHP does have to be active on the server though.


Entry can be any one of these:
SQLi - SQL Injection
LFI - Local File Inclusion
RFI - Remote File Inclusion
DT - Directory Traversal (incl. 777 folders)
ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a 3rd party without knowledge

Full information is available for most of the above methods on Wikipedia.

Any one of the above can provide an entry point, and any one of the above can be found in outdated, insecure, poorly written website software. This includes but is not limited to Joomla and Joomla extensions and templates. Web software such as osCommerce, WordPress, other CMS systems, forums, etc. all have vulnerabilities that can allow a hacker to gain access to a site, domain, and/or server. Once a c99, c57 or one of their variant scripts is placed on a domain, then you have complete server access (in many cases) at the fingertips of the hacker. There are also non-free scripts that are extremely good at getting into sites unnoticed, though they still require at least one of the above ways of entry.

One can also watch [youtube] videos of c99 etc. in action.

I suggest that whoever the host company is (stated as rodajr) hire a competent server administrator who is versed in proper server security to clean up the mess, secure their servers and help prevent the issue from recurring. If that is not affordable then changing to a fully managed server, where hopefully proper secure server management can be had, is the best option.

The client should also find a new webmaster who knows the basics of site management and site security if the client's website is still offline at this point in time.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Mon Aug 08, 2011 2:40 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
Hello guys,

Yesterday our server was down again. Spam going out still happens. Our client IP is

Quote:
I suggest that whoever the host company is (stated as rodajr) hire a competent server administrator who is versed in proper server security to clean up the mess, secure their servers and help prevent the issue from recurring. If that is not affordable then changing to a fully managed server, where hopefully proper secure server management can be had, is the best option.

The client should also find a new webmaster who knows the basics of site management and site security if the client's website is still offline at this point in time.


Yes. Well, our server administrator is facing this kind of problem for the first time; actually, we are all facing it for the first time.
One big problem was that the webmaster wasn't accepting the hack point in the website, so we lost a lot of time understanding the thread; we should have worked together since the beginning, but...
We are working "alone" on this, anyway.

Ah, and if it is best to close this thread, I'll do it. But this conversation, this discussion, is what I like and look forward to, to learn and help others.
All you guys are helping me.

Wish I could tell you the real names/info and make this not so evasive.
But for sure, when we get a conclusion, I'll post it with details: what we found, what we did... (I'll do my best).

I will update this soon, it is going to be a long Monday.


Posted: Mon Aug 08, 2011 5:04 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
Guys, I just found this on the error_log file in the website root folder:
Quote:
[08-Ago-2011 11:29:53] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:04] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:05] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:13] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:34:00] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:38:52] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:06] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:39] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:53] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:40:04] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:44:49] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:45:03] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20


What do you guys say about this?

I found 2-3 more hack files in the root folder. Different code than the other from last week.
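A small log-triage script, added here as an example and not taken from the original post or from Joomla: it parses error_log entries like the ones quoted above, flags those whose class name carries a directory-traversal payload aimed at /proc/self/environ, and groups them by the component that received them. The sample lines are constructed to mirror the quoted entries (account name masked); the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the error_log excerpt quoted above: the account name is
# masked as in the original, and one harmless PHP notice is mixed in as a control.
SAMPLE_LOG = """\
[08-Aug-2011 11:29:53] PHP Fatal error: Class 'HsConfigController../../../../..//proc/self/environ' not found in /home/acct/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Aug-2011 11:30:04] PHP Fatal error: Class 'HsConfigController../../../../..//proc/self/environ' not found in /home/acct/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Aug-2011 11:31:10] PHP Notice: Undefined index: view in /home/acct/public_html/components/com_content/content.php on line 15
[08-Aug-2011 11:44:49] PHP Fatal error: Class 'HsConfigController../../../../../proc/self/environ' not found in /home/acct/public_html/components/com_hsconfig/hsconfig.php on line 20
"""
# One error_log entry: "[timestamp] PHP <level>: <message> in <file> on line <n>". The timestamp
# stays as text so a localized month such as "Ago" parses; the leading "[" is optional because
# the first quoted line had lost it.
ENTRY_RE = re.compile(
    r"^\[?(?P<ts>[^\]]+)\]\s+PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*?)"
    r"(?: in (?P<file>\S+) on line (?P<line>\d+))?$"
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")   # one "../" (or "..\") hop
PROBE_TARGET = "/proc/self/environ"        # the file the quoted payloads aim at

def scan_error_log(text):
    """Return one finding per entry whose message carries a traversal payload."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        hops = len(TRAVERSAL_RE.findall(msg))
        if hops == 0 and PROBE_TARGET not in msg:
            continue  # ordinary PHP error, not an injection attempt
        findings.append({
            "ts": m.group("ts"),
            "script": m.group("file"),  # the component that received the payload
            "hops": hops,
            "target": PROBE_TARGET if PROBE_TARGET in msg else "other",
        })
    return findings

def summarize(findings):
    """Group findings by receiving script: count, first/last seen, targets probed."""
    by_script = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for f in findings:
        s = by_script[f["script"]]
        s["count"] += 1
        s["first"] = s["first"] or f["ts"]
        s["last"] = f["ts"]
        s["targets"].add(f["target"])
    return dict(by_script)
```

Run it over the site's real error_log with `summarize(scan_error_log(open(path).read()))`; a burst of hits against one component, matched against the access log for the same timestamps, points at the entry point to remove or patch.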


Posted: Mon Aug 08, 2011 5:14 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 12515
Location: The Girly Side of Joomla in Sussex
Highslide JS Local File Inclusion Vulnerability, April 06 2010
Any more surprises?
Also there is .htaccess code to cut down on proc/environ vulnerabilities.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Mon Aug 08, 2011 5:19 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
hmmmm

Thanks mandville.


Posted: Mon Aug 08, 2011 5:45 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
OK, technically, we had our 2nd attack.

Different code, already reading it, but the code is using or pointing to an IRC chat. There is a channel name, port, etc...
I found that entry on the log (post before) and the server log.
So, the first attack opened a door. Someone found the vulnerability and the open door and attacked.
Not the same code, probably the same person(s) exploiting it.

And so?!
Last weekend we did our best to solve a few vulnerability issues on our server; we asked the webmaster for a "clean" website and he did it. Same Joomla but clean. hehehe
Now my boss will do another "approach".
Can I really say this is some kind of proof? One of the entry points was found?
If we take it off (the component), will it prevent another attack?


Posted: Mon Aug 08, 2011 6:09 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 12515
Location: The Girly Side of Joomla in Sussex
OK. Been to the park and played on the roundabouts.

1. Delete the entire account, boot your client off for causing you so much hassle and putting the entire server and other customers at risk.
2. Delete the entire account, recreate it with a brand new set up of Joomla that you unzipped into the host space - no backups, no old extensions.
3. Get your client to prove to you that all the extensions are the latest versions (you do have a "compromise" and "up-to-date" clause in your hosting T&C, don't you????).
4. I prefer point 1.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Mon Aug 08, 2011 6:39 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
Totally number 1.
:D


Posted: Wed Aug 10, 2011 5:47 pm
Joomla! Apprentice
Joined: Fri May 27, 2011 8:26 pm
Posts: 24
First, thank you for all the replies and this whole thread. I learned something new.

I can't say "OK, we solved the problem", it's too soon. But I will close this thread.

We followed the checklists, tips and suggestions posted in this thread by moderators and experienced users.
Our server had its major security settings re-checked and new ones set, e.g. brute force protection.
We did an htaccess file with parameters to prevent future "tries" of PHP injection.
The website was deleted and a clean version uploaded, yet not an updated one, because this is the webmaster's responsibility.
The Joomla version is old, as are the components on it. This was the door for the attack: file injection.
So, it wasn't a new thing. The same old thing, like we say here.

Again, thanks guys.

