The Joomla! Forum ™
PostPosted: Fri Jun 30, 2006 11:23 pm 
Joomla! Fledgling

Joined: Fri Jun 30, 2006 10:25 pm
Posts: 3
Hi, one of my Joomla sites has been defaced twice in the last 24 hours. The script replaces index.php and configuration.php with an HTML file which says "Site hacked by Musab Cyberwar has begun".

How it works is by dropping a PHP and .htaccess payload into any directory that has 777 permissions (like rs_gallery's upload folder).

What the payload does is twofold: (1) the .htaccess sets the 404 page for the folder to be the PHP payload (which has various names, such as 'contacts.php', download.php, links.php, package.php, remote.php); (2) once the PHP file is triggered via the .htaccess, it downloads additional copies of itself and the defaced index.php from http://user9.mshtml.ru.

I replaced the defaced files from a backup - but missed some of the payload files so I got hit again.  Very annoying.

Hopefully this post can help others root this annoying script out of their servers.

Jeremy

update:  the full list of payload files is:
common.php
configs.php
contacts.php
create.php
date.php
guest.php
include.php
includes.php
messages.php
properties.php
remote.php
time.php
system.php
layout.php
finfo.php

Which I got from here: http://freebunch.linux-labs.net/?p=35 (which has a lot of useful info on removing this exploit).

Also, this exploit has been discussed here previously (sorry for the repost): http://forum.joomla.org/index.php/topic,29169.0.html


Last edited by RobS on Wed Jul 19, 2006 7:32 am, edited 1 time in total.
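
A defender-side check for the indicators described in this post, added here as an example and not code from the original thread: it walks a web root looking for world-writable directories, .htaccess files whose 404 handler is a PHP file, and files carrying the payload names listed above. The sample tree it scans is constructed inline; the com_rsgallery2/uploads and com_clean paths in it are assumptions, not taken from a real site.

```python
import os, re, stat, tempfile

# Payload names from the post (several are legitimate elsewhere: a hit means inspect, not delete).
PAYLOAD_NAMES = {
    "common.php", "configs.php", "contacts.php", "create.php", "date.php",
    "guest.php", "include.php", "includes.php", "messages.php", "properties.php",
    "remote.php", "time.php", "system.php", "layout.php", "finfo.php",
    "download.php", "links.php", "package.php",
}
# The tell-tale .htaccess line: a 404 handler pointing at a PHP file.
ERRORDOC_404 = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+)", re.I | re.M)

def scan_webroot(root):
    """Return (kind, path) findings for the three signs the post describes:
    o+w directories, .htaccess 404 handlers that are .php files, payload names."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(full, errors="replace") as fh:
                    m = ERRORDOC_404.search(fh.read())
                if m and m.group(1).lower().endswith(".php"):
                    findings.append(("htaccess_404_php", full))
            elif name.lower() in PAYLOAD_NAMES:
                findings.append(("payload_name", full))
    return findings

def build_sample_tree(base):
    """Constructed sample (not a real site): a 777 upload folder holding the
    .htaccess + payload pair, beside a clean index.php that must not be flagged."""
    comp = os.path.join(base, "components")
    upload = os.path.join(comp, "com_rsgallery2", "uploads")
    os.makedirs(upload)
    os.chmod(upload, 0o777)  # the 777 drop point the post describes
    files = {
        (upload, ".htaccess"): "ErrorDocument 404 /components/com_rsgallery2/uploads/contacts.php\n",
        (upload, "contacts.php"): "<?php /* constructed stand-in for the dropper */ ?>\n",
        (comp, "index.php"): "<?php /* legitimate file */ ?>\n",
    }
    for (d, n), body in files.items():
        with open(os.path.join(d, n), "w") as fh:
            fh.write(body)

def demo_findings():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_webroot(tmp)
```

Run `demo_findings()` to see the three finding kinds on the constructed tree; point `scan_webroot()` at a real document root to triage a live install, then review each hit by hand.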

PostPosted: Sat Jul 01, 2006 4:30 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17321
Location: **Translation Matters**
RSGallery has been updated yesterday to cope with this:
http://rsgallery2.net/

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Wed Jul 12, 2006 12:08 pm 
Joomla! Enthusiast

Joined: Thu May 25, 2006 11:08 pm
Posts: 205
I see that their site has been hacked.

Should rsgallery be removed from our sites?


PostPosted: Wed Jul 12, 2006 12:23 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
Personally I say YES! As should com_Joomlaboard and com_extcalendar, which are also not safe at the moment.


PostPosted: Wed Jul 12, 2006 12:26 pm 
Joomla! Enthusiast

Joined: Thu May 25, 2006 11:08 pm
Posts: 205
O poo.

Do we know if anyone is working on getting these up to scratch, because they are very popular components?


PostPosted: Wed Jul 12, 2006 12:39 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
Check out the sites of the developers of those components; this situation is exactly why I started this

http://forum.joomla.org/index.php/topic ... #msg391443

topic. I wish more people would join that discussion; maybe this new defacing/hacking spree will motivate more people, though I would rather it motivated people without the need to.

Personally I think users of the mentioned components are in trouble if they want to keep using them, for a.f.a.i.k. none of them are actively supported; even Joomlaboard's development is very slow. Well, at least that's how I see it.


PostPosted: Wed Jul 12, 2006 12:40 pm 
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david


PostPosted: Wed Jul 12, 2006 12:41 pm 
Joomla! Enthusiast

Joined: Thu May 25, 2006 11:08 pm
Posts: 205
The people who make joomlaboard can't even get their site working ???

Is there a way to go over to another board without losing everything?


PostPosted: Wed Jul 12, 2006 12:45 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
davidrrm wrote:
To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david



I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.


PostPosted: Wed Jul 12, 2006 12:52 pm 
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
hvanleeuwen wrote:
davidrrm wrote:
To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david



I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.


If you have ExtCalendar on your site, it would be hard to know whether or not JoomlaBoard had a vulnerability since we know ExtCalendar has a problem. Do you have the logfile from the attack? I'd be interested in looking at it as would the JoomlaBoard developers I'm sure. PM me if you have it.

We also know there is a simpleboard vulnerability which is not in JoomlaBoard.

The joomlaboard site is http://www.tsmf.net. It seems to be running fine right now.

david


PostPosted: Wed Jul 12, 2006 12:53 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
hvanleeuwen wrote:
Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.


The simpleboard and extcalendar vulnerabilities are confirmed.

At the same time, investigations were done into whether joomlaboard is also affected, and it turned out not to be. If you have real information, such as a server log, as proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.


PostPosted: Wed Jul 12, 2006 12:54 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
jasonrhl wrote:
The people who make joomlaboard can't even get their site working ???

Is there a way to go over to another board without losing everything?


I haven't seen a forum that supports import of joomlaboard data, but there could be one of course.

Personally I decided to go for a more generic and more well known forum and am trying http://www.simplemachines.org now. There is a bridge to have it integrated with Joomla that works just fine.

My theory behind this choice is that a forum is a much-used item and should be safe and full of features. In a worst-case scenario, when for instance the bridge is broken or no longer developed, I can always wrap the forum until there is a better solution. If that better solution turns out to be that I should switch to another forum, I would like my forum to be well known enough that it is possible to import my data into the new forum via some kind of conversion system.

I think Simplemachines might just be the right choice for me.


PostPosted: Wed Jul 12, 2006 12:56 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
All my log files have already been sent to Joomla security yesterday.

Peter Koch wrote:
hvanleeuwen wrote:
Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.


The simpleboard and extcalendar vulnerabilities are confirmed.

At the same time, investigations were done into whether joomlaboard is also affected, and it turned out not to be. If you have real information, such as a server log, as proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.


PostPosted: Wed Jul 12, 2006 12:56 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions; however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Wed Jul 12, 2006 1:03 pm 
Joomla! Enthusiast

Joined: Thu May 25, 2006 11:08 pm
Posts: 205
Thanks for everyone's responses. It has put me at ease for now. I hope to see what the problem was with the rsgallery site and that they get on their feet again.

Thank you


PostPosted: Wed Jul 12, 2006 1:05 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
I have no intention to question your capabilities, Elpie; I am not hostile.

I am fully aware that developers have a life, and thank god for that hehehe. I don't want to go into the discontinued discussion here, for I started that discussion in another forum topic already a while back.

I decided to remove Joomlaboard not only on the basis of this exploit. If I happen to be wrong about Joomlaboard's safety I truly apologize; at the moment I simply don't trust it and will only keep it running on two of my sites that are very low profile.

Elpie wrote:
Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions; however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.


PostPosted: Thu Jul 20, 2006 10:17 am 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 4:48 pm
Posts: 12
Location: Portugal
Letterman has the same problem. My site was hacked using the same exploit in the letterman component.


PostPosted: Thu Jul 20, 2006 11:54 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:08 am
Posts: 157
Location: The Netherlands
Letterman has good support; I'm sure the developer will help you out, you should at least tell him about it.

I am still getting hack attempts on extcalendar, but they are useless because I have removed that component and am looking for a good replacement.

The other attempts I get are on com_pollxt, but they won't work since the developer already updated his component to deal with this exploit. Praise for him!!

I have now switched Register Globals off and applied the htaccess rules as explained in the security section of this forum, and have a strong feeling that so far I have done everything I can to prevent easy script kiddie defacements.


PostPosted: Thu Jul 20, 2006 6:01 pm 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 4:48 pm
Posts: 12
Location: Portugal
After a better look I'm not sure if it was via letterman.
I've found the .htaccess files in letterman, JCE, mambots (in JCE editor related folders), and flash rotator (which needs 777 CHMOD on its images folder).
So it might be hard to find where this starts.

Anyway ... Houston, we've got a problem.


PostPosted: Thu Dec 20, 2007 4:41 pm 
I've been banned!

Joined: Wed Dec 19, 2007 10:36 pm
Posts: 21
How do hackers know this stuff? It's astonishing.

_________________
smile


PostPosted: Mon Mar 31, 2008 1:54 pm 
Joomla! Apprentice

Joined: Sun Mar 30, 2008 2:59 pm
Posts: 33
Location: egypt
Hello ..

I read all the replies, but I do not understand some things.

My site was hacked last week :'( .. and I have the RS Gallery 2 component ...

I do not know how to update it, and is it secure or not?

I cannot open my site again :'( .. The hacker caused many problems on my site .. I do not know what to do.

