Hacked through SMF

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Hacked through SMF

Postby oMama » Mon Jul 17, 2006 3:34 pm

My site was hacked by ENO7 this morning and it seems he got in through VIRTUEMART.  All of the .php files from this component lacked the line of code below, once added - my site is back online.

defined( '_VALID_MOS' ) or die( 'Restricted access' );


I post this in a new thread to alert other users of this component in particular.

Thank you and good luck
Last edited by oMama on Tue Jul 18, 2006 6:11 pm, edited 1 time in total.
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

gws
Joomla! Hero
Posts: 2474
Joined: Tue Aug 23, 2005 1:56 pm
Location: Kent / Sussex / Surrey border UK

Re: Virtuemart Vulnerability

Postby gws » Mon Jul 17, 2006 3:56 pm

Having read your post I hurriedly went and checked my virtuemart, however my files have the defined( '_VALID_MOS' ) or die( 'Restricted access' );  what version of virtuemart are you running?

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Re: Hacked through SMF

Postby oMama » Mon Jul 17, 2006 4:01 pm

EEK!  I am outdated.  I am running 1.0.1, and updating now.

Thanks for making me look.
C
Last edited by oMama on Tue Jul 18, 2006 6:28 pm, edited 1 time in total.
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

soeren
Joomla! Enthusiast
Posts: 111
Joined: Mon Aug 29, 2005 10:58 am
Location: Germany

Re: Virtuemart Vulnerability

Postby soeren » Tue Jul 18, 2006 10:22 am

Hello,

how did you come to the conclusion that "[...] it seems he got in through VIRTUEMART[...]" ?

I'm the author of this software and would like to know which file you found not to include this "defined('_VALID_MOS' )..." line.

To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.

ciao, Soeren

mauri
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Virtuemart Vulnerability

Postby mauri » Tue Jul 18, 2006 10:55 am

oMama,
If you find in your server logs that 'he got in', PM robs with the details (and soeren):
http://forum.joomla.org/index.php?actio ... le;u=14243
http://forum.joomla.org/index.php?action=profile;u=2572

I think your server host can search the logs too.

Joo
Joomla! Intern
Posts: 67
Joined: Fri Nov 25, 2005 2:49 pm

Hacked through SMF

Postby Joo » Tue Jul 18, 2006 2:28 pm

Just one day after I set up SMF, my site was hacked. My host told me that I had several dirs chmoded to 777. All were in SMF directory. I found several files that the hacker put in there. I've deleted everything, reinstalled and changed permissions.
Today I was going to set up Gallery2. It asked me to chmod the images storing directory to 777! I don't want to do that and the setup won't proceed without it. What should I do? Thanks.
http://www.webdesigngold.com
Web Design Resources

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Hacked through SMF

Postby oMama » Tue Jul 18, 2006 2:29 pm

Soeren,

I am running VM 1.0.1 and when I looked at each of my components' .php files, I saw that the valid_mos line was not included in any of them with VM. So, to answer your question, all of the .php files included with the component lacked this line of code.  I added that line of code in the .php files associated to VM as directed in another thread. The problem of the site hack went away, my site was restored, and so I have to think the issue had to do with the line of code that I changed - as I made no other changes.

soeren wrote:To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.


I don't know enough to debate the finer points about the code language... but my experience tells me that the hacker problem was solved once I made this change.

I think VM is terrific and did not mean to offend you by sharing my experience.  I know the distress I felt when I found that my beautiful site was hacked was incredible, and I wanted to do my part to share my "fix" with the community.

Sincerely,
Corinne
Last edited by oMama on Tue Jul 18, 2006 6:28 pm, edited 1 time in total.
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

gws
Joomla! Hero
Posts: 2474
Joined: Tue Aug 23, 2005 1:56 pm
Location: Kent / Sussex / Surrey border UK

Re: Hacked through SMF

Postby gws » Tue Jul 18, 2006 2:54 pm

Unfortunately, for people to upload images the directory has to be write-enabled. If you are not going to allow uploads, accept the 777 while you install and then change it afterwards.
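
A way to carry out the "change it afterwards" step (an added example, not part of the original posts): the script lists directories under a web root that are still world-writable, lists PHP files sitting directly in them, and can remove the world-write bit. The function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for directories
# left world-writable (e.g. 777) and for PHP files sitting inside them.

# world_writable_dirs ROOT -> sorted directories with the "other" write bit.
world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# php_in_writable_dirs ROOT -> sorted *.php files directly inside such
# directories; an image or attachment store should contain none.
php_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php'
    done | sort
}

# remove_world_write ROOT -> drop the "other" write bit once installation
# is done. If the web server is not the owner or in the group, uploads
# into these directories stop working.
remove_world_write() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# make_sample_root -> prints the path of a constructed sample tree with one
# 777 directory holding an image and an unexpected PHP file.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/forum/attachments" "$r/forum/Sources"
    : > "$r/forum/Sources/index.php"
    : > "$r/forum/attachments/photo.jpg"
    : > "$r/forum/attachments/x.php"
    chmod -R 755 "$r"
    chmod 777 "$r/forum/attachments"
    printf '%s\n' "$r"
}

# With a directory argument audit it; otherwise audit the constructed sample.
root=${1:-$(make_sample_root)}
echo "World-writable directories:";    world_writable_dirs "$root"
echo "PHP files inside them:";         php_in_writable_dirs "$root"
```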

anna.y
Joomla! Intern
Posts: 57
Joined: Fri Sep 09, 2005 5:28 am

Re: Virtuemart Vulnerability

Postby anna.y » Tue Jul 18, 2006 3:03 pm

I also do not understand the validity of that particular line.  However, I was hacked yesterday by the same idiot through another component.  I promptly added 'that' line as recommended, restored the site and since that time I had numerous attempts of hacking (as seen in the log files), but somehow that particular line solved the problem and is restricting the access.

Perhaps this is a band-aid solution and there is another more elegant fix, but it works for now and I'm not in a position to argue.

By the way, thank you to everyone that helped with restoring my site.

Anna
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

Joo
Joomla! Intern
Posts: 67
Joined: Fri Nov 25, 2005 2:49 pm

Re: Hacked through SMF

Postby Joo » Tue Jul 18, 2006 4:13 pm

Thanks gws. I've done as you said. The problem now is that users won't be able to upload images.
This security issue makes me wonder.. aren't the developers of SMF and G2 aware of this? There are people who've encountered the same problem as I did. I've posted a reply in a thread about this at SMF's forums.
http://www.webdesigngold.com
Web Design Resources

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Re: Hacked through SMF

Postby oMama » Tue Jul 18, 2006 6:11 pm

Well... I found my logs and it seems that I am incorrect in thinking it was a virtuemart problem.  It looks like I too was a victim through SMF.  :-[

I can't explain why it was only after the VM .php files were edited and put back up to the server that my site was fixed, but I do understand that I owe Soeren an apology for raising the alarm about VirtueMart.  My log shows that this hacker didn't go near VirtueMart, but in fact only com_smf/smf.php

Soeren, my apologies... I am editing the title of this thread so it no longer states the vulnerability as a fact.

I hope you can accept my apology.
Sincerely,
Corinne
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

mauri
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Hacked through SMF

Postby mauri » Tue Jul 18, 2006 6:20 pm

oMama, O mama  ;D
Great news from you. All of us VM users thank you for finding the real reason for the hack.

Ask your host (ISP) if they change register_globals = OFF

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Re: Hacked through SMF

Postby oMama » Tue Jul 18, 2006 6:25 pm

Can you explain that another way?  Should register globals be set to off or on?

I recently upgraded to joomla 1.10 and noticed that all of the global settings are the old default and have to go change them.  I don't know a lot about how this is all related, so if you would educate me on the purpose of "register globals" I would really appreciate that.

I am glad that I was wrong... I only regret that I sounded the alarm without all the facts.
Corinne
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

mauri
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Hacked through SMF

Postby mauri » Tue Jul 18, 2006 7:00 pm

register_globals is in PHP (server). Don't edit Joomla 1.0.10 files!
You can check your server PHP settings: log in to the Joomla backend (administrator) and go to System -> System Info.
There is a row "Register Globals:". If it's OFF, all is OK,
but if it is ON you may ask your ISP (server host) to set Register Globals to OFF.

soeren
Joomla! Enthusiast
Posts: 111
Joined: Mon Aug 29, 2005 10:58 am
Location: Germany

Re: Hacked through SMF

Postby soeren » Tue Jul 18, 2006 8:03 pm

Hi,

The vulnerability has been confirmed: http://secunia.com/advisories/21079/

This is really crazy. Please, all SMF Bridge users: secure your smf.php.

If this file is missing this line, please add it:

<?php
defined( '_VALID_MOS' ) or die( 'Restricted access' );


at the very beginning of the file

/components/com_smf/smf.php

I hope this storm of exploits is over soon.

ciao, Soeren
Last edited by soeren on Tue Jul 18, 2006 8:42 pm, edited 1 time in total.
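
Soeren's advice above, turned into a check (an added example, not code from the thread or from the SMF bridge): the script lists every PHP file whose first statement is not the `_VALID_MOS` guard. As Soeren notes earlier in the thread, a file that only defines a class is not a hole without the line, so treat the output as a list to review; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report PHP files whose first
# statement is not the _VALID_MOS guard quoted in the posts above.

# guard_is_first FILE -> exit 0 if the first line of code (after the
# opening tag, blank lines and comments) is the guard, else exit 1.
guard_is_first() {
    awk '
        incomment { if (index($0, "*/")) incomment = 0; next }
        /^[ \t\r]*$/ { next }
        /^[ \t\r]*<\?(php)?[ \t\r]*$/ { next }
        /^[ \t\r]*(\/\/|#)/ { next }
        /^[ \t\r]*\/\*/ { if (!index($0, "*/")) incomment = 1; next }
        { first = $0; exit }
        END {
            # "." stands for either quote character around _VALID_MOS.
            ok = (first ~ /defined\([ \t]*._VALID_MOS.[ \t]*\)[ \t]*(or|\|\|)[ \t]*(die|exit)/)
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# audit_guard DIR -> prints, sorted, every *.php file that fails the check.
audit_guard() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        guard_is_first "$f" || printf '%s\n' "$f"
    done
}

# make_sample_tree -> prints the path of a constructed three-file sample.
make_sample_tree() {
    t=$(mktemp -d)
    g="defined( '_VALID_MOS' ) or die( 'Restricted access' );"
    printf '%s\n' '<?php' '/**' ' * header' ' */' "$g" 'echo 1;' > "$t/good.php"
    printf '%s\n' '<?php' 'echo "hi";'                 > "$t/missing.php"
    printf '%s\n' '<?php' 'require $p;' "$g"           > "$t/late.php"
    printf '%s\n' "$t"
}

# With a directory argument audit it; otherwise audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_guard "$1"
else
    audit_guard "$(make_sample_tree)"
fi
```

A guard that appears only after other statements is reported as well, since code above it has already run by the time the check is reached.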

Joo
Joomla! Intern
Posts: 67
Joined: Fri Nov 25, 2005 2:49 pm

Re: Hacked through SMF

Postby Joo » Tue Jul 18, 2006 8:33 pm

My copy of smf.php did already have that line:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


The problem was related to permissions (777).
http://www.webdesigngold.com
Web Design Resources

oMama
Joomla! Enthusiast
Posts: 116
Joined: Thu Aug 18, 2005 10:18 pm
Location: USA

Re: Hacked through SMF

Postby oMama » Tue Jul 18, 2006 11:54 pm

Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley

mauri
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Hacked through SMF

Postby mauri » Wed Jul 19, 2006 1:17 pm

oMama wrote:Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne

Maybe, maybe not. That's the question.

Be sure you have updated all your components.
I think you should ask your ISP to look at the server and outgoing transfer, to see if there is something illegal.
And once again, register globals OFF  ;)

Joo
Joomla! Intern
Posts: 67
Joined: Fri Nov 25, 2005 2:49 pm

Re: Hacked through SMF

Postby Joo » Wed Jul 19, 2006 1:44 pm

Strange things happening here. Yesterday, I saw there was a thread that had the same title as the one I started, although it wasn't there when I posted mine. I figured out that oMama had renamed her thread to have the same name as mine.. Now the threads got merged together although it's not the same issue they talked about.. Now my problem got lost and I still didn't get the response I was hoping for. No reactions at all about this (new?) vulnerability which is the exploit of directories chmoded to 777 by hackers.
http://www.webdesigngold.com
Web Design Resources

mauri
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Hacked through SMF

Postby mauri » Wed Jul 19, 2006 2:02 pm

I was wondering that too  :o How can they post in the middle of a topic?

Start new thread * *****
Last edited by mauri on Wed Jul 19, 2006 3:00 pm, edited 1 time in total.

Joo
Joomla! Intern
Posts: 67
Joined: Fri Nov 25, 2005 2:49 pm

Re: Hacked through SMF

Postby Joo » Wed Jul 19, 2006 2:08 pm

He he.. well, it's ok. I'm going to start a new thread after all. I think I'm under attack again or something.
http://www.webdesigngold.com
Web Design Resources

