The Joomla! Forum ™





Post subject: Hacked through SMF
PostPosted: Mon Jul 17, 2006 3:34 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
My site was hacked by ENO7 this morning and it seems he got in through VIRTUEMART.  All of the .php files from this component lacked the line of code below, once added - my site is back online.

Code:
defined( '_VALID_MOS' ) or die( 'Restricted access' );


I post this in a new thread to alert other users of this component in particular.

Thank you and good luck

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Last edited by oMama on Tue Jul 18, 2006 6:11 pm, edited 1 time in total.

PostPosted: Mon Jul 17, 2006 3:56 pm
Joomla! Hero

Joined: Tue Aug 23, 2005 1:56 pm
Posts: 2391
Location: Kent / Sussex / Surrey border UK
Having read your post I hurriedly went and checked my VirtueMart; however, my files have the defined( '_VALID_MOS' ) or die( 'Restricted access' ); line. What version of VirtueMart are you running?

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services


Post subject: Re: Hacked through SMF
PostPosted: Mon Jul 17, 2006 4:01 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
EEK!  I am outdated.  I am running 1.0.1, and updating now.

Thanks for making me look.
C

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Last edited by oMama on Tue Jul 18, 2006 6:28 pm, edited 1 time in total.

PostPosted: Tue Jul 18, 2006 10:22 am
Joomla! Enthusiast

Joined: Mon Aug 29, 2005 10:58 am
Posts: 111
Location: Germany
Hello,

how did you come to the conclusion that "[...] it seems he got in through VIRTUEMART[...]" ?

I'm the author of this software and would like to know which file you found that does not include this "defined('_VALID_MOS' )..." line.

To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.

ciao, Soeren

_________________
http://extplorer.net


PostPosted: Tue Jul 18, 2006 10:55 am
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
oMama
If you find in your server logs that 'he got in',
PM robs with details (and soeren):
http://forum.joomla.org/index.php?actio ... le;u=14243
http://forum.joomla.org/index.php?action=profile;u=2572

I think your server host can search the logs too.


Post subject: Hacked through SMF
PostPosted: Tue Jul 18, 2006 2:28 pm
Joomla! Intern

Joined: Fri Nov 25, 2005 2:49 pm
Posts: 67
Just one day after I set up SMF, my site was hacked. My host told me that I had several dirs chmoded to 777. All were in the SMF directory. I found several files that the hacker put in there. I've deleted everything, reinstalled and changed permissions.
Today I was going to set up Gallery2. It asked me to chmod the image storage directory to 777! I don't want to do that and the setup won't proceed without it. What should I do? Thanks.

_________________
http://www.webdesigngold.com
Web Design Resources


Post subject: Hacked through SMF
PostPosted: Tue Jul 18, 2006 2:29 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
Soeren,

I am running VM 1.0.1 and when I looked at each of my components' .php files, I saw that the valid_mos line was not included in any of them with VM. So, to answer your question, all of the .php files included with the component lacked this line of code.  I added that line of code in the .php files associated to VM as directed in another thread. The problem of the site hack went away, my site was restored, and so I have to think the issue had to do with the line of code that I changed - as I made no other changes.

Quote:
To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.


I don't know enough to debate the finer points about the code language... but my experience tells me that the hacker problem was solved once I made this change.

I think VM is terrific and did not mean to offend you by sharing my experience.  I know the distress I felt when I found that my beautiful site was hacked was incredible, and I wanted to do my part to share my "fix" with the community.

Sincerely,
Corinne

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Last edited by oMama on Tue Jul 18, 2006 6:28 pm, edited 1 time in total.

Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 2:54 pm
Joomla! Hero

Joined: Tue Aug 23, 2005 1:56 pm
Posts: 2391
Location: Kent / Sussex / Surrey border UK
Unfortunately, for people to upload images the directory has to be write-enabled. If you are not going to allow uploads, accept the 777 while you install and then change it afterwards.

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services


PostPosted: Tue Jul 18, 2006 3:03 pm
Joomla! Intern

Joined: Fri Sep 09, 2005 5:28 am
Posts: 57
I also do not understand the validity of that particular line. However, I was hacked yesterday by the same idiot through another component. I promptly added 'that' line as recommended, restored the site, and since that time I have had numerous hacking attempts (as seen in the log files), but somehow that particular line solved the problem and is restricting the access.

Perhaps this is a band-aid solution and there is another more elegant fix, but it works for now and I'm not in a position to argue.

By the way, thank you to everyone that helped with restoring my site.

Anna

_________________
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 4:13 pm
Joomla! Intern

Joined: Fri Nov 25, 2005 2:49 pm
Posts: 67
Thanks gws. I've done as you said. The problem now is that users won't be able to upload images.
This security issue makes me wonder... aren't the developers of SMF and G2 aware of this? There are people who've encountered the same problem as I did. I've posted a reply in a thread about this at SMF's forums.

_________________
http://www.webdesigngold.com
Web Design Resources


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 6:11 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
Well... I found my logs and it seems that I am incorrect in thinking it was a VirtueMart problem. It looks like I too was a victim through SMF.  :-[

I can't explain why it was only after the VM .php files were edited and put back up to the server that my site was fixed, but I do understand that I owe Soeren an apology for raising the alarm about VirtueMart.  My log shows that this hacker didn't go near VirtueMart, but in fact only com_smf/smf.php

Soeren, my apologies... I am editing the title of this thread so it no longer states the vulnerability as a fact.

I hope you can accept my apology.
Sincerely,
Corinne

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 6:20 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
oMama, O mama  ;D
Great news from you. All of us VM users thank you for finding the real reason for the hack.

Ask your host (ISP) whether they can change to register_globals = OFF
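
How the log finding above (requests that went straight to `com_smf/smf.php`) can be pulled out of an access log, as an added example that is not part of the original thread. In Joomla 1.0 `_VALID_MOS` is defined by `index.php`, so a request that names a component file directly never sets it. The log lines, addresses, the combined log format and the directory list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# PHP files that are meant to be included by index.php, not requested by a browser.
# Assumption: a Joomla 1.0 style directory layout.
DIRECT_RE = re.compile(
    r'^/(?:administrator/)?(?:components|modules|mambots|includes)/.+\.php$', re.I
)

def direct_hits(lines):
    """Return {path: [(ip, time, status), ...]} for direct requests to internal PHP files."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is in some other format; skip it
        path = urlsplit(m["target"]).path  # drop the query string
        if DIRECT_RE.match(path):
            hits[path].append((m["ip"], m["time"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2006:09:12:01 +0000] "GET /index.php?option=com_smf&Itemid=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jul/2006:09:14:33 +0000] "GET /components/com_smf/smf.php?a=b HTTP/1.0" 200 312 "-" "-"',
    '203.0.113.7 - - [18/Jul/2006:09:14:40 +0000] "POST /components/com_smf/smf.php HTTP/1.0" 200 98 "-" "-"',
    '192.0.2.10 - - [18/Jul/2006:09:15:02 +0000] "GET /components/com_virtuemart/shop_image/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, reqs in direct_hits(SAMPLE).items():
        print(path, reqs)
```

A guarded file still answers a direct request with status 200 and the short "Restricted access" body, so the status code alone does not show whether the guard was present.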


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 6:25 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
Can you explain that another way?  Should register globals be set to off or on?

I recently upgraded to joomla 1.10 and noticed that all of the global settings are the old default and have to go change them.  I don't know a lot about how this is all related, so if you would educate me on the purpose of "register globals" I would really appreciate that.

I am glad that I was wrong... I only regret that I sounded the alarm without all the facts.
Corinne

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 7:00 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
register_globals is a PHP (server) setting. Don't edit the Joomla 1.0.10 files!
You can check your server's PHP settings: log in to the Joomla backend (administrator) and go to System -> System Info.
There is a row "Register Globals:". If it's OFF, all is OK,
but if it is ON you may ask your ISP (server host) to set Register Globals: OFF.


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 8:03 pm
Joomla! Enthusiast

Joined: Mon Aug 29, 2005 10:58 am
Posts: 111
Location: Germany
Hi,

The vulnerability has been confirmed: http://secunia.com/advisories/21079/

This is really crazy. Please, all SMF Bridge users: secure your smf.php.

If this file is missing this line, please add it:

Code:
<?php
defined( '_VALID_MOS' ) or die( 'Restricted access' );


at the very beginning of the file

/components/com_smf/smf.php

I hope this storm of exploits is over soon.

ciao, Soeren

_________________
http://extplorer.net


Last edited by soeren on Tue Jul 18, 2006 8:42 pm, edited 1 time in total.

Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 8:33 pm
Joomla! Intern

Joined: Fri Nov 25, 2005 2:49 pm
Posts: 67
My copy of smf.php did already have that line:
Code:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


The problem was related to permissions (777).

_________________
http://www.webdesigngold.com
Web Design Resources
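
An audit for the two conditions raised in this thread, PHP files without the `_VALID_MOS` guard and directories left world-writable (777), as an added example that is not part of the original posts or of Joomla, SMF or VirtueMart. The function name `audit`, the 2 KB window searched for the guard, and treating any file that defines `_VALID_MOS` as an entry point are assumptions of this example.

```python
import os
import re
import stat
import sys

# The guard as quoted in the thread; the die() message differs between files, so ignore it.
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*die", re.I
)
# Entry points (index.php and friends) define the constant instead of checking it.
DEFINE_RE = re.compile(r"\bdefine\s*\(\s*['\"]_VALID_MOS['\"]", re.I)

def audit(root, head_bytes=2048):
    """Return (unguarded_php_files, world_writable_dirs) as sorted paths relative to root."""
    unguarded, writable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        # S_IWOTH is the "other: write" bit, i.e. the last 7 in 777.
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            writable.append(os.path.relpath(dirpath, root))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 never fails to decode, which suits old mixed-encoding code bases
            with open(path, "r", encoding="latin-1") as fh:
                head = fh.read(head_bytes)
            if not GUARD_RE.search(head) and not DEFINE_RE.search(head):
                unguarded.append(os.path.relpath(path, root))
    return sorted(unguarded), sorted(writable)

if __name__ == "__main__":
    files, dirs = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in files:
        print("no _VALID_MOS guard:", f)
    for d in dirs:
        print("world-writable dir:", d)
```

Files that only declare a class are flagged as well; as Soeren notes earlier in the thread, those execute nothing when requested directly, so the list is a starting point for review.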


Post subject: Re: Hacked through SMF
PostPosted: Tue Jul 18, 2006 11:54 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 10:18 pm
Posts: 116
Location: USA
Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne

_________________
----------------------------
Corinne
"Experience is not what happens to a man;  it is what a man does with what happens to him."  -Aldous Huxley


Post subject: Re: Hacked through SMF
PostPosted: Wed Jul 19, 2006 1:17 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
oMama wrote:
Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne

Maybe, maybe not. That's the question.

Be sure you have updated all your components.
I think you should ask your ISP to look at the server and the outgoing transfer for anything illegal.
And once again, register globals OFF  ;)


Post subject: Re: Hacked through SMF
PostPosted: Wed Jul 19, 2006 1:44 pm
Joomla! Intern

Joined: Fri Nov 25, 2005 2:49 pm
Posts: 67
Strange things happening here. Yesterday, I saw there was a thread that had the same title as the one I started, although it wasn't there when I posted mine. I figured out that oMama had renamed her thread to have the same name as mine. Now the threads got merged together although it's not the same issue they talked about. Now my problem got lost and I still didn't get the response I was hoping for. No reactions at all about this (new?) vulnerability which is the exploit of directories chmoded to 777 by hackers.

_________________
http://www.webdesigngold.com
Web Design Resources


Post subject: Re: Hacked through SMF
PostPosted: Wed Jul 19, 2006 2:02 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
I was wondering that too  :o How can they post in the middle of a topic?

Start new thread * *****


Last edited by mauri on Wed Jul 19, 2006 3:00 pm, edited 1 time in total.

Post subject: Re: Hacked through SMF
PostPosted: Wed Jul 19, 2006 2:08 pm
Joomla! Intern

Joined: Fri Nov 25, 2005 2:49 pm
Posts: 67
He he... well, it's ok. I'm going to start a new thread after all. I think I'm under attack again or something.

_________________
http://www.webdesigngold.com
Web Design Resources

