Site hacked through extcalendar component

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

User avatar
tfuller
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 218
Joined: Tue Sep 20, 2005 11:30 pm
Location: Oregon
Contact:

Site hacked through extcalendar component

Postby tfuller » Fri Jul 21, 2006 11:24 pm

For no apparent reason our site was hacked. After consulting this forum I determined that the hacker got in through the extCalendar component - which had disappeared off the Joomla Extensions pages and for good reason - it apparently didn't have the required security in it that checks for a valid MOS.

The hacker was able to replace our configuration.php file - and that enabled him/her to redirect the site to their own. Once I replaced the file with one from a backup the site was restored. I then got rid of extCalendar.

Here is the code used in case anyone is interested in stopping attacks like this in the future:









[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]">

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]">





<span style="color: red">[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]</span>











 

   

     

   

 


     



     


     


           

           

            by




           

            [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


           


           




[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]








iskorpitx

|

eno7

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


ata1944|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|


      [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


















 











Mod Edit: Links removed. -RobS
Last edited by rliskey on Sun Dec 31, 2006 1:41 am, edited 1 time in total.
Author of component Joomla Bible Study:
http://www.JoomlaBibleStudy.org

User avatar
Jenny
Joomla! Champion
Joomla! Champion
Posts: 6238
Joined: Sun Aug 21, 2005 2:25 pm
Contact:

Re: Site hacked through extcalendar component

Postby Jenny » Sat Jul 22, 2006 1:45 am

Please read through the various postings http://forum.joomla.org/index.php/board ... tml.&nbsp; A number of extensions are insecure.  Please update any extensions you have on your site, either install a clean installation of Joomla with updated extensions and then restore your data from your database, or go through each and every folder and file in your current installation to make sure there are no hidden files buried in your current installation before making it live again.

Best practices for security are to subscribe to the Announcement forum regarding updates to Joomla!, but more importantly also keep an eye by subscribing (if available) to any annoucements from the extensions that you use.  Keep track of your versions to make sure you are running the most current and secure version of any of your extensions.

BACK UP your files and your database on a regular basis so that recovering from sudden problems isn't a heartache and a headache.  If you have good clean backups the restore and update process can be quite a lot less painful.

Make sure your hosting company is following best practices for security on their servers and more can be read about that in various posts throughout the security forum.

Permissions on your files should be 644 or for folders 755.  If you need to change or add anything, you can make both writable for the short period you are updating/changing - then set permissions back to unwritable.

There is no surefire way to be protected from all security issues, due to the fact that as a security issue is solved, the people that wish to crack/hack find ways around the fixes to do what they want to do.  Using good basic security practices will help protect you.

  • Back up regularly and keep a local copy of your site on your local machine
  • Make sure your permissions are the most secure you can make them
  • Update any and all programs or extensions you may use to create your site, keep informed of security issues and update immediately
  • [*:[spam] log files for any suspicious activity or useage at your site
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: Site hacked through extcalendar component

Postby davidrrm » Sat Jul 22, 2006 10:29 am

There is a new release of ExtCalendar that fixes the security problems -

Information about that is here - http://forum.mamboguru.com/showthread.php?t=318.

david

amb_shah
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Tue Nov 08, 2005 10:49 am

Re: Site hacked through extcalendar component

Postby amb_shah » Sat Jul 22, 2006 6:57 pm

one of my sites was hacked too,
i just noticed it when someone overwrote the configuration file.
when i went through the logs i found that the attack had started on June 30 and continued till date.
thanks to the party that overwrote the configuration file i was able to notice it.

the culprit was the extcalendar component...
also i found a file called proxy.tgz i can neither delete it or rename it
so i downloaded it and extracted the contents it contains a folder
"pro "
and two files
prox
xh
these are executables (my cpanel says so )

i think this has something to do with a sleeper program waiting to obey its masters command.
have notified my hosting provider.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Site hacked through extcalendar component

Postby rliskey » Tue Jul 25, 2006 7:24 am

Found trojan horse in the com_extcalendar directory: PHP.RSTBackdoor
Exposes files, and allows db dumps.

More info: http://www.symantec.com/security_respon ... 99&tabid=3
Last edited by rliskey on Sun Dec 31, 2006 1:40 am, edited 1 time in total.


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 2 guests