The Joomla! Forum ™





Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Fri Jul 21, 2006 11:24 pm 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Tue Sep 20, 2005 11:30 pm
Posts: 218
Location: Oregon
For no apparent reason our site was hacked. After consulting this forum I determined that the hacker got in through the extCalendar component - which had disappeared off the Joomla Extensions pages and for good reason - it apparently didn't have the required security in it that checks for a valid MOS.

The hacker was able to replace our configuration.php file - and that enabled him/her to redirect the site to their own. Once I replaced the file with one from a backup the site was restored. I then got rid of extCalendar.

Here is the code used in case anyone is interested in stopping attacks like this in the future:









[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]">

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]">





<span style="color: red">[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]</span>











 

   

     

   

 


     



     


     


           

           

            by




           

            [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


           


           




[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]








iskorpitx

|

eno7

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


ata1944|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|


      [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]


















 











Mod Edit: Links removed. -RobS

_________________
Author of component Joomla Bible Study:
http://www.JoomlaBibleStudy.org


Last edited by rliskey on Sun Dec 31, 2006 1:41 am, edited 1 time in total.

Top
 Profile  
 
PostPosted: Sat Jul 22, 2006 1:45 am 
User avatar
Joomla! Champion
Joomla! Champion

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 6217
Please read through the various postings http://forum.joomla.org/index.php/board ... tml.&nbsp; A number of extensions are insecure.  Please update any extensions you have on your site, either install a clean installation of Joomla with updated extensions and then restore your data from your database, or go through each and every folder and file in your current installation to make sure there are no hidden files buried in your current installation before making it live again.

Best practices for security are to subscribe to the Announcement forum regarding updates to Joomla!, but more importantly also keep an eye by subscribing (if available) to any annoucements from the extensions that you use.  Keep track of your versions to make sure you are running the most current and secure version of any of your extensions.

BACK UP your files and your database on a regular basis so that recovering from sudden problems isn't a heartache and a headache.  If you have good clean backups the restore and update process can be quite a lot less painful.

Make sure your hosting company is following best practices for security on their servers and more can be read about that in various posts throughout the security forum.

Permissions on your files should be 644 or for folders 755.  If you need to change or add anything, you can make both writable for the short period you are updating/changing - then set permissions back to unwritable.

There is no surefire way to be protected from all security issues, due to the fact that as a security issue is solved, the people that wish to crack/hack find ways around the fixes to do what they want to do.  Using good basic security practices will help protect you.

  • Back up regularly and keep a local copy of your site on your local machine
  • Make sure your permissions are the most secure you can make them
  • Update any and all programs or extensions you may use to create your site, keep informed of security issues and update immediately
  • [*:[spam] log files for any suspicious activity or useage at your site

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com


Top
 Profile  
 
PostPosted: Sat Jul 22, 2006 10:29 am 
Joomla! Explorer
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
There is a new release of ExtCalendar that fixes the security problems -

Information about that is here - http://forum.mamboguru.com/showthread.php?t=318.

david


Top
 Profile  
 
PostPosted: Sat Jul 22, 2006 6:57 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Tue Nov 08, 2005 10:49 am
Posts: 4
one of my sites was hacked too,
i just noticed it when someone overwrote the configuration file.
when i went through the logs i found that the attack had started on June 30 and continued till date.
thanks to the party that overwrote the configuration file i was able to notice it.

the culprit was the extcalendar component...
also i found a file called proxy.tgz i can neither delete it or rename it
so i downloaded it and extracted the contents it contains a folder
"pro "
and two files
prox
xh
these are executables (my cpanel says so )

i think this has something to do with a sleeper program waiting to obey its masters command.
have notified my hosting provider.


Top
 Profile  
 
PostPosted: Tue Jul 25, 2006 7:24 am 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
Found trojan horse in the com_extcalendar directory: PHP.RSTBackdoor
Exposes files, and allows db dumps.

More info: http://www.symantec.com/security_respon ... 99&tabid=3

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Last edited by rliskey on Sun Dec 31, 2006 1:40 am, edited 1 time in total.

Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 



Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group