The Joomla! Forum ™





PostPosted: Thu Aug 10, 2006 12:23 am 
Joomla! Apprentice

Joined: Thu Mar 23, 2006 4:09 am
Posts: 36
Just an FYI that my site was hacked.

hacked by da_jackass - jong_amq@hotmail.com - #papmahackerlink #maluku-hacker #papuahacker @ dalnet - SAVE THE WORLD WITH LOVE AND PEACE - STOP WAR!!!

I simply had to replace the index.php from a back-up. All seems OK.

For reference, from a little investigation it only seems to happen to people using Apache and Linux servers.

_________________
www.AussieBball.com Australian basketball forum and news


Last edited by RobS on Thu Aug 10, 2006 8:13 pm, edited 1 time in total.

PostPosted: Thu Aug 10, 2006 1:05 am
Joomla! Apprentice

Joined: Thu Mar 23, 2006 4:09 am
Posts: 36
OK another update.

It actually seems to be an issue with Community Builder.

You will also need to restore from back-up

administrator/components/com_comprofiler/plugin.class.php

There is a known security issue from CB please see http://www.joomlapolis.com/

But they actually seem to be down as well, but they are releasing a security patch shortly.

_________________
www.AussieBball.com Australian basketball forum and news


PostPosted: Thu Aug 10, 2006 5:58 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17264
Location: **Translation Matters**
Upgrade available: http://forge.joomla.org/sf/frs/do/viewR ... 0_1_stable

Title changed and moved to 3pd security forum

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Thu Aug 10, 2006 9:34 am
Joomla! Explorer

Joined: Sat Sep 03, 2005 1:56 am
Posts: 334
Location: Upstate New York
Okay.. so Joomlapolis recommends this setting for EVERYONE but especially for those with "weakly configured servers".
From Joomlapolis:
Quote:
Your site needs urgent update to CB 1.0.1 if ALL of these PHP settings are met:

  1. php register_globals set to ON
  2. allow_url_fopen is ON
  3. no open base directory limitations set
  4. php code directories have write permissions from web-server process

For everyone's understanding (and mine...):
1. register globals can be set via the php ini file
2. allow_url_fopen - Not sure where this setting is... anyone?
3. This is a setting in a reseller whm panel under tweak settings
4. write permissions from web-server process??

_________________
Thanks!
Aaron


PostPosted: Thu Aug 10, 2006 3:40 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
The first three are all PHP settings configurable in php.ini

register_globals = Off
allow_url_fopen = Off
open_basedir = /usr/local/something/like/this

The 4th is a matter of permissions.  If a file or folder is world writeable (like 666, 777) then it is writeable by the web server's user process, which is a security issue but also a functionality issue.  As usual, a balancing act.  Hope that helps.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
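
The four conditions from the Joomlapolis notice, as discussed in the two posts above, can be checked against a php.ini and a document root. This is an added example, not code from this thread or from the Joomla or Community Builder projects; the function names and the sample files built in a temporary directory are constructed for illustration, and it assumes the php.ini passed in is the one the web server's PHP actually loads.

```shell
#!/usr/bin/env bash
# Added example: check the four conditions from the Joomlapolis notice.

# Effective value of a php.ini directive: last assignment wins, ';' comment lines skipped.
ini_get() {  # usage: ini_get <php.ini> <directive-in-lowercase>
    awk -v key="$2" '
        /^[ \t]*;/ || !/=/ { next }
        { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
          if (tolower(k) != key) next
          v = substr($0, index($0, "=") + 1); sub(/;.*/, "", v)
          gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }' "$1"
}

# PHP reads 1/on/yes/true (any case) as enabled.
is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true) return 0 ;; *) return 1 ;;
    esac
}

# Prints one "RISK" line per condition that holds; four lines means all are met.
audit_cb_conditions() {  # usage: audit_cb_conditions <php.ini> <docroot>
    local v
    v="$(ini_get "$1" register_globals)"   # unset means Off (PHP >= 4.2)
    if is_on "$v"; then echo "RISK register_globals=$v"; fi
    v="$(ini_get "$1" allow_url_fopen)"    # unset means On (PHP default)
    if is_on "${v:-1}"; then echo "RISK allow_url_fopen=${v:-unset, defaults to On}"; fi
    v="$(ini_get "$1" open_basedir)"
    if [ -z "$v" ]; then echo "RISK open_basedir not set"; fi
    # World-writable PHP files or directories are writable by the web server user.
    v="$(find "$2" \( -type d -o -name '*.php' \) -perm -0002 | sort)"
    if [ -n "$v" ]; then echo "RISK world-writable: $(echo "$v" | tr '\n' ' ')"; fi
    return 0
}

# Constructed sample data: a weak and a hardened setup in a temp directory.
demo="$(mktemp -d)"; trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/weak/com_comprofiler" "$demo/hard/com_comprofiler"
printf '; constructed sample\nregister_globals = On\n;allow_url_fopen = Off\n' > "$demo/weak.ini"
printf 'register_globals = Off\nallow_url_fopen = Off\nopen_basedir = "%s"\n' "$demo/hard" > "$demo/hard.ini"
touch "$demo/weak/com_comprofiler/plugin.class.php" "$demo/hard/com_comprofiler/plugin.class.php"
chmod 777 "$demo/weak/com_comprofiler"; chmod 666 "$demo/weak/com_comprofiler/plugin.class.php"
chmod 755 "$demo/hard" "$demo/hard/com_comprofiler"; chmod 644 "$demo/hard/com_comprofiler/plugin.class.php"

audit_cb_conditions "$demo/weak.ini" "$demo/weak"
audit_cb_conditions "$demo/hard.ini" "$demo/hard"
```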


PostPosted: Thu Aug 10, 2006 3:57 pm
Joomla! Explorer

Joined: Sat Sep 03, 2005 1:56 am
Posts: 334
Location: Upstate New York
Thanks for the info!
I spaced it with permissions.. haha. I knew that..
(..and there are plenty of posts on how to set this..) Thanks again!

_________________
Thanks!
Aaron


PostPosted: Tue Aug 15, 2006 4:24 am
Joomla! Apprentice

Joined: Sun Jul 23, 2006 3:27 am
Posts: 7
Just as a followup, someone was exploiting a vulnerability in plugin.class.php in RC2 on our site. Our host had to shut off access to our site -- http://www.thewyvernportal.com -- (on the day I was presenting it to my fellow faculty members, of course) because his servers were being flooded.
Not sure about Joomla (not familiar with that software), but the exploit
was most definitely that described in the Secunia advisory, and the exact
file being exploited was:

  /mambo/administrator/components/com_comprofiler/plugin.class.php

This morning, we had a team of our guys trying to find out what was
happening on our servers (the cpu load had skyrocketed on 4 of our
cluster servers), and it turns out about 40 processes were running
a remote UDP flood script that was downloaded and executed through
the vulnerability in that script.
The flood script was spreading "a worm that is used to launch denial
of service attacks on other sites," my host said tonight.

The Secunia advisory was one for Mambo 4.5.2: http://secunia.com/advisories/14337

I am not sure if it applies to Joomla 1.0.10 and CB RC2, but my host's staff says it does. I have applied the 1.0.1 update, so I hope it fixes the problem.


PostPosted: Tue Aug 15, 2006 6:30 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17264
Location: **Translation Matters**
1.0.1 and the above php settings should do it.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Tue Aug 15, 2006 6:36 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Keep in mind that allow_url_fopen = Off will break some site functionality. If you search for discussion regarding that setting, you will find more detailed information about which site functionality will be broken.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Tue Aug 15, 2006 2:45 pm
Joomla! Apprentice

Joined: Sun Jul 23, 2006 3:27 am
Posts: 7
It worked. No complaints from my host.

BTW, some of us do not have access to php.ini or to Apache settings. Component coders need to take these facts into consideration.


PostPosted: Wed Aug 16, 2006 11:09 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 830
Location: Switzerland
Just noticed this thread...  ;)

As updated also on http://www.joomlapolis.com :

setting register_globals to OFF is *not sufficient* to put it OFF ! :(

Joomla 1.0.10 still emulates that to ON in globals.php even when it is set to OFF in php.ini !!!

See here how to put it off for sure:

http://forum.joomla.org/index.php/topic ... w.html#new

N.B. updating to Community Builder 1.0.1 is enough to close the known vulnerability (independently of register_globals).

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


PostPosted: Thu Aug 17, 2006 2:08 am
Joomla! Apprentice

Joined: Sun Jul 23, 2006 3:27 am
Posts: 7
How would changing this setting affect things if your host has register_globals ON? Mine uses Sun Solaris and Apache. 


PostPosted: Thu Aug 17, 2006 6:08 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17264
Location: **Translation Matters**
Although it can't replace a global setting of RegisterGlobals off for the server, it does emulate that setting for the Joomla install itself.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Fri May 02, 2008 2:54 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 830
Location: Switzerland
Please note that a new exploit (blind SQL injection) got published on hacker sites for CB 1.0.0 and 1.0.1. Please upgrade to CB 1.0.2 at the very least, and preferably to CB 1.1, as those two releases are not affected by that vulnerability. CB 1.0.2 has been out for over 1 year and was a security release...

The vulnerability requires PHP magic_quotes_gpc to be OFF to succeed, and Joomla version to be below Joomla 1.0.12 to be of high level.

Best is to stay up to date with security releases...

I don't have edit rights at help.joomla.org here:
http://help.joomla.org/component/option ... temid,268/

Please could someone of the help team change "<= 1.0.0" ---> "<= 1.0.1" and "1.0.1" to "1.0.2 or 1.1" on that page ?

Thanks.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

