[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Floranett
Joomla! Enthusiast
Posts: 160
Joined: Sun Mar 12, 2006 7:11 pm

Re: ExtCalendar

Post by Floranett » Thu Jul 13, 2006 11:10 pm

Elpie wrote: That vulnerability has already been fixed in the upgrade that we should have out soon.
We are in the final testing stages now.
That's great news Elpie :D

 
Gregorius
Joomla! Apprentice
Posts: 34
Joined: Sun Aug 21, 2005 4:34 am
Location: Melbourne, Australia

Re: ExtCalendar

Post by Gregorius » Fri Jul 14, 2006 8:28 am

Great news indeed.. thank you for your efforts guys... it's muchly appreciated.
DoofCentral - Your Psychedelic Universe
http://www.doofcentral.com
- Trying to upgrade to Joomla, but that brick wall is starting to win the battle. :(

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 8:47 am

Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: ExtCalendar

Post by Elpie » Fri Jul 14, 2006 11:08 am

Testing is well underway Leo - hope to have it available for you soon.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 11:11 am

Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
need testing and hack-attempt assistance?
cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 1:07 pm

leolam wrote:
Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
need testing and hack-attempt assistance?
cheers
Leo
Ditto here.  I'm on a VPS and haven't had any hack attempts since moving to it, but would be willing to do testing with you.

lboccia
Joomla! Enthusiast
Posts: 125
Joined: Thu Oct 06, 2005 2:07 pm

Re: ExtCalendar

Post by lboccia » Fri Jul 14, 2006 1:17 pm

Dear Albi,
  can you confirm that using the Calendar version you suggested there are no known security issues?

Regards,
Luigi

svenl
Joomla! Ace
Posts: 1032
Joined: Mon Oct 17, 2005 1:50 pm
Location: Närke, Sweden

Re: ExtCalendar

Post by svenl » Fri Jul 14, 2006 1:21 pm

Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
Thanks for this.

Even if it is still a "beta" and in testing mode, is it possible to get "hands on it" and start implementing ExtCalendar again?

Is there anybody who will also start to develop this component further??

/Sven
8)
-
The truth is out there, have you searched for your answer?
Was the answer good and did it solve your problem? Then don't forget to change your first post to solved (Solved)

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: ExtCalendar

Post by Elpie » Fri Jul 14, 2006 1:50 pm

We are not releasing it until it has been thoroughly tested.  The reason for this is that we need to be certain that it works as intended without causing problems. When we looked into the code we found that there was a lot more to do to fix security issues than just preventing direct access and we had to write the update so it would install the new version and completely remove the old one.

Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, unless you have a backup or are prepared to lose all your events. The current version deletes all its data tables when it is uninstalled.

And, don't worry, ExtCalendar is not an orphan project any more. We will be looking after it :)
Last edited by Elpie on Fri Jul 14, 2006 2:00 pm, edited 1 time in total.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 1:53 pm

Elpie wrote:Do NOT uninstall the ExtCalendar you have now
Misleading advice.

Possibly reword like this:

"Do not use the Joomla Uninstall method in Joomla Admin for uninstalling extCalendar right now as that would remove your events and they would be lost forever - HOWEVER YOU MUST remove manually using FTP or SSH the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."


:-)~ :-)
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: ExtCalendar

Post by Elpie » Fri Jul 14, 2006 2:04 pm

Agreed, I missed a couple of words ;)  Fixed that now.
All going well, the release should only be a matter of hours away.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 2:13 pm

Actually I don't think that removing the component, regardless of the method used, is a 'must'.  If your site is secure, and in my case on your own server, the odds of a hacking event are somewhat mitigated.

I don't think we should state that just because there's an issue, users should remove the product.  And how long will we have to wait for the fix?  I doubt we have to wait much longer, as these guys seem to really have pride in their product and my feel is they'll be providing us a very good solution in very little time. 

I just would hate to "stampede the cattle" by shouting 'fire, fire, fire' when some of us may be at risk, but not been hacked, but the hack-proof solution is soon to come.  Most of us get that knee-jerk reaction when we start hearing about these hacker events, but there are enough suggestions floating around to where I believe one could secure their site well enough until the solution is provided.

Anyway, that's my thought on this.  I'm waiting patiently for that update myself, as I feel that this product is now an integral part of my site and I definitely don't want to lose it.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 2:23 pm

If your site is secure, and in my case on your own server, 
Exactly how many Joomla Users have that though???? And even if they do - do they have the knowledge to make a server secure - probably not.

Try telling that to the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers.... Some of which were dedicated servers!

I'm not yelling fire fire fire - I'm being real and serious about a real and expanding threat to hacking of 3PD
Last edited by PhilTaylor-Prazgod on Fri Jul 14, 2006 2:29 pm, edited 1 time in total.
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 2:33 pm

PhilTaylor-Prazgod wrote:
Misleading advice.
Possibly reword like this:
"Do not use the Joomla Uninstall method in Joomla Admin for uninstalling extCalendar right now as that would remove your events and they would be lost forever - HOWEVER YOU MUST remove manually using FTP or SSH the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."
Incorrect wording and confusing for newbies and people who do not have YOUR knowledge!

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!

Most likely rewording so people with less KB understand this as well!:

"Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, because you will lose all your events.  The current version deletes all its data tables where the events are stored when it is uninstalled through the uninstaller of the admin backend." If you want to maintain your events which are stored in the database-tables while waiting for the new EXT Calendar patch you should strongly consider to remove manually (using FTP or your cPanel-filemanager or equivalent panel) the /components/com_extcalandar/ folder and all files below. This will secure for now your system from being hacked through this component and keeps your events in the database for future use when the new files and folders are available which will be soon."

next@ Phil...You promote on your website a hack for download solving this issue... Your rewording above is though contradiction to the "patch" on your site since it advises to remove the folders instead of applying the patch as you promote on your site? Can you please clarify this to avoid misunderstanding?
PhilTaylor-Prazgod wrote: Try telling that to the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers....
I'm not yelling fire fire fire - I'm being real and serious about a real and expanding threat to hacking of 3PD
I am simply asking how your rewording from above fits this message. The people who are currently working on this new patch are addressing serious sql-issues and others related to EXT Calendar as well.....Could you shine your light on this as well because it seems that a little bit more is present than you have addressed in your patch if I understand this correctly? Please advise because I would love to know if I can use your patch you have installed with your 50 or so users or should I uninstall as you suggest in your rewording? Is your patch safe and does it solve the issue?

thanks
Cheers
Leo
Last edited by leolam on Fri Jul 14, 2006 2:38 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 2:40 pm


leolam wrote: Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo
Maybe if the "more experienced" had advised his customer correctly he would not have got hacked !!
Maybe if the "more experienced" had the experience he could patch or help his customer right away?

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!
Not sure if you are counting yourself more experienced than me or that you think I am trying to promote my services ? or both.  In fact I do this for a living is a fact - I can't change that - and yes I do charge and yes I do make money - get over it - that's my job! - it also means that I am very experienced.

At the end of the day if users leave excalendar.php or file_upload.php or image_upload.php on their server they seriously risk getting hacked. Even if they are leaving it there waiting for a new release to be made.

Two choices:
1) remove the files - don't get hacked
2) leave the files - risk getting hacked.

I personally was involved in one of the first hacks of this wave last Friday - and since then I have spent 12 hours of every day - along with two staff members fixing hacked sites around the world.  I am experienced in the hackers' methods and entry points and know I personally can protect a server from hacking.
Last edited by PhilTaylor-Prazgod on Fri Jul 14, 2006 3:12 pm, edited 1 time in total.
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 3:00 pm

PhilTaylor-Prazgod wrote: @leo
I'm not interested in your nit picking personal flaming thread posts - go and find some one else to troll and I'll simply get on with doing what I was doing before you decided to pop in.
may I object to this flame and abuse? I ask you a very decent question, one which is not flaming and one which is a very fair question? I asked you if your thread was solving the issue and I made a clarification on the remark. What is wrong with asking if your solution solves it? Please advise why you need to be aggressive and abusive?
leolam wrote: Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo
Maybe if the "more experienced" had advised his customer correctly he would not have got hacked !!
thank you for that...I could reply very easily with a remark that I read somewhere that you just helped 50 of your customers but I won't because I just asked a decent question to which I have not yet got an answer. Does your patch solve the issue was the question? If so I am happy and we will apply it to the customer's site!!

Please note that i do not understand your aggression and or your frustration. I even posted a thank you message on your blog at http://blog.phil-taylor.com for sharing your solution with us...I read now that we have other developments (Elpie's posts) and possible other hacks or releases and i ask a question......the answer is insults? May I be displeased with that approach?

Cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 3:03 pm

just helped 50 of your customers
Actually they were not customers of mine  - but they are now cause they knew where to turn when they were let down by other so called "more experienced"

The fact is, and this thread proves, that there is a lot of people thinking they are qualified to give advice.  Even bad advice. 

Your posts have done nothing for this thread.

I conclude (on topic)

If you have files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if you have not taken action to remove, patch, or protect yourself against a string of automated, self replicating attacks.  You are also vulnerable if you have taken action based on some incorrect advice (like modifying htaccess files I read somewhere)

You have been warned.
Last edited by PhilTaylor-Prazgod on Fri Jul 14, 2006 3:09 pm, edited 1 time in total.
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 3:16 pm

PhilTaylor-Prazgod wrote: The fact is, and this thread proves, that there is a lot of people thinking they are qualified to give advice.  Even bad advice. 
completely agree without doubt!
If you have files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if you have not taken action to remove, patch, or protect yourself against a string of automated, self replicating attacks.  You are also vulnerable if you have taken action based on some incorrect advice (like modifying htaccess files I read somewhere)
You have been warned.
which is without doubt an excellent advice! but:

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnerability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advice I do concur by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words if I understand you correctly that if I would apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Leo
Last edited by leolam on Fri Jul 14, 2006 3:22 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm

Re: ExtCalendar

Post by albi » Fri Jul 14, 2006 3:21 pm

lboccia wrote: Dear Albi,
  can you confirm that using the Calendar version you suggested there are no known security issues?

Regards,
Luigi
Greetings, my friend

No known security issues till now for this calendar

http://extensions.joomla.org/component/ ... Itemid,35/

Regards
dimitri
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 3:24 pm

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnerability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advice I do concur by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words if I understand you correctly that if I would apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Simple answer.  The patch on my blog has been removed in favour of the pending combined developers' re-release of ExtCalendar which I have been aware of for some time. The patch that was available on my site was developed in-house at speed for a particular customer and fixed all file include vulnerabilities in that single file. Since that time other SQL injection and string manipulation issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 3:31 pm

PhilTaylor-Prazgod wrote:
Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnerability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advice I do concur by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words if I understand you correctly that if I would apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Simple answer.  The patch on my blog has been removed in favour of the pending combined developers' re-release of ExtCalendar which I have been aware of for some time. The patch that was available on my site was developed in-house at speed for a particular customer and fixed all file include vulnerabilities in that single file. Since that time other SQL injection and string manipulation issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).
Thank you for your reply....that was all i asked for in my initial post. On the remainder i will post in private to the known channels. As usual it was my pleasure  :-\

Cheers
Leo
Last edited by leolam on Fri Jul 14, 2006 3:56 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 3:54 pm

Weeeeeeeeeeeeeeeeea hah.... sometimes these forums can be oh so much fun!!!  :laugh:

This is what I meant in an earlier post about developers not wanting to hear anything bad said about their "babies".  You gotta love developers, they are such lonely people, working hard on their computers all in a world of their making, designing and creating wonderful products for lame butts like me....

Warning to all visitors to these forums - never get a developer angry at you - they have a very long memory, and tons of RAM to store it in!!!

:laugh: :D ;)

donaldwheaton
Joomla! Apprentice
Posts: 7
Joined: Tue Jul 11, 2006 4:25 pm

Rootkit Installed

Post by donaldwheaton » Fri Jul 14, 2006 3:58 pm

I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: Rootkit Installed

Post by RobinH » Fri Jul 14, 2006 4:00 pm

donaldwheaton wrote: I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
Please pardon my ignorance (well, why should you?  My wife doesn't). What is a *NIX system???

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1218
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Rootkit Installed

Post by PhilTaylor-Prazgod » Fri Jul 14, 2006 4:02 pm

donaldwheaton wrote: I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

For clarification:
You can only run these tools if you have ssh/telnet access to your server and correct permissions and privileges to do so.  Most normal web hosting accounts will not have this level of access to the server's operating system and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix system is one based on UNIX or Linux code (redhat, centos, etc...)
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

leolam
Joomla! Master
Posts: 20214
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 4:04 pm

RobinH wrote: Warning to all visitors to these forums - never get a developer angry at you - they have a very long memory, and tons of RAM to store it in!!!
:laugh: :D ;)
Hack their memory and remove
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
from what they consider to be a brain :)

cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services
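
A defender-side check for two points raised in the posts above, the file names in PhilTaylor-Prazgod's warning and the `_VALID_MOS` direct-access guard leolam quotes; this is an added example, not code from the thread or from ExtCalendar. The function names, the constructed `com_example_calendar` sample tree and the 20-line search window are assumptions. A missing guard only flags a file for review: as Elpie's post says, the fix needed more than preventing direct access.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Mambo/Joomla 1.0 docroot for
# (a) the file names the thread warns about and
# (b) PHP files that lack the "no direct access" guard quoted in the thread.

# File names as given in the thread.
RISKY_NAMES="extcalendar.php file_upload.php image_upload.php"

# Print every file under docroot $1 whose name is one of RISKY_NAMES.
find_risky_files() {
    for name in $RISKY_NAMES; do
        find "$1" -type f -name "$name"
    done | LC_ALL=C sort
}

# Print every .php file under $1 that has no _VALID_MOS guard in its first
# 20 lines (the 20-line window is an assumption of this sketch).
find_unguarded_php() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        if ! head -n 20 "$f" | grep -Eq \
            "defined[[:space:]]*\([[:space:]]*['\"]_VALID_MOS['\"][[:space:]]*\)[[:space:]]*(or|\|\|)[[:space:]]*die"
        then
            printf '%s\n' "$f"
        fi
    done
}

# Build a small constructed docroot so the script runs offline.
# The component directory name is hypothetical.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    comp="$root/components/com_example_calendar"
    mkdir -p "$comp/lib"
    # Guarded file: carries the check quoted in the thread.
    printf '%s\n' '<?php' '// no direct access' \
        "defined( '_VALID_MOS' ) or die( 'Restricted access' );" \
        'echo "calendar";' > "$comp/extcalendar.php"
    # Unguarded files: reachable by requesting their URL directly.
    printf '%s\n' '<?php' 'echo "upload form";' > "$comp/file_upload.php"
    printf '%s\n' '<?php' 'function helper() { return 1; }' > "$comp/lib/helper.php"
    # Non-PHP file: ignored by the guard check.
    printf '%s\n' '<html></html>' > "$comp/index.html"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/docroot   (no argument: run on the sample tree)
if [ "$#" -ge 1 ]; then target=$1; else target=$(make_sample_tree); fi
echo "Files named in the thread:"
find_risky_files "$target"
echo "PHP files without the guard:"
find_unguarded_php "$target/components"
[ "$#" -ge 1 ] || rm -rf "$target"
```
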

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: Rootkit Installed

Post by RobinH » Fri Jul 14, 2006 4:10 pm

PhilTaylor-Prazgod wrote: For clarification:
You can only run these tools if you have ssh/telnet access to your server and correct permissions and privileges to do so.  Most normal web hosting accounts will not have this level of access to the server's operating system and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix system is one based on UNIX or Linux code (redhat, centos, etc...)
Thanks, appreciate the info.  I'm on VPS with full admin authority on the server, running Centos.  Will go investigate that rootkit scanner.

Buster
Joomla! Guru
Posts: 619
Joined: Mon Nov 28, 2005 10:29 am
Location: England

Re: ExtCalendar

Post by Buster » Fri Jul 14, 2006 4:10 pm

Any news on any re-releases?
Last edited by Buster on Fri Jul 14, 2006 4:12 pm, edited 1 time in total.
A true Panspermian........aren't we all?

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 4:14 pm

Buster wrote: Any news on any re-releases?
Coming soon to a theater near you!!!
Last edited by RobinH on Fri Jul 14, 2006 4:39 pm, edited 1 time in total.

Buster
Joomla! Guru
Posts: 619
Joined: Mon Nov 28, 2005 10:29 am
Location: England

Re: ExtCalendar

Post by Buster » Fri Jul 14, 2006 4:16 pm

That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery? :)
A true Panspermian........aren't we all?

 
