site hacked

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

marchus
Joomla! Intern
Posts: 78
Joined: Fri Apr 21, 2006 10:04 am

site hacked

Post by marchus » Wed Dec 19, 2007 4:42 pm

I got a message from my hosting service that they are going to delete my site in 24 hours. They say there is a script running on my site that is destroying something; I think it is the cron job for the feed manager in Joomla. Please help: tell me what this script is, and whether it is Joomla or any of the components that creates this problem. Here is the information they gave me:


Hello,

This is the compromise (outbound attack from your site):

found the following malicious processes and files on the server:

27045 marchus 25 0 2880 1796 1368 R 9.6 0.1 2:29 0 perl
27276 marchus 25 0 2876 2080 1368 R 9.6 0.2 2:28 0 perl
28335 marchus 25 0 2880 2100 1368 R 9.6 0.2 2:18 0 perl
3223 marchus 25 0 2872 2872 1364 R 9.6 0.2 0:28 0 perl
3543 marchus 25 0 2868 2868 1364 R 9.6 0.2 0:21 0 perl
24152 marchus 25 0 2880 1788 1368 R 8.6 0.1 3:05 0 perl
4463 marchus 25 0 2868 2868 1364 R 8.6 0.2 0:05 0 perl

root@p14 [~># lsof -p 27045 | more
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 27045 marchus cwd DIR 3,3 4096 2 /
perl 27045 marchus rtd DIR 3,3 4096 2 /
perl 27045 marchus txt REG 3,3 942729 1131675 /usr/bin/perl
perl 27045 marchus 4u IPv4 10846087 TCP p14.ich-15.com:33679->206.114.192.46:9999 (ESTABLISHED)
root@p14 [~># ps aux | grep marchus
marchus 6011 0.0 0.4 23216 5088 ? S Dec12 0:00 /usr/bin/php index.php
marchus 6417 0.0 0.4 23204 4436 ? S Dec12 0:00 /usr/bin/php index.php
marchus 10881 0.0 0.4 23212 4428 ? S Dec12 0:00 /usr/bin/php index.php
marchus 12368 0.0 0.9 23200 10072 ? S Dec12 0:00 /usr/bin/php index.php
marchus 12569 0.0 1.0 23196 10236 ? S Dec12 0:00 /usr/bin/php index.php
marchus 14348 0.0 1.0 23204 10276 ? S Dec12 0:00 /usr/bin/php index.php
marchus 20098 0.0 0.8 23200 8504 ? S Dec12 0:00 /usr/bin/php index.php
marchus 20173 0.0 0.6 23204 6892 ? S Dec12 0:00 /usr/bin/php index.php
marchus 4213 0.0 0.9 23216 9440 ? S Dec12 0:00 /usr/bin/php index.php
marchus 4981 0.0 0.8 23200 8904 ? S Dec12 0:00 /usr/bin/php index.php
marchus 10096 0.0 0.7 23200 7796 ? S 00:20 0:00 /usr/bin/php index.php
marchus 11010 0.0 0.5 23204 5960 ? S 00:24 0:00 /usr/bin/php index.php
marchus 12966 0.0 0.4 23200 4860 ? S 00:35 0:00 /usr/bin/php index.php
marchus 13312 0.0 0.6 23200 6508 ? S 00:37 0:00 /usr/bin/php index.php
marchus 17000 0.0 0.8 23200 9012 ? S 00:52 0:00 /usr/bin/php index.php
marchus 24142 0.0 0.0 0 0 ? Z 01:24 0:00 [sh >
marchus 24152 5.1 0.1 4212 1788 ? R 01:24 3:14 /usr/sbin/httpd
marchus 25299 0.0 0.0 0 0 ? Z 01:29 0:00 [sh >
marchus 25306 5.2 0.1 4196 1824 ? R 01:29 3:01 /usr/sbin/httpd
marchus 25899 0.0 0.0 0 0 ? Z 01:31 0:00 [sh >
marchus 25921 5.1 0.1 4212 1796 ? R 01:31 2:54 /usr/sbin/httpd
marchus 26042 0.0 0.0 0 0 ? Z 01:32 0:00 [sh >
marchus 26056 5.2 0.1 4188 1796 ? R 01:32 2:52 /usr/sbin/httpd
marchus 27039 0.0 0.0 0 0 ? Z 01:35 0:00 [sh >
marchus 27045 5.1 0.1 4200 1796 ? R 01:35 2:39 /usr/sbin/httpd
marchus 27235 0.0 0.0 0 0 ? Z 01:35 0:00 [sh >
marchus 27276 5.1 0.2 4212 2080 ? R 01:36 2:38 /usr/sbin/httpd
marchus 28279 0.0 0.0 0 0 ? Z 01:38 0:00 [sh >
marchus 28335 5.0 0.2 4208 2100 ? R 01:39 2:27 /usr/sbin/httpd
marchus 30329 0.0 0.0 0 0 ? Z 01:49 0:00 [sh >
marchus 30337 4.9 0.2 4196 2348 ? R 01:49 1:54 /usr/sbin/httpd
marchus 30780 0.0 0.0 0 0 ? Z 01:51 0:00 [sh >
marchus 30804 5.0 0.2 4200 2876 ? R 01:51 1:48 /usr/sbin/httpd
marchus 31283 0.0 0.0 0 0 ? Z 01:54 0:00 [sh >
marchus 31296 4.9 0.2 4212 2516 ? R 01:54 1:37 /usr/sbin/httpd
marchus 31476 0.0 0.0 0 0 ? Z 01:55 0:00 [sh >
marchus 31493 4.9 0.2 4204 2864 ? R 01:55 1:35 /usr/sbin/httpd
marchus 596 0.0 0.0 0 0 ? Z 02:01 0:00 [sh >
marchus 671 4.8 0.2 4196 2868 ? R 02:02 1:12 /usr/sbin/httpd
marchus 3205 0.0 0.0 0 0 ? Z 02:16 0:00 [sh >
marchus 3223 5.6 0.2 4208 2876 ? R 02:16 0:37 /usr/sbin/httpd
marchus 3519 0.0 0.0 0 0 ? Z 02:17 0:00 [sh >
marchus 3543 5.6 0.2 4200 2872 ? R 02:18 0:31 /usr/sbin/httpd
marchus 4401 0.0 0.0 0 0 ? Z 02:22 0:00 [sh >
marchus 4463 5.4 0.2 4216 2876 ? R 02:22 0:14 /usr/sbin/httpd
marchus 5061 0.4 0.2 4356 2340 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5063 0.5 0.2 4360 2308 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5065 0.5 0.2 4356 2112 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5068 0.9 0.2 4356 2112 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5070 1.0 0.2 4356 2656 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5072 1.1 0.2 4344 2528 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5074 0.4 0.2 4344 2152 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5078 1.1 0.2 4336 2116 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5080 1.0 0.2 4352 2996 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5082 0.5 0.2 4344 3000 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5084 1.0 0.2 4344 3004 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5087 0.8 0.2 4360 3004 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5091 0.6 0.2 4344 3000 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5094 0.3 0.2 4352 3004 ? S 02:26 0:00 /usr/sbin/httpd
marchus 5096 1.0 0.2 4348 2116 ? S 02:26 0:00 /usr/sbin/httpd

We can do this: allow access to the site for 24 h, you back up the data, and
then we will terminate the account and recreate it and you can upload the
data again.

Please advise if you want us to proceed with this.

247-Host Support Team
Last edited by infograf768 on Wed Dec 19, 2007 5:02 pm, edited 1 time in total.

infograf768
Joomla! Master
Posts: 18870
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: help help help

Post by infograf768 » Wed Dec 19, 2007 5:01 pm

Whether it is a 1.5 site or a 1.0.13, please follow the stickies here
RussW wrote: The Security Forums and several  Sticky Posts cover a huge amount of information regarding Security Issues and Potential Resolutions, please refer;

  Security Announcements
  Security Forum
  Joomla! Admin's Security Guide
  Security FAQ's Index
  3rd Party Security Forum

Security concerns or bugs may also be reported within the Quality and Testing Work Group Forum. In the event that a major or serious security issue is found by developers or end-users, they may also reach the "Security Response Team" via the Developer Site: Reporting Security Issues.

In addition to the above information, you may also find the following tools of interest;

Joomla! Diagnostics by WebSmurf
  This tool will compare your existing installation against a known good file list of Joomla! and highlight any missing, potentially corrupt or modified files, as well as providing some security related tests.
  Joomla! Diagnostics Home
  Joomla! Diagnostic discussion

Joomla! Tools Suite by the JTS Team
JTS provides a host of Joomla! site and server security configuration advice (based on HISA), an embedded version of Joomla! Diagnostics, and several maintenance tools such as Permissions, installed Extensions and DB optimisation.
Joomla! HISA
HISA is a single-script, stand-alone Joomla! pre- and post-installation Health, Installation and Security Audit tool.
  Joomla! Tools Suite Home
  Joomla! HISA Home
  JTS and HISA Discussion
 
  Several other tools may also be found on the Joomla! Extensions site in the "Tools" section.

As far as I am aware, at this current time, there are no known Security flaws within the Joomla! v1.0.13 release. I hope the above information will ease any Security concerns that you may have and provides you with access to relevant and useful information and tools.

If it is a 1.5, which version did you run?
What you posted does not give any idea of what happened.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

marchus
Joomla! Intern
Posts: 78
Joined: Fri Apr 21, 2006 10:04 am

Re: site hacked

Post by marchus » Wed Dec 19, 2007 5:29 pm

This is all that they gave me. I don't know what to ask for, because they say there is something wrong and that they have to close the account and start over. What should I ask for?


The account is compromised and we would have to terminate and recreate it if you want to host it with us. If we do this, you will need to re-upload data and you will have to make sure that this type of activity does not happen again by securing your site/scripts.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: site hacked

Post by RussW » Thu Dec 20, 2007 5:13 am

It would look as if you have had an exploit dump a perl bot in your account. The best practice now would be to recreate, and have your host try to review previous logs to find out how the account was compromised.

Depending on how long ago, this might not be feasible due to the work involved in chasing down the exploit. It would also be better to recreate your site from scratch, or from a known good backup, as the exploit may have been backed up in recent times and will only be reinstalled if you recover from an infected backup.

Prior to the hosting account being recreated, your host should perform a complete security audit on the server to ensure that it was not exploited internally or cross-account. Once the hosting account is recreated and your site re-built, another complete security audit of the server and account should be initiated, including checking of all intended extensions.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
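An added example, not from this thread or from any of its posters, showing how the evidence the host pasted can be checked mechanically rather than by eye: it parses ps aux and lsof -p lines like the constructed ones embedded in the block (hostname and peer IP are documentation placeholders) and flags a process whose ps command name (/usr/sbin/httpd) disagrees with the executable lsof reports (/usr/bin/perl), or that holds an established outbound TCP connection on an unexpected port. That combination is what RussW reads as a perl bot above.

```python
import re
# Constructed sample lines, modelled on the host's "ps aux" and "lsof -p" output quoted
# above (hostname and peer IP replaced with documentation values).
PS_AUX = """\
marchus 27039 0.0 0.0 0 0 ? Z 01:35 0:00 [sh] <defunct>
marchus 27045 5.1 0.1 4200 1796 ? R 01:35 2:39 /usr/sbin/httpd
marchus 5061 0.4 0.2 4356 2340 ? S 02:26 0:00 /usr/sbin/httpd
"""
LSOF = """\
perl 27045 marchus txt REG 3,3 942729 1131675 /usr/bin/perl
perl 27045 marchus 4u IPv4 10846087 TCP p14.example.test:33679->192.0.2.46:9999 (ESTABLISHED)
httpd 5061 marchus txt REG 3,3 1200000 1131999 /usr/sbin/httpd
"""
CONN_RE = re.compile(r"([^\s:]+):(\d+)->([^\s:]+):(\d+) \((\w+)\)")

def parse_ps(text):
    """pid -> record; 'cmd' is argv as ps shows it, which a process can rewrite at will."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 10)  # ps aux prints 11 columns, COMMAND last
        if len(parts) == 11 and parts[1].isdigit():
            procs[int(parts[1])] = {"cmd": parts[10], "exe": "", "conns": []}
    return procs

def apply_lsof(procs, text):
    """Attach the mapped executable ('txt' FD) and TCP peers lsof reports to known pids."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[1].isdigit() or int(f[1]) not in procs:
            continue
        p = procs[int(f[1])]
        if f[3] == "txt":
            p["exe"] = f[-1]
        elif (m := CONN_RE.search(line)):
            p["conns"].append((m.group(3), int(m.group(4)), m.group(5)))

def suspicious(procs, expected_ports=(80, 443)):
    """Sorted [(pid, reasons)]: argv/executable mismatch, or an unexpected established peer."""
    findings = []
    for pid, p in procs.items():
        shown = "" if p["cmd"].startswith("[") else p["cmd"].split()[0].rsplit("/", 1)[-1]
        reasons = []
        if p["exe"] and shown and p["exe"].rsplit("/", 1)[-1] != shown:
            reasons.append(f"ps shows {shown!r} but executable is {p['exe']}")
        reasons += [f"established outbound connection to {host}:{port}"
                    for host, port, state in p["conns"]
                    if state == "ESTABLISHED" and port not in expected_ports]
        if reasons:
            findings.append((pid, reasons))
    return sorted(findings)
```

Run against real output by feeding the text of ps aux and of lsof -p for each user-owned pid; the genuine idle httpd worker (pid 5061 in the sample) produces no finding, while the renamed perl process is reported with both reasons.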

