My Joomla Web site is Hacked

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

My Joomla Web site is Hacked

Post by koyauni » Thu Aug 14, 2008 11:16 pm

I thought you may want to know this but my Joomla 1.5.3 has been hacked buy agent of Turkish State. This Cyber Crime against humanity and freedom of speech but how could this happen?

http://www.kirmashan.com

Please make your codes more secure.

User avatar
zanderp
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 155
Joined: Tue Apr 03, 2007 7:32 pm
Location: Weesp, NL
Contact:

Re: My Joomla Web site is Hacked

Post by zanderp » Thu Aug 14, 2008 11:18 pm

Please see: http://developer.joomla.org/security/ne ... ality.html
and http://www.joomla.org/announcements/rel ... eased.html

I guess that recovering your admin password will help you further, read how-to over here: http://developer.joomla.org/bug-squad-b ... sword.html

Good luck!
Sander Potjer - Joomla Community Leadership Team

http://www.aclmanager.net - Joomla! ACL simplified
http://www.perfectwebteam.nl - Perfect Web Team

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13291
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: My Joomla Web site is Hacked

Post by brad » Fri Aug 15, 2008 12:13 am

koyauni wrote:Please make your codes more secure.
Please make sure you read and keep up with security announcements, the code was secured, hours after it was reported.
Brad Baker
https://xyzuluhosting.com
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Fri Aug 15, 2008 12:53 pm

The last update from my Hosting Service is that the intruder was a Cyber Criminal from the city of Izmir/Turkey using Windows OS, and FireFox, with DSL connection and Turkish Language based OS. They even have the IP but I can not reveal this at this stage.

Do you have any Turkish Citizen among your core developer?
Is there any legal action or measures that I can take at this stage?

It shows that the IP belong to governmental building.

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Fri Aug 15, 2008 12:58 pm

Is my database damaged by this action as well?

Is it only the first index page which has been effected?

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Fri Aug 15, 2008 3:07 pm

I managed to gain access to my web site but I can not get ride of the index page hacked to the web site.

I even deleted the index.php and uploaded a new one but it is still there. How can I fix this

http://www.kirmashan.com

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: My Joomla Web site is Hacked

Post by ircmaxell » Fri Aug 15, 2008 3:16 pm

Restore your last backup before the attack...

http://forum.joomla.org/viewtopic.php?f=267&t=54006
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

res_q_pilot6969
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Tue Jan 23, 2007 2:52 pm

Re: My Joomla Web site is Hacked

Post by res_q_pilot6969 » Fri Aug 15, 2008 5:30 pm

I to was hacked just last night on one of my sites. I had forgot to update that one to 1.5.6. I cant remember the name they used. They turned the site offline to show they had hacked the site. Check your global settings.

Question for someone. Is there a way to scan the files on my website and compare them to unaffected joomla files? I cant find any new folders or scripts in my index.php files but they could have hidden code somewhere I am not seeing yet.

dazza_dog
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: My Joomla Web site is Hacked

Post by dazza_dog » Fri Aug 15, 2008 5:41 pm

res_q_pilot6969 wrote:Question for someone. Is there a way to scan the files on my website and compare them to unaffected joomla files? I cant find any new folders or scripts in my index.php files but they could have hidden code somewhere I am not seeing yet.
Most FTP programs allow some sort of file comparison so you could try one of these
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .

elmarkitse
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sun Jun 08, 2008 11:55 am

Re: My Joomla Web site is Hacked

Post by elmarkitse » Fri Aug 15, 2008 5:46 pm

res_q_pilot6969 wrote: Question for someone. Is there a way to scan the files on my website and compare them to unaffected joomla files? I cant find any new folders or scripts in my index.php files but they could have hidden code somewhere I am not seeing yet.
You can also do this in a quick way by looking for the date of the last modification of a file...although there are certainly a lot of them.

One thought to toss out there ... If I do a comparison between my server logs, focusing on POST events, and then go track down those specific files and replace them, should that cover the majority of whats been edited by an end user exploiting this recent security issue? I'm just going to do a fresh install of 1.5.6 and port over the DB, but I plan on moving some secondary files over as well and would prefer not to port in some junk left behind to re-open closed doors.

nthadmins
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Wed May 28, 2008 2:59 pm
Location: Massachusetts, USA

Re: My Joomla Web site is Hacked

Post by nthadmins » Fri Aug 15, 2008 6:15 pm

>:(
Please make sure you read and keep up with security announcements, the code was secured, hours after it was reported.
Please be smart about how you (Joomla.org) handle these incidents. :-\
Wouldnt it make more sense to patch it, THEN announce the security flaw?
A clever hacker watches the Joomla site for security flaw announcements too.
He just needs to be faster than the Patch makers and the Joomla CMS administrators. Until then he has a field day attacking multiple sites.
Each time this happens, the reputations of IT people around the world suffer (I wonder how many even lose their jobs)
Each time this happens some potential Joomla administrator decides to go with another CMS
It does not seem to me that the decision-makers at Joomla are as clever as the hackers and vandals. :-[

User avatar
nickn5
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 125
Joined: Fri Aug 08, 2008 9:37 pm
Location: Wales, UK

Re: My Joomla Web site is Hacked

Post by nickn5 » Fri Aug 15, 2008 6:19 pm

To be fair, at least to the forum mods anyway, I noticed one or two threads that people started about the security flaw and how to 'test it' were VERY promptly removed, until the patch came out. Can't speak about the main site as I don't tend to look at it so often... :-[

N. :)
http://www.nicspics.eu - Photo Galleries, Reviews and Articles (Site in development)

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: My Joomla Web site is Hacked

Post by ircmaxell » Fri Aug 15, 2008 6:22 pm

nthadmins wrote: Please be smart about how you (Joomla.org) handle these incidents. :-\
Wouldnt it make more sense to patch it, THEN announce the security flaw?
A clever hacker watches the Joomla site for security flaw announcements too.
He just needs to be faster than the Patch makers and the Joomla CMS administrators. Until then he has a field day attacking multiple sites.
Each time this happens, the reputations of IT people around the world suffer (I wonder how many even lose their jobs)
Each time this happens some potential Joomla administrator decides to go with another CMS
It does not seem to me that the decision-makers at Joomla are as clever as the hackers and vandals.
Before you go bashing us, you should get your facts straight.

We had released 1.5.6 before we officially (publically) aknowledged a flaw. Infact, we kept the forums clean of anything that stated a vulnerability while we were working on 1.5.6. What they are refering to, is another site whom origionally announced the vulnerability BEFORE we even knew about it (that's how we found out).

http://developer.joomla.org/coordinator ... about.html

Now, If it was a misunderstanding, that's fine... If you really have a problem with how we handled it, I suggest you try to find another software vender (open source, or not) of half the size of Joomla who has anywhere NEAR such a fast response time... We bust our rear ends to keep this product as good as we possibly can. Most times, yes there is SIGNIFICANT room for improvement. However, in this case, given the circumstances we were operating under, I think to expect anything "better" is lunacy...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

nthadmins
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Wed May 28, 2008 2:59 pm
Location: Massachusetts, USA

Re: My Joomla Web site is Hacked

Post by nthadmins » Fri Aug 15, 2008 6:40 pm

Before Joomla apologists complain that I am bashing Joomla please read (and quote) my entire post .
You conveniently left out what I was responding to:
Please make sure you read and keep up with security announcements, the code was secured, hours after it was reported.
This was written by a member of the Joomla! Core Team, Sites & Infrastructure.
I had no idea what he was referring to when he said
hours after it was reported
?

I thought his tone was obnoxious and what he said, if understood the way it was said, shows great lack of judgement on the part of the Joomla Core Team. :laugh:
Last edited by nthadmins on Fri Aug 15, 2008 6:49 pm, edited 1 time in total.

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: My Joomla Web site is Hacked

Post by ircmaxell » Fri Aug 15, 2008 6:47 pm

nthadmins wrote:
Please make sure you read and keep up with security announcements, the code was secured, hours after it was reported.
This was written by a member of the Joomla! Core Team, Sites & Infrastructure.
Is he lying?
I think you are mis-reading that quote... basically, imagine after "reported" the words "to us"... so
"the code was secured, hours after it was reported to us"... We didn't report the vulnerability until after we fixed it...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

nthadmins
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Wed May 28, 2008 2:59 pm
Location: Massachusetts, USA

Re: My Joomla Web site is Hacked

Post by nthadmins » Fri Aug 15, 2008 6:56 pm

Youŕe right, ircmaxell, I misunderstood his quote.
I have no plans of leaving Joomla but Joomla might be leaving me.The thing about losing a job was mentioned to me this week as a possibility by my supervisor. In addition to keeping vigilant about patches, I am going to try to go over and above Joomla to server and network security to cut down the odds of this happening again. ;)
I apologise to the Joomla Team for what I said.

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: My Joomla Web site is Hacked

Post by ircmaxell » Fri Aug 15, 2008 7:10 pm

nthadmins wrote:I apologise to the Joomla Team for what I said.
It's not a problem. I just don't want people getting the wrong idea about how things are handled... ;-)
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

bugfixed
Joomla! Apprentice
Joomla! Apprentice
Posts: 27
Joined: Mon Oct 02, 2006 7:15 pm
Location: Turkey
Contact:

Re: My Joomla Web site is Hacked

Post by bugfixed » Fri Aug 15, 2008 9:54 pm

Joomla is have horrible codes. :eek:

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13291
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: My Joomla Web site is Hacked

Post by brad » Fri Aug 15, 2008 10:14 pm

bugfixed wrote:Joomla is have horrible codes. :eek:
So does any other CMS, operating system, other php scripts, programs.. etc etc.. they all have security updates that are released at times.

It's crazy that this exploit was fixed 3 hours after it was discovered and yet you are still unhappy.
Brad Baker
https://xyzuluhosting.com
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

bugfixed
Joomla! Apprentice
Joomla! Apprentice
Posts: 27
Joined: Mon Oct 02, 2006 7:15 pm
Location: Turkey
Contact:

Re: My Joomla Web site is Hacked

Post by bugfixed » Sat Aug 16, 2008 10:16 am

A lot of..(cms ...) But this much not security risk... Joomla to disgust to me... my all joomla sites deleted today. >:( sorry but; joomla develepor and admins: to be dead on one's feet... thousands of sites hacked! check updates or patch everyday not follow, it is not possible!!!

sorry my english not enough.

User avatar
nickn5
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 125
Joined: Fri Aug 08, 2008 9:37 pm
Location: Wales, UK

Re: My Joomla Web site is Hacked

Post by nickn5 » Sat Aug 16, 2008 10:34 am

Sorry to hear it, but in reality, for example:

If a reputable (let's say, Xyz Corporation) hard drive fails suddenly in your server / computer, do you then tell everyone how rubbish Xyz Corporation is, or do you accept that things like this can happen, find your backup, buy a new drive and get on with things again?

No-one or no-thing can be perfect, you may be fed up that a Joomla flaw has caused problems, perfectly understandable, but to me the fact a patch came out so quickly gives me much more reassurance that it's much less likely to happen again (no-one likes egg on their face, even volunteers!). Whereas I could think, right, I'm going to use Drupal now, because I am fed up... what's to stop that CMS having a severe security flaw in the future, or any other CMS? Look at the billions and billions spent by Micro$oft on R&D, and they still get things wrong.

Regular backups are the answer to most of the problems caused by hardware and software... I have found.

N. :)
http://www.nicspics.eu - Photo Galleries, Reviews and Articles (Site in development)

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Sun Aug 17, 2008 2:00 am

I already know who and how my Joomla site was hacked.

The Hacker title "==References removed==" stands for the most notorious State Sponsored Hacker Agency of our time. ==References removed== is sponsored by ==References removed== state to criminalize the WWW with their activities that classified and unclassified suppositely damaging the image of ==References removed== state. The ==References removed== state sponsors these sort of Cyber Criminal activities and undermine the free world.

Hacker groups ==References removed== are all part of the ==References removed== hacker trademark. They will hack a site and modify the html code to display that the site was hacked by the ==References removed==. It attacks hundreds of web pages on daily bases and leave behind enough traces to be bale to bring them to justice by those who values freedom of speech. ==References removed== is new age Criminal e-gang group employed and paid by Turkish State.

Read more on the weblog which I have created for this Criminal act

==References removed==

The question is whether all the core developer community are in trusted circle? Are you sure the information does not leak for any reasons?

beachgeek
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Aug 17, 2008 4:49 am

Re: My Joomla Web site is Hacked

Post by beachgeek » Sun Aug 17, 2008 5:03 am

All software that connects to the internet can be hacked and are on a daily basis.
Windows, apache, linux, joomla, ecommrce software like CRE Loaded, OScommerce and others are all vulnerable to being hacked at any time whether it is a security hole in the software or poor practices by the admin of the site or just plain good hacking (or bad depending on how you look at it).

Joomla has good code and is very well organized and furthermore if you had site deleted and do not have backed up copies of each then that is poor administration on your part but not the fault of Joomla by any stretch.

My only complaint is that I would like to have seen an email notification of this from Joomla. Normal software updates are one thing but a major security flaw is another and should have warranted an email to all registered Joomla users and affiliates of Joomla.

My site was hacked and was put into maintenance mode with the site title and maintenance message changed to something goofy and obscene about no more war and f*** Russia by someone in turkey with an msn email address. Small inconvenience for me and maybe lost a few onlookers today but hopefully not much business??

So in short Joomla is great software and a security hole is unfortunate but it was dealt with quickly so I have no complaints other than my previous mentioning that there should have been a high priority email sent to all registered users and the affiliates who would have notified their users too.

Remember the first rule to Information Technology; BACKUP, BACKUP, BACKUP and then BACKUP again :-)

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13291
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: My Joomla Web site is Hacked

Post by brad » Sun Aug 17, 2008 5:34 am

If you had subscribed to the security announcement forum you would have received an email. That being said, we have a better solution we should be able to announce this week.
Brad Baker
https://xyzuluhosting.com
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

beachgeek
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Aug 17, 2008 4:49 am

Re: My Joomla Web site is Hacked

Post by beachgeek » Sun Aug 17, 2008 7:21 am

Didn't know that but nice to know now and it should be for any user not just those in the security forums besides I was defending you not putting you down...

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Sat Aug 30, 2008 7:00 pm

Why would someone remove the reference to the hacking of site

http://kirmansha.[URL banned].com/

What kind of harm this might do to your community to let people know what sort of criminal activities is out there.

I think all vulnerable software as such should work toward auto updating technology where Super Admin of the site accept remote critical updating from Joomla server. This way you will be able to secure the system and there is no need for announcement.

Chris B
Joomla! Explorer
Joomla! Explorer
Posts: 356
Joined: Tue Jun 13, 2006 4:50 am

Re: My Joomla Web site is Hacked

Post by Chris B » Sat Aug 30, 2008 7:25 pm

I found myself getting more and more annoyed as I read this thread. Who do some people think they are!?

Joomla staff and moderators have a reason to watch how they speak to people on here...I dont. If you have a problem with Joomla and you "think" its unsecure, simple answer. P*ss off and use something else. The developers of joomla have spent years developing it and distributing it to people for free, and because people dont maintain their own site, they come on Joomlas forum and suggest that they are to blame!

I visit joomlas website on a daily basis to check for updates, because I AM responsible for the keeping my site secure, and the Joomla team are kind hearted and dedicated enough to issue security updates when they are required.

If you dont look after your own website you are a fool, and you have zero reason to even mention on this forum that your website was hacked, let alone demand things from people!

koyauni
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Oct 12, 2007 11:55 am

Re: My Joomla Web site is Hacked

Post by koyauni » Sat Aug 30, 2008 9:38 pm

Chris
Most of open source work is done by dedication of developer and the right attitude in interaction with users. I am not so sure why you should be P**s off by feedback you get on this occasion. No one say you have done a bad job, but people have the right to question things. Your tune of anger create more frustration in this case and does not help anyone.

I run 9 different projects and I had only one on Joomla. The rest is based on Drupal. Since the day my only Joomla site was hacked I decided to move the site to Drupal. I think the Open Source community contribute a great deal to humanity around the world, Whether it is Linux, Obunto, Joomla, Durpal or etc. This shows the love of people with right attitude and dedication to sophisticated goals in their life, and people like me thank them to be around to help me reach my audience. But non of this means that I should not have suggestion, and constructive feedback.

You are right your work is free and but you are wrong in thinking people should take it or leave it. It is hard to believe that this is kind of message you want to send to millions of peoples depending on your technology.

GOOD LUCK with your hard work

karimlo
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Sun Mar 23, 2008 4:28 pm

Re: My Joomla Web site is Hacked

Post by karimlo » Sat Aug 30, 2008 11:49 pm

Hi, I want to share with you some pieces of info since I have about 8 sites running Joomla. Some 1.5.6, but some still await upgrade.
All the websites running Joomla have been hacked as early as even 2 weeks after being setup...
that is not good news, but since I love Joomla and since I am stuck with it for some websites anyways - because of my host not willing to interveen in anyways in this issue (Joomla Third party song track...) - I figured out some things.

I just identfied the folder that my most annoying attack (joomla 1.5.6) has been targeting. The "component/com_jce/"
these guys installed some backdoor files and took it easy by attacking anytime they want even after, me, going in that cpanel changing my passwords 12 times in less than 7 days...
Anyways.. Here is the description of the issue I found on some website.
---------------------------------------------------------------------------
Synopsis : The remote web server contains a PHP script that is affected by multiple local file include issues. Description : The installation of Joomla on the remote host includes a third-party component, the JCE Admin component, that fails to sanitize input to the 'plugin' and 'file' parameters before using it in the 'components/com_jce/jce.php' script to include PHP code. Regardless of PHP's 'register_globals' setting, an unauthenticated attacker may be able to leverage these issues to view arbitrary files or to execute arbitrary PHP code on the remote host, subject to the privileges of the web server user id. In addition, the component is also reportedly affected by multiple cross-site scripting vulnerabilities involving other parameters to the same script. Solution : Unknown at this time. Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
---------------------------------------------------------------------------
I am planning on deleting these files the guy posted and I will restore them, but what is com_jce ?
I also have th files in case someone wants to preview them, but it has to be the security team or something, I don't want to release these files knowing that they may harm somebody...

Guys how do we secure our sites, this is becoming very serious since as webmasters we rely on your system and components to make things happen. I am now reluctant in running Joomla for serious projects. Guys from Drupal are not having these issues...

Thanks

beachgeek
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Aug 17, 2008 4:49 am

Re: My Joomla Web site is Hacked

Post by beachgeek » Sun Aug 31, 2008 4:21 am

Hey Chris,

I wasn't complaining about Joomla but defended Joomla..

I run a lot of sites and don't have time to check every day to see if there are security fixes for the software. When there is a known exploit I expect and depend on the software company to be responsible and send out a notice to all registered users of their software with the link to the patch or to notify of the issue(s).
That goes for any software whether open source or otherwise and having been on the other side of it all it can and is done and should be done.

If you take anything here personally then you need to get a reality check and some perspective and grow up a little because nothing here is meant to anyone personally at all.

The software business is a serious business and important especially when it is internet related and I am sure Joomla can handle any criticism it might receive and hopefully improve based on any real constructive criticism and suggestion that come their way. They probably expect it too and are not one of the number one OS projects because they are big babies and whine when someone criticizes their methods or some part of their organization.

So lighten up a bit and if you disagree then respond accordingly with some constructive criticism or suggestions or solutions of your own.

Take care,

C


Locked

Return to “Security in Joomla! 1.5”