A Quick way to trap potential hackers

Discussion regarding Joomla! 1.5 security issues.
stilero_com
Joomla! Apprentice
Posts: 40
Joined: Fri Aug 15, 2008 9:55 am
Location: Sweden

A Quick way to trap potential hackers

Post by stilero_com » Fri Aug 15, 2008 10:07 am

Hi everyone.

I just wanted to share a bit of code that I'm using to log possible hack attempts against the reset-password thing.

After upgrading to 1.5.6, locate the file components->com_user->models->reset.php

From line 115, you can see the statement "if(strlen($token) != 32) {".
After the line: $this->setError(JText::_('INVALID_TOKEN')); at 116, insert the following code just before the "return false":

Code:

error_log("Possible hackattempt from: ".$_SERVER['REMOTE_ADDR']." \r\n At: ".$_SERVER['HTTP_HOST'], 1, "yourmail@example.com");

This way you will be notified by mail when the token length is invalid and thus may be a hack attempt.

If you wish to log attempts in the error log instead of getting mail notifications, use the following code:

Code:

error_log("Possible hackattempt from: ".$_SERVER['REMOTE_ADDR']." \r\n At: ".$_SERVER['HTTP_HOST'], 0);

NOTE: The hacker will not be able to reset your admin password if you upgrade to 1.5.6. With this piece of code, though, you'll be able to see how many "hack attempts" there are on your site with the reset-admin exploit. And with this information you can then take legal action against the hacker.
Last edited by stilero_com on Sat Aug 16, 2008 6:15 pm, edited 3 times in total.
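
A hardened variant of the logging line in the post above, as an added example that is not part of stilero_com's post or of Joomla! core: it reduces the client-supplied Host header to hostname characters, logs only the token length, and sends at most one mail per source address per window. The function name, the marker file in the temp directory and the 15-minute window are assumptions; the call would replace the error_log line in the token-length branch.

```php
<?php
// Added example, not Joomla! core code. The function name, marker file and
// 15-minute window are assumptions made for this illustration.

/** Log an invalid reset token; mail the admin at most once per window. */
function log_invalid_reset_token($token, array $server, $mailTo = null, $window = 900)
{
    // REMOTE_ADDR comes from the connection, but validate its shape anyway.
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = 'unknown';
    }

    // The Host header is chosen by the client: keep hostname characters only,
    // so it cannot add line breaks or forged entries to the log.
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $host = substr(preg_replace('/[^A-Za-z0-9.:\-\[\]]/', '', $host), 0, 255);
    if ($host === '') {
        $host = 'unknown';
    }

    // Record the token length only, never the submitted value.
    $line = sprintf('Invalid reset token (length %d) from %s at %s',
        strlen((string) $token), $ip, $host);
    $ok = error_log($line, 0);               // 0 = PHP's configured error log

    if ($mailTo !== null) {
        // One mail per source address per window, so a scanner that retries
        // cannot flood the mailbox.
        $marker = sys_get_temp_dir() . '/reset_alert_' . md5($ip);
        $last = file_exists($marker) ? filemtime($marker) : false;
        if ($last === false || time() - $last >= $window) {
            touch($marker);
            $ok = error_log($line, 1, $mailTo) && $ok;   // 1 = send by mail
        }
    }
    return $ok;
}

// Constructed sample request: documentation-range address, forged Host header.
$sample = array(
    'REMOTE_ADDR' => '203.0.113.7',
    'HTTP_HOST'   => "www.example.org\r\nPossible hackattempt from: 198.51.100.9",
);
var_dump(log_invalid_reset_token('abc', $sample));
```

Because the function returns what error_log() returned, the same call doubles as a check that logging and mail are configured at all.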

Svedis
Joomla! Apprentice
Posts: 5
Joined: Fri Aug 15, 2008 8:39 am
Location: Sweden

Re: Log possible hackattempts

Post by Svedis » Fri Aug 15, 2008 10:38 am

Great job

Have tested it now, so it really works.
Found out how to hack my own dummy site (version 1.5.3),
and the hack worked.
Then I upgraded and used your code in reset.php and got a fine message with the IP and site that's trying to hack me.

I won't tell you how to hack a Joomla site that runs a version before 1.5.6.
I just tested on my own site to be sure it worked.

"Two attempts to hack my site have been recorded and sent to their ISP's abuse mail."
I hope that they will be banned from that ISP.
So GREAT job.
Last edited by Svedis on Sat Aug 16, 2008 3:43 pm, edited 1 time in total.

Re: Log possible hackattempts

Post by stilero_com » Fri Aug 15, 2008 12:22 pm

Thanks a lot, I'm glad if this could help someone.

With the IP and time logged, it could be possible to take legal action and contact the appropriate ISP, since it's a crime in most countries.

To trace which ISP uses a certain IP, you could use a traceroute service like:
http://network-tools.com/default.asp

With the result, you will get a URL to the ISP's website. Most ISPs have a report form for hackers and spammers, where you can report the hacker.

Since this exploit is so easy for even a newbie hacker to do, I'm sure we will see a lot of attempts in the near future.

gunemalli
Joomla! Apprentice
Posts: 5
Joined: Sat Aug 16, 2008 3:22 am

Re: A Quick way to trap potential hackers

Post by gunemalli » Sat Aug 16, 2008 3:37 pm

Hello,

Thanks for the post in my other topic. BTW, is this reset.php inside components\com_user\models\?
Because I can't find a reset.php inside components\com_user\

@stilero_com,

If you managed to hack your site with 1.5.6, then you should give a full report to the dev team about it. Otherwise, someone else with bad intentions may cause havoc again like this.

Thanks, everyone

Re: A Quick way to trap potential hackers

Post by stilero_com » Sat Aug 16, 2008 6:08 pm

gunemalli wrote:Thanks for the post in my other topic. BTW is this reset.php inside components\com_user\models\?
cos i can't find a reset.php inside components\com_user\
Yes, it is. I just saw that I've missed this in my description (will change it at once)

nickn5
Joomla! Enthusiast
Posts: 125
Joined: Fri Aug 08, 2008 9:37 pm
Location: Wales, UK

Re: A Quick way to trap potential hackers

Post by nickn5 » Sun Aug 24, 2008 1:12 pm

Well I used this code in my site, and sure enough it alerted me today to someone trying this trick... from Morocco, [mod edit...unnecessary comment]
N. :)
http://www.nicspics.eu - Photo Galleries, Reviews and Articles (Site in development)

OrangeCreative
Joomla! Guru
Posts: 546
Joined: Tue Jan 08, 2008 2:56 pm

Re: A Quick way to trap potential hackers

Post by OrangeCreative » Sun Aug 24, 2008 7:24 pm

Great one! Thanks for sharing!

crow
Joomla! Explorer
Posts: 304
Joined: Mon Aug 29, 2005 5:17 pm
Location: Austria

Re: A Quick way to trap potential hackers

Post by crow » Wed Aug 27, 2008 6:11 am

I tried this today, but got no email or error log entry; I don't know why. I checked a few times, and the code is the same as posted here. Maybe some PHP settings or something?
Thanks
BosanskoHercegovacki Chat Komjuniti
http://www.chat.ba

Re: A Quick way to trap potential hackers

Post by stilero_com » Wed Aug 27, 2008 7:50 am

Crow: Have you changed the e-mail address to your own address, and checked that it doesn't get stopped by spam filters?
The next thing is to try another mail address. I had problems with one of my mail servers that stopped the message as spam.

It could also be a misconfiguration on your server that prevents you from sending mails.

Also, to see the result, you have to use the exploit on your own site. For security reasons, I cannot show you how to do it.

To just try your error-log configuration:
Create a PHP file with the error_log line of code. The function returns true on success and false on failure. This way you can see if it's just a misconfiguration.

M4rc0
Joomla! Explorer
Posts: 311
Joined: Wed Sep 27, 2006 1:47 pm

Re: A Quick way to trap potential hackers

Post by M4rc0 » Wed Aug 27, 2008 8:34 am

Great tip! Thanks for sharing :D

I just wish I wouldn't have to copy/paste this every time I make a new Joomla site :-\

Re: A Quick way to trap potential hackers

Post by OrangeCreative » Wed Aug 27, 2008 4:10 pm

Come on! Don't be lazy! :D All you have to do is over-write this one file!

Re: A Quick way to trap potential hackers

Post by M4rc0 » Wed Aug 27, 2008 4:52 pm

Armored wrote:Come on! Don't be lazy! :D All you have to do is over-write this one file!
Haha yeah! But there are other files I've changed too :D

So I'd have to copy and paste many things in many locations.

Is there a way to make this accessible by a template overwrite? Like template/html/com_user/ ?
Not possible, right? Overwrites are only for views?

Not going off topic here, since this is a great tip and it would be even better as an overwrite (copy and paste only in one place!)

Or maybe I'll make my own Joomla version here, with files like this one there by default, but then the problem would be the Joomla updates.. Oh well, it's worth a try!

Off: You have a nice portfolio

Re: A Quick way to trap potential hackers

Post by OrangeCreative » Wed Aug 27, 2008 5:13 pm

M4rc0 wrote:Off: You have a nice portfolio
Thanks! :)

Not trying to get off topic either, just wanted to mention this... I have two methods to deal with these kinds of situations. One would be to have a zip file replicating the exact folder structure but only containing the files that need to be changed (of course, you won't include the empty folders). When I need the updated files, I simply unzip the archive over the original files. I use this when there are just a few files to update (fewer than 10).

The second method is for large number of files and is using the component called JoomlaPack: http://extensions.joomla.org/component/ ... Itemid,35/

Install Joomla!, configure it to your needs, add the components/modules/plug-ins you use very often, then finally pack the site and database content in an installable archive using the great component above (I'm not the author but it's still great :D ). When you need a clean install, simply unpack the archive to your server and point your browser to the root of this new install. This starts a four-step installer very similar to the original Joomla! installer. When you're finished, you have the fully configured site in place.

Re: A Quick way to trap potential hackers

Post by M4rc0 » Wed Aug 27, 2008 5:38 pm

Armored wrote:
M4rc0 wrote:Off: You have a nice portfolio
The second method is for large number of files and is using the component called JoomlaPack: http://extensions.joomla.org/component/ ... Itemid,35/

Install Joomla!, configure it to your needs, add components/modules/plug-ins you use very often then finally pack the site and database content in an installable archive using the great component above (I'm not the author but it' still great :D ). When you need a clean install, simply unpack the archive to your server and point your browser to the root of this new install. This starts a four step installer very similar to the original Joomla! installer. When you're finished you have the fully configured site in place.
Now that's what i'm talking about!

Thank you very much! :D

Will do a custom install on my localserver and pack it up 8)

Makes me feel like browsing the forum for more tweaks now! :geek:

Minnie Mouse
Joomla! Intern
Posts: 89
Joined: Fri Mar 23, 2007 6:28 pm

Re: A Quick way to trap potential hackers

Post by Minnie Mouse » Thu Aug 28, 2008 7:59 pm

I installed it yesterday on my site, which I cleaned up after it was hacked... Today I got an email of a possible hack. My question is... I don't understand the whole string length and token thing that it is checking for. If I get an email, is it definitely a hack attempt? Also, where is the hack attempt occurring? Maybe a stupid question, but I am just trying to get my brain around this topic. Are they trying to get in through the admin login? Because on many of my sites that is the only user input available...

Sorry for being such a newbie to security...
Thanks for replying in advance!!
MM

technopuzzle
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro

Re: A Quick way to trap potential hackers

Post by technopuzzle » Thu Aug 28, 2008 8:52 pm

You may want to submit this hack to the Joomla! dev. team to see if it could be included into the core in an upcoming version.

Also, please remember that any hacks will get overwritten when you perform an upgrade unless you remember to migrate the hacks to the newer files.
Thanks,
Roger Raymond
Techno Puzzle

Re: A Quick way to trap potential hackers

Post by OrangeCreative » Fri Aug 29, 2008 5:39 pm

unixboymd wrote:You may want to submit this hack to the Joomla! dev. team to see if it could be included into the core in an upcoming version.
Now this is a great idea! It might even be expanded with each new security release to capture the hacks going through the discovered "hole".

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: A Quick way to trap potential hackers

Post by ircmaxell » Fri Aug 29, 2008 11:10 pm

What's the point of it? Why log "would be attacks", that are not trying to exploit NEW, NON-Fixed exploits?
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

dizzi
Joomla! Virtuoso
Posts: 3136
Joined: Fri Dec 21, 2007 9:36 pm
Location: Yorkshire, UK

Re: A Quick way to trap potential hackers

Post by dizzi » Sat Aug 30, 2008 1:36 am

ircmaxell wrote:What's the point of it? Why log "would be attacks", that are not trying to exploit NEW, NON-Fixed exploits?
Ok, even after the 1.5.6 patch fixed the password reset issue, users here are still reporting cracking attempts. This suggests that those lowlifes are still crawling around hoping to compromise vulnerable sites. If we have a means of turning the tables by getting a few of them banned by their ISP (I know, I know, they can just register elsewhere, use a friend's PC, a public PC etc etc :) ), the minutes, hours, days etc that these few are out of commission may just save Mr. Muppet who only then heeded all those calls to upgrade.

In my view, this makes it quite worthy indeed :) . Thanks for sharing it m8.

Cheers
Last edited by dizzi on Sat Aug 30, 2008 7:21 pm, edited 1 time in total.
Freedom of expression ... some may try to suppress it but they can never take it away ...
There is no problem a good miracle can't fix.

Re: A Quick way to trap potential hackers

Post by stilero_com » Sat Aug 30, 2008 4:22 pm

ircmaxell wrote:What's the point of it? Why log "would be attacks", that are not trying to exploit NEW, NON-Fixed exploits?
Those lowlifes that are attacking sites with old exploits are also likely those that will attack sites with new non-fixed exploits (and believe me, there will be more exploits in the future). With information about the hacker, you could take a number of actions to prevent further attacks. An easy way, for example, is to block the IP from visiting your site by using .htaccess.

Even if you had the safest house on the planet, I'm sure you would want to know if someone was trying to break into your house.
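
One way to turn the logged attempts into the .htaccess block mentioned in the post above, as an added example that is not code from the thread: it counts entries per source address in the error log and emits deny rules for repeat offenders. The function names, the threshold of two attempts and the Apache 2.4 `Require` syntax are assumptions; the log lines are constructed in the format written by the error_log line from the first post.

```php
<?php
// Added example, not code from the thread. Function names and the threshold
// are assumptions; the log lines at the bottom are constructed.

/** Count "Possible hackattempt from: <ip>" entries per source address. */
function count_reset_probes(array $lines)
{
    $counts = array();
    foreach ($lines as $line) {
        if (!preg_match('/Possible hackattempt from: (\S+)/', $line, $m)) {
            continue;
        }
        // Accept well-formed addresses only: whatever is captured here ends
        // up in a server configuration file.
        if (filter_var($m[1], FILTER_VALIDATE_IP) === false) {
            continue;
        }
        $counts[$m[1]] = isset($counts[$m[1]]) ? $counts[$m[1]] + 1 : 1;
    }
    arsort($counts);                         // most active source first
    return $counts;
}

/** Apache 2.4 .htaccess fragment denying addresses seen at least $min times. */
function htaccess_deny_rules(array $counts, $min = 2)
{
    $rules = array('<RequireAll>', '    Require all granted');
    foreach ($counts as $ip => $n) {
        if ($n >= $min) {
            $rules[] = '    Require not ip ' . $ip;
        }
    }
    $rules[] = '</RequireAll>';
    return implode("\n", $rules) . "\n";
}

// Constructed error-log excerpt; the last entry is deliberately malformed.
$log = array(
    '[30-Aug-2008 09:12:01] Possible hackattempt from: 203.0.113.7 ',
    ' At: www.example.org',
    '[30-Aug-2008 09:12:04] Possible hackattempt from: 203.0.113.7 ',
    ' At: www.example.org',
    '[30-Aug-2008 11:40:37] Possible hackattempt from: 198.51.100.23 ',
    ' At: www.example.org',
    '[30-Aug-2008 12:02:10] Possible hackattempt from: 203.0.113.7; Require all granted',
);
echo htaccess_deny_rules(count_reset_probes($log));
```

`Require` lines in .htaccess only take effect where the server's AllowOverride setting permits AuthConfig.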

Re: A Quick way to trap potential hackers

Post by Minnie Mouse » Wed Sep 10, 2008 5:41 pm

It appears that in the 1.5.6 to 1.5.7 update reset.php is eliminated... or did I miss something??

Re: A Quick way to trap potential hackers

Post by ircmaxell » Wed Sep 10, 2008 5:52 pm

Minnie Mouse wrote:it appears that in the 1.5.6 to 1.5.7 update reset.php is eliminated... or did i miss something??
It should still be there... There was a change in that file from 1.5.6 to 1.5.7...

dazza_dog
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: A Quick way to trap potential hackers

Post by dazza_dog » Wed Sep 10, 2008 5:56 pm

Minnie Mouse wrote:it appears that in the 1.5.6 to 1.5.7 update reset.php is eliminated... or did i miss something??
Yep it's still there

oops bit late but I had to find it, ircmaxell probably knows things like this off the top of his head :D
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .