What happened? All users suddenly have the username "admin"

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

alexlxprod
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 24, 2012 8:05 am

What happened? All users suddenly have the username "admin"

Post by alexlxprod » Tue Jul 24, 2012 8:12 am

Please advise. Suddenly all users in the jos_table have the username admin.

Has my site been compromised? I'm running 1.5.26 and VirtueMart 1.1.8.

Should I delete all the registered users? And how can I prevent this in the future?

Please advise.

pe7er
Joomla! Master
Posts: 23533
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: What happened? All users suddenly have the username "adm

Post by pe7er » Tue Jul 24, 2012 8:21 am

Welcome to Joomla forum!

How would you define "Suddenly"?
Did you install any extensions, or any other admin related work (e.g. change one username yourself),
and afterwards all usernames have been changed?

Do you have access to the Apache server logs?

Do you use any other 3rd party extensions?

Your Joomla is the latest release in the 1.5.x series.
But your VirtueMart version is old. There are newer versions available, even a security release...
Upgrading (after creating a back-up) is recommended.
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

mandville
Joomla! Master
Posts: 15091
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: What happened? All users suddenly have the username "adm

Post by mandville » Tue Jul 24, 2012 8:31 am

I would say that the version of VirtueMart you are using is very out of date: http://virtuemart.net/downloads/
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

alexlxprod
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 24, 2012 8:05 am

Re: What happened? All users suddenly have the username "adm

Post by alexlxprod » Tue Jul 24, 2012 8:34 am

Hoi Peter,

I see you're Dutch but I'll keep posting in English.

No, with suddenly I mean we haven't changed anything in months.
In the log files I can't see anything regarding injections.
I'll try updating VirtueMart.

pe7er
Joomla! Master
Posts: 23533
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: What happened? All users suddenly have the username "adm

Post by pe7er » Tue Jul 24, 2012 9:39 am

alexlxprod wrote:I see you're Dutch but I'll keep posting in English.
How can you see that I am Dutch? Maybe I just live there... or did I use Dutch words in my English posts again ;)
Yes, thanks for posting in English in the English forum.
alexlxprod wrote:No, with suddenly I mean we haven't changed anything in months.
In the log files I can't see anything regarding injections.
I'll try updating VirtueMart.
Updating is a good idea, but it doesn't solve your problem with the "admin" usernames (and maybe with a compromised website)...
See also http://docs.joomla.org/Category:Security_Checklist

How many users do you have?

Could you check if the passwords of those accounts with username "admin" are also all the same (if the MD5 hashes look similar)?
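The check pe7er asks for above, as an added example that is not part of the forum post or of Joomla: it builds a throw-away SQLite copy of a jos_users table with constructed rows and runs two plain SQL queries that work unchanged against MySQL. The first lists usernames shared by more than one row; the second lists identical password values. Joomla 1.5 stored the password column as hex md5(plaintext + salt), a colon, and a 16-character random salt, so two accounts that share the whole column value cannot have been created normally, which is what "if the MD5 hashes look similar" is really testing. The hash format is the real 1.5 scheme; the sample rows and the short list of candidate plaintexts tried against a shared hash are assumptions.

```python
"""Check a Joomla 1.5 jos_users table for the mass-overwrite pattern in
this thread: every row carrying the same username, and possibly the same
password hash.

Added example, not code from the forum post or from Joomla. The rows are
constructed; the two SELECTs are plain SQL that run unchanged on MySQL.
The hash format (hex md5(plaintext + salt), ':', salt) is the real
Joomla 1.5 scheme; the candidate password list is an assumption.
"""
import hashlib
import sqlite3


def joomla15_hash(password: str, salt: str) -> str:
    """Build a password column value the way Joomla 1.5 stored it."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


def joomla15_check(stored: str, candidate: str) -> bool:
    """True if `candidate` is the plaintext behind a stored 1.5 hash."""
    digest, _, salt = stored.partition(":")
    return hashlib.md5((candidate + salt).encode()).hexdigest() == digest


# Constructed sample: the original Super Administrator keeps its own hash;
# three registered users were rewritten to username "admin" with one
# shared hash+salt. Real tables have hundreds of rows; the queries scale.
SAMPLE_ROWS = [
    (62, "Administrator", "admin", joomla15_hash("correct horse", "5Ae9LqPz7Xk0wRtb"), "Super Administrator"),
    (63, "Alice", "admin", joomla15_hash("admin", "Qm3vN8sD1kLp0xWe"), "Registered"),
    (64, "Bob", "admin", joomla15_hash("admin", "Qm3vN8sD1kLp0xWe"), "Registered"),
    (65, "Carol", "admin", joomla15_hash("admin", "Qm3vN8sD1kLp0xWe"), "Registered"),
]

# Usernames shared by more than one row, and how many distinct hashes they carry.
SHARED_USERNAME_SQL = """
SELECT username, COUNT(*) AS n, COUNT(DISTINCT password) AS distinct_hashes
FROM jos_users GROUP BY username HAVING COUNT(*) > 1
"""

# Identical hash+salt across rows: legitimately created users never collide on salt.
SHARED_HASH_SQL = """
SELECT password, COUNT(*) AS n, GROUP_CONCAT(id) AS ids
FROM jos_users GROUP BY password HAVING COUNT(*) > 1
"""


def load_sample(conn):
    """Create the minimal jos_users columns this check needs and load the sample."""
    conn.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT, "
                 "username TEXT, password TEXT, usertype TEXT)")
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)


def audit_users(conn):
    """Return (shared_usernames, shared_hashes) as lists of dicts."""
    conn.row_factory = sqlite3.Row
    names = [dict(r) for r in conn.execute(SHARED_USERNAME_SQL)]
    hashes = [dict(r) for r in conn.execute(SHARED_HASH_SQL)]
    return names, hashes


def guess_shared_password(stored, candidates=("admin", "password", "123456")):
    """Try a few obvious plaintexts against a shared hash (candidate list is an assumption)."""
    for c in candidates:
        if joomla15_check(stored, c):
            return c
    return None


def run_demo():
    """Load the constructed table and return the findings with a plaintext guess attached."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    names, hashes = audit_users(conn)
    for h in hashes:
        h["plaintext"] = guess_shared_password(h["password"])
    return names, hashes


if __name__ == "__main__":
    names, hashes = run_demo()
    for n in names:
        print(f"username {n['username']!r} on {n['n']} rows, {n['distinct_hashes']} distinct hashes")
    for h in hashes:
        print(f"hash shared by ids {h['ids']} -> plaintext guess: {h['plaintext']}")
```

On a live MySQL instance, run the two SELECT statements as they are against the real jos_users table (with your table prefix) before touching anything: the row counts and the id list tell you which accounts were rewritten, and a shared hash that resolves to a trivial plaintext means the attacker set a password they can log in with, so those accounts need to be locked or reset, not just renamed back.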

mandville
Joomla! Master
Posts: 15091
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: What happened? All users suddenly have the username "adm

Post by mandville » Tue Jul 24, 2012 11:46 am

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results

nom4da
Joomla! Fledgling
Posts: 1
Joined: Thu Sep 06, 2012 5:03 pm

Re: What happened? All users suddenly have the username "adm

Post by nom4da » Thu Sep 06, 2012 5:05 pm

alexlxprod wrote:Could you check if the passwords of those accounts with username "admin" are also all the same (if the MD5 hashes look similar)?
That did happen to me. Do you know what would be the cause?

mrelusive
Joomla! Apprentice
Posts: 24
Joined: Mon Oct 10, 2011 9:11 pm

Re: What happened? All users suddenly have the username "adm

Post by mrelusive » Sat Sep 08, 2012 12:46 pm

I have a Joomla 1.7.2 and today this also happened to me. And I don't have VirtueMart installed.
Does anybody have a solution for this problem, and an explanation why this happened?

pe7er
Joomla! Master
Posts: 23533
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: What happened? All users suddenly have the username "adm

Post by pe7er » Sat Sep 08, 2012 4:11 pm

mrelusive wrote:I have a joomla 1.7.2
Joomla 1.7.2 is outdated. Joomla 1.6 + 1.7 were short term support versions, and are no longer supported.
Please upgrade to the latest Joomla version in the 2.5 series = long term support version (which is Joomla 2.5.6: http://www.joomla.org/download.html ).
Possible bugs might have been solved in the meantime,
and it's a waste of time trying to solve issues that are caused because of non-updated software...

mrelusive
Joomla! Apprentice
Posts: 24
Joined: Mon Oct 10, 2011 9:11 pm

Re: What happened? All users suddenly have the username "adm

Post by mrelusive » Fri Oct 05, 2012 4:32 pm

My Joomla is now 2.5.7!
And today the problem appeared again.

First time every user got username: admin
Now every user got username: sec-w.com

So, the problem is not solved with updating.

Anyone with a solution, how to get the users back, and what is the cause?

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: What happened? All users suddenly have the username "adm

Post by PhilD » Mon Oct 08, 2012 6:07 am

Lacking is a posting of the generated results of the FPA script.

Also, the site issues posted are very likely to be from a hack that enables a bot or script to make these changes, or enables someone to access to make these changes.

Follow all of the info below to clean and repair these sites properly.
PhilD wrote:
Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla files that will be placed back on the website (such as, but not limited to, images, PDF files, files for download, and other documents) are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla. The FPA is written and maintained by the Joomla Security forum moderators.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
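Three items of the checklist above (permissions that are not 644/755, a configuration.php that is still writable, and stray files in places where only uploads belong) can be checked mechanically over a whole document root rather than by eye. The script below is an added example, not code from the post, from Joomla or from the FPA: it walks a tree and reports each of those conditions, plus any PHP file sitting under an upload or image directory, which is where dropped webshells usually land. The target modes are the ones the checklist states; the list of directory names treated as upload locations, the PHP extension list and the sample tree it builds in a temporary directory are assumptions made for the example.

```python
"""Audit a Joomla document root for the things PhilD's checklist says to
inspect by hand: permissions that are not 644/755, a writable
configuration.php, and PHP files planted under upload/image directories.

Added example, not from the forum post, from Joomla or from the FPA. The
target modes (644 files, 755 directories, read-only configuration.php)
come from the checklist; the set of directory names treated as upload
locations, the PHP suffix list and the sample tree built in a temp
directory are assumptions.
"""
import os
import stat
import tempfile

EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755
# Directories where Joomla core and extensions write uploaded content (assumption).
UPLOAD_DIR_NAMES = {"images", "uploads", "media", "tmp", "cache", "logs"}
PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php5", ".phar")


def audit_tree(root):
    """Walk `root` and return sorted (kind, relative_path, octal_mode) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if dir_mode != EXPECTED_DIR_MODE:
            findings.append(("dir_mode", rel_dir, oct(dir_mode)))
        in_upload_dir = any(part in UPLOAD_DIR_NAMES for part in rel_dir.split(os.sep))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if name == "configuration.php":
                if mode & 0o222:          # any write bit set: not the read-only 444 the checklist wants
                    findings.append(("config_writable", rel, oct(mode)))
            elif mode & stat.S_IWOTH:     # 666/777: any local user or exploited process can edit it
                findings.append(("world_writable", rel, oct(mode)))
            elif mode != EXPECTED_FILE_MODE:
                findings.append(("file_mode", rel, oct(mode)))
            if in_upload_dir and name.lower().endswith(PHP_SUFFIXES):
                findings.append(("php_in_upload_dir", rel, oct(mode)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample tree: clean files plus three planted problems."""
    def put(rel, mode, content=b"<?php echo 'ok';\n"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)

    put("index.php", 0o644)
    put("configuration.php", 0o644)                   # should be 444
    put("images/stories/logo.png", 0o644, b"\x89PNG\r\n")
    put("components/com_content/controller.php", 0o644)
    put("administrator/components/com_example/images/uploads/rc.php", 0o644)  # hypothetical dropped shell
    put("templates/beez/index.php", 0o777)            # defacement target left world-writable
    for dirpath, _d, _f in os.walk(base):             # directories themselves are clean
        os.chmod(dirpath, EXPECTED_DIR_MODE)


def run_demo():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_tree(base)


if __name__ == "__main__":
    for kind, rel, mode in run_demo():
        print(f"{kind:18} {mode}  {rel}")
```

Run `audit_tree("/home/<account>/public_html")` as the site owner; anything reported as php_in_upload_dir that you did not put there yourself is evidence, so copy it out for analysis before deleting it, and treat a world_writable hit on a template index.php the way the checklist treats every file: replace it from a fresh download rather than trying to clean it.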

sinkarna
Joomla! Fledgling
Posts: 1
Joined: Thu Mar 17, 2011 5:50 pm

Re: What happened? All users suddenly have the username "adm

Post by sinkarna » Mon Nov 26, 2012 5:55 pm

Same problem, 3 of my sites have had the same hack. All running 1.5.26

Here's the FPA result of one of them:
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.3) : 26th November 2012 wrote:[20-Jun-2011 03:40:11] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
Forum Post Assistant (v1.2.3) : 26th November 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (440) | Owner: curio610 (uid: 1/gid: 1) | Group: curio610 (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-274.17.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/curio610/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.10 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 20th June 2011 03:40:11. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.1.65-cll (Client:5.1.65) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 17.22 MiB | #of Tables: 65
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.10) | date (5.3.10) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | posix () | pspell () | Reflection ($Revision: 321634 $) | standard (5.3.10) | imap () | SimpleXML (0.1) | exif (1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | cgi-fcgi () | timezonedb () | imagick (3.0.1) | suhosin (0.9.33) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: MailTo (1.5.0) | WF_DIRECTIONALITY_TITLE (2.2.6) | WF_CLEANUP_TITLE (2.2.6) | WF_AUTOSAVE_TITLE (2.2.6) | WF_PREVIEW_TITLE (2.2.6) | WF_PRINT_TITLE (2.2.6) | WF_INLINEPOPUPS_TITLE (2.2.6) | WF_BROWSER_TITLE (2.2.6) | WF_MEDIA_TITLE (2.2.6) | WF_NONBREAKING_TITLE (2.2.6) | WF_XHTMLXTRAS_TITLE (2.2.6) | WF_LAYER_TITLE (2.2.6) | WF_IMGMANAGER_TITLE (2.2.6) | WF_TEXTCASE_TITLE (2.2.6) | WF_KITCHENSINK_TITLE (2.2.6) | WF_SOURCE_TITLE (2.2.6) | WF_ARTICLE_TITLE (2.2.6) | WF_PASTE_TITLE (2.2.6) | WF_SEARCHREPLACE_TITLE (2.2.6) | WF_FULLSCREEN_TITLE (2.2.6) | WF_VISUALBLOCKS_TITLE (2.2.6) | WF_LINK_TITLE (2.2.6) | WF_SPELLCHECKER_TITLE (2.2.6) | WF_TABLE_TITLE (2.2.6) | WF_ANCHOR_TITLE (2.2.6) | WF_STYLE_TITLE (2.2.6) | WF_CONTEXTMENU_TITLE (2.2.6) | WF_VISUALCHARS_TITLE (2.2.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.2.6) | WF_POPUPS_WINDOW_TITLE (2.2.6) | WF_AGGREGATOR_VIMEO_TITLE (2.2.6) | WF_AGGREGATOR_[youtube]_TITLE (2.2.6) | WF_LINKS_JOOMLALINKS_TITLE (2.2.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.2.6) | WF_LINK_SEARCH_TITLE (2.2.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.2.6) | Wrapper (1.5.0) | User (1.5.0) |
Components :: ADMIN :: JCALPro Plugin (1.0.0) | Gallery2 Bridge Plugin (1.0.2) | Contacts Plugin (1.0.1) | Eventlist Plugin (1.0.0) | JEvents Plugin (1.0.3) | MyBlog Plugin (1.5.1) | Hot Property Plugin (1.0.1) | JMovies Plugin (1.5.0) | Mosets Tree Plugin (1.0.1) | AcyMailing Plugin (1.0.0) | Remository Plugin (1.0.3) | Kunena Plugin (1.0.1) | RSGallery2 Extension (1.0.0) | JoomGallery Plugin (1.5.1) | Glossary Plugin (1.5.1) | Content Plugin (1.5.1) | Jomres Plugin (1.0) | Rapid Recipe Plugin (1.0.0) | Virtuemart Plugin (1.1.4) | JoomDOC Extension (1.0.0) | Agora Plugin (1.0.0) | JDownloads Plugin (1.5.1) | RD-Autos Plugin (1.5.0) | lknAnswers Plugin (1.5.0) | CMS Shop Builder Plugin (1.5.0) | SectionEx Plugin (1.0.2) | SOBI2 Plugin (1.5.1) | Yoflash XMap Plugin (0.0.1) | KnowledgeBase Plugin (1.0.0) | DOCman Plugin (1.5.0) | Web Links Plugin (1.5.1) | JoomSuite Resources Plugin (1.0.0) | Rokdownloads Plugin (1.0.4) | Xmap (1.2.11) | Chrono Contact (V 3.2) | Media Manager (1.5.0) | Admintools (2.1.13) | Template Manager (1.5.0) | Configuration Manager (1.5.0) | Search (1.5.0) | Frontpage (1.5.0) | Plugin Manager (1.5.0) | JCE (2.2.6) | Editor - JCE (2.2.6) | plg_quickicon_jcefilebrowser (2.5.0) | JCE File Browser (2.0.0) | JCE (2.2.6) | Unknown (-) | Control Panel (1.5.0) | Trash (1.0.0) | Module Manager (1.5.0) | Menus Manager (1.5.0) | Language Manager (1.5.0) | Contact Items (1.0.0) | User Manager (1.5.0) | Content Page (1.5.0) | Mass Mail (1.5.0) | Akeeba (3.4.1) | Installation Manager (1.5.0) | Chrono Connectivity (2.0 RC3) | Cache Manager (1.5.0) | Messaging (1.5.0) |

Modules :: SITE :: Footer (1.5.0) | Newsflash (1.5.0) | Related Items (1.0.0) | Menu (1.5.0) | Login (1.5.0) | Search (1.0.0) | Plugin in module (1.9.0) | Archived Content (1.5.0) | Random Image (1.5.0) | Feed Display (1.5.0) | Custom HTML (1.5.0) | Sections (1.5.0) | Wrapper (1.0.0) | Poll (1.5.0) | Most Read Content (1.5.0) | Syndicate (1.5.0) | Cassrina Hover Image Menu (2.1) | JW Tabs & Slides Module (1.0) | sigplus (1.3.4.8) | Banner (1.5.0) | Latest News (1.5.0) | Module: Content with Plugins (1.50) | Breadcrumbs (1.5.0) | Who's Online (1.0.0) | Statistics (1.5.0) |
Modules :: ADMIN :: Footer (1.0.0) | Quick Icons (1.0.0) | Admin Submenu (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Unread Items (1.0.0) | Admin Tools Joomla! Upgrade No (2.1.13) | Admin Menu (1.0.0) | Feed Display (1.5.0) | Popular Items (1.0.0) | Latest News (1.0.0) | Custom HTML (1.5.0) | Toolbar (1.0.0) | Online Users (1.0.0) | JCE File Browser (2.0.0) | Akeeba Backup Notification Mod (3.4.1) | Title (1.0.0) | User Status (1.5.0) | Items Stats (1.0.0) |

Plugins :: SITE :: Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Editor - JCE (2.2.6) | Paste (1.5.7.9) | File Browser (1.5.7.9) | Advanced Link (1.5.7.9) | Joomla! Links for Advanced Lin (1.2.1) | Media Object support (1.5.7.9) | Image Manager (1.5.7.9) | Paste (1.5.7.9) | Advanced Code Editor (1.5.7.9) | JCE SPELLCHECKER TITLE (1.5.7.9) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Search - Content (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Authentication - Example (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Content - Example (1.0) | Content - Page Navigation (1.5) | Content - Load Modules (1.5) | Content - Email Cloaking (1.5) | Simple Image Gallery PRO (by J (2.0.5) | Content - Core Design Magic Ta (1.1.0) | Content - Pagebreak (1.5) | Content - Vote (1.5) | Simple Picture Slideshow (1.5.5) | Content - Code Highlighter (Ge (1.5) | Simple Image Gallery (by Jooml (2.1) | User - Example (1.0) | User - Joomla! (1.5) | System - Core Design Scriptegr (1.5.5) | System - Debug (1.5) | System - SC jQuery (1.0.2) | Akeeba Backup Lazy Scheduling (3.3) | System - Log (1.5) | System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Legacy (1.5) | System - Backlinks (1.5) | System - Remember Me (1.5) | System - Admin Tools (2.1.13) | Google Maps (2.13a) |
Templates Discovered :: wrote:Templates :: SITE :: beez (1.0.0) | curious (1.0.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |

syndicate604
Joomla! Fledgling
Posts: 4
Joined: Sat Apr 23, 2011 9:54 am

Re: What happened? All users suddenly have the username "adm

Post by syndicate604 » Mon Jun 03, 2013 11:33 pm

I have just had this happen on 12 sites on one server.

One was wordpress

The other were various forms of Joomla from 1.5.26 to 2.5 so version of Joomla and even the platform seems to be irrelevant.

I was also running CSF firewall , MODSEC, and CXS.

The hackers were able to access the MYSQL dbase somehow - perhaps by reading the config file because it was not ALL sites and not all databases, only about 25% of the sites on the same IP. So they did not get root to MYSQL only one by one site access. They did try to upload some bot scripts to the server but CXS Blocked them and they quit. But they did deface each template index file with HACKED BY [removed] HACKERS blah blah blah

As I run a cron job to monitor all PHP file changes I caught the files they edited

index.php
wp-config.php
404.php

on a bunch of sites then tried

public_html/administrator/components/com_contushdvideoshare/images/uploads/rc.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/co.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/tst.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/r.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/sym.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/del.php
public_html/administrator/components/com_contushdvideoshare/images/uploads/bd.php

To upload this wack of scripts all of which were denied.

Mod Sec also made their life difficult

/usr/local/apache/logs/error_log:[Sun Jun 02 15:41:16 2013] [error] [client 41.224.80.231] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/js/)" against "REQUEST_URI" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "246"] [id "390709"] [rev "25"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to access protected file remotely"] [data "/etc/"] [severity "CRITICAL"] [hostname "xxx.com"] [uri "/administrator/components/com_contushdvideoshare/images/uploads/rc.php"] [unique_id "UavKDK6P9kgAAGVqHjUAAAAR"]

/usr/local/apache/logs/error_log:[Sun Jun 02 15:41:41 2013] [error] [client 41.224.80.231] client denied by server configuration: /home/public_html/administrator/components/com_contushdvideoshare/images/uploads/badi/.htaccess
/usr/local/apache/logs/error_log:[Sun Jun 02 15:41:41 2013] [error] [client 41.224.80.231] client denied by server configuration: /home/public_html/administrator/components/com_contushdvideoshare/images/uploads/badi/.htaccess

I am not sure how they managed to run a script to change all the users in a Joomla dbase to ADMIN:

1. get the mysql username and pass from Configuration.php
2. send command to change admin USERNAME and PASS (this is the hack)
3. Login to joomla admin with injected name/password
4. try to use upload features of plugins on the site to further upload hack scripts
5. deface website

My server blocked step 4, and I did find a few sites with 655 on config files, but not ALL.
I changed them all to 400 for now anyway just in case.

I also banned the entire country of [removed] in the firewalls.

This doesn't explain how they do STEP 2. Some kind of injection or plugin exploit that works on both WP and Joomla. As they occurred at the exact same time, also an injection that can beat ModSec.

I found some OLD attempts back in December which seemed to match the profile


/usr/local/apache/logs/error_log:[Thu Dec 20 03:52:06 2012] [error] [client 41.224.136.97] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]]*update.+set.+=|union all select |union select [a-z][0-9]+ |select (?:load_file|char ?\\\\()|(?:insert|remark)test;)" at ARGS:Itemid. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "324"] [id "340144"] [rev "33"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2"] [data "get /index.php?option=com_phocagallery&view=category&id=69&itemid=999999.9+%2f*%2130000union+all+select+0x31303235343830303536%2c0x31303235343830303536*%2f-- http/1.1"] [severity "CRITICAL"] [hostname "www.s.com"] [uri "/index.php"] [unique_id "UNL75q6P9kgAAA8TNKAAAAAM"]

So it looks like they are using the PhocaGallery component to inject code, and it doesn't seem like they even need to know your MySQL info; they can just use the CMS platform to update the CMS user table directly.
Last edited by mandville on Mon Jun 03, 2013 11:39 pm, edited 2 times in total.
Reason: [removed] nationality reference
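The two ModSecurity lines syndicate604 pasted carry more than a rule hit: every `[key "value"]` pair is structured, the `data` field holds the URL-encoded request, and decoding it shows what the attacker actually sent. The parser below is an added example, not code from the post or from ModSecurity. It reads Apache 2.2 error_log lines in the ModSecurity 2.x format, extracts the fields, URL-decodes the blocked request, flags the injection markers (union/select, a MySQL `/*!30000 ... */` version comment used to slip past naive filters, long hex literals) and decodes the hex. The two sample lines are copied from the post above, site names already masked there; the marker regex is this example's own heuristic, not an Atomicorp rule. Decoding `0x31303235343830303536` gives the digit string 1025480056, a fixed marker value, which is how an automated scanner checks whether its injected value is echoed back in the page.

```python
"""Parse ModSecurity entries from an Apache error_log, pull out the
structured [key "value"] fields, URL-decode the blocked request and flag
the SQL-injection markers the post points at.

Added example, not from the forum post or from ModSecurity. SAMPLE_LINES
are copied from the post (hostnames were already masked there); SQLI_RE
is this example's own heuristic, not any vendor rule.
"""
import re
import urllib.parse
from datetime import datetime

SAMPLE_LINES = [
    r'/usr/local/apache/logs/error_log:[Sun Jun 02 15:41:16 2013] [error] [client 41.224.80.231] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/js/)" against "REQUEST_URI" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "246"] [id "390709"] [rev "25"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Attempt to access protected file remotely"] [data "/etc/"] [severity "CRITICAL"] [hostname "xxx.com"] [uri "/administrator/components/com_contushdvideoshare/images/uploads/rc.php"] [unique_id "UavKDK6P9kgAAGVqHjUAAAAR"]',
    r'/usr/local/apache/logs/error_log:[Thu Dec 20 03:52:06 2012] [error] [client 41.224.136.97] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table) |delete[[:space:]]*update.+set.+=|union all select |union select [a-z][0-9]+ |select (?:load_file|char ?\\\\()|(?:insert|remark)test;)" at ARGS:Itemid. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "324"] [id "340144"] [rev "33"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection 2"] [data "get /index.php?option=com_phocagallery&view=category&id=69&itemid=999999.9+%2f*%2130000union+all+select+0x31303235343830303536%2c0x31303235343830303536*%2f-- http/1.1"] [severity "CRITICAL"] [hostname "www.s.com"] [uri "/index.php"] [unique_id "UNL75q6P9kgAAA8TNKAAAAAM"]',
]

# Apache 2.2 error_log prefix; a grep filename prefix before it is tolerated by using search().
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] (?P<body>.*)$')
# ModSecurity 2.x structured fields: [key "value"], value may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Which request variable the rule matched on, e.g. "at ARGS:Itemid".
PARAM_RE = re.compile(r'\bat (?:ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS):([\w-]+)')
# Heuristic markers applied to the decoded request only (never to the rule text itself).
SQLI_RE = re.compile(
    r'union\s+(?:all\s+)?select|/\*!\d{5}|\bselect\b.*\bfrom\b|load_file\s*\(|0x[0-9a-f]{16,}',
    re.I)
HEX_RE = re.compile(r'0x([0-9a-fA-F]{4,})')


def decode_hex_literals(text):
    """Map every 0x... literal in `text` to its ASCII form when it decodes cleanly."""
    out = {}
    for h in HEX_RE.findall(text):
        try:
            out["0x" + h] = bytes.fromhex(h).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def parse_event(line):
    """Return a dict for one ModSecurity error_log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m or "ModSecurity:" not in m.group("body"):
        return None
    body = m.group("body")
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(body)}
    data = urllib.parse.unquote_plus(fields.get("data", ""))
    probe = data + " " + fields.get("uri", "")
    param = PARAM_RE.search(body)
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "client": m.group("client"),
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "param": param.group(1) if param else None,
        "decoded_data": data,
        "sqli": bool(SQLI_RE.search(probe)),
        "hex_literals": decode_hex_literals(probe),
    }


def by_client(lines):
    """Group parsed events by source IP so repeat offenders stand out."""
    groups = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            groups.setdefault(ev["client"], []).append(ev)
    return groups


if __name__ == "__main__":
    for client, events in by_client(SAMPLE_LINES).items():
        for ev in events:
            flag = "SQLi" if ev["sqli"] else "----"
            print(f"{ev['time']:%Y-%m-%d %H:%M} {client:15} {flag} rule {ev['rule_id']} "
                  f"param={ev['param']} uri={ev['uri']}")
            if ev["hex_literals"]:
                print("    hex literals:", ev["hex_literals"])
```

Feed it the whole error_log (`by_client(open(path))`) and sort the groups by event count; the blocked phocagallery probe from December and the June upload attempts in the post come from the same /16, which is the kind of correlation that is invisible while reading single lines. The caveat the post itself raises still stands: ModSecurity only logs what it blocked, so an injection that rewrote jos_users without tripping a rule will not appear here at all, and the access_log (for requests that returned 200) is the place to look for the same URL shapes.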

