Possible security exploit in 2.5.6
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Aug 16, 2012 3:32 am
Possible security exploit in 2.5.6
Hi,
I've found a number of our sites running various versions from 1.6/1.7 up to the current version 2.5.6 appear to have been compromised via the admin template bluestork. It looks like there is a security hole, and in this case it has allowed a hacker to upload some DDOS scripts and attack other servers.
The scripts were uploaded into the /administrator/templates/bluestork/ folder and the main file names were called stph.php and indx.php
Are the Joomla devs or anyone aware of a security hole? If so, is there a fix available or should we simply remove the template entirely from each site to secure the site properly?
Thanks.
Last edited by shannonw on Fri Aug 17, 2012 4:18 am, edited 1 time in total.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Aug 16, 2012 3:32 am
Re: Possible security exploit in 2.5.6
UPDATE
I've removed the bluestork templates entirely for now, which seems to be the best option.
FYI, the versions of the affected installs are:
1.6.3
1.7.0
2.5.2
2.5.6
It would be interesting to know how many people were affected by this exploit. Apparently many hosts/datacenters were affected by this last night.
Thanks.
-
- Joomla! Enthusiast
- Posts: 196
- Joined: Thu Aug 27, 2009 3:05 am
- Location: UK
- Contact:
Re: Possible security exploit in 2.5.6
Thank you for the share, I will make sure that our customers are aware of this one if anyone is using this template.
https://www.webhostuk.Co.uk/joomla-hosting.html | Best UK Joomla Hosting!
http://www.webhost.US.Com | Best US Joomla Hosting
One click auto installer for Joomla
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Possible security exploit in 2.5.6
1. Please visit http://developer.joomla.org/security and follow the instructions for notifying the JSST, who deal with core vulnerabilities.
2. Please provide logs showing the point of access where these files were uploaded.
3. Run the FPA on the sites and post the results http://forum.joomla.org/viewtopic.php?f=621&t=582860 or send them to the JSST.
4. Follow checklist 7.
Are all these Joomla versions on the same server?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Fledgling
- Posts: 2
- Joined: Thu Aug 16, 2012 8:40 am
Re: Possible security exploit in 2.5.6
I also had one of my websites suspended because of /administrator/templates/bluestork/stph.php
My ISP suspended my website until this morning when I removed the bluestork template. He also told me he had about 20 websites with this issue.
Big problem is that this template is the default one and i have a lot of Joomla! websites using it... should i remove the template on all of them?
-
- Joomla! Apprentice
- Posts: 5
- Joined: Thu Aug 16, 2012 12:18 pm
Re: Possible security exploit in 2.5.6
I can confirm I also had the same problem with several Joomla installations. There were DDoS attacks from some files within the bluestork directory.
There was also a file called error.php in there, besides stph.php and indx.php.
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Possible security exploit in 2.5.6
OK guys, before making such statements you really need to understand the basics of web site security.
1. The original poster was running out of date, unsupported versions of Joomla with known security issues.
2. A hacker, after finding a hole, needs to place a file on your site so they can do even more nasty things. It makes the hacker's life much much easier if they always put their file in the same place on every site that they exploit. So clearly any folder which is part of the core installation of Joomla is a good place for them to place their files.
The location of the file does not have any relevance to the location of the hack. In fact it almost certainly means that the folder is not the source of the hole. Think about it: if you can write to any folder on the server, why would you choose the one with the hole in it? That's just too obvious.
Finally, any webhost that says "they have had lots of sites with the same issue" is clearly indicating that their server was exploited and through that a file was placed in every site.
This exploit is therefore either at a server level or, most likely, through one of the old software versions on one of the sites, and the host doesn't understand how to set up a secure web server where one exploited site doesn't mean that all the sites on the server will be exploited.
Time to get a new host who does understand the basics of secure web hosting and make sure that you keep your own web site up to date.
It is far too easy to blame others when the problem is staring you in the mirror each morning.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Aug 16, 2012 7:16 pm
Re: Possible security exploit in 2.5.6
Wow OP, you have no idea how many hours I wasted this morning investigating this because of your post and the followup comments from others acknowledging the "problem". We didn't get hit at our webservers, I thought it might be due to our rulesets blocking it, but obviously it was not. But some of our colo/dedi clients did. Please don't post before actually confirming that it has been a TESTED hole in the "affected versions".
Jokes on me! Mod, please put a RED TEXT on top saying April fools. Damn.
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Possible security exploit in 2.5.6
wohej, as it's not April, there will be no "fool text".
dragosmv + minadreapta both said they had a similar situation.
Brian stated directly what he understands the issue is and would be my next post.
Myself, I pointed out the correct procedure for informing Joomla of core exploits, the request for the site reports and of course checklist 7, including the statement: [ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.
Too many people took offense when we used to post:
"Has your site been compromised?
If so, unless you are running the latest version of Joomla, you probably won't get much sympathy from some of the users around here. Why? Because Joomla is amazingly quick to react to security exploits and patches are released when needed, often within hours."
Now, if shannonw would like to post the FPA information, perhaps we can find other security lapses in the site.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Aug 16, 2012 3:32 am
Re: Possible security exploit in 2.5.6
Let me just clarify a few things here:
1) The topic clearly says Possible - not confirmed.
2) Some of the versions that were hacked are current 2.5.6.
3) These sites were in different hosting accounts, on different servers (all running suPHP, mod security, etc).
4) Complete removal of the bluestork template has stopped any further intrusions.
I will get the FPA and log details and report back soon.
Thanks.
-
- Joomla! Explorer
- Posts: 349
- Joined: Fri Oct 13, 2006 8:24 am
- Contact:
Re: Possible security exploit in 2.5.6
1: Can't comment (not read the whole thread)
2: It is most likely that the server has been compromised, other sites on the server running vulnerable versions of Joomla or even vulnerable version of other CMSs.
3: There's a number of hacks going around and 90% of the time they all happen because the 'webmaster' hasn't bothered updating installed extensions (along with updating to Joomla 2.5.6, they have websites still on J1.6 & J1.7 (as you stated within your thread)), making it easier for hackers to upload 'PHP shells' to the server as Brian stated. Hackers don't generally upload hacker files to the same location as the exploited 'extension'.
4: Give it time, the 'extension' that allowed the hacker to 'walk in' is still in place, deleting the 'bluestork' template DOESN'T make your website secure.
Sean Clement
Joomla! Extension Developer - Joomla! Security Experts
https://www.orangehatstudios.com/ - https://www.design-stripe.co.uk/services/web-design/
-
- Joomla! Apprentice
- Posts: 5
- Joined: Thu Aug 16, 2012 12:18 pm
Re: Possible security exploit in 2.5.6
If the server was compromised, how come all the problem sites are Joomla?
No WordPress, no osCommerce, no other CMSs? No simple HTML/PHP websites?
Only Joomla websites are compromised.
I am very curious: if the server was compromised, why not upload the shell scripts or the DDoS ones anywhere else but in the Joomla sites?
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Aug 16, 2012 3:32 am
Re: Possible security exploit in 2.5.6
OK, below is the FPA output from one of the sites running 2.5.6. I've had to protect certain data for obvious reasons, but the script showed no security warnings or errors, and everything was highlighted green. If there is anything showing that is the real reason for the hack, and not the bluestork script, please let me know so all of the sites can be secured properly.
Note: This particular account contains no other CMS or scripts. No changes have been made since the hacking, except for the bluestork template being removed.
Contrary to one of the previous posters, when I have dealt with hacks before (and I've dealt with many over the years with many types of CMSs), most of the time when a hacker uploads files, they are placed in the location where the security flaw has occurred. Why do they need to go to the trouble of putting the files elsewhere? They don't care about covering up the security flaw, they just want to do the damage and move on. Also, like the above user posted, if the hackers had root server access why only pick Joomla sites and only the bluestork folder?
I can understand that hacks can occur easily with installs that haven't been updated, however in this case where some of the sites are running the latest version have been hacked as well, it rang some alarm bells.
After ruling out differing Joomla versions, separate accounts and servers, the only consistent factor between all of the hacks was that they were done in the bluestork folder. This is why I started this thread, to see if there's a possibility that this template could be the issue.
Forum Post Assistant (v1.2.1) : 17th August 2012
Last PHP Error(s) Reported :: [09-Jul-2012 01:33:15 UTC] PHP Fatal error: Call to a member function checkAnswer() on a non-object in /home/--protected--/public_html/libraries/cms/form/rule/captcha.php on line 52
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.6-Stable (Ember) 19-June-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- (uid: 798/gid: 793) | Group: --protected-- (gid: 793) | Valid For: 2.5 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-408.el5.lve0.8.58PAE | Technology: i686 | Web Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | Encoding: gzip, deflate | Doc Root: /home/--protected--/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.3.9 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 17th August 2012 14:28:17. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 50M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 32M
MySQL Configuration :: Version: 5.1.63-cll (Client:5.1.63) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 916.95 KiB | #of _FPA_TABLE: 81
Detailed Environment ::
PHP Extensions :: Core (5.3.9) | date (5.3.9) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.9) | Phar (2.0.1) | posix () | pspell () | Reflection ($Revision: 321634 $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | cgi-fcgi () | timezonedb () | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: None
Extensions Discovered ::
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: jVoteSystem (2.05) | com_login (2.5.0) | com_weblinks (2.5.0) | AcePolls (1.0.6) | com_templates (2.5.0) | com_cache (2.5.0) | com_newsfeeds (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | com_cpanel (2.5.0) | com_media (2.5.0) | com_redirect (2.5.0) | com_config (2.5.0) | FlexBanners (2.0.1) | com_plugins (2.5.0) | com_languages (2.5.0) | com_joomlaupdate (2.5.0) | com_banners (2.5.0) | com_search (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_finder (2.5.0) | com_installer (2.5.0) | com_content (2.5.0) | com_admin (2.5.0) | com_users (2.5.0) |
Modules :: SITE :: mod_breadcrumbs (2.5.0) | mod_footer (2.5.0) | mod_articles_news (2.5.0) | mod_whosonline (2.5.0) | mod_stats (2.5.0) | mod_weblinks (2.5.0) | mod_languages (2.5.0) | mod_articles_popular (2.5.0) | mod_articles_archive (2.5.0) | mod_banners (2.5.0) | AcePolls (1.0.0) | FlexBanners (2.0.1) | mod_articles_categories (2.5.0) | mod_articles_latest (2.5.0) | jVoteSystemModule (1.00) | mod_search (2.5.0) | mod_syndicate (2.5.0) | Simple File Lister v1.0 (1.0) | mod_users_latest (2.5.0) | mod_login (2.5.0) | mod_articles_category (2.5.0) | mod_wrapper (2.5.0) | mod_menu (2.5.0) | mod_related_items (2.5.0) | Simple File Upload v1.3 (for J (1.3) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_finder (2.5.0) | mod_random_image (2.5.0) |
Modules :: ADMIN :: mod_status (2.5.0) | mod_logged (2.5.0) | mod_quickicon (2.5.0) | mod_title (2.5.0) | mod_version (2.5.0) | mod_submenu (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_latest (2.5.0) | mod_toolbar (2.5.0) |
Plugins :: SITE :: plg_content_vote (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_joomla (2.5.0) | Content - Load AcePolls (1.0.0) | plg_content_loadmodule (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - jVoteSystem (2.00) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_pagebreak (2.5.0) | plg_system_log (2.5.0) | plg_system_debug (2.5.0) | plg_system_sef (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_redirect (2.5.0) | System - jVoteSystemDatabase (1.00) | plg_system_highlight (2.5.0) | plg_system_cache (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_remember (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - jVoteSystemButton (2.00) | plg_editors-xtd_pagebreak (2.5.0) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | Search - AcePolls (1.0.0) | plg_search_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_extension_joomla (2.5.0) | AcePolls - JomSocial (1.0.0) | AcePolls - AlphaUserPoints (1.0.0) | AcePolls - Mighty Touch (1.0.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.2) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_captcha_recaptcha (2.5.0) |
Templates Discovered ::
Templates :: SITE :: atomic (2.5.0) | beez_20 (2.5.0) | beez5 (2.5.0) | siteground-j16-14 (1.0.0) |
Templates :: ADMIN :: hathor (2.5.0) |
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Possible security exploit in 2.5.6
Would love to see the FPA from some of your other J sites that you say aren't 2.5.
Without pointing, I notice that jVoteSystem, AcePolls, FlexBanners are all out of date.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
- SoftDux
- Joomla! Enthusiast
- Posts: 223
- Joined: Sun Oct 02, 2005 4:39 pm
- Location: Johannesburg, South Africa
- Contact:
Re: Possible security exploit in 2.5.6
Does anyone know (yet?) how this hack was uploaded, seeing as this is only limited (so far) to Joomla websites, yet every single one has the same file stored in the same place? So this is either the same hacker (perhaps we can compare IPs shortly before the hack) or a botnet script?
-
- Joomla! Apprentice
- Posts: 5
- Joined: Thu Aug 16, 2012 12:18 pm
Re: Possible security exploit in 2.5.6
From what I can see the files were not uploaded using FTP, and they have not been uploaded from within another account, as we use open_basedir on all our servers, suPHP and Apache suEXEC, mod_security rules and other protection methods as well.
There is only one way I can think of: uploaded or injected from within Joomla somewhere: themes, components, core perhaps. I don't know.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sat Aug 18, 2012 8:02 pm
Re: Possible security exploit in 2.5.6
I also think that it came from within Joomla. From the timestamps of the three generated files, I was able to isolate the relevant entries from the access log. So first came error.php, which was added by an IP that first registered a new user, confirmed the account by registration email, and afterwards did something in:
/administrator/index.php?option=com_templates&task=source.edit [...]
I sent the complete logfile entries to [email protected], maybe it's helpful.
Can someone else (with a current Joomla) also find these kinds of log entries? Because the Joomla installation affected here is very old (some 1.7 version...).
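The correlation this post describes, written out as an added example (it is not code from the thread or from Joomla): parse Apache combined-format access-log lines, group requests by client IP, report IPs that self-registered through com_users and then, within a window, hit the com_templates editor (both the `task=source.edit` request quoted above and the `layout=edit` POST form), and finally narrow to the IP whose edit landed just before the dropped file's mtime. The log lines, the IPs and the mtime are constructed; the request shapes are the Joomla 2.5 URLs as they appear in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format lines (not from the thread). 203.0.113.7
# walks the chain the post describes; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2012:22:01:10 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 -
203.0.113.7 - - [15/Aug/2012:22:03:42 +0000] "GET /index.php?option=com_users&task=registration.activate&token=0123abcd HTTP/1.1" 303 -
203.0.113.7 - - [15/Aug/2012:22:05:01 +0000] "POST /administrator/index.php?option=com_templates&task=source.edit HTTP/1.1" 200 512
203.0.113.7 - - [15/Aug/2012:22:05:30 +0000] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 -
203.0.113.7 - - [15/Aug/2012:22:06:02 +0000] "GET /administrator/templates/bluestork/error.php HTTP/1.1" 200 1024
198.51.100.4 - - [15/Aug/2012:22:10:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096
"""

# Constructed mtime of the dropped error.php (what `stat` would report).
ERROR_PHP_MTIME = datetime(2012, 8, 15, 22, 5, 35, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request shapes from the thread, in the order they occur in the attack chain.
STAGES = [
    ("register", re.compile(r"option=com_users.*task=registration\.register")),
    ("activate", re.compile(r"option=com_users.*task=registration\.activate")),
    ("template_edit", re.compile(
        r"^/administrator/index\.php\?.*option=com_templates.*(task=source\.edit|layout=edit)")),
    # A direct request for a PHP file inside an admin template folder: Joomla
    # never serves those directly, so this is the dropped file being used.
    ("template_php_hit", re.compile(r"^/administrator/templates/[^/]+/[^/?]+\.php")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Name of the attack-chain stage a request path belongs to, or None."""
    for name, rx in STAGES:
        if rx.search(path):
            return name
    return None


def find_chains(log_text, window=timedelta(hours=24)):
    """IPs that self-registered and, within `window`, edited a template through
    com_templates. Value: that IP's stage events as (ts, stage, method, path)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        stage = classify(e["path"])
        if stage:
            by_ip[e["ip"]].append((e["ts"], stage, e["method"], e["path"]))
    chains = {}
    for ip, events in by_ip.items():
        events.sort()
        first = {}
        for ts, stage, _, _ in events:
            first.setdefault(stage, ts)  # earliest time each stage was seen
        if "register" in first and "template_edit" in first:
            gap = first["template_edit"] - first["register"]
            if timedelta(0) <= gap <= window:
                chains[ip] = events
    return chains


def edits_before_mtime(chains, file_mtime, window=timedelta(minutes=30)):
    """Narrow to IPs whose template edit landed at most `window` before the
    dropped file's mtime: the timestamp correlation the post describes."""
    hits = {}
    for ip, events in chains.items():
        for ts, stage, _, _ in events:
            if stage == "template_edit" and timedelta(0) <= file_mtime - ts <= window:
                hits[ip] = ts
                break
    return hits


if __name__ == "__main__":
    chains = find_chains(SAMPLE_LOG)
    for ip, events in chains.items():
        print(f"{ip}: " + " -> ".join(stage for _, stage, _, _ in events))
    for ip, ts in edits_before_mtime(chains, ERROR_PHP_MTIME).items():
        secs = int((ERROR_PHP_MTIME - ts).total_seconds())
        print(f"{ip} edited a template at {ts:%Y-%m-%d %H:%M:%S}, {secs}s before error.php was written")
```

On a real server, feed it the full access log for the virtual host and the `stat` mtime of each dropped file; the IP that comes out is the one to look for in the `#__users` registration dates and in the logs of the other sites on the same box.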
-
- Joomla! Fledgling
- Posts: 2
- Joined: Thu Aug 16, 2012 8:40 am
Re: Possible security exploit in 2.5.6
I think that the Joomla sites affected are those that allowed self registration.
I looked today into my affected Joomla! site and, surprise, this is what i found in users:
Name User Name Enabled Activated User Groups Email Last Visit Date Registration Date ID
alexaalexa alexaalexa Registered Administrator [email protected] 2012-08-02 08:29:19 2012-08-02 06:59:38
So, somehow, this user alexaalexa managed to register as administrator on my website.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sat Aug 18, 2012 8:02 pm
Re: Possible security exploit in 2.5.6
It's the same user (only with another mail address (another number)) here. And he also is in the Registered and the Admin group.
dragosmv wrote: Name User Name Enabled Activated User Groups Email Last Visit Date Registration Date ID
alexaalexa alexaalexa Registered Administrator [email protected] 2012-08-02 08:29:19 2012-08-02 06:59:38
So, somehow, this user alexaalexa managed to register as administrator on my website.
-
- Joomla! Explorer
- Posts: 349
- Joined: Fri Oct 13, 2006 8:24 am
- Contact:
Re: Possible security exploit in 2.5.6
I know all versions prior to Joomla 2.5.4 (so 1.6 & 1.7 etc.) had escalation issues where a user could register within a site and then do some type of SQL injection to raise their 'Access Level' to 'Super Administrator'.
If you allow/don't want people to register within your websites, you can turn registration off by going to 'Users' -> 'User Manager', then 'Options'. Look for 'Allow User Registration' and select 'No'. This will stop people from creating an account and then making their account 'Super Admin'; additionally, updating to the latest version of Joomla (J!2.5.6) would stop 'hackers' from upping their access level.
Sean Clement
Joomla! Extension Developer - Joomla! Security Experts
https://www.orangehatstudios.com/ - https://www.design-stripe.co.uk/services/web-design/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed Dec 06, 2006 7:08 pm
Re: Possible security exploit in 2.5.6
{removed}
Last edited by mandville on Sun Aug 19, 2012 11:53 pm, edited 1 time in total.
Reason: post removed due to malicious contents
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Possible security exploit in 2.5.6
crispus - please start a NEW topic following the sticky "before you post read this" http://forum.joomla.org/viewtopic.php?f=621&t=582854 at the top of the forum, and do NOT post the entire contents of the file that has been hacked as it MAY AND WILL infect other people's computers.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Apprentice
- Posts: 12
- Joined: Wed May 11, 2011 1:22 am
Re: Possible security exploit in 2.5.6
We also have the same problem with alexaalexa being created as an administrator.
I have tried to update from 1.7.3 to the latest, but any attempt to do this appears to disable the backend completely.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon Aug 20, 2012 8:06 am
Re: Possible security exploit in 2.5.6
We had the same issue and I tracked down the cause.
Fortunately (in our case) this is not an issue with the bluestork template; at first it just seemed like that, but only because it's the default template.
The stph.php and indx.php files are uploaded with the error.php file. And the error.php file is edited from within the admin interface. We traced the edit down to this POST command: POST /administrator/index.php?option=com_templates&layout=edit .
So, the person editing the error.php-file had administrator powers.
All affected Joomla installs were 1.6.x/1.7.x/2.5.0-2.5.2. The administrator powers were obtained during registration using a known exploit: http://developer.joomla.org/security/ne ... ation.html , which has been fixed since 2.5.3.
Another possible security issue that can be the cause has been fixed since 2.5.5: http://developer.joomla.org/security/ne ... ation.html
If you use 2.5.6, the error.php file had probably been edited before the upgrade. Check the user permission mapping table to verify whether there are additional users with administrator rights.
I hope this will be of some help to you.
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Possible security exploit in 2.5.6
That makes perfect sense.
As you can see from my signature it is easy to be "Exploited yesterday... Hacked tomorrow"
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon Aug 20, 2012 9:37 am
Re: Possible security exploit in 2.5.6
Same issue..
37.72.171.37 - - [02/Aug/2012:15:24:18 +0200] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 - "-" "-"
37.72.171.37 - - [02/Aug/2012:15:24:18 +0200] "GET /administrator/index.php?option=com_templates&view=source&layout=edit HTTP/1.1" 200 9017 "-" "-"
and tph.php & indx.php in /administrator/templates/bluestork/ folder...
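As an added example (not code from any poster in this thread), a small Python triage script applying the two checks described in the posts above: flag POSTs to the admin template source editor in an Apache access log, and list accounts mapped into the Super Users group that the site owner does not recognise. The log lines and user rows are constructed, and group id 8 is assumed to be the default "Super Users" group of Joomla 1.6 to 2.5.

```python
import re

# Apache combined log line; the entries in the thread have "-" for referer and UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, modelled on the entries posted above (IPs are RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Aug/2012:15:24:18 +0200] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 - "-" "-"
203.0.113.5 - - [02/Aug/2012:15:24:18 +0200] "GET /administrator/index.php?option=com_templates&view=source&layout=edit HTTP/1.1" 200 9017 "-" "-"
198.51.100.7 - - [02/Aug/2012:16:01:02 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [02/Aug/2012:15:25:40 +0200] "GET /administrator/templates/bluestork/error.php HTTP/1.1" 200 301 "-" "-"
"""

def template_editor_posts(log_text):
    """Return (ip, timestamp, url) for each POST that saved a file through the
    admin template source editor (com_templates, layout=edit): the write that
    replaced error.php in the incidents described above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        url = m.group("url")
        if m.group("method") == "POST" and "option=com_templates" in url and "layout=edit" in url:
            hits.append((m.group("ip"), m.group("ts"), url))
    return hits

# Constructed rows standing in for #__users and #__user_usergroup_map.
# Assumption: group id 8 is the default "Super Users" group in Joomla 1.6 to 2.5.
SUPER_USERS_GROUP = 8
SAMPLE_USERS = [
    {"id": 42, "username": "admin", "registerDate": "2011-03-01"},
    {"id": 907, "username": "alexaalexa", "registerDate": "2012-08-02"},
    {"id": 908, "username": "reader", "registerDate": "2012-08-03"},
]
SAMPLE_GROUP_MAP = [(42, 8), (907, 2), (907, 8), (908, 2)]

def unexpected_super_users(users, group_map, known_admin_ids):
    """Return usernames mapped into the Super Users group that are not on the
    site owner's list of legitimate administrator ids: the check against the
    permission mapping table recommended above."""
    super_ids = {uid for uid, gid in group_map if gid == SUPER_USERS_GROUP}
    return [u["username"] for u in users
            if u["id"] in super_ids and u["id"] not in known_admin_ids]
```

Run `template_editor_posts` over the real access log and `unexpected_super_users` over rows exported from the two tables; any hit from an account or address you do not recognise is worth investigating together with the modification time of error.php.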
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue May 08, 2012 8:59 am
Re: Possible security exploit in 2.5.6
Today my ISP did block Filestructure of
/administrator/templates/bluestork
of all customers using joomla.
They blocked it because of excessive DDOS attacks from within the bluestork path.
ISP will unlock as soon as Joomla has solved the security issue and users have updated to a new version.
Are there any news from the Joomla development team on that?
--------------------------------------------------
Little addition
--------------------------------------------------
using Joomla 2.5.6
ISP is -> metanet.ch
Probably they have more information for the Joomla team.
--------------------------------------------------
This security hole seems to be real and is no joke, since metanet.ch is a very good, secure and reliable hoster.
--------------------------------------------------
Solved (Addition 2)
--------------------------------------------------
Problem was the same here.
Self-registered users (some really also: alexaalexa alexaalexa) did raise themselves to superuser within older Joomla 2.5 versions.
Register date was 2-3 August.
In the last few days these users did upload a changed error.php file, which is responsible for the DDOS attacks.
So for those Joomla users which did update to 2.5.6 after the beginning of August and already had a "hacked" SuperUser the problem was already there.
Luckily I did update to 2.5.6 right away and I was not affected
-----------------------------------------------------
With version 2.5.6 no user can raise themselves to a SuperUser anymore.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon Aug 20, 2012 2:34 pm
Re: Possible security exploit in 2.5.6
Hi I have the same problem in one of my sites.
My hosting is: agilityhoster.com
Also I have the same super user.
What should I do to correct the problem?
thanks,
Alejandro
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Possible security exploit in 2.5.6
amurillo72 wrote: What should I do to correct the problem?
1. disable/ban user
2. http://docs.joomla.org/Security_Checkli ... ter_relief
3. http://docs.joomla.org/Security_Checklist_7
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Apprentice
- Posts: 11
- Joined: Mon Aug 20, 2012 4:05 pm
Re: Possible security exploit in 2.5.6
Question: is there a way to avoid new admin registrations at a low level?
If there is such a chance, maybe it will help against this kind of hack...