Pharmacy Hack aicontactsafe and xcalendar

[mavaughan]

I had a new intrusion loaded on my site yesterday, Somehow someone was able to install a plugin called xcalendar, it was installed in > plugins/system/xcalendar/.

It only appeared on the pages delivered by aicontactsafe. I notified the developer today.

It placed a new class file in the header, and injected "Canada Pharmacy" test in my <h1> tag. In the code I could see href tag that linked to the hacker site.

I found it by going to Manage Extensions and was looking for items that had no vendor names, install dates etc. Or information about it.

I unpublished it, and found the folder and set permissions to 000, that made it disappear from the site.

I am looking into the DB to see if anything is there.

I wanted to give folks heads up since it just happened yesterday, and others may have been affected.

I will post more as I find new info.

Joomla version 2.5.24.
aiContactSafe v.2.0.21c.stable

[Bernard T]

Hi, FPA report please http://forum.joomla.org/viewtopic.php?f=714&t=793531

[mavaughan]

Bernard

I tried to run and it just hangs on the first screen and does not give a report... probably not good huh...

[Bernard T]

Bernard
I tried to run and it just hangs on the first screen and does not give a report... probably not good huh...

That's not a good sign. Please ask your hosting provider for assistance.

[mavaughan]

Ok, I tried this located here.

http://forum.joomla.org/viewtopic.php?t=656394#p2766599

An now I get this error.

Warning: readdir() expects parameter 1 to be resource, boolean given in /services/webpages/html/sitename.com/fpa-en.php on line 1484

So I looked at line 1484 got this line of code:

// loop through the directory
while ( false !== ( $file = readdir( $dh ) ) ) {

Which was referenced with this comment box:

/** getDirectory FUNCTION TO RECURSIVELY READ THROUGH LOOKING FOR PERMISSIONS ************
** this is used to read the directory structure and return a list of folders with 'elevated'
** mode-sets ( -7- or --7 ) ignoring the first position as defaults folders are normally 755.
** $dirCount is applied when the folder list is excessive to reduce unnecessary processing
** on really sites with 00's or 000's of badly configured folder modes. Limited to displaying
** the first 10 only.
*****************************************************************************************/

Then I realized I wrote 000 over the permissions from the hacked directory. I changed these to 755 and it ran, will post. Just posting this in case someone else has the same self induced fail issue that I had...

[mavaughan]

Joomla! Instance :: Joomla! 2.5.24-Stable (Ember) 25-July-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 38207 (uid: /gid: ) | Group: 60 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 5.0.1.2.With.Authcache+Pxeboot_Cmdline_4096+socket_patch | Technology: i686 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /services/webpages/k/n/knowledgebiz.com/public | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 1 | Log Errors To: | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 250000000 | Max. POST Size: 250000000 | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.32-log (Client:5.1.70) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 28.66 MiB | #of Tables:  134

PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mssql () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_sqlite (1.0.1) | Phar (2.0.1) | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | siteguard () | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | apache2handler () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_include | mod_filter | mod_deflate | mod_log_config | mod_env | mod_expires | mod_headers | mod_setenvif | mod_version | mod_proxy | mod_proxy_connect | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_ajp | mod_proxy_balancer | mod_ssl | prefork | http_core | mod_mime | mod_autoindex | mod_asis | mod_cgi | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_php5 | mod_substitute | mod_fpcgid | mod_wiredminds | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Components :: SITE :: WF_AGGREGATOR_VIMEO_TITLE (2.4.2) | WF_AGGREGATOR_[youtube]_TITLE (2.4.2) | WF_AGGREGATOR_VINE_TITLE (2.4.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.2) | WF_LINKS_JOOMLALINKS_TITLE (2.4.2) | K2 Links for JCE Link (2.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.2) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.2) | WF_POPUPS_WINDOW_TITLE (2.4.2) | WF_LINK_SEARCH_TITLE (2.4.2) | WF_ANCHOR_TITLE (2.4.2) | WF_ARTICLE_TITLE (2.4.2) | WF_AUTOSAVE_TITLE (2.4.2) | WF_BROWSER_TITLE (2.4.2) | WF_CHARMAP_TITLE (2.4.2) | WF_CLEANUP_TITLE (2.4.2) | WF_CLIPBOARD_TITLE (2.4.2) | WF_CONTEXTMENU_TITLE (2.4.2) | WF_DIRECTIONALITY_TITLE (2.4.2) | WF_FONTCOLOR_TITLE (2.4.2) | WF_FULLSCREEN_TITLE (2.4.2) | WF_IMGMANAGER_TITLE (2.4.2) | WF_INLINEPOPUPS_TITLE (2.4.2) | WF_KITCHENSINK_TITLE (2.4.2) | WF_LAYER_TITLE (2.4.2) | WF_LINK_TITLE (2.4.2) | WF_LISTS_TITLE (2.4.2) | WF_MEDIA_TITLE (2.4.2) | WF_NONBREAKING_TITLE (2.4.2) | WF_PREVIEW_TITLE (2.4.2) | WF_PRINT_TITLE (2.4.2) | WF_SEARCHREPLACE_TITLE (2.4.2) | WF_SOURCE_TITLE (2.4.2) | WF_SPELLCHECKER_TITLE (2.4.2) | WF_STYLE_TITLE (2.4.2) | WF_TABLE_TITLE (2.4.2) | WF_TEXTCASE_TITLE (2.4.2) | WF_VISUALBLOCKS_TITLE (2.4.2) | WF_VISUALCHARS_TITLE (2.4.2) | WF_XHTMLXTRAS_TITLE (2.4.2) | WF_FONTSELECT_TITLE (2.4.2) | WF_FONTSIZESELECT_TITLE (2.4.2) | WF_FORMATSELECT_TITLE (2.4.2) | WF_STYLESELECT_TITLE (2.4.2) | com_mailto (2.5.0) | com_wrapper (2.5.0) | iC rounded - iCagenda Theme (3.3.7) | CB Mamblog Tab (1.2) | CB Mambo Author Tab (1.2) | Yanc Integration (1.2) | CB Captcha (1.3) |
Components :: ADMIN :: com_admin (2.5.0) | aiContactSafe (1.0.0) | aiContactSafe module (1.0.13.stable) | aiContactSafe - Form (1.0.15.stable) | aiContactSafe - Link (1.0.10.stable) | aiContactSafe (2.0.21c.stabl) | Akeeba (3.11.3) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | Gantry (4.1.25) | com_installer (2.5.0) | Unknown (-) | JCE (2.4.2) | com_joomlaupdate (2.5.0) | mod_k2_comments (-) | mod_k2_comments (-) | COM_K2 (2.6.8) | K2 (2.5.4) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_newsfeeds (2.5.0) | com_plugins (2.5.0) | com_redirect (2.5.0) | RokCandy (1.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | iCagenda (3.3.8) | Admintools (3.0.3) | comprofiler (1.9.1) | comprofiler (1.9.1) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | K2 Comments (2.6.8) | K2 Content (2.6.8) | K2 Tools (2.6.8) | K2 User (2.6.8) | K2 Users (2.6.8) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | RokAjaxSearch (2.0.3) | RokNavMenu (2.0.7) | mod_search (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | mod_wrapper (2.5.0) | Social Media Icon Links (1.6.0) | iCagenda - Calendar (3.3.6) | Social Media Links Genius (1.001) | CB Login (1.9.1) | CB Workflows (1.9.1) | CB Online (1.9.1) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | K2 Quick Icons (admin) (2.6.8) | K2 Stats (admin) (2.6.8) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) | Google Analytics Dashboard (2.6) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | Content - Login to Read (1.3) | Content - RokBox (2.0.7) | plg_editors_codemirror (1.0) | plg_editors_jce (2.4.2) | plg_editors_tinymce (3.5.4.1) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokCandy (1.5.0) | Button - RokBox (2.0.7) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_k2 (2.6.8) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | Josetta - K2 Categories (2.6.8) | Josetta - K2 Items (2.6.8) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.4.2) | plg_quickicon_joomlaupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | Search - K2 (2.6.8) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | ICAGENDA_PLG_SEARCH (1.1) | plg_system_cache (2.5.0) | plg_system_debug (2.5.0) | System - Gantry (4.1.25) | plg_system_highlight (2.5.0) | System - jUpgrade (3.0) | System - K2 (2.6.8) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | plg_system_remember (2.5.0) | System - RokCandy (1.5.0) | System - RokExtender (2.0.0) | plg_system_sef (2.5.0) | System - iCagenda :: Autologin (1.2) | System - Google Analytics 4 Jo (1.0) | System - Mootools Upgrade (1.5) | System - RokBox (2.0.7) | plg_system_jlsecuremysite (1.0.2) | System - Admin Tools (3.0.3) | manage.myJoomla.com Secure Plu (n/a) | plg_system_xcalendar (1.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | User - K2 (2.6.8) | plg_user_profile (2.5.0) | User - MailIPAddress (2.0) |

Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | gantry (4.1.8) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_panacea (1.6.6) | rt_panacea_j15 (1.5.3) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

[leolam]

@ Mods: Can we please move this to Joomla25 security forum? He runs J25

Leo

[Bernard T]

There are important issues visible in your FPA report:

• server where you're hosted at runs PHP as Apache module (apache2handler), which is strongly discouraged for production since it brings user rights issues and you could get hacked through "neighbor" websites on the same server.
• Register Globals: 1 that's a dangerous setting, should always be off

I would recommend you that you talk with you hoster and change the hosting environment as soon as possible.

We don't have any reports about aiContactSafe 2.0.21c having security issues, but 2.0.19 was vulnerable. If you get any response from the developer let us know.

In the meantime you should take standard steps in cleaning up your website and investigating the source of your website's infection. http://forum.joomla.org/viewtopic.php?f=621&t=582854

[Alex Dobrin]

I did reply to mavaughan's emails ( I'm the developer of aiContactSafe ).
He sent me a zip with that plugin and it is a system plugin that modifies the content of the Joomla pages using the "onAfterRender" event of Joomla.
I don't know why those changes are more evident or only evident on the pages generated with aiContactSafe. Could be some key words on those pages that generate that outcome.

I don't know of any vulnerability in the last version of aiContactSafe and am interested to fix it if any is found. But I don't think the problem described in this topic is generated in it.

[Bernard T]

Hi Alex, and thanks for replying to this topic.

There are too few information from the mavaughan to state aiContactSafe was vulnerable, but it is a suspect according to his statements.

After some googling I found that xcalendar really is a malware. Can someone of you two send me this suspect plugin (xcalendar) so I'll take a closer look on it? Please PM me and I'll give you my email.

@mavaughan - if you did the cleanup and upgraded all extensions that can be upgraded, the entry point for the infection with xcalendar could (maybe) be detected going through access logs.

[artshotwell]

This is a few months later...but I have discovered the same plugin on one of my client's Web sites. The client had spotted text changing from a porn link to unlinked when he accessed one of his pages.

[Webdongle]

I had a new intrusion loaded on my site yesterday, Somehow someone was able to install a plugin called xcalendar, it was installed in > plugins/system/xcalendar/....

Who has admin permissions to upload/install plugins on your site ? Have you scanned all computers that have ftp/Joomla admin/server CP access ?

[artshotwell]

Two other uses had access, one publisher, one registered. I have closed them since they have never used them, far as I can tell. No, I haven't scanned my Mac, the only device with FTP and CP access. Guess that's next on my list. Joomla was on ver 2.5.24. I have just updated it to 2.5.28.

[Webdongle]

... I have just updated it to 2.5.28.

Without deleting all the files on the server you can not be certain you have eradicated the hack

[artshotwell]

No, I recon not. But,frankly, I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.

[leolam]

No, I recon not. But,frankly, I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.

You do not have to.... Go to https://myjoomla.com/site/is/hacked and have Phil help you so you do not have to redo the site or run at least the free scan so you will know what is hiding where

Leo

[artshotwell]

Wow! Thank you... I wasn't aware of Phil or his site. Art

[Webdongle]

... I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.

The files are not the site ... the database is the site. All the Joomla (and 3rd party extension) files do is put/get data to/from the database and fresh originals of those files are easily uploaded. And you surely have the originals of your image files.

Of course there are excellent services that can audit your site and maintain good security.

[artshotwell]

I do have all original files. I have backups from my last update. Running an audit now.

[Webdongle]

I do have all original files. I have backups from my last update. Running an audit now.

The original files that I am referring to are the files from the Joomla full package and the zip files of the 3rd party extensions. Backup files from thje last update are not original files and may contain hacks.

[leolam]

I do have all original files. I have backups from my last update. Running an audit now.

The original files that I am referring to are the files from the Joomla full package and the zip files of the 3rd party extensions. Backup files from thje last update are not original files and may contain hacks.

All the files he is auditing will be exposed by Phil Taylor's program if containing any dirt at all. The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. You might want to test this yourself. First scan is free ....

Leo

[Webdongle]

... All the files he is auditing will be exposed by Phil Taylor's program if containing any dirt at all. The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. You might want to test this yourself. First scan is free ....

But even if the free scan shows his files are clean there is still the complication of the files from 3rd party extensions. As I have explain several times (in the forum) ... even the extensions that use the same zip file for J2.5 and J3.x sometimes install different files depending on the version of Joomla that they are installed into.

As good as Phil's program is ... it may be an 'overkill' at this moment in time.

Given
artshotwell obviously has the basic skills of managing folders and exporting/importing sql files from to a database.
And
the site is broke but he still has the original database
And
it is prudent(where possible) to delete all the files on the server replacing them with fresh files
Then
restoring the site with fresh Joomla (and extension's) files before using the free scan would be the logical workflow.

... The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. ....

Do you get discount for promoting it so frequently in your posts ?

... You might want to test this yourself. First scan is free ....

If it was not feasible for me to delete the files and replace with clean ones then yes I would use that service. But as my site is a small 'hobby' site then it is easy to delete/replace all the files.

[leolam]

Do you get discount for promoting it so frequently in your posts ?

No but all the time you posting that they have to rebuild their site is simply plain wrong since it is not needed and yes don't post what you do not know about. (!) Myjoomla scans all files and folders including all extensions installed Kevin so comment when you know where you talk about and No I do not get commissions as you so kindly and offensively suggest (but what is new) but we do happen to use it to great satisfaction in cleansing hacked websites avoiding rebuilds.

And again the first site is free so test and than comment before shooting stray bullets since you clearly have no idea where you talk about as shown in your bold cycle of events as they should be according to Webdongle laws? (which is a misinterpretation of the way Myjoomla works) Example of not knowing:

Then
restoring the site with fresh Joomla (and extension's) files before using the free scan would be the logical workflow.

Myjoomla repairs them for you!

Cheers

Leo

[Webdongle]

... but all the time you posting that they have to rebuild their site is simply plain wrong since it is not needed and yes don't post what you do not know about. (!) Myjoomla scans all files and folders including all extensions installed ...

And again the first site is free ... Myjoomla repairs them for you!

The effectiveness of the program is not in question nor is the fact that the first scan is free. But does the free first scan fix the hack for free as well ?

What is in question is whether artshotwell removes the hack by deleting all the files and replacing with fresh or has the free scan and pays for it to be fixed.

Are you saying that the free scan on the first site fixes the site for free as well ?

[artshotwell]

I have tried the free scan. It looks like there is a change for fixing. But, the free scan points to suspicious files. Not to guarantee it catches all of them. It reports many files that may be suspicious, but are clean. The website hack I reported on here is not my site, but one I built for a client. Unless I spot a continuing problem, I feel satisfied the site is clean now. But, I do suppose I could replace all files... but it would take me more time that I want to spend on that at this moment...as I say... unless I find a new or repeat problem. I appreciate the conversation here and will take it to heart.

[Webdongle]

Thanks for reporting the results. You may want to look at http://forum.joomla.org/viewtopic.php?f=621&t=582854 ... it will help you keep sites(you administrate) safe.

[artshotwell]

Thank you. Yes, I have reviewed that link and have, in fact, bookmarked it. Art