What is [kudos]DDOSER ?

Discussion regarding Joomla! 2.5 security issues.

Locked
cammot
Joomla! Apprentice
Posts: 38
Joined: Tue Sep 01, 2009 9:00 pm

What is [kudos]DDOSER ?

Post by cammot » Thu Nov 13, 2014 4:20 am

My Joomla Site was recently hacked, but not sure if the hacker broke the site directly, or through another domain on the shared server. We were able to restore the site from a recent backup on the server. However, I notice a folder on the site that I have not noticed before, and wanted to find out if this is a Joomla directory/files or some malicious directory/files - here is the directory name, sub directory and file contents

[Kudos]DDOSER
- DDOSER
--- socks.py
--- socks.pcy
--- terminal.py
--- terminal.pcy
--- torshammer.py

Just curious - is this a malicious directory or is it a legitimate Joomla directory ?

Please let me know, and what to do about it.

Thanks
Last edited by mandville on Thu Nov 13, 2014 5:16 am, edited 1 time in total.
Reason: removed kudos. posting names or images of hack teams is not permitted

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: What is [kudos]DDOSER ?

Post by mandville » Thu Nov 13, 2014 5:16 am

Without the fpa we could not know where to start
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

lgedwards
Joomla! Fledgling
Posts: 2
Joined: Thu Nov 13, 2014 5:08 am
Location: Bangalore

Re: What is [kudos]DDOSER ?

Post by lgedwards » Thu Nov 13, 2014 5:23 am

cammot wrote: My Joomla Site was recently hacked, but not sure if the hacker broke the site directly, or through another domain on the shared server. We were able to restore the site from a recent backup on the server. However, I notice a folder on the site that I have not noticed before, and wanted to find out if this is a Joomla directory/files or some malicious directory/files - here is the directory name, sub directory and file contents

[Kudos]DDOSER
- DDOSER
--- socks.py
--- socks.pcy
--- terminal.py
--- terminal.pcy
--- torshammer.py

Just curious - is this a malicious directory or is it a legitimate Joomla directory ?

Please let me know, and what to do about it.

Thanks
How do you say that is "kudos DDOSER"?
Where did you find in server ?
Can you specify the path pls?
Last edited by mandville on Thu Nov 13, 2014 5:26 am, edited 1 time in total.
Reason: removed kudos. posting names or images of hack teams is not permitted


Re: What is [kudos]DDOSER ?

Post by cammot » Thu Nov 13, 2014 5:42 am

How did the subject line change !!? I thought my original subject line was:

What is [Kudos]DDOSER ?

Not sure how this got changed to [kudos]DDOSER ?

Anyway - in my Joomla site there is a directory named: [Kudos]DDOSER which has a subdirectory named: DDOSER and in this subdirectory are these five files:

socks.py
socks.pcy
terminal.py
terminal.pcy
torshammer.py
Last edited by mandville on Thu Nov 13, 2014 6:13 am, edited 1 time in total.
Reason: removed kudos. posting names or images of hack teams is not permitted


Re: What is [kudos]DDOSER ?

Post by mandville » Thu Nov 13, 2014 6:15 am

The title was changed for this reason
removed kudos. posting names or images of hack teams is not permitted

Run and post your fpa.
action Checklist 7

Re: What is [kudos]DDOSER ?

Post by cammot » Thu Nov 13, 2014 11:08 am

mandville wrote: Run and post your fpa.
action Checklist 7
Thanks for your help. My apologies in advance....

I do not know how to run my fpa !! Please advise how I do this. Also, what is "action Checklist 7". Please advise on this too.

thanks - Sincerely


Re: What is [kudos]DDOSER ?

Post by mandville » Thu Nov 13, 2014 11:41 am

See this post
Before you post : read and action this
http://forum.joomla.org/viewtopic.php?f=621&t=582854

Re: What is [kudos]DDOSER ?

Post by cammot » Thu Nov 13, 2014 9:41 pm

mandville wrote: See this post
Before you post : read and action this
http://forum.joomla.org/viewtopic.php?f=621&t=582854
Problem Description :: Forum Post Assistant (v1.2.4) : 13th November 2014 wrote: Suspect Malicious Site content
Log/Error Message :: Forum Post Assistant (v1.2.4) : 13th November 2014 wrote: None
Log/Error Message :: Forum Post Assistant (v1.2.4) : 13th November 2014 wrote: None
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 13th November 2014 wrote: Restored a backup, that is now working - but the purpose of this posting is to determine if the backup is not compromised.
Forum Post Assistant (v1.2.4) : 13th November 2014 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.9-Stable (Ember) 4-February-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (775) | Owner: namaskarbooks (uid: 1/gid: 1) | Group: apache (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: No (ReWrite Enabled but no .htaccess?) | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-028stab056 | Technology: i686 | Web Server: Apache/2.0.64 (Unix) | Encoding: gzip, deflate | Doc Root: /home/namaskarbooks/www/namaskar-africana.net | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.15 | PHP API: apache2handler | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.20 (Client:5.1.45) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 12.45 MiB | #of Tables:  192
Detailed Environment ::
PHP Extensions :: Core (5.3.15) | date (5.3.15) | ereg () | libxml () | pcre () | filter (0.11.0) | Reflection ($Id: e98652ba2326bd9391b730afdaf96c017d9fab48 $) | SPL (0.2) | hash (1.0) | apache2handler () | SimpleXML (0.1) | xml () | session () | iconv () | sqlite3 (0.7-dev) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | standard (5.3.15) | ftp () | gd () | gettext () | gmp () | exif (1.4 $Id$) | imap () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | oci8 (1.4.7) | openssl () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_OCI (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | posix () | pspell () | soap () | sockets () | SQLite (2.0-dev) | tokenizer (0.1) | wddx () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | zlib (1.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | prefork | http_core | mod_so | mod_access | mod_auth | mod_include | mod_log_config | mod_env | mod_setenvif | mod_mime | mod_autoindex | mod_asis | mod_negotiation | mod_dir | mod_actions | mod_userdir | mod_alias | mod_rewrite | mod_suexec | mod_cgi | mod_perl | mod_apreq2 | mod_php5 | mod_auth_mysql | mod_ssl | Apache/2.0.64 (Unix) |
Potential Missing Modules :: mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (775) | components/ (775) | modules/ (775) | plugins/ (775) | language/ (775) | templates/ (775) | cache/ (775) | logs/ (775) | tmp/ (775) | administrator/components/ (775) | administrator/modules/ (775) | administrator/language/ (775) | administrator/templates/ (775) |

Elevated Permissions (First 10) :: images/ (775) | images/namaskar/ (775) | images/namaskar/eddie/ (775) | images/namaskar/goa/ (775) | images/namaskar/special/ (775) | images/sampledata/ (775) | images/sampledata/fruitshop/ (775) | images/sampledata/parks/ (775) | images/sampledata/parks/animals/ (775) | images/sampledata/parks/landscape/ (775) |
Extensions Discovered ::
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_cpanel (2.5.0) | com_content (2.5.0) | com_banners (2.5.0) | Content (1.5.12) | Users (1.5.0) | News Feeds (1.5.1) | AceShop (1.5.5) | AyelShop (1.5.0) | Web Links (1.5.1) | Contact (1.5.3) | Mail To (1.5.1) | Banners (1.5.2) | Wrapper (1.5.0) | Search (1.5.1) | AceSEF (1.5.1) | AceSEF (2.5.5) | com_media (2.5.0) | com_joomlaupdate (2.5.0) | com_redirect (2.5.0) | com_plugins (2.5.0) | com_weblinks (2.5.0) | com_finder (2.5.0) | com_messages (2.5.0) | osefileman (3.0.4) | osefileman (3.0.4) | com_languages (2.5.0) | com_search (2.5.0) | com_cache (2.5.0) | com_installer (2.5.0) | AceSQL (1.0.3) | AceShop (2.0.0) | Akeeba (3.5.2) | com_config (2.5.0) | com_categories (2.5.0) | Admintools (3.3.1) | com_menus (2.5.0) | com_admin (2.5.0) | com_newsfeeds (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_checkin (2.5.0) | com_login (2.5.0) | com_modules (2.5.0) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_breadcrumbs (2.5.0) | mod_whosonline (2.5.0) | mod_login (2.5.0) | mod_languages (2.5.0) | mod_articles_news (2.5.0) | mod_stats (2.5.0) | mod_articles_categories (2.5.0) | mod_random_image (2.5.0) | mod_menu (2.5.0) | mod_feed (2.5.0) | mod_banners (2.5.0) | mod_search (2.5.0) | mod_articles_category (2.5.0) | AceShop - All-in-One (1.0.1) | mod_articles_latest (2.5.0) | mod_footer (2.5.0) | mod_custom (2.5.0) | mod_wrapper (2.5.0) | mod_finder (2.5.0) | mod_syndicate (2.5.0) | mod_related_items (2.5.0) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_latest (2.5.0) | mod_status (2.5.0) | AceShop - Quick Icons (1.0.0) | mod_version (2.5.0) | mod_login (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_submenu (2.5.0) | mod_multilangstatus (2.5.0) | mod_menu (2.5.0) | mod_feed (2.5.0) | AceSEF - Quick Icons (1.7.0) | mod_toolbar (2.5.0) | mod_custom (2.5.0) | mod_logged (2.5.0) | mod_title (2.5.0) |

Plugins :: SITE :: plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | System - AceShop jQuery (1.0.0) | plg_system_sef (2.5.0) | System - AceSEF (1.7.0) | plg_system_cache (2.5.0) | plg_system_remember (2.5.0) | System - AceShop Redirect (1.0.0) | plg_system_highlight (2.5.0) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_redirect (2.5.0) | System - AceSEF Meta Manager ( (1.7.0) | plg_system_languagecode (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_log (2.5.0) | System - Admin Tools (3.3.1) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_captcha_recaptcha (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_extension_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | User - AceShop (1.0.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_search_categories (2.5.0) | Search - AceShop (1.0.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_geshi (2.5.0) | Content - AceShop (1.0.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_joomla (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) |
Templates Discovered ::
Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
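
Added example, not part of any post in this thread: a read-only walk of a document root that reports script files a PHP-only Joomla tree has no reason to contain (such as the .py files listed in the first post) and directories that are group- or world-writable (the 775 entries the FPA report lists under "Elevated Permissions"). The extension list, the function names and the sample tree are assumptions made for the example.

```python
import os
import stat
import tempfile

# Assumption for this example: a PHP-only Joomla tree has no reason to hold these.
SCRIPT_EXTS = {".py", ".pyc", ".pl", ".sh", ".cgi"}


def audit_docroot(root):
    """Walk root read-only; return (script_files, writable_dirs), both sorted.

    script_files: paths relative to root whose extension is in SCRIPT_EXTS.
    writable_dirs: (relative path, octal mode) for every directory that is
    group- or world-writable, e.g. the 775 entries in the FPA report.
    """
    scripts, writable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append((rel, format(mode, "o")))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                scripts.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(scripts), sorted(writable)


def build_sample_tree():
    """Constructed docroot: two stock folders plus the folder from the thread."""
    root = tempfile.mkdtemp()
    layout = {
        "images": (0o775, ["logo.png"]),
        "components": (0o755, ["index.html"]),
        "DDOSER": (0o755, ["socks.py", "torshammer.py"]),
    }
    for name, (mode, files) in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        for fname in files:
            open(os.path.join(path, fname), "w").close()
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return root


if __name__ == "__main__":
    found, loose = audit_docroot(build_sample_tree())
    print("script files:", found)
    print("group/world-writable dirs:", loose)
```

To check a real site, pass the document root shown in the FPA "Doc Root" field to `audit_docroot()` instead of the sample tree.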


Re: What is [kudos]DDOSER ?

Post by mandville » Thu Nov 13, 2014 9:44 pm

Summary
out of date vulnerable joomla

Ditto extensions - see vel.joomla.org


Inadequate hosting configuration
Inadequate folder permission

Re: What is [kudos]DDOSER ?

Post by cammot » Thu Nov 13, 2014 9:58 pm

mandville wrote: Summary
out of date vulnerable joomla
When I try to update my Joomla to the latest version thru the Components Menu / Joomla Update - I get this response:

No Joomla Updates Available
You already have the latest Joomla! version, 2.5.9.

Please advise.

Thanks


Re: What is [kudos]DDOSER ?

Post by mandville » Thu Nov 13, 2014 11:35 pm

try going to the update tab of your extension manager and clearing cache. Then do check for updates
http://docs.joomla.org/No-updates-shown ... nt-version
or (also via search) http://foobla.com/blog/5168-joomla-upda ... 25-joomla3

Re: What is [kudos]DDOSER ?

Post by cammot » Fri Nov 14, 2014 10:04 pm

mandville wrote: Inadequate hosting configuration
Inadequate folder permission
Kindly advise which hosting and folder permissions are inadequate.

Thanks


Re: What is [kudos]DDOSER ?

Post by mandville » Fri Nov 14, 2014 10:21 pm


