com_users/views/dir.php HACK!!

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
x126
Joomla! Explorer
Joomla! Explorer
Posts: 405
Joined: Sun May 07, 2006 8:24 pm

com_users/views/dir.php HACK!!

Post by x126 » Wed Dec 24, 2014 3:30 pm

I just found a file in my com_users/views directory

running J 2.5.7

the file is called dir.php and seems to be the cause of thousands of emails being sent via this account on the server. I compared the com_users directory to the original 2.5.7 install directory and the dir.php is not present.

I did a quick search in Google for some of the code contained in it and it brings up something from pastebin.com ( The only result which was indexed 11 hours ago, which coincides with the time emails started)

https://www.google.com/[removed]

Anyone else experience this?

Is this a new Vulnerability????

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22157
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: com_users/views/dir.php HACK!!

Post by pe7er » Wed Dec 24, 2014 4:47 pm

x126 wrote:running J 2.5.7 [..] Is this a new Vulnerability????
No, you are using an outdated Joomla version.
The latest version in the 2.5 series is Joomla 2.5.28.

All Joomla versions below Joomla 2.5.14 (like your version 2.5.7) have a security issue which was solved by the 2.5.14 update.

To solve your problem, see https://docs.joomla.org/Security_Checkl ... or_defaced
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

x126
Joomla! Explorer
Joomla! Explorer
Posts: 405
Joined: Sun May 07, 2006 8:24 pm

Re: com_users/views/dir.php HACK!!

Post by x126 » Wed Dec 24, 2014 4:59 pm

My Mistake! My current version is actually 2.5.27

But in Joomla Update Component it states...

No updates available
You already have the latest Joomla! version, 2.5.27.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19553
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: com_users/views/dir.php HACK!!

Post by leolam » Thu Dec 25, 2014 4:08 am

x126 wrote:Is this a new Vulnerability????
No you have been hacked and whacked. That file is not a Joomla file

Only thing you can do is follow the entire list that Mandville posted:



[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the Security Checklist 7 document.


Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services


Locked

Return to “Security in Joomla! 2.5”