RSA-2048 Encrypted files - Hack

Discussion regarding Joomla! 3.x security issues.

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 4:33 pm

Hi Guys

After the recent vulnerability where Joomla sites were hacked with scripting, I have updated all my Joomla sites to Joomla! 3.4.8 and made backups with Akeeba.

This morning I found that several of my sites were hacked and all files were encrypted, including the akeeba .jpa files.

This is huge as I cannot use the Akeeba files that are on the server in the backup folder.

The hackers ask for 0.5 bitcoin ($500) for the encryption key, which I obviously will not pay, but this leaves me with a huge amount of work... sites will have to be rebuilt etc.

This is an example of one of the hacked sites: http://blackbusinessgrants.co.za/

Please let me know if you know of any extension that will protect Joomla! sites against this kind of hacking.

Any help or advice will be appreciated.

Regards

JJ

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 4:52 pm

Hi there,

if those files are really encrypted (post a sample of index.php here) you will have to find a backup which wasn't in the folder with the rest of your files. Clearly, keeping backups on the same hosting account as the website itself is not a good practice.

Did you inform your hosting provider and ask for their backups?
Did you find any traces of access via Access Logs or FTP transfer logs? Your hosting provider can help with that also ...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

brian (Joomla! Master, 11726 posts, joined Fri Aug 12, 2005 7:19 am, Leeds, UK)

Post by brian » Mon Jan 04, 2016 5:00 pm

Seen a few cases of this this week. In all cases the FTP logs showed that the site was downloaded via FTP and then encrypted files uploaded. This is not something that a Joomla extension could prevent, as it's not Joomla specific.

Of course you should never keep your backups on the server; that's as good as keeping your spare keys inside the house.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
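The pattern brian describes (a client pulls the whole site down over FTP, then pushes encrypted copies back up) is visible in the FTP server's transfer log, which Bernard T also suggests checking. The script below is an added example, not code from this thread: it parses xferlog-format records (what proftpd and wu-ftpd write: five timestamp tokens, transfer time, remote host, size, path, type, action flag, direction, mode, user, service, auth, uid, status; direction `o` is a download by the client, `i` an upload) and flags sessions that upload files with the `.encrypted` suffix Joe_SA reports, or that download a batch of files and then upload a batch. The log lines are constructed (RFC 5737 addresses); the three-file threshold is an assumption.

```python
"""Triage an FTP transfer log (xferlog format) for pull-then-push sessions.

Added example for the thread above, not code from the thread. Sample log
lines are constructed; the ".encrypted" suffix is from Joe_SA's report and
the min_files threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one client downloads three files, then uploads three
# ".encrypted" copies; a second client just uploads a logo.
SAMPLE_XFERLOG = """\
Mon Jan  4 02:10:11 2016 1 203.0.113.9 4271 /home/bbg/public_html/index.php b _ o r bbguser ftp 0 * c
Mon Jan  4 02:10:12 2016 1 203.0.113.9 2313 /home/bbg/public_html/configuration.php b _ o r bbguser ftp 0 * c
Mon Jan  4 02:10:12 2016 1 203.0.113.9 98811 /home/bbg/public_html/libraries/joomla.php b _ o r bbguser ftp 0 * c
Mon Jan  4 02:41:30 2016 1 203.0.113.9 4303 /home/bbg/public_html/index.php.encrypted b _ i r bbguser ftp 0 * c
Mon Jan  4 02:41:31 2016 1 203.0.113.9 2345 /home/bbg/public_html/configuration.php.encrypted b _ i r bbguser ftp 0 * c
Mon Jan  4 02:41:35 2016 1 203.0.113.9 98843 /home/bbg/public_html/libraries/joomla.php.encrypted b _ i r bbguser ftp 0 * c
Mon Jan  4 09:02:00 2016 1 198.51.100.7 1200 /home/bbg/public_html/images/logo.png b _ i r bbguser ftp 0 * c
"""


@dataclass
class Transfer:
    seq: int          # position in the log; orders downloads against uploads
    ts: str
    host: str
    path: str
    direction: str    # 'o' = client downloaded from server, 'i' = client uploaded
    user: str


def parse_xferlog(text):
    """Split xferlog records on whitespace (xferlog writes spaces in paths as '_')."""
    transfers = []
    for n, line in enumerate(text.splitlines()):
        parts = line.split()
        if len(parts) < 18:
            continue  # not a complete xferlog record
        transfers.append(Transfer(
            seq=n, ts=" ".join(parts[:5]), host=parts[6], path=parts[8],
            direction=parts[11], user=parts[13]))
    return transfers


@dataclass
class Session:
    downloads: list = field(default_factory=list)
    uploads: list = field(default_factory=list)


def find_pull_then_push(transfers, min_files=3, suffix=".encrypted"):
    """Group transfers by (remote host, FTP user) and flag sessions that upload
    files carrying the ransomware suffix, or that download at least min_files
    and only afterwards upload at least min_files."""
    sessions = defaultdict(Session)
    for t in transfers:
        s = sessions[(t.host, t.user)]
        (s.downloads if t.direction == "o" else s.uploads).append(t)

    findings = []
    for (host, user), s in sessions.items():
        enc = [t.path for t in s.uploads if t.path.endswith(suffix)]
        pulled_then_pushed = (
            len(s.downloads) >= min_files and len(s.uploads) >= min_files
            and max(t.seq for t in s.downloads) < min(t.seq for t in s.uploads)
        )
        if enc or pulled_then_pushed:
            findings.append({
                "host": host, "user": user,
                "downloaded": len(s.downloads), "uploaded": len(s.uploads),
                "encrypted_uploads": enc,
                "first_download": s.downloads[0].ts if s.downloads else None,
                "first_upload": s.uploads[0].ts if s.uploads else None,
            })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFERLOG
    for finding in find_pull_then_push(parse_xferlog(text)):
        print(finding)
```

Run it against the real xferlog (`python ftp_triage.py /var/log/xferlog`); the `first_download` timestamp of a flagged session is the time to take to the hosting provider, and the `host` field is the address Bernard T asks about later in the thread.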

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 5:08 pm

Hi Bernard

Yup, they were really encrypted, as I downloaded the .jpa file... it was called (e.g.) site_backup.jpa.encrypted

I renamed it back to site_backup.jpa and akeeba did not recognize it as a .jpa file

See attached the encrypted index.php file (I could not add the file as it was called index.php.encrypted, so I removed the .encrypted and tried to add it as index.php, but it would still not accept it, so I packed it as a RAR).

Yup. I know I need an off server backup and will have to go crawling to my hosts as I do not have any...

I am downloading backups from unaffected sites frantically as we speak.

I now have 6 sites that are hacked like this and counting.

I need to install an extension that will prevent this.

If you Google RSA-2048 you will find that this is the hack used on Windows PCs to capture and encrypt all files and then hold the owner to ransom for money.

I am surprised that this has not been discussed on the forum yet... This only happened to my Joomla! sites that I recently upgraded to Joomla! 3.4.8

6 from 26 Websites have been hacked and I am only on the letter "C"

It is really terrifying...

Regards

JJ
Last edited by Joe_SA on Mon Jan 04, 2016 5:13 pm, edited 1 time in total.

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 5:12 pm

If the FTP log files confirm the offsite encryption, then it's just a new generation of the CryptoLocker-clone malware family.
Btw. it would be interesting to get and compare destination IP addresses. I am sure the attackers rotate them, but they can't do it way too often.

A security script running on the website itself could notice sudden file changes and alert the user, but probably that would be too late. In most cases hosted software couldn't do anything about e.g. disabling FTP access.

Saving your FTP credentials in the FTP client, and using unprotected plain-text FTP connections, is a high risk which enables such attacks.

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 5:16 pm

Yeah... our FTP is locked in the control panel and can only be unlocked by time or IP

I still need to check if the sites were on the same server and if it might have been a server issue.

But for now I would really suggest that anyone using Akeeba should keep backups off their servers.

The fact that it only happened with Joomla! 3.4.8 sites is really alarming.

Btw... I added the index.php in RAR format with my previous post.

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 5:17 pm

Joe_SA wrote: I am downloading backups from unaffected sites frantically as we speak.
First thing to do immediately is to either change the FTP username / passwords or disable FTP access. Then deleting all (let me guess - Filezilla?) stored passwords.

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 5:23 pm

Joe_SA wrote:Yeah... our FTP is locked in the control panel and can only be unlocked by time or IP

The fact that it only happened with Joomla! 3.4.8 sites is really alarming.
Joomla version has nothing to do with this issue if the FTP is being used for retransfer of the files.

All backups should be kept offsite, no matter which way they are being created.

I don't like to be a bearer of bad news, but in this situation there is a high probability your computer is infected with some malware, or even a cryptolocker, so you should take some urgent actions regarding your local computer backups and scanning as well.
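Bernard T and brian both make the same point: a backup that sits in the web root is encrypted together with the site. The design that survives this is a pull: a separate backup host fetches the archives, and the web host never holds a credential for the store, so whoever owns the site cannot reach the copies. The script below is an added example, not code from the thread or from Akeeba. It archives `.jpa` files write-once with a SHA-256 sidecar and re-verifies them; here both directories are local so it runs offline, whereas in practice the source would be an rsync or scp path on the web host and the script would run on the backup host.

```sh
#!/bin/sh
# Added example, not from the thread: a write-once "pull" backup store meant to
# run on a backup host, not on the web server. Assumptions: backups are Akeeba
# .jpa files in one directory; SRC and DST are local here so it runs offline.

hash_file() {
    # sha256sum on Linux, shasum on macOS/BSD; print only the digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy every *.jpa from SRC into DST that is not already archived. Archived
# copies are write-once: an existing name is never overwritten, so a run made
# after the site was encrypted (or the .jpa swapped for garbage) cannot clobber
# a good copy. Each copy gets a .sha256 sidecar and is made read-only.
pull_backups() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in "$src"/*.jpa; do
        [ -e "$f" ] || continue
        target="$dst/$(basename "$f")"
        if [ -e "$target" ]; then
            continue
        fi
        cp "$f" "$target"
        hash_file "$target" > "$target.sha256"
        chmod 444 "$target" "$target.sha256"
    done
}

# Re-hash every archived copy against its sidecar; returns non-zero if any differ.
verify_backups() {
    dst="$1"; rc=0
    for h in "$dst"/*.sha256; do
        [ -e "$h" ] || continue
        f="${h%.sha256}"
        if [ "$(cat "$h")" != "$(hash_file "$f")" ]; then
            echo "MISMATCH: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: pull_backups.sh <dir-with-jpa-files> <backup-store>
if [ $# -eq 2 ]; then
    pull_backups "$1" "$2"
    verify_backups "$2" && echo "all archived backups verify"
fi
```

Run it from cron on the backup host with a read-only account on the web host. Retention (deleting old archives) belongs in a separate step that also runs only on the backup host; the `chmod 444` is a guard against accidents, not against root on the backup host itself.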

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 5:33 pm

Bernard T wrote:I don't like to be a bearer of bad news, but in this situation there is a high probability your computer is infected with some malware, or even a cryptolocker, so you should take some urgent actions regarding your local computer backups and scanning as well.
This is unlikely as I do not use FTP unless absolutely required.

I don't even use it to download the backup files but rather downloading from the file manager.
Bernard T wrote:All backups should be kept offsite, no matter which way they are being created.
The mere quantity of my sites did not enable me to do this... In the last two weeks I had to upgrade all sites to Joomla! 3.4.8 because of the last vulnerability... then had to make backups of all of them. Before I could even get to saving those backups off site the new hack appeared.

Hectic... I tell you

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 5:43 pm

Bernard T wrote:Joomla version has nothing to do with this issue if the FTP is being used for retransfer of the files.
How would you explain that from over 500 websites of which about 200 were designed by us and probably only 100 with Joomla! the only sites with this issue are Joomla! 3.4.8 websites?

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 5:47 pm

brian wrote:Seen a few cases of this this week. In all cases the ftp logs showed that the site was downloaded via ftp and then encrypted files uploaded. This is not something that a joomla extension could prevent as its not joomla specific
Hi Brian... I will repeat my answer to Bernard

How would you explain that from over 500 websites of which about 200 were designed by us and probably only 100 with Joomla! the only sites with this issue are Joomla! 3.4.8 websites?

Also... none of the 6 sites, I have with this hack so far, had FTP near them.

mbabker (Joomla! Hero, 2176 posts, joined Sun Feb 28, 2010 8:26 pm)

Post by mbabker » Mon Jan 04, 2016 6:03 pm

You're assuming Joomla is the culprit. In a case like this, there are a lot of possibilities. Undocumented/reported Joomla issues, vulnerabilities in extensions, PHP security issues, a MITM attack that was able to catch a password, compromised local systems, or a root hack on the server. You might be able to trace when the hack was triggered (encryption of all the files), but it may be more difficult to determine when the site(s) were actually compromised and if this is something that was placed on your server some time ago.
So long and thanks for all the fish.

Manually updating Joomla? See https://gist.github.com/mbabker/d7bfb4e ... 3607f89281

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 6:11 pm

I hear you mbabker...

As explained previously, I am assuming this because the only sites that were hacked on all my servers were Joomla! 3.4.8 sites that were recently upgraded.

Of course it could be a server issue and I will definitely investigate that option further and will revert back to this post if I find anything else was in fact the issue rather than Joomla! 3.4.8

All I am saying is that this happened in the last 24 hours and it might be something to keep an eye on or even worth investigating before we get an epidemic on our hands.

;)

brokencup (Joomla! Apprentice, 5 posts, joined Mon Jan 04, 2016 6:21 pm)

Post by brokencup » Mon Jan 04, 2016 6:35 pm

I had four of my ten sites get hit with this last week. Two sites were on 3.4.5, one was on 3.4.6, and the last one was on a fresh copy of 3.4.7 (it was just a fresh install with an admin account, for a site that I decided to not use). I didn't realize 3.4.5 and 3.4.6 had security holes or I would have updated them sooner.

I rent and manage the dedicated server these are on, and saw where encryption commands were indeed executed, not from a shell though.

My initial thoughts were FTP as well, however my FTP logs show there was no FTP access the day it happened. The encryption commands were executed within around 4 hours of each other. Perhaps attackers somehow got a script uploaded to execute the encryption commands? Since everything was encrypted it wasn't really possible to do a virus/malware scan to find it.

Thankfully I had backups. The attackers also added themselves super admin accounts into the joomla db's. So even if you did pay these thieves, they would likely just repeat the attack.

I wish I had more info to provide, but I've already restored my sites, cleaned them, and updated them. I did see in my logs where they tried to log in to the super admin accounts that I deleted. As others have already said though, there are many ways this could have happened, so it is hard to pinpoint the point of entry.

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 6:50 pm

Thanx Brokencup... That is constructive news.

So it seems the vulnerability came through the server, right?

Once I have finished backing up the rest of my sites I will start digging into the servers.

So do you feel it might still be an attack on Joomla! sites although through the server?

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 7:04 pm

Joe_SA wrote:
Bernard T wrote:Joomla version has nothing to do with this issue if the FTP is being used for retransfer of the files.
How would you explain that from over 500 websites of which about 200 were designed by us and probably only 100 with Joomla! the only sites with this issue are Joomla! 3.4.8 websites?
Please notice the condition emphasized above.
Since we are currently blindly guessing what might be the modus operandi, and Brian provided clues that in recent days the same issue had proven to be FTP-based.

Usually the FPA report could uncover additional clues, but in your situation the perpetrator made sure there is not much to analyze here.

Surely, it could be an older hack you didn't notice, or a new undetected vulnerability, or the whole server was compromised. My quick research shows that cryptolocker-inspired attacks on websites started only a few months ago. And some cases show that indeed the whole server was compromised and encrypted.

It's up to you to provide us some hard evidence, if possible, from recent logs. Then we could try to conclude how the hack really happened.


Here an interesting topic on the subject: http://serverfault.com/questions/730463 ... to-lockers ... Two interesting parts there:
They send me a PHP script with the private key, which I should upload to the server and run through a URL. Here is the decrypt file they sent me.
the code really contains packed binaries ...
Did you recovered files? – Paolo P. Nov 5 '15 at 15:01
Not really. I had to use the old backups I have – Shameer Nov 7 '15 at 8:40
Generally, without a proper private key there is no reversal at all. And this topic shows that paying the ransom doesn't guarantee the happy ending.
Joe_SA wrote:So do you feel it might still be an attack on Joomla! sites although through the server?
since this is the first topic here about such issue, but attacks are documented for several months now, I leave you to conclude yourself.

brokencup (Joomla! Apprentice, 5 posts, joined Mon Jan 04, 2016 6:21 pm)

Post by brokencup » Mon Jan 04, 2016 7:07 pm

Joe_SA, I'm not completely sure. I was pretty baffled by this one. I do know my server itself wasn't compromised at root or normal user level. I have root shell disabled, for security reasons, and logs on my normal user showed no access outside of my recorded logins.

I can't completely rule out FTP, as I don't directly manage those accounts (I just create them), individual site owners do. My backups were from 15 days prior to the attacks, and were clean, so there was a window for compromised FTPs to have uploaded something.

The only one that really leaves me puzzled, is that fresh 3.4.7 one getting encrypted. I did create an ftp account for it, but it was never used, and the credentials were not given to site owner.

My ftp account passwords are 20 character randomly generated cased characters, numbers, and symbols.

I also have fail2ban and a few other security tools in place to prohibit brute force attacks.

brokencup (Joomla! Apprentice, 5 posts, joined Mon Jan 04, 2016 6:21 pm)

Post by brokencup » Mon Jan 04, 2016 7:17 pm

If any of the restored sites get hit or if any of the other 6 do, I'll post again. I originally just wanted to post to say it wasn't exclusive to 3.4.8

The ip address that tried to access the deleted super admin accounts, 74.91.xx.xx , has several recent reports about it on anti-hacker alliance.

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 7:24 pm

brokencup wrote:The ip address that tried to access the deleted super admin accounts, 74.91.xx.xx , has several recent reports about it on anti-hacker alliance.
you can post the whole IP address here, there's no need to hide it.
TOR exit node?
At least to whom does the IP range belong?

brokencup (Joomla! Apprentice, 5 posts, joined Mon Jan 04, 2016 6:21 pm)

Post by brokencup » Mon Jan 04, 2016 7:35 pm

Unfortunately all I remember off top of my head were the 74.91, if i come across the log, I'll post rest of it.

One of the other sites had 77.221.147.16 attempt to login with the hacker created super admin account

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 7:45 pm

Brokencup...thanx again.

My sites are hosted on shared servers but without SSH access... It is however possible that one of the other website owners has requested SSH access and thereby compromised the server, or even through FTP on their side.

I rarely use FTP but on the hacked sites I know I did not use it.

There is one funny thing, and I have been going through all my Joomla! sites, downloading the .jpa backup files...

I have been doing this alphabetically... All six sites start with either "B" or "C", were Joomla! sites, and after that I have not discovered any hacks.

Almost done with downloads.. will post more info on here shortly

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Mon Jan 04, 2016 7:54 pm

Bernard

I do not wish to bark at you and if my previous post seemed like I did, I apologize.

I spent about 5 hours this morning researching the RSA-2048 cryptolocker attack, just to figure out the files cannot be decrypted.

It has been an extremely frustrating day and it is not over yet... I know that I was stupid in leaving the backup files on the server but that is now one of the reasons why I have so much work to do and definitely my own fault.

As you, I am trying to figure out how this happened and why it happened to my Joomla sites so that we can try and help others when this happens to them.

So please bear with me.. I will let you know if I have more info

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Mon Jan 04, 2016 8:09 pm

Joe_SA wrote:Bernard

I do not wish to bark at you and if my previous post seemed like I did, I apologize.
No apology needed, don't worry about it. I know you're stressed.

Do your stuff and let us know when you'll know more.

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Tue Jan 05, 2016 9:49 am

Seems this was part of the zero-day exploit after all.

The sites were exploited between 15 and 20 December and even though I updated them on and after 20 Dec it seems that it was too late.

Attached are the logs FYI

Regards

J

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Tue Jan 05, 2016 11:12 am

Thanks for sharing the findings with us.

Interestingly enough, the attacking IP is owned by GoDaddy, but it seems it kept actively attacking for several days without being deactivated by GoDaddy: http://www.abuseipdb.com/report-history/166.62.88.229

This vulnerability was patched with J!3.4.6 published on Dec 14 https://developer.joomla.org/security-c ... ility.html
So it can't be called "zero-day"; from that day on, the patch was available. Unfortunately, recent cases like yours confirm what we have been screaming for a long time: with every high-risk vulnerability fix it is of utmost importance to do the upgrades ASAP.
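Joe_SA's logs date the intrusion to 15-20 December, before his upgrade, and Bernard T points at the vulnerability fixed in Joomla! 3.4.6 (CVE-2015-8562: a serialized PHP object smuggled through the User-Agent header into the session table). That payload is easy to spot in a web server access log because the User-Agent field carries a serialized object whose class name is `JDatabaseDriverMysqli`, the string saren_s reports seeing further down in the thread. The scanner below is an added example, not code from the thread or from Joomla: it parses Apache/nginx "combined" format lines, unescapes the `\"` that Apache writes for quotes inside a header, and reports per source address the count, first-seen time and which markers matched. The log lines are constructed (RFC 5737 addresses) and the payload is truncated to its marker; it is not a working exploit.

```python
"""Scan a "combined" access log for the User-Agent object-injection attempts
used against unpatched Joomla sites in December 2015 (fixed in 3.4.6).

Added example, not code from the thread or from Joomla. The sample lines are
constructed and the payload is cut down to its marker strings.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Apache logs a literal " inside a header as \".
SAMPLE_ACCESS_LOG = r'''
198.51.100.23 - - [18/Dec/2015:03:14:07 +0000] "GET / HTTP/1.1" 200 11234 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}...}"
198.51.100.23 - - [18/Dec/2015:03:14:09 +0000] "GET / HTTP/1.1" 200 11234 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}...}"
203.0.113.77 - - [18/Dec/2015:03:20:41 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9876 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.0.2.5 - - [19/Dec/2015:11:02:55 +0000] "POST /index.php HTTP/1.1" 200 3210 "-" "O:8:\"stdClass\":0:{}"
'''

# Combined log format; quoted fields may contain backslash-escaped characters.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

MARKERS = {
    # the gadget class the December 2015 payloads start with
    "joomla_gadget": re.compile(r'O:21:"JDatabaseDriverMysqli"'),
    # any serialized PHP object in a User-Agent is suspicious on its own
    "serialized_object": re.compile(r'O:\d+:"[A-Za-z_\\]+"'),
    # "}__" closes the serialized session and starts a new key (the injection trick)
    "session_break": re.compile(r'^\}__'),
}


def unescape(field):
    """Undo Apache's escaping of quotes and backslashes in logged header values."""
    return field.replace('\\"', '"').replace('\\\\', '\\')


def scan(log_text):
    """Return {ip: {"count", "first_seen", "markers"}} for lines whose User-Agent
    matches at least one marker."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "markers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ua = unescape(m.group("ua"))
        found = {name for name, rx in MARKERS.items() if rx.search(ua)}
        if not found:
            continue
        h = hits[m.group("ip")]
        h["count"] += 1
        h["first_seen"] = h["first_seen"] or m.group("time")
        h["markers"] |= found
    return dict(hits)


def earliest_hit(hits):
    """Earliest first_seen across all sources as a datetime: the date the site
    was first attacked, which can be well before the day files were encrypted."""
    times = [datetime.strptime(h["first_seen"], "%d/%b/%Y:%H:%M:%S %z")
             for h in hits.values()]
    return min(times) if times else None


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    hits = scan(text)
    for ip, h in hits.items():
        print(ip, h["count"], h["first_seen"], sorted(h["markers"]))
    print("earliest:", earliest_hit(hits))
```

The `earliest_hit` date is the one that matters for recovery: any backup taken after it may already contain the attacker's session rows and super-admin accounts, which is the point mbabker and brokencup make above.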

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Tue Jan 05, 2016 2:45 pm

Yeah... oh well... rebuilding sites as we speak... 7 in total

Lesson learned, the hard way :)

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Tue Jan 05, 2016 3:02 pm

OK, glad to hear that.

I hope you got some backups from your hosting provider.

Joe_SA (Joomla! Intern, 63 posts, joined Sun Mar 24, 2013 11:23 am, Clarens, South Africa)

Post by Joe_SA » Tue Jan 05, 2016 4:13 pm

nope.. they were not helpful at all o.O

saren_s (Joomla! Fledgling, 4 posts, joined Sat Jan 02, 2016 5:14 am)

Post by saren_s » Tue Jan 05, 2016 4:45 pm

I just want to add my experience to this thread.

On Dec 29th 2015 I was hit with this exact same attack. All my website files were encrypted with a message asking for 0.5 bitcoins. All in all about 6 of my websites were encrypted, only 1 out of the 6 was showing the ransom message (below), while the other websites simply had their files encrypted. This was on a shared hosting server, with about 12 websites on the server. So, 6 out of my 12 websites were hit. My understanding is that once the hack has attacked one of your websites it can easily move around into another folder/domain/website on the shared server, it doesn't need to compromise 6 different websites to encrypt the files, it just needs to compromise one of the websites.

None of the websites were up to date, they all either had extensions or Joomla versions out of date. Joomla versions from 2.x to 3.x (most up to date was 3.4 at the time). I'm going to assume this was the root cause of my problem.

I did not have FTP enabled.

The hack had injected files which referenced 166.62.102.232 IP address (http://www.abuseipdb.com/report-history/166.62.102.232). I looked at the server logs and saw a lot of "JDatabaseDriverMysqli" exploit commands. These attacks happened on my server roughly about Dec 18/19th 2015 but the encryption only happened on the 29th.

I had to revert back to my backups, patch everything (both Joomla and extensions), change all passwords, create new backups, monitor 24/7 (I lost days of sleep on this rebuilding) and hope for the best. I then purchased RSFirewall and ensured it blocks all these attacks from happening again, I was aware that the latest Joomla blocks this exploit but I wanted a peace of mind and some sort of monitoring/alerting tools.

One thing I made sure was to ensure all my core Joomla files were actually matching what was on GitHub, RSFirewall has a very nifty feature that alerts you if you have altered core Joomla files.

Thankfully I had backups I could refer to, if I didn't I wouldn't know what to do right now. I'm still frantically monitoring all websites and looking at all logs one by one. My RSFirewall activity is off the scale charts, so many attempts to either upload blocked files, dangerous user agents, sessions exploits, etc etc.

Here is the message that was displayed when visiting the hacked website:
Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer.

To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow to decrypt the files, located on a secret server at the Internet. After that, nobody and never will be able to restore files...

To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 0.5 bitcoin(s) (~210 USD).
Without this key, you will never be able to get your original files back.

!!!!!!!!!!!!!!!!!!!!! PURSE FOR PAYMENT(ALSO AUTHORIZATION CODE): 1JGGJ3NmxoK9Gru1rzedMU3FCEPFahikKg !!!!!!!!!!!!!!!!!!!!!
WEBSITE: http://l4zd5dbd74wnle3l.onion. to

INSTRUCTION FOR DECRYPT:

After you made payment, you should go to website http://l4zd5dbd74wnle3l.onion. to
Use purse for payment as ur authorization code (1JGGJ3NmxoK9Gru1rzedMU3FCEPFahikKg).
If you already did the payment, you will see decryption pack available for download,
inside decryption pack - key and script for decryption, so all what you need just upload and run that script ( for example: http://http://domain.com/decrypt.php )

Also, at this website you can communicate with our supports and we can help you if you have any troubles,
but hope you understand we will not answer at any messages if you not able to pay.

!!!P.S. Our system is fully automatic, after payment you will receive you're decrypt pack IMMEDIATELY!!!

FAQ:
Q: How can I pay?
A: We are accept only bitcoins.

Q: Where to buy bitcoins?
A: We can't help you to buy bitcoins, but you can check link below: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)

Q: I already bought bitcoins, where i should send it.
A: 1JGGJ3NmxoK9Gru1rzedMU3FCEPFahikKg

Q: What gonna happen after payment?
A: Download button for decryption pack will be available after you made payment

Q: I pay, but still can't download decryption pack
A: You need to wait 3 confirmations for bitcoin transaction.

Q: How to use decryption pack?
A: Put all files from archive to your server and just run decrpyt.php (example: website.com/decrypt.php)

Q: Can I pay another currency?
A: No.
Last edited by Bernard T on Tue Jan 05, 2016 7:11 pm, edited 2 times in total.
Reason: urls disabled, ransom truncated
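Two posts above ask for the same control: Bernard T's "security script that notices sudden file changes", and the core-file check saren_s gets from RSFirewall (comparing the live install against known-good hashes). Both reduce to a file-integrity baseline. The script below is an added example, not code from the thread, from Joomla or from RSFirewall: it records a SHA-256 for every file under the web root, compares a later snapshot against that baseline, and recognises the ransomware signature the thread describes (most files removed and reappearing as `<name>.encrypted`). Assumptions: the baseline is taken from a known-clean install and stored off the web host (an attacker who can rewrite the site can also rewrite a manifest kept next to it), and the excluded directory names are the usual volatile Joomla directories.

```python
"""File-integrity baseline and ransomware-pattern check for a web root.

Added example, not code from the thread or from Joomla/RSFirewall. Keep the
manifest off the web host; the EXCLUDE_DIRS list is an assumption.
"""
import hashlib
import json
import os

# Assumed volatile Joomla directories that change on every request.
EXCLUDE_DIRS = {"cache", "tmp", "logs", "administrator/cache"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root,
    skipping EXCLUDE_DIRS."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/")
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in EXCLUDE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Added, removed and modified paths between two manifests."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def mass_rewrite_suffix(diff, threshold=0.5):
    """If at least `threshold` of the removed files reappear among the added
    files as <name><suffix>, return that suffix (e.g. ".encrypted"); else None."""
    if not diff["removed"]:
        return None
    added = diff["added"]
    votes = {}
    for path in diff["removed"]:
        for a in added:
            if a.startswith(path) and len(a) > len(path):
                sfx = a[len(path):]
                votes[sfx] = votes.get(sfx, 0) + 1
    if not votes:
        return None
    sfx, n = max(votes.items(), key=lambda kv: kv[1])
    return sfx if n / len(diff["removed"]) >= threshold else None


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "check"):
        sys.exit("usage: integrity.py baseline|check <webroot> <manifest.json>")
    cmd, root, manifest_path = sys.argv[1:4]
    if cmd == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        diff = compare(load_manifest(manifest_path), build_manifest(root))
        print(json.dumps(diff, indent=2))
        sfx = mass_rewrite_suffix(diff)
        if sfx:
            print(f"ALERT: {len(diff['removed'])} files replaced by *{sfx} copies")
```

Take the baseline right after a clean install or upgrade (`python integrity.py baseline /var/www/site /backup-host/site.json`) and run `check` from cron on a host that only has read access to the web root. A non-empty `modified` list on core files such as `index.php` or `configuration.php` is the alert saren_s describes; the `mass_rewrite_suffix` result is the case from this thread, by which time the useful action is restoring from the off-host copy, not cleaning.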

Bernard T (Joomla! Guru, 782 posts, joined Thu Jun 29, 2006 11:44 am, Hrvatska)

Post by Bernard T » Tue Jan 05, 2016 7:08 pm

saren_s wrote:This was on a shared hosting server, with about 12 websites on the server. So, 6 out of my 12 websites were hit. My understanding is that once the hack has attacked one of your websites it can easily move around into another folder/domain/website on the shared server, it doesn't need to compromise 6 different websites to encrypt the files, it just needs to compromise one of the websites
Major league hosting panels tend to place all domains in the same main homedir of the hosting account, and "run" HTTP daemon process under the same local user account. This makes compromising of all websites on the same account a breeze.

