Website found with hack code Topic is solved

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Website found with hack code

Post by Achaa » Fri Nov 02, 2018 6:05 pm

I'd appreciate some advice please.

(Long story short)
A little reverse engineering has led me to a website with active shell code still online.
The link is accessed via a $_GET call from a script on a compromised site.

The website doesn't have any pages displayed, so you'd have to know the exact link to get to the bad code.
I feel that this should be reported. But to whom?

Advice appreciated. :)
"Experts often possess more data than judgement."
All suggestions are given with good intent.
http://arbitrarytimes.com Where I test stuff.... :pop

sozzled
Joomla! Champion
Posts: 5832
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Website found with hack code

Post by sozzled » Fri Nov 02, 2018 6:15 pm

Achaa wrote:
Fri Nov 02, 2018 6:05 pm
I feel that this should be reported. But to whom?
In the first instance, report the issue to the person who owns (or is responsible for managing) the website.

Does it matter to anyone if this website contains a security flaw that has compromised this website? Is there a possibility that this security compromise will affect any of your websites (or any of mine), for that matter? There have got to be hundreds of thousands of websites on the internet that have security issues. I don't know if there's a great deal of benefit to anyone by reporting just another website (wherever there may be registries of compromised websites on the internet) because, frankly, I don't think any of us has the time to check if any of the sites we visit may be on a list.

If the compromised website is indexed by Google, you could report the matter to Google (I guess). Unless this problem is related to Joomla security and, in particular, to the security of websites used by this forum community, I somehow see this as a discussion for "The Lounge". Cheers. :)
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Fri Nov 02, 2018 6:39 pm

The compromised website was (is) a Joomla website. It wouldn't have occurred to me to ask this question here if it wasn't.

The owner is aware, as he asked me to look into it. I have no idea if (or how) it would affect anyone else as I removed the code.
(I went through the logs and found how it was activated and then replicated it offline.)
After following the trail and finding the code, I went through the usual decoding routines and found the shell code. What they were going to do with it - again, I have no idea.

As far as I am concerned the website is still compromised as I have no idea how they got the initial code onto the server. It's no longer my concern as they will need to get it looked at by a pro.

What I feel is my concern, is that the shell code is just sitting there waiting to be downloaded by more compromised (Joomla?) sites.
Which of course leads me to my initial question.

AMurray
Joomla! Virtuoso
Posts: 3951
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Website found with hack code

Post by AMurray » Sat Nov 03, 2018 11:01 pm

On the message list for this sub-forum (Security in Joomla) there is a post instructing how to recover from a hack: viewtopic.php?f=714&t=946026 - suggest following that in the first instance.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Sun Nov 04, 2018 11:46 am

Hi A Murray, thanks for your input.

I don't believe this site is compromised. I believe it is deliberately and maliciously serving the code to sites that are compromised.

annahersh
Joomla! Explorer
Posts: 271
Joined: Wed Aug 15, 2018 8:23 pm

Re: Website found with hack code

Post by annahersh » Thu Nov 08, 2018 4:58 pm

If you are concerned that a third party extension is the culprit, report at https://vel.joomla.org/submit-vel

Webdongle
Joomla! Master
Posts: 35867
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website found with hack code

Post by Webdongle » Thu Nov 08, 2018 5:32 pm

Achaa wrote:
Sun Nov 04, 2018 11:46 am
Hi A Murray, thanks for your input.

I don't believe this site is compromised. I believe it is deliberately and maliciously serving the code to sites that are compromised.
If it was code added to the site (whether it directly affects the site or serves malicious code to other sites) then the site has been compromised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Fri Nov 09, 2018 12:54 pm

Sorry to push this point, I just want to make sure I'm understanding this clearly.

Are you saying that a website, that is set-up with the sole intention of delivering malicious code - is compromised?

Webdongle
Joomla! Master
Posts: 35867
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website found with hack code

Post by Webdongle » Fri Nov 09, 2018 2:03 pm

Achaa wrote:
Fri Nov 09, 2018 12:54 pm
...
Are you saying that a website, that is set-up with the sole intention of delivering malicious code - is compromised?
I am a little confused here ... is the site you are talking about a site that you are helping to administrate? Is that the site that is set up to distribute malicious code?

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Fri Nov 09, 2018 4:51 pm

ok, there are two sites involved.

Site A: Belongs to a friend.
A directory on site A, contained code that led to site B.
The link on site B contains shell code. (This would be downloaded if someone triggered the code by entering a certain string.)

Site B: Appears to be completely blank.
It does however contain the shell code, but you'd only know that by following the path from site A.

As far as I can see, site B only exists to serve up bad code.

Webdongle
Joomla! Master
Posts: 35867
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website found with hack code

Post by Webdongle » Fri Nov 09, 2018 4:59 pm

Achaa wrote:
Fri Nov 09, 2018 4:51 pm
...
Site A: Belongs to a friend.
A directory on site A, contained code that led to site B....
Then I say again
If it was code added to the site (whether it directly affects the site or serves malicious code to other sites) then the site has been compromised.

In other words your friend's site that has had code added to it (that may not directly affect his site but serves code to another site) has been compromised. By virtue of the fact that your friend's site contains code that was placed by someone else ... then it has been compromised. Follow the instructions and links on viewtopic.php?f=714&t=946026 or hire a professional to clean and secure the site.

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Fri Nov 09, 2018 5:09 pm

It seems we have severely crossed wires here.

I am aware of what you are saying. Really.
Achaa wrote:
Fri Nov 02, 2018 6:39 pm
As far as I am concerned the website is still compromised as I have no idea how they got the initial code onto the server. It's no longer my concern as they will need to get it looked at by a pro.
It no longer has anything to do with me.
I was just concerned that Site B is sitting there with code on it ready to infect other sites.
Achaa wrote:
Fri Nov 02, 2018 6:39 pm
What I feel is my concern, is that the shell code is just sitting there waiting to be downloaded by more compromised (Joomla?) sites.

Webdongle
Joomla! Master
Posts: 35867
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website found with hack code

Post by Webdongle » Fri Nov 09, 2018 5:15 pm

Then use https://centralops.net/co/ to find who their Host is and report it there?

sozzled
Joomla! Champion
Posts: 5832
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Website found with hack code

Post by sozzled » Fri Nov 09, 2018 7:17 pm

I don't think there is a problem for this forum/community. There may be a problem for the owner of the website but as the OP is not the owner of the website then it's stretching a point to ask for advice concerning what might be possible for the OP to consider in these circumstances.

While it is a "community responsibility" to be aware of risks in using the internet there are two matters that, in my opinion, fall outside of the purpose of this forum:

1) This is not a place to publicly name (or shame) other people's websites. Unless the site owners of these websites are also members of the community, it is unfair to publicly criticise someone else's website without offering the owner of that website the opportunity to respond.

2) There is no obligation on anyone to rectify any problem(s)—even problems that may pose a security risk to others—but, if there is a matter of concern, there are other means outside the use of this forum that are available. Websites that are involved with illegal activities (e.g. phishing scams, ransomware, etc.) can be reported to local law enforcement authorities; websites that redirect their visitors to disreputable or unwanted services/providers can be reported to consumer watchdog authorities.

Websites that have been compromised (i.e. hacked without the owner's knowledge) are a different matter. If someone is aware that a website has been compromised like this, then that same "someone" may attempt to contact the site owner to inform them of the matter; it's entirely a matter for the owner of that site to rectify the issue. It is not our task to comment on how to go about making that contact, whether the issue warrants attention or whether the issues raised in this forum have any impact on (a) individual sites, (b) the reputation of a website, or (c) the community at large unless there is evidence to show how these matters are relevant or important.

Finally, if the OP is not involved with the problem site or is "no longer involved" with the problem site then the OP should probably leave this issue alone. The problem is for someone else—not a member of this forum community—to address or not as they choose.

Not a "Security in J! 3.x" topic, in my opinion; more like a discussion for The Lounge. I've asked the forum moderators to relocate the topic on that basis.

Achaa
Joomla! Enthusiast
Posts: 126
Joined: Mon Jul 29, 2013 8:25 pm

Re: Website found with hack code

Post by Achaa » Fri Nov 09, 2018 8:52 pm

Webdongle wrote:
Fri Nov 09, 2018 5:15 pm
Then use https://centralops.net/co/ to find who their Host is and report it there?
Thank you.

