Configuration file compromised on PW-protected site

Discussion regarding Joomla! 3.x security issues.

bulgin
Joomla! Enthusiast
Posts: 178
Joined: Sun Sep 30, 2007 10:18 pm

Configuration file compromised on PW-protected site

Post by bulgin » Tue Oct 01, 2019 12:04 am

Joomla! 3.9.10 Stable

If the entire configuration file is compromised, what steps are required to protect the site given that no breach has occurred? No breach has occurred because the entire site was behind two factor authentication AND http basic authentication.

The site shows no signs of compromise whatsoever and logs files show no suspicious activity.

Other than changing the password for the mysql database, are there any worries about the "secret"?

toivo
Joomla! Master
Posts: 11455
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: Configuration file compromised on PW-protected site

Post by toivo » Tue Oct 01, 2019 12:12 am

Please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs/.
Toivo Talikka, Global Moderator

bulgin
Joomla! Enthusiast
Posts: 178
Joined: Sun Sep 30, 2007 10:18 pm

Re: Configuration file compromised on PW-protected site

Post by bulgin » Tue Oct 01, 2019 12:30 am

Forum Post Assistant (v1.4.9 (lambrusca) : 1st October 2019
Basic Environment ::
Joomla! Instance :: Joomla! 3.9.8-Stable (Amani) 11-June-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.8: Yes | Database Supports J! 3.9.8: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-957.27.2.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 57.30 GiB |

PHP Configuration :: Version: 7.2.22 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32759 | Log Errors To: /home/emailbucket/logs/habitat_haus.php.error.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

Database Configuration :: Version: 5.7.27 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 5.56 MiB | #of Tables: 108
Detailed Environment ::
PHP Extensions :: Core (7.2.22) | date (7.2.22) | libxml (7.2.22) | openssl (7.2.22) | pcre (7.2.22) | zlib (7.2.22) | filter (7.2.22) | hash (1.0) | pcntl (7.2.22) | Reflection (7.2.22) | SPL (7.2.22) | session (7.2.22) | standard (7.2.22) | cgi-fcgi () | bcmath (7.2.22) | calendar (7.2.22) | ctype (7.2.22) | curl (7.2.22) | dom (20031129) | fileinfo (1.0.5) | ftp (7.2.22) | gd (7.2.22) | iconv (7.2.22) | imap (7.2.22) | intl (1.1.0) | json (1.6.0) | mbstring (7.2.22) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $) | PDO (7.2.22) | Phar (2.0.2) | posix (7.2.22) | SimpleXML (7.2.22) | sockets (7.2.22) | sqlite3 (7.2.22) | tokenizer (7.2.22) | xml (7.2.22) | xmlwriter (7.2.22) | xsl (7.2.22) | zip (1.15.4) | mysqli (7.2.22) | pdo_mysql (7.2.22) | pdo_sqlite (7.2.22) | wddx (7.2.22) | xmlreader (7.2.22) | redis (4.2.0) | Zend Engine (3.2.0) |
Potential Missing Extensions ::
Disabled Functions :: exec | passthru | shell_exec | system |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 79955 | Threads: 1 | Questions: 23823 | Slow queries: 0 | Opens: 10603 | Flush tables: 1 | Open tables: 1995 | Queries per second avg: 0.297 |
Extensions Discovered ::
Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_STYLESELECT_TITLE (2.7.14) ? | WF_FULLSCREEN_TITLE (2.7.14) ? | WF_TEXTCASE_TITLE (2.7.14) ? | WF_HR_TITLE (2.7.14) ? | WF_SPELLCHECKER_TITLE (2.7.14) ? | WF_BROWSER_TITLE (2.7.14) ? | WF_FONTCOLOR_TITLE (2.7.14) ? | WF_LAYER_TITLE (2.7.14) ? | WF_IMGMANAGER_TITLE (2.7.14) ? | WF_FONTSIZESELECT_TITLE (2.7.14) ? | WF_XHTMLXTRAS_TITLE (2.7.14) ? | WF_EMOTIONS_TITLE (2.7.14) ? | WF_CLEANUP_TITLE (2.7.14) ? | WF_AUTOSAVE_TITLE (2.7.14) ? | WF_CONTEXTMENU_TITLE (2.7.14) ? | WF_SOURCE_TITLE (2.7.14) ? | WF_CHARMAP_TITLE (2.7.14) ? | WF_DIRECTIONALITY_TITLE (2.7.14) ? | WF_VISUALCHARS_TITLE (2.7.14) ? | WF_ARTICLE_TITLE (2.7.14) ? | WF_KITCHENSINK_TITLE (2.7.14) ? | WF_CLIPBOARD_TITLE (2.7.14) ? | WF_VISUALBLOCKS_TITLE (2.7.14) ? | WF_LINK_TITLE (2.7.14) ? | WF_WORDCOUNT_TITLE (2.7.14) ? | WF_SEARCHREPLACE_TITLE (2.7.14) ? | WF_MEDIA_TITLE (2.7.14) ? | WF_NONBREAKING_TITLE (2.7.14) ? | WF_STYLE_TITLE (2.7.14) ? | WF_FORMATSELECT_TITLE (2.7.14) ? | WF_ANCHOR_TITLE (2.7.14) ? | WF_INLINEPOPUPS_TITLE (2.7.10) ? | WF_LISTS_TITLE (2.7.14) ? | WF_FONTSELECT_TITLE (2.7.14) ? | WF_TABLE_TITLE (2.7.14) ? | WF_PREVIEW_TITLE (2.7.14) ? | WF_PRINT_TITLE (2.7.14) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.7.14) ? | WF_LINKS_JOOMLALINKS_TITLE (2.7.14) ? | WF_AGGREGATOR_[youtube]_TITLE (2.7.14) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.7.14) ? | WF_AGGREGATOR_VIMEO_TITLE (2.7.14) ? | WF_LINK_SEARCH_TITLE (2.7.14) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.7.14) ? |

Components :: ADMIN ::
Core :: com_installer (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_templates (3.0.0) 1 | com_config (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | com_admin (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_banners (3.0.0) 1 | com_menus (3.0.0) 1 | com_ajax (3.2.0) 1 | com_plugins (3.0.0) 1 | com_languages (3.0.0) 1 | com_content (3.0.0) 1 | com_checkin (3.0.0) 1 | com_categories (3.0.0) 1 | com_tags (3.1.0) 1 | com_finder (3.0.0) 1 | com_login (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_associations (3.7.0) 1 | com_search (3.0.0) 1 | com_privacy (3.9.0) 1 | com_media (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_fields (3.7.0) 1 | com_redirect (3.0.0) 1 | com_cache (3.0.0) 1 |
3rd Party:: COM_SPEASYIMAGEGALLERY (1.5.1) 1 | SP Page Builder (3.4.2) 1 | COM_JCE (2.7.14) 1 | FlexiContact (12.05) 1 | COM_BREEZINGFORMS (1.9.0 Stable ) 1 | sysbreezingforms (1.0.0) 1 | SP Simple Portfolio (1.7) 1 |

Modules :: SITE ::
Core :: mod_banners (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_login (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_tags_popular (3.1.0) 0 | mod_random_image (3.0.0) 1 | mod_tags_similar (3.1.0) 0 | mod_languages (3.5.0) 1 | mod_finder (3.0.0) 1 |
3rd Party:: SP Easy Image Gallery Module (1.3) 1 | SP Page Builder (1.2) 1 | SP Simple Portfolio Module (1.6) 1 | BreezingForms (1.8.4) 0 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_title (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_menu (3.0.0) 1 | mod_version (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_status (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_login (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_sampledata (3.8.0) 0 |
3rd Party:: mod_sppagebuilder_admin_menu (1.3) 1 | mod_sppagebuilder_icons (1.0.2) 1 |

Libraries ::
Core ::
3rd Party::

Plugins ::
Core :: plg_twofactorauth_totp (3.2.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_vote (3.0.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 0 | plg_system_stats (3.5.0) 0 | plg_system_p3p (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_languagefilter (3.0.0) 0 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_privacyconsent (3.9.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_sef (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | 
plg_fields_integer (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (2.0.1) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_search_newsfeeds (3.0.0) 0 | plg_search_content (3.0.0) 0 | plg_search_categories (3.0.0) 0 | plg_search_tags (3.0.0) 1 | plg_search_contacts (3.0.0) 0 | plg_finder_newsfeeds (3.0.0) 0 | plg_finder_content (3.0.0) 0 | plg_finder_categories (3.0.0) 0 | plg_finder_tags (3.0.0) 0 | plg_finder_contacts (3.0.0) 0 | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_contactcreator (3.0.0) 0 |
3rd Party:: BreezingForms (1.8) 0 | BreezingForms - Content - Download (1.1) 0 | plg_content_jce (2.7.14) 1 | BreezingForms - Content - Image Sca (1.1) ? | plg_quickicon_jce (2.7.14) 1 | BreezingForms - AddOns - Telegram (1.0) 0 | BreezingForms - AddOns - GData (1.3) 0 | PLG_CWGEARS (0.5.6) 1 | plg_system_jce (2.7.14) 1 | sysbreezingforms (1.0.0) 1 | CacheControl (1.1) 0 | System - Helix Ultimate Framework (1.1.1) 1 | plg_extension_jce (2.7.14) 1 | plg_fields_mediajce (2.7.14) 1 | plg_editors_jce (2.7.14) 1 | plg_editors_tinymce (4.5.11) 1 | plg_editors_codemirror (5.40.0) 1 | plg_installer_jce (2.7.14) 1 |
Templates Discovered ::
Templates :: SITE :: protostar (1.0) ? | shaper_helixultimate (1.1.1) 1 | beez3 (3.1.0) ? |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |
Last edited by toivo on Tue Oct 01, 2019 1:23 am, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability

sozzled
Joomla! Exemplar
Posts: 8009
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Configuration file compromised on PW-protected site

Post by sozzled » Tue Oct 01, 2019 12:39 am

Apart from running a version of J! that's been superseded—would recommend that you update to J! 3.9.12—I would suggest that you increase the PHP settings for Max. Upload Size and Max. POST Size. You may have problems updating J! if they're not set to a minimum of about 32M for each of those.

You might also like to consider using multibyte database collation/character encoding, and also change the Session Handler to "PHP" (for overall improvement to performance).

The rest of the report seems to be OK as far as protecting the configuration.php is concerned. Thanks. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

bulgin
Joomla! Enthusiast
Posts: 178
Joined: Sun Sep 30, 2007 10:18 pm

Re: Configuration file compromised on PW-protected site

Post by bulgin » Tue Oct 01, 2019 12:42 am

Thank you! I'm concerned that the configuration file was compromised - and as you know the secret and database passwords are in it.

Aren't these a concern? I intend to follow through on your suggestions and of course change the mysql password, but I'm concerned about the so-called "secret" string.
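A concrete way to act on the worry above, as an added example that is not code from the thread or from Joomla: it replaces the $secret value in configuration.php with a fresh random one and flags the 444 mode shown in the FPA report, which lets every local account on the host read the file. It assumes the Joomla 3 file layout and a 16-character alphanumeric secret, the length the Joomla 3 installer generates; the database password is changed separately, in MySQL and then in the same file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Joomla: rotate the $secret
# in a Joomla 3 configuration.php and flag a file other local users can read.
# Assumes the Joomla 3 layout and a 16-char alphanumeric secret (installer default).
set -eu

# Fresh 16-character alphanumeric secret from the kernel CSPRNG.
new_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Print the $secret value currently stored in the given configuration.php.
get_secret() {
    sed -n "s/^[[:space:]]*public \$secret = '\([^']*\)';.*/\1/p" "$1"
}

# True (exit 0) when "other" users can read the file; the 444 mode in the
# FPA report means every local account on the host can read it.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Replace $secret with a fresh value, keeping a timestamped backup and the
# file's owner and read-only mode. Prints the new secret.
rotate_secret() {
    cfg=$1
    secret=$(new_secret)
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    owner_w=$(ls -ld "$cfg" | cut -c3)            # '-' when owner lacks write
    chmod u+w "$cfg"
    sed "s/\(public \$secret = '\)[^']*'/\1$secret'/" "$cfg" > "$cfg.new"
    cat "$cfg.new" > "$cfg" && rm -f "$cfg.new"   # in place: same inode, owner, mode
    [ "$owner_w" = "-" ] && chmod u-w "$cfg"
    printf '%s\n' "$secret"
}

# Constructed sample configuration.php (invented for this example), set to
# 444 like the one in the FPA report. Prints its path.
make_sample_config() {
    cfg="$(mktemp -d)/configuration.php"
    cat > "$cfg" <<'EOF'
<?php
class JConfig {
    public $password = 'CHANGE-ME-TOO';
    public $secret = 'OLDsecretOLDsecr';
}
EOF
    chmod 444 "$cfg"
    printf '%s\n' "$cfg"
}
```

Joomla 3 also uses this secret as the key for users' stored two-factor settings, so expect to re-enrol 2FA after rotating it.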

AMurray
Joomla! Champion
Posts: 5026
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Configuration file compromised on PW-protected site

Post by AMurray » Wed Oct 02, 2019 9:48 am

I would suggest getting a site audit done on https://mysites.guru. The first audit is free but otherwise is a subscription service. The audit will identify any security issues, which may not be obvious in the FPA above.

It's a worthwhile tool to have in your webmaster toolbox.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

AMurray
Joomla! Champion
Posts: 5026
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Configuration file compromised on PW-protected site

Post by AMurray » Wed Oct 02, 2019 9:50 am

You don't appear to have any backup tool....would suggest Akeeba Backup (free edition), for easy to manage backups.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

sozzled
Joomla! Exemplar
Posts: 8009
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Configuration file compromised on PW-protected site

Post by sozzled » Wed Oct 02, 2019 9:53 am

bulgin wrote:
Tue Oct 01, 2019 12:42 am
I'm concerned that the configuration file was compromised - and as you know the secret and database passwords are in it.
Yep! These things are in everyone's configuration.php file. Your J! website won't run without it (nor will any of mine or anyone else's).
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

toivo
Joomla! Master
Posts: 11455
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: Configuration file compromised on PW-protected site

Post by toivo » Wed Oct 02, 2019 10:11 am

The software audit and notifications from the mysites.guru service would assist in updating third party extensions like JCE, SP Page Builder and BreezingForms, which are currently out of date.
Toivo Talikka, Global Moderator
