Super user account created through frontend on Joomla 3.10.12

Discussion regarding Joomla! 3.x security issues.

cliveg2
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 24, 2020 9:57 am

Super user account created through frontend on Joomla 3.10.12

Post by cliveg2 » Wed Oct 25, 2023 12:12 pm

I've also noticed this on some of my sites. Initially I thought it was just ones still running 3.10, but it is also on some running 4.3.4. I have disabled the accounts, but it is really worrying that this has happened. We urgently need a fix for this, and some idea of how it was achieved to see if there is some form of work-around that can stop it happening again, especially on 3.10 as I guess we are not going to see a fix for this.
Last edited by toivo on Wed Oct 25, 2023 9:00 pm, edited 2 times in total.
Reason: mod note: split from https://forum.joomla.org/viewtopic.php?p=3705164

cliveg2
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 24, 2020 9:57 am

Re: Super User account hack: joomla_system [email protected] created via front-end

Post by cliveg2 » Wed Oct 25, 2023 1:16 pm

> @cliveg2 are any of your affected sites hosted on 20i?
Yes, all of them.

cliveg2
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 24, 2020 9:57 am

Re: Super User account hack: joomla_system [email protected] created via front-end

Post by cliveg2 » Wed Oct 25, 2023 4:05 pm

Forum Post Assistant (v1.6.6) : 25-Oct-2023 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 3.10.12-Stable (Daraja) 8-July-2023
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.10.12: Yes | Database Supports J! 3.10.12: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-1160.99.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip | System TMP Writable: Yes | Free Disk Space : 283.94 GiB |

PHP Configuration :: Version: 8.1.24 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 60 | Max. Execution Time: 300 | Memory Limit: 128M

Database Configuration :: Version: 10.4.26-MariaDB-log (Client:mysqlnd 8.1.24) | Database Size: 81.77 MiB | #of Tables with config prefix: 143 | #of other Tables: 0 | User Privileges : GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `cl49-a-jooml-ej`.* TO `cl49-a-jooml-ej`@`%`

Detailed Environment ::
PHP Extensions :: Core (8.1.24) | date (8.1.24) | libxml (8.1.24) | pcre (8.1.24) | zlib (8.1.24) | filter (8.1.24) | hash (8.1.24) | json (8.1.24) | pcntl (8.1.24) | readline (8.1.24) | Reflection (8.1.24) | SPL (8.1.24) | session (8.1.24) | standard (8.1.24) | cgi-fcgi (8.1.24) | bcmath (8.1.24) | bz2 (8.1.24) | calendar (8.1.24) | ctype (8.1.24) | curl (8.1.24) | dba (8.1.24) | dom (20031129) | mbstring (8.1.24) | FFI (8.1.24) | fileinfo (8.1.24) | ftp (8.1.24) | gd (8.1.24) | gettext (8.1.24) | gmp (8.1.24) | iconv (8.1.24) | imap (8.1.24) | intl (8.1.24) | ldap (8.1.24) | exif (8.1.24) | mysqlnd (mysqlnd 8.1.24) | odbc (8.1.24) | openssl (8.1.24) | PDO (8.1.24) | pgsql (8.1.24) | Phar (8.1.24) | posix (8.1.24) | pspell (8.1.24) | shmop (8.1.24) | SimpleXML (8.1.24) | snmp (8.1.24) | soap (8.1.24) | sockets (8.1.24) | sodium (8.1.24) | sqlite3 (8.1.24) | sysvmsg (8.1.24) | sysvsem (8.1.24) | sysvshm (8.1.24) | tidy (8.1.24) | tokenizer (8.1.24) | xml (8.1.24) | xmlwriter (8.1.24) | xsl (8.1.24) | zip (1.19.5) | mysqli (8.1.24) | pdo_dblib (8.1.24) | PDO_Firebird (8.1.24) | pdo_mysql (8.1.24) | PDO_ODBC (8.1.24) | pdo_pgsql (8.1.24) | pdo_sqlite (8.1.24) | xmlreader (8.1.24) | xmlrpc (1.0.0-dev) | imagick (3.7.0) | OAuth (2.0.7) | sqlsrv (5.10.1) | pdo_sqlsrv (5.10.1) | ionCube Loader (13.0.2) | SourceGuardian (14.0.2) | Zend OPcache (8.1.24) | Zend Engine (4.1.24) |
Potential Missing Extensions ::

Switch User Environment :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 21667747 | Threads: 105 | Questions: 54357725589 | Slow queries: 151412 | Opens: 1613251637 | Flush tables: 1 | Open tables: 16000 | Queries per second avg: 2508.693 |

Extensions Discovered ::
Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_VISUALBLOCKS_TITLE (2.9.51) ? | WF_DIRECTIONALITY_TITLE (2.9.51) ? | WF_EMOTIONS_TITLE (2.9.51) ? | WF_LISTS_TITLE (2.9.51) ? | WF_LANGCODE_TITLE (2.9.51) ? | WF_FORMATSELECT_TITLE (2.9.51) ? | WF_ARTICLE_TITLE (2.9.51) ? | WF_HELP_TITLE (2.9.51) ? | WF_ATTRIBUTES_TITLE (2.9.51) ? | WF_MEDIA_TITLE (2.9.51) ? | WF_BROWSER_TITLE (2.9.51) ? | WF_FONTSELECT_TITLE (2.9.51) ? | WF_STYLESELECT_TITLE (2.9.51) ? | WF_LINK_TITLE (2.9.51) ? | WF_NONBREAKING_TITLE (2.9.51) ? | WF_WORDCOUNT_TITLE (2.9.51) ? | WF_REFERENCE_TITLE (2.9.51) ? | WF_SEARCHREPLACE_TITLE (2.9.51) ? | WF_CONTEXTMENU_TITLE (2.9.51) ? | WF_TEXTCASE_TITLE (2.9.51) ? | WF_KITCHENSINK_TITLE (2.9.51) ? | WF_AUTOSAVE_TITLE (2.9.51) ? | WF_FONTSIZESELECT_TITLE (2.9.51) ? | WF_STYLE_TITLE (2.9.51) ? | WF_TABLE_TITLE (2.9.51) ? | WF_CHARMAP_TITLE (2.9.51) ? | WF_SPELLCHECKER_TITLE (2.9.51) ? | WF_CLEANUP_TITLE (2.9.51) ? | WF_FONTCOLOR_TITLE (2.9.51) ? | WF_ANCHOR_TITLE (2.9.51) ? | WF_FULLSCREEN_TITLE (2.9.51) ? | JCE - Noneditable (1.0.0) ? | WF_CLIPBOARD_TITLE (2.9.51) ? | WF_PREVIEW_TITLE (2.9.51) ? | WF_IMGMANAGER_TITLE (2.9.51) ? | WF_VISUALCHARS_TITLE (2.9.51) ? | WF_PRINT_TITLE (2.9.51) ? | WF_HR_TITLE (2.9.51) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.9.51) ? | WF_LINKS_JOOMLALINKS_TITLE (2.9.51) ? | WF_LINK_SEARCH_TITLE (2.9.51) ? | WF_AGGREGATOR_VIMEO_TITLE (2.9.51) ? | WF_AGGREGATOR_VIDEO_TITLE (2.9.51) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.9.51) ? | WF_AGGREGATOR_[youtube]_TITLE (2.9.51) ? | WF_AGGREGATOR_AUDIO_TITLE (2.9.51) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.9.51) ? |

Components :: Admin ::
Core :: com_ajax (3.2.0) 1 | com_installer (3.0.0) 1 | com_languages (3.0.0) 1 | com_finder (3.0.0) 1 | com_media (3.0.0) 1 | com_modules (3.0.0) 1 | com_joomlaupdate (3.10.1) 1 | com_cache (3.0.0) 1 | com_messages (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_tags (3.1.0) 1 | com_newsfeeds (3.0.0) 1 | com_menus (3.0.0) 1 | com_weblinks (3.9.0) 1 | com_actionlogs (3.9.0) 1 | com_checkin (3.0.0) 1 | com_associations (3.7.0) 1 | com_templates (3.0.0) 1 | com_config (3.0.0) 1 | com_privacy (3.9.0) 1 | com_users (3.0.0) 1 | com_content (3.0.0) 1 | com_plugins (3.0.0) 1 | com_redirect (3.0.0) 1 | com_admin (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_banners (3.0.0) 1 | com_fields (3.7.0) 1 | com_postinstall (3.2.0) 1 | com_search (3.0.0) 1 | com_login (3.0.0) 1 | com_categories (3.0.0) 1 |
3rd Party:: WATCHFULLI (2.3.5) 1 | COM_GANTRY (4.1.43) 1 | Akeeba (8.3.3) 1 | COM_JCE (2.9.51) 1 |

Modules :: Site ::
Core :: mod_whosonline (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_login (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_finder (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_weblinks (3.9.0) 1 | mod_search (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_custom (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_menu (3.0.0) 1 |
3rd Party:: sigplus (1.5.0.298) 1 | RokNavMenu (2.0.9) 1 |

Modules :: Admin ::
Core :: mod_privacy_dashboard (3.9.0) 1 | mod_feed (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_status (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_version (3.0.0) 1 | mod_title (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_toolbar (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party:: file_fof30 (3.6.2) ? | file_fof40 (4.1.0) ? |

Plugins ::
Core :: plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_weblinks (3.9.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_weblink (3.9.0) 0 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_eos310 (3.10.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (2.1.2) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_weblinks (3.9.0) 1 | plg_captcha_recaptcha (3.4.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_contactcreator (3.0.0) 0 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_geshi (3.0.0) ? | plg_system_logrotation (3.9.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_log (3.0.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_remember (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_weblinks (3.9.0) 0 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 |
3rd Party:: plg_editors-xtd_sigplus (1.5.0.298) 0 | plg_extension_jce (2.9.51) 1 | plg_fields_mediajce (2.9.51) 1 | plg_quickicon_akeebabackup (8.3.3) 0 | plg_quickicon_jce (2.9.51) 1 | PLG_INSTALLER_AKEEBABACKUP (8.3.3) 1 | plg_installer_jce (2.9.51) 1 | plg_editors_tinymce (4.5.12) 1 | plg_editors_codemirror (5.60.0) 1 | plg_editors_jce (2.9.51) 1 | plg_search_sigplus (1.5.0.298) 0 | PLG_ACTIONLOG_AKEEBABACKUP (8.3.3) 1 | plg_content_sigplus (1.5.0.298) 1 | plg_content_jce (2.9.51) 1 | System - RokExtender (2.0.0) 1 | System - Gantry 4 (4.1.43) 1 | PLG_SYSTEM_AKVERSIONCHECK (8.3.3) 1 | Hikashop - VirtueMart Fallback Redi (1.0.0) ? | PLG_SYSTEM_BACKUPONUPDATE (8.3.3) 1 | plg_system_jce (2.9.51) 1 |
Templates Discovered ::
Templates :: Site :: rt_voxel_responsive (1.10) 1 | beez3 (3.1.0) 1 | protostar (1.0) 1 |
Templates :: Admin :: isis (1.0) 1 | hathor (3.0.0) 1 |

cliveg2
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 24, 2020 9:57 am

Re: Super User account hack: joomla_system [email protected] created via front-end

Post by cliveg2 » Wed Oct 25, 2023 4:16 pm

I have 4 sites affected: three of them are J3.10.12, one is J4.3.4.
Interestingly, the 3 J3 sites have their database on the same URL (shareddb1c.hosting.stackcp.net).
On all the J3 sites, the super user account was created at 20/10/2023 22:11:05. The J4 site was 30 seconds later.
On 2 of the J3 sites and the J4 site, the new account was logged into between 45 minutes and 90 minutes later, and logged out of after a few seconds. The user account on the 4th site has not been logged into.
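The post above works out the incident timeline from the accounts' creation and last-visit times across several sites. The script below is an added example, not code from this thread or from the Joomla project: it runs the Super User audit query over a site's user tables and then groups the accounts found on several sites by creation time, so that a burst of Super User creations within seconds of each other across sites (as reported above) stands out from ordinary administrator activity. It assumes the default Joomla schema (`#__users`, `#__usergroups`, `#__user_usergroup_map`) and the default "Super Users" group title; the sites, usernames, dates and the `jos_` prefix are constructed sample data loaded into in-memory SQLite so the script runs offline. Against a live site the same query runs unchanged on MySQL/MariaDB with the site's own prefix.

```python
"""Audit Joomla user tables for Super User accounts and cluster their
creation times across several sites.

Added example, not code from the forum thread or from the Joomla project.
Schema, group title and sample rows below are assumptions/constructed data.
"""
import sqlite3
from datetime import datetime

SUPER_USERS_TITLE = "Super Users"   # default title of group id 8 in Joomla
DATE_FMT = "%Y-%m-%d %H:%M:%S"      # format Joomla stores in registerDate

# Lists every account holding the Super Users group. {p} is the table prefix.
SUPER_USER_QUERY = """
SELECT u.id, u.username, u.email, u.registerDate, u.lastvisitDate, u.block
FROM {p}users AS u
JOIN {p}user_usergroup_map AS m ON m.user_id = u.id
JOIN {p}usergroups AS g ON g.id = m.group_id
WHERE g.title = ?
ORDER BY u.registerDate
"""

def find_super_users(conn, prefix="jos_"):
    """Return a dict per Super User account (id, username, email, dates, block)."""
    cur = conn.execute(SUPER_USER_QUERY.format(p=prefix), (SUPER_USERS_TITLE,))
    cols = ["id", "username", "email", "registerDate", "lastvisitDate", "block"]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def recently_created(accounts, since_str):
    """Keep accounts whose registerDate is at or after `since_str` (DATE_FMT)."""
    since = datetime.strptime(since_str, DATE_FMT)
    return [a for a in accounts
            if datetime.strptime(a["registerDate"], DATE_FMT) >= since]

def cluster_by_register_time(site_accounts, window_seconds=60):
    """Group (site, account) pairs whose creation times lie within
    `window_seconds` of the previous one. One cluster spanning several sites
    points at a shared cause rather than independent administrator actions."""
    items = sorted(
        ((datetime.strptime(a["registerDate"], DATE_FMT), site, a)
         for site, accs in site_accounts.items() for a in accs),
        key=lambda t: t[0],
    )
    clusters, current = [], []
    for ts, site, acc in items:
        if current and (ts - current[-1][0]).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append((ts, site, acc))
    if current:
        clusters.append(current)
    return [[(site, acc["username"]) for _, site, acc in c] for c in clusters]

def build_sample_site(rows, prefix="jos_"):
    """Create an in-memory DB with the three Joomla tables and constructed rows.
    Each row: (id, username, email, registerDate, lastvisitDate, block, is_super).
    lastvisitDate is None for an account that has never logged in."""
    conn = sqlite3.connect(":memory:")
    p = prefix
    conn.executescript(f"""
    CREATE TABLE {p}users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
        registerDate TEXT, lastvisitDate TEXT, block INTEGER);
    CREATE TABLE {p}usergroups (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE {p}user_usergroup_map (user_id INTEGER, group_id INTEGER);
    INSERT INTO {p}usergroups VALUES (2, 'Registered'), (8, 'Super Users');
    """)
    for uid, uname, email, reg, last, block, is_super in rows:
        conn.execute(f"INSERT INTO {p}users VALUES (?,?,?,?,?,?)",
                     (uid, uname, email, reg, last, block))
        conn.execute(f"INSERT INTO {p}user_usergroup_map VALUES (?,?)",
                     (uid, 8 if is_super else 2))
    conn.commit()
    return conn

# Constructed sample data: three sites, each with its legitimate admin and an
# unexpected Super User created within 30 seconds across all three.
SAMPLE_SITES = {
    "site-a": [
        (1, "admin", "admin@example.invalid", "2020-08-24 09:57:00", "2023-10-25 12:00:00", 0, True),
        (2, "joomla_system", "joomla_system@example.invalid", "2023-10-20 22:11:05", "2023-10-20 23:02:10", 1, True),
        (3, "editor", "editor@example.invalid", "2021-03-01 08:00:00", "2023-10-24 17:30:00", 0, False),
    ],
    "site-b": [
        (1, "admin", "admin@example.invalid", "2021-01-10 10:00:00", "2023-10-25 12:05:00", 0, True),
        (2, "joomla_system", "joomla_system@example.invalid", "2023-10-20 22:11:05", "2023-10-20 23:40:00", 1, True),
    ],
    "site-c": [
        (1, "admin", "admin@example.invalid", "2022-05-02 11:00:00", "2023-10-25 12:10:00", 0, True),
        (2, "joomla_system", "joomla_system@example.invalid", "2023-10-20 22:11:35", None, 1, True),
    ],
}

def run_demo(since_str="2023-10-01 00:00:00", window_seconds=60):
    """Audit every sample site and cluster recently created Super Users."""
    recent = {}
    for name, rows in SAMPLE_SITES.items():
        recent[name] = recently_created(find_super_users(build_sample_site(rows)), since_str)
    return cluster_by_register_time(recent, window_seconds)

if __name__ == "__main__":
    for cluster in run_demo():
        print("Super Users created within one window:", cluster)
```

The `block` column and `lastvisitDate` are returned alongside the creation date so the audit also shows whether an account has since been disabled and whether it was ever used to log in; a clustering window of a minute matches the 30-second spread reported above, and widening it catches slower bursts.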

toivo
Joomla! Master
Posts: 17445
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Super user account created through frontend on Joomla 3.10.12

Post by toivo » Wed Oct 25, 2023 9:09 pm

@cliveg2, the FPA looks good. The memory_limit of 128M may be too low for updates, recommend 256M.

cliveg2 wrote (Wed Oct 25, 2023 4:05 pm):
> WATCHFULLI (2.3.5) 1
The above component shows that the website is subscribing to the Watchful service. Has it given any security related warnings or alerts?
Toivo Talikka, Global Moderator

cliveg2
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 24, 2020 9:57 am

Re: Super user account created through frontend on Joomla 3.10.12

Post by cliveg2 » Wed Oct 25, 2023 10:32 pm

Everything seems fine. Watchful is happy, no malware detected. I'm thinking it might have been a hack into the database server. Database password changed.
