Hacked via eXtplorer admin access! Read this!

Discussion regarding Joomla! 3.x security issues.

cf1237
Joomla! Enthusiast
Posts: 161
Joined: Thu Mar 19, 2009 1:48 pm

Hacked via eXtplorer admin access! Read this!

Post by cf1237 » Wed Dec 18, 2013 11:03 pm

Web host reported they detected and stopped a hack exploit where a hacker was trying to manipulate site files by using eXtplorer's "default" password and gaining unrestricted access. Try as I might, I could not find anywhere in my Joomla! 2.5.1.7 site - or any other Joomla! sites I administer - to access any kind of administrative controls or password for the eXtplorer component.

It turns out that in any Joomla! site (or any other kind of site, for that matter...) with any version of eXtplorer installed, there is an administrative direct access to eXtplorer built into the component itself! Once you sign in with a username and password, you have unlimited access to all site files, getting past all permissions, etc. This is apparently by design! The defaults are "admin" and "admin" - brilliant, no? The documentation is out there, but not easily found with reference to Joomla!

HERE is how to gain access to the eXtplorer admin panel, where you login with the defaults, and then respond to a message that says your password is not really secure (I am not making this up...) - and you can change it.

http://mysite.com/administrator/compone ... extplorer/

Unreal. Luckily, my web host was quickly on to the hackers, and prevented any real damage by locking out public access and alerting me. I deleted the one file the host found in the root of the Joomla! system:

/www/www/mysite/.cpanel_config.php

Never a dull moment!

HTH

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 1:07 am

Thanks for the report. That really is a MASSIVE security hole. I have reported it on the JED and to the vel.joomla.org teams.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

JWeiry
Joomla! Apprentice
Posts: 16
Joined: Thu Apr 08, 2010 4:41 am

Re: Hacked via eXtplorer admin access! Read this!

Post by JWeiry » Thu Dec 19, 2013 1:42 am

I would just like to add that I have confirmed this on J3.1.1 - J3.2.0 so far (although this should be completely independent of Joomla version).

As this affects who knows how many sites that we host, this is an issue because it means that we will have to manually go through and uninstall eXtplorer from each site :(

What I want to know is... How did the eXtplorer team let this massive security hole stay in the software? >:(

Cheers cf1237 for reporting this!

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 1:47 am

JWeiry wrote: What I want to know is... How did the eXtplorer team let this massive security hole stay in the software? >:(
Who knows for certain, but looking at the code they have written some code to prevent direct access to that file BUT it doesn't work.

mycarhelpline
Joomla! Apprentice
Posts: 34
Joined: Mon May 21, 2012 8:42 am

Re: Hacked via eXtplorer admin access! Read this!

Post by mycarhelpline » Thu Dec 19, 2013 2:24 am

Does that mean that we shall uninstall com_extplorer on all sites wherever it's installed?
Please confirm!!

JWeiry
Joomla! Apprentice
Posts: 16
Joined: Thu Apr 08, 2010 4:41 am

Re: Hacked via eXtplorer admin access! Read this!

Post by JWeiry » Thu Dec 19, 2013 2:54 am

mycarhelpline wrote: Does that mean that we shall uninstall com_extplorer on all sites wherever it's installed?
Please confirm!!
Currently yes, it would be advisable at least until we hear more from the eXtplorer guys or a fix comes out. But even then every installation would need to be upgraded.

FOR UNIX ADMINISTRATORS
I have managed to get a quick script running to help disable com_extplorer from being accessible to the outside world. Please keep in mind that this entirely depends if your VirtualHost's allow htaccess overrides and you MAY have to change permissions for files to match user/group filesystem permissions.

Create a .htaccess file somewhere with the contents:

Code:

Order deny,allow
deny from all

Run the following script in the root directory of your websites (/home/ or /var/www/ etc.):

Code:

find /var/www/ -type d -name "com_extplorer" -exec cp /location/of/.htaccess {} \;

This will create a copy of the .htaccess file inside every com_extplorer directory on the server under the specified directory.
Depending on server settings, this file may or may not work with the permissions assigned to each user/website, so additional permissions may need to be set on each file.

I'm still looking to see if there could be a way to globally inherit through apache or php.ini, but so far I'm not having much luck.


::EDIT / UPDATE::

With a little more testing about how to fix the systems, I believe that the vulnerability is fairly simple to fix.
/administrator/components/com_extplorer/index.php:35

Code:

Change From:
if( stristr( $_SERVER['SCRIPT_NAME'], 'administrator/components/com_extplorer')) {

Change To:
if( stristr( $_SERVER['SCRIPT_NAME'], 'administrator/components/com_extplorer') || !defined('_JEXEC')) {

Most extensions already use _JEXEC to determine if the files are being accessed directly, so adding a check for the definition seems to work fine for blocking access.

Can anyone test this for their installs?

mandville
Joomla! Master
Posts: 14818
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked via eXtplorer admin access! Read this!

Post by mandville » Thu Dec 19, 2013 7:41 am

Confirmation of report to developer via VEL and unpublishing from JED.
Thanks to Brian and Jacque for their reports.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

soeren
Joomla! Enthusiast
Posts: 111
Joined: Mon Aug 29, 2005 10:58 am
Location: Germany

Re: Hacked via eXtplorer admin access! Read this!

Post by soeren » Thu Dec 19, 2013 9:08 am

Hi,

I can't replicate this issue on any host I have eXtplorer running on (and that's a lot).
What is your Server configuration? Apache or nginx? mod_apache2 or mod_cgi with php-cgi or mod_fcgi with php-fcgi or php-fpm?

Obviously this isn't a global problem and it doesn't affect *all* eXtplorer installations. I would like to track down which systems are affected (I guess those who have an empty or different value for $_SERVER['SCRIPT_NAME'])

ciao, Sören

2020media
Joomla! Apprentice
Posts: 13
Joined: Tue Aug 07, 2007 3:46 pm
Location: London, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by 2020media » Thu Dec 19, 2013 9:31 am

@JWeiry
I'm taking no chances and have added your original .htaccess solution to all my sites. Tested on a couple of older versions and it worked.
2020Media.com - UK Web Hosting
Joomla Hosting: http://www.2020media.com/joomla

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 9:48 am

Soeren - I can replicate this on my own localhost and I have replicated it in the wild - feel free to email me and I can give you a url of a site in the wild I have exploited

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 10:00 am

For anyone following this I am in contact with Soeren - the developer - and have explained how the exploit is working, shown multiple examples and why it will work on ALL sites.

mandville
Joomla! Master
Posts: 14818
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked via eXtplorer admin access! Read this!

Post by mandville » Thu Dec 19, 2013 10:03 am

cf1237 wrote:/www/www/mysite/.cpanel_config.php
Can you email a zip copy of that file, if it still exists, to velATjoomla.org,
then remove it from your server and ask your host to grep accounts for it.
Also, can you run a copy of the FPA and post your results?

JWeiry
Joomla! Apprentice
Posts: 16
Joined: Thu Apr 08, 2010 4:41 am

Re: Hacked via eXtplorer admin access! Read this!

Post by JWeiry » Thu Dec 19, 2013 10:14 am

mandville wrote:
cf1237 wrote:/www/www/mysite/.cpanel_config.php
Can you email a zip copy of that file, if it still exists, to velATjoomla.org,
then remove it from your server and ask your host to grep accounts for it.
Also, can you run a copy of the FPA and post your results?
We have a number of these files which our own maldet scanner has picked up.
I can grab a copy of each file quarantined and email them through shortly for you if cf1237 doesn't have them anymore.
We don't wipe our quarantine just in case stuff like this pops up that people need info from :)
brian wrote:For anyone following this I am in contact with Soeren - the developer - and have explained how the exploit is working, shown multiple examples and why it will work on ALL sites.
Good to hear, hopefully they will be able to get a fix out quickly enough :)

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 10:24 am

Personally I consider this extension to be a very bad idea to have on your server, but if you really must then you can secure it by either
1. Password protecting your /administrator folder with htaccess
2. Editing the index.php found in /administrator/components/com_extplorer and replacing line 34

if( stristr( $_SERVER['SCRIPT_NAME'], 'administrator/components/com_extplorer')) {

with

if( stristr( $_SERVER['SCRIPT_NAME'], 'com_extplorer')) {

soeren
Joomla! Enthusiast
Posts: 111
Joined: Mon Aug 29, 2005 10:58 am
Location: Germany

Re: Hacked via eXtplorer admin access! Read this!

Post by soeren » Thu Dec 19, 2013 10:38 am

Hi @all,

a new version of eXtplorer has been released, which fixes this security problem (besides other bug fixes).

Download it here: http://extplorer.net/files

ciao, Sören

JWeiry
Joomla! Apprentice
Posts: 16
Joined: Thu Apr 08, 2010 4:41 am

Re: Hacked via eXtplorer admin access! Read this!

Post by JWeiry » Thu Dec 19, 2013 10:44 am

soeren wrote:Hi @all,

a new version of eXtplorer has been released, which fixes this security problem (besides other bug fixes).

Download it here: http://extplorer.net/files

ciao, Sören
Thanks for the update there Sören, I will upload this copy and do some testing.

rianf
Joomla! Fledgling
Posts: 2
Joined: Wed Feb 03, 2010 6:13 am

Re: Hacked via eXtplorer admin access! Read this!

Post by rianf » Thu Dec 19, 2013 12:18 pm

Hi everybody,
I could replicate the exploit on a live site. The new version of eXtplorer solves the problem. But, very important: you have to uninstall the old version first, because if you don't there is only a small info that the directory is already in use and afterwards it says "extplorer installed successfully". If you don't read this carefully, you might believe that the problem is solved, when in reality it isn't. I was still able to access eXtplorer directly; only after uninstallation and a complete new installation of the new version does it redirect me to the homepage when trying to access it directly...

simbus82
Joomla! Intern
Posts: 70
Joined: Sat May 19, 2007 1:59 pm
Location: Parma (Italy)

Re: Hacked via eXtplorer admin access! Read this!

Post by simbus82 » Thu Dec 19, 2013 2:52 pm

soeren wrote:Hi @all,

a new version of eXtplorer has been released, which fixes this security problem (besides other bug fixes).

Download it here: http://extplorer.net/files

ciao, Sören
Thanks, but you need to work on the install and update process!

I need to uninstall the previous version before installing the new version: and I have a lot of sites to check :-(

And... please enable the autoupdate function like other extensions :-[

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 2:54 pm

Seriously folks, there is no reason ever to install this component on any site, ever. If you feel that you need it to overcome hosting issues then get a real host.

This is not the first time there has been a wide open hole in this component and it probably won't be the last.

simbus82
Joomla! Intern
Posts: 70
Joined: Sat May 19, 2007 1:59 pm
Location: Parma (Italy)

Re: Hacked via eXtplorer admin access! Read this!

Post by simbus82 » Thu Dec 19, 2013 3:19 pm

brian wrote:Seriously folks, there is no reason ever to install this component on any site, ever. If you feel that you need it to overcome hosting issues then get a real host.

This is not the first time there has been a wide open hole in this component and it probably won't be the last.

You are right!

But with a "super secured" server we don't have FTP enabled on our machine, so we use eXtplorer to work with CSS & PHP. If a site needs a lot of edits over time, it is a good and rapid solution to access site files from everywhere.

brian
Joomla! Master
Posts: 11767
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Hacked via eXtplorer admin access! Read this!

Post by brian » Thu Dec 19, 2013 4:03 pm

Sorry I am still laughing that you have super secured the server and installed this extension.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1203
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Hacked via eXtplorer admin access! Read this!

Post by PhilTaylor-Prazgod » Thu Dec 19, 2013 4:50 pm

If you know what this is and how to use it then please use it - unsupported and I'll not answer questions on it :-) https://gist.github.com/PhilETaylor/8042402

(Hint: mod_security rule for serious servers)
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame Digital Solutions Limited.
- https://mySites.guru - Manage Unlimited Joomla/WordPress Sites In One Dashboard for Security, Audits and more.
- https://www.phil-taylor.com/
- @myPhilTaylor

mihha
Joomla! Intern
Posts: 84
Joined: Sun Jan 08, 2006 3:30 pm
Location: Zagreb

Re: Hacked via eXtplorer admin access! Read this!

Post by mihha » Thu Dec 19, 2013 5:44 pm

brian wrote:Seriously folks there is no reason ever to install this component on any site ever. If you feel that you need it to overcome hosting issues then get a real host.

This is not the first time their has been a wide open hole in this component and it probably wont be the last
I have to admit that I don't see the reason why you should bash an extension developer with a comment like this one. If you don't like what he is doing then don't use it. I am sure that the developer is willing to fix all the issues if someone finds them.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Hacked via eXtplorer admin access! Read this!

Post by fcoulter » Thu Dec 19, 2013 7:23 pm

I have to agree with Brian's reservations about this extension. I don't think that his intention is to bash the developer (nor is mine) but to say that Joomla site owners need to think very carefully about whether this extension is a good idea. Clearly a lot of people find it useful because it is popular, but it is this usefulness that makes it dangerous.

Having it installed means that if an attacker gains access to your Joomla admin they also get access to your entire file system, substantially increasing the damage that can be done. I have had to deal with a few hacked Joomla sites, and in each case the first thing that the attackers do is to install this extension, because it makes life easy for them. It worried me enough that I developed a method on my own sites to stop it from ever being installed: it consisted of creating an empty folder called com_extplorer in the Joomla components folder, and then making this folder unwritable using Linux file permissions. Then if anyone tried to install the extension the installation would fail due to the folder being unwritable.

FTP clients do have their problems, but I prefer to access my file system using an ftp client. You would need to be very unlucky to have both your Joomla admin and your ftp account compromised. It just cuts down the risk to keep the two separate - for this reason I also don't use the Joomla ftp.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1203
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Hacked via eXtplorer admin access! Read this!

Post by PhilTaylor-Prazgod » Thu Dec 19, 2013 7:45 pm

mandville wrote:
cf1237 wrote:/www/www/mysite/.cpanel_config.php
can you email a zip copy of that file if it still exists to velATjoomla.org
then remove from your server and ask your host to grep accounts for it.
also can you run a copy of the fpa and post your results?
The audits at [my commercial service I apparently cannot mention, although I can in my signature] are starting to see real world examples of this now - here is the source of the hacker shell they upload: [removed hack code]
Last edited by mandville on Thu Dec 19, 2013 7:56 pm, edited 1 time in total.
Reason: removed hack code

mandville
Joomla! Master
Posts: 14818
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked via eXtplorer admin access! Read this!

Post by mandville » Thu Dec 19, 2013 7:58 pm

Sorry Phil, I had to remove the link to the hacking script as per forum rules. The file you quote is very very similar to another, but in a slightly different format and by a different name.

mandville
Joomla! Master
Posts: 14818
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked via eXtplorer admin access! Read this!

Post by mandville » Thu Dec 19, 2013 8:00 pm

Moderation Comment:
As the developer has now released an updated version, and to prevent off-topic/misinterpreted posting, the topic may be locked at short notice.

JWeiry
Joomla! Apprentice
Posts: 16
Joined: Thu Apr 08, 2010 4:41 am

Re: Hacked via eXtplorer admin access! Read this!

Post by JWeiry » Thu Dec 19, 2013 10:28 pm

brian wrote:Sorry I am still laughing that you have super secured the server and installed this extension.
Unfortunately Brian, I can't help but think that if ever you wanted a 'super secured' site, that you would install any extension other than the Joomla core.

Again thanks to Sören for releasing a patch quickly; unfortunately I still have had to disable every instance of the extension until I can get around to removing them all and re-installing on some.

simbus82
Joomla! Intern
Posts: 70
Joined: Sat May 19, 2007 1:59 pm
Location: Parma (Italy)

Re: Hacked via eXtplorer admin access! Read this!

Post by simbus82 » Fri Dec 20, 2013 10:51 am

brian wrote:Sorry I am still laughing that you have super secured the server and installed this extension.
:-\ In fact "super secured" was in quotes ...

In any case I do not think you are entitled to laugh at others' choices.

I could say it is the fault of Joomla and its htaccess because it allows access to that particular folder due to a double slash.

But the concept is that it is useless to have a server even without FTP, when there are components with flaws of this type.
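As an added example (not eXtplorer's code and not from any post in this thread), the three versions of the guard discussed above (the original index.php line, brian's shorter match and JWeiry's _JEXEC check) as PHP functions run against constructed SCRIPT_NAME values, including the empty value Sören suspects and the doubled slash simbus82 mentions. The function names and sample values are assumptions for illustration; where the real index.php would call defined('_JEXEC'), this passes a boolean so the functions can be called in isolation.

```php
<?php
// Added example, not eXtplorer's or Joomla's own code. It reproduces the three
// versions of the direct-access guard discussed in this thread as plain
// functions so they can be compared on the same inputs. Function names and the
// sample $_SERVER['SCRIPT_NAME'] values are constructed for illustration; the
// real index.php tests defined('_JEXEC'), which is passed here as a boolean.

// Original guard line: direct access is only recognised when SCRIPT_NAME
// contains the full component path.
function isDirectAccessOriginal(string $scriptName): bool
{
    return stristr($scriptName, 'administrator/components/com_extplorer') !== false;
}

// brian's change: match only the component name, so a differently formed
// path prefix (for example a doubled slash) no longer defeats the check.
function isDirectAccessShortMatch(string $scriptName): bool
{
    return stristr($scriptName, 'com_extplorer') !== false;
}

// JWeiry's change: keep the path test but also treat every request where
// Joomla's _JEXEC constant is not defined as direct access. Joomla defines
// _JEXEC in its entry points before loading any component, so a file reached
// directly through the web server never sees it.
function isDirectAccessJexec(string $scriptName, bool $jexecDefined): bool
{
    return stristr($scriptName, 'administrator/components/com_extplorer') !== false
        || !$jexecDefined;
}

// Constructed requests: [description, SCRIPT_NAME, _JEXEC defined?]. Only the
// first one is a legitimate request routed through Joomla's administrator.
$requests = [
    ['via Joomla admin',          '/administrator/index.php',                           true],
    ['direct, canonical path',    '/administrator/components/com_extplorer/index.php',  false],
    ['direct, doubled slash',     '/administrator//components/com_extplorer/index.php', false],
    ['direct, empty SCRIPT_NAME', '',                                                   false],
];

// Returns one row per request: true means the guard classifies the request as
// direct access, i.e. the component would redirect instead of showing its
// standalone login.
function evaluateGuards(array $requests): array
{
    $rows = [];
    foreach ($requests as [$label, $scriptName, $jexec]) {
        $rows[$label] = [
            'original'    => isDirectAccessOriginal($scriptName),
            'short_match' => isDirectAccessShortMatch($scriptName),
            'jexec'       => isDirectAccessJexec($scriptName, $jexec),
        ];
    }
    return $rows;
}

foreach (evaluateGuards($requests) as $label => $result) {
    printf("%-26s original=%-5s short_match=%-5s jexec=%s\n", $label,
        var_export($result['original'], true),
        var_export($result['short_match'], true),
        var_export($result['jexec'], true));
}
// Only the _JEXEC variant flags all three direct requests: the original line
// misses both the doubled slash and the empty SCRIPT_NAME, and the short match
// still misses the empty SCRIPT_NAME, while all three let the request routed
// through Joomla's administrator pass.
```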

cmoeller
Joomla! Fledgling
Posts: 1
Joined: Sat Dec 28, 2013 2:25 pm

Re: Hacked via eXtplorer admin access! Read this!

Post by cmoeller » Sat Dec 28, 2013 4:36 pm

I found the file .cpanel_config.php along with other PHP files in the root of a hosted website, dated 18.12.13, alarmed by heavy mail abuse. At this moment I suppose that the admin access has been used to place files named sys09725848.php in some Joomla component directories. I found this identical PHP file in 4 subdirs (banner, jce, contact and wrapper), three of them dated 7.3.12 and the one in component_jce dated 24.12.13 07:24. The content is scrambled to be unreadable. Transferring it to my desktop, mse gave hints of viruses.
This website had eXtplorer installed in an old version. On 25th of December I got thousands of returned emails related to the domains used for this very website.
I am sure that the sys??.php file has been sending SPAM via PHP mail invoked remotely.
Perhaps it is a good idea to scan the servers (find / -iname 'sys0*.php') for these abnormal files. Thank you for the tips relating to eXtplorer. I de-installed it completely, using WinSCP instead.
If you are interested in the files I saved, please give a hint.

