Joomdonation.com hacked - all details out

[Moby58]

Hi guys, received following email (as well as a lot of others I suppose).

I am using Event Booking.

Any ideas??
============================================

Hello Alan Stuart

How the hell are you? No need to ask, I’m fine!

I’m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea :-)

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into JoomDonation.com components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing :-)

Don’t you believe? Follow me on twitter.com/joomleaks or #joomleaks hashtag and you’ll see the database of JoomDonation.com as a beginning.

Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. They’re just noob tools. Think about, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon :-)

Want an advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy :-) Try Indian quality.

This email was sent to all JoomDonation.com users. We’ll meet again if you have accounts registered to other Joomla developers :-)

This was my thanksgiving gift, keep yourself safe ;-)

JnLiau

[sgagner]

I have got the same message too
But I don't use any extensions from JoomDonation

[stimpy23]

I just received the same mail. Using edocman on one site..
I'll uninstall edocman for now, but I'm not completely convinced he's telling the truth: Could also be a scam.. It's no problem to find my real name name on the internet, when you have the email address, this mail was sent to..

The mail itself has two external tracking images. One from acymailing leading to a site called "pascaljarry2.freesite.host" - I guess this is, where he sent his mail from. And one from mandrillapp.com..

I'ld love to hear from others what they think about all that...

[brian]

Happy to do a free audit of the extension you have

[guillaumepdm]

Hi,
Me too but I never use a plugin from Joomdonation.com.
It's a Hoax?

[Moby58]

Post from Tuan Pham Ngoc over at JoomDonation.com

Hi All

I believe this is not security issues in our components/extensions. Someone hacked our server (we are using bluehost VPS server for hosting our website) somehow and uses the email systems to send this spam emails to all of you.

They want to destroy our business (and they mentioned India somehow in the email). Just the quick update from us, we will provide more information when we found something !

We are really sorry for this trouble

[neilcw303]

The really sad thing and thing that makes me angry . I do use Joomdonation and its for our charity.

just got the email

So this person has no ethics as he has attacked a component used by Charities to help vulnerable people often who don't have funds to pay for mega protected sites just trying to exist at a low cost to help people .

Makes me sick to the core .

[brianpeat]

I got this same email. I suspect if he's not bluffing that it's related to this coming out in the last few days:

https://foxitsecurity.files.wordpress.c ... srt-v4.pdf

I'm digging through the joomdonation extension now to see if I can spot anything nasty, but this isn't my field, so I have no idea if I'll find anything.

[CelticWebs]

I too just received the email, I have a web hosting and development business so it's quite possible some of my customers do in deed have components from joomdonation.com lets hope it's a hoax aimed at damaging their business rather than reality that is going to effect many websites in a few days!

[Corrall]

Received this to. Have event booking installed. Hope the devloper can confirm it is hoax, or at least distribute files to remove hack

[digitalsoda]

And when I try and login to the JoomDonation website, its down for maintenance

Pretty sure I don't use any of these components across all of the sites I have built

[blackvx]

I'm glad I found this thread.
I have Event Booking on one of my client's site. It is a first to me that a hacker announced his intentions before acting.

[lancert]

I too received this email and found this thread. I uninstalled Event Booking for the time being (I love the extension, just wasn't currently using it), just to be safe.

Please keep us all posted as to what is found out about this. I don't think we can ever take security too seriously.

Thanks everyone for your work on this.

[DaleRG]

I got it too.

I maintain 6 sites for nonprofits, and just purchased Edocman last night. I recieved the email at around 9:45AM in the USA.

Any suggestions would be greatly appreciated,

Dale

[xbonize]

I think JoomDonation server was hacked not our websites. Maybe attacker have our details from JoomDonation database?

[brianpeat]

Payment details? This really makes me mad.

[DaleRG]

I think JoomDonation server was hacked not our websites. Maybe attacker have our details from JoomDonation database?

Should that be the case, might I suggest that anyone who has set up temp accounts with Joomdonation in regard to Joomla site access and/or FTP access in order to facilitate any tech support by Joomdonation, that they delete those user names/accounts.

[sapromo]

Same thing here, anybody who also got it or want to help PLEASE PLEASE go to @joomleaks on twitter and report it as sharing private information. They have already posted links where you can download the first 1000 peoples email addresses and the second posts their financial / payment details and they are going through the entire database. IF you can PLEASE go to the twitter page and REPORT it... they won't know you did it but the more people who report that account the faster Twitter will react.

[brianpeat]

Yep, I just did that too. Not that it'll stop him.

[maxelcat]

I have had this too. As far as I know I don't use any of their extensions, but I guess I must have registered with them at some point when I was looking into plugins etc

Kinda scary though - never had an email like that before. I suspect its bluff though - do hackers normally give warnings???

Feel very sorry for the company.

Hope someone can put us all at rest!

[Radek Suski]

People: there is an easy solution to find out what's going on. Brian Teeman proposed help if someone would provide the data to him. Please do it.

The explanation of JoomDonation's people is unfortunately very clumsy.

Regards,
Radek

[dan dares]

I'm pretty sure that Joomdonation payments were all handled by PayPal, and so therefore wouldn't have been held on the Joomdonation server? Can anyone from Joomnation confirm this?

When I brought a plugin last year, payment went to a company called Dang Dam or something.

[maxelcat]

i reported him for spam, but how do you report him for leaking private information?

[numinousmedia]

It's a sub-point under "Abuse" on Twitter.

[sapromo]

It could be that they only got in now, I cannot see IMHO that a hacker will wait around that long to claim his glory. Payments done via PayPal but then again you don't want to share your PayPal payments email I have had that problem before.

How would we even start checking. I have 8 clients with anything from pmform to event booking components with payment processors. I can provide someone with downloaded copies and they can check.

@Brian, how do I get this to you?

[dan dares]

Happy to do a free audit of the extension you have

Thanks Brian

I have the Interspire Email plugin. How can I get it to you?

[3DBob]

Yeh,

Got the same email, but curiously it came to my personal Paypal accounts' attached email that I used when paying for JoomDonation when setting up a donation system for a not-for-profit website.

[DaleRG]

I have the edocman zip that I DL'd last night, just let me know how to get it too you. It is the paid version, but apparently the demo version would have been hit as well?

Contact me and let me know.

[d32134534]

Hey i agree with Radek. As a security consultant myself and having just received this email...i had to post something on here so I registered just for this thread. I have several joomla sites and fortunately only a couple use JoomDonation modules, however the threat could still exist for any Joomla site potentially. Its definitely not the end of the world if they have your name and email...most email systems these days like google and microsoft and yahoo, etc have great spam filters...and if you paid with paypal theres not a huge threat either...most people could guess that any email account has paypal...but good luck attacking paypal, watch what theyll do to you and your IP address if you do. My major concerns would be that they are able to in fact circumvent your own joomla sites to breach and get access, and also if there was any credit card info stored by people not using paypal. Clearly the JoomDonation developer is lying about it just being some email exploit via SMTP on his server...if that was the case, then when you go to JoomDonation.com you wouldnt see that the entire site was put into offline mode with a supposed message from the hacker (that i highly doubt JoomDonation would have humorously posted themselves). The message on the website temporarily went (before the site owner obviously corrected it), "Joomla Extensions by Joomdonation. This site has been HACKED. Don’t you believe? Follow me on twitter.com/joomleaks".

As for me, im going to taunt the loser who "hacked" the site (probably just some lame exploit a kid found) and see if he shows his cards...I have credit monitoring and dont care if he posts my email. Worst case he tries to attack my Joomla sites and Ill get back to all of you what, if anything happens and where he tried to get in from. Firewalls arent n00b tools, so this "hacker" is simply an idiot.

As for all you, Id watch my bank and credit card statements in case you may have paid for anything in the past with JoomDonations outside of using paypal...and Id most definitely backup every single Joomla site that you manage right now, just in case...a backup never hurt anybody. It also wouldnt hurt for you to find a free website uptime monitor online (just google it) which would send you an email if your site goes down or if the home page is severely modified.

Good luck to all of you and happy holidays.

[sapromo]

Agree, the biggest concern is him being able to get into sites via the components/plugins/modules.