Hack via the Joomla Redirect plugin?

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

CatfishPKR
Joomla! Enthusiast
Posts: 127
Joined: Thu Oct 21, 2010 2:17 pm

Hack via the Joomla Redirect plugin?

Post by CatfishPKR » Mon May 27, 2019 6:22 pm

I happened to open the Joomla redirect plugin and found several hundreds of entries there. Almost all of them were definitely not made by me and looked quite suspicious.
Has there been any known exploitability in this plugin?
I deleted all entries, emptied the trash, purged all entries and disabled the plugin now.
Is that going to be enough, or could there be more?

Achaa
Joomla! Enthusiast
Posts: 141
Joined: Mon Jul 29, 2013 8:25 pm

Re: Hack via the Joomla Redirect plugin?

Post by Achaa » Mon May 27, 2019 7:17 pm

Were both sides (Expired URL / New URL) filled in and 'status' set to active?

At a bare minimum, I'd be changing all passwords. (Admin CP/ FTP/ hosting account etc.)
"Experts often possess more data than judgement."
All suggestions are given with good intent.
http://arbitrarytimes.com Where I test stuff.... :pop

CatfishPKR
Joomla! Enthusiast
Posts: 127
Joined: Thu Oct 21, 2010 2:17 pm

Re: Hack via the Joomla Redirect plugin?

Post by CatfishPKR » Mon May 27, 2019 8:19 pm

Most of the suspicious ones were inactive and with only the expired URLs set

Achaa
Joomla! Enthusiast
Posts: 141
Joined: Mon Jul 29, 2013 8:25 pm

Re: Hack via the Joomla Redirect plugin?

Post by Achaa » Mon May 27, 2019 8:22 pm

CatfishPKR wrote (Mon May 27, 2019 8:19 pm):
"Most of the suspicious ones were inactive and with only the expired URLs set"

Then assuming you don't want to collect bad links, you probably need to deactivate the redirect plugin.

EDIT - Not necessarily deactivate - but disable the 'collect URLs' function.

Do you see this notice?
The Redirect Plugin is enabled. The 'Collect URLs' option in the Redirect System Plugin is disabled. Error page URLs will not be collected by this component.
It's meant to collect 'bad' links on your site, but individuals with malicious intent will often type in various addresses on your site in an attempt to exploit/find vulnerabilities.

CatfishPKR
Joomla! Enthusiast
Posts: 127
Joined: Thu Oct 21, 2010 2:17 pm

Re: Hack via the Joomla Redirect plugin?

Post by CatfishPKR » Wed May 29, 2019 6:07 am

There is no way those redirects could have been set from within the admin backend IMO. If anyone had access there, the damage would have been worse. Question is, how do they make Joomla create those entries?

pmleconte
Joomla! Explorer
Posts: 390
Joined: Fri Mar 17, 2017 12:55 pm
Location: France

Re: Hack via the Joomla Redirect plugin?

Post by pmleconte » Wed May 29, 2019 7:39 am

Hi,

The Redirection plugin is most of the time used when you move your website either to a new address or to a new environment. So you'll have old addresses redirected to new ones.

What you see in your component are common attacks where robots try to enter your website using known vulnerabilities, reason why it's important to keep your website updated with latest versions (Joomla, PHP, extensions,...).

When you analyze those attacks, you'll find a bunch of them trying to access your wp-admin, which, of course, does not exist....

Pascal
If anything can go wrong, it will.
https://www.conseilgouz.com/en
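
A triage sketch for the question discussed in this thread (an added example, not part of any post and not Joomla code): it separates entries that carry only an expired URL, which is what 'Collect URLs' records for error-page hits, from entries that have a destination set and therefore need a look. The field names `old_url`, `new_url` and `published`, the marker list and the sample rows are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Path fragments typical of automated probing for software the site does
# not run (constructed list for this example; "wp-admin" is the one named
# in the thread).
PROBE_MARKERS = ("wp-admin", "wp-login", "xmlrpc.php", "phpmyadmin", ".env")


def classify(entry, site_host):
    """Classify one redirect entry exported from the Redirects manager."""
    new_url = (entry.get("new_url") or "").strip()
    if not new_url:
        # Only the expired URL is set: a collected error-page hit.
        old = (entry.get("old_url") or "").lower()
        return "probe" if any(m in old for m in PROBE_MARKERS) else "broken-link"
    try:
        host = (urlsplit(new_url).hostname or "").lower()
    except ValueError:
        return "off-site-redirect"  # unparsable destination: review by hand
    if host and host != site_host.lower():
        return "off-site-redirect"  # destination leaves the site
    return "active-redirect" if entry.get("published") == 1 else "inactive-redirect"


def triage(entries, site_host):
    """Group expired URLs by class so redirects with a destination stand out."""
    summary = {}
    for entry in entries:
        summary.setdefault(classify(entry, site_host), []).append(entry["old_url"])
    return summary


# Constructed sample rows (not taken from the thread).
SAMPLE = [
    {"old_url": "https://www.example.org/wp-admin/setup-config.php", "new_url": "", "published": 0},
    {"old_url": "https://www.example.org/old-news/item-12", "new_url": "", "published": 0},
    {"old_url": "https://www.example.org/products", "new_url": "/shop", "published": 1},
    {"old_url": "https://www.example.org/contact", "new_url": "https://redirect-target.example/landing", "published": 1},
]

if __name__ == "__main__":
    for label, urls in triage(SAMPLE, "www.example.org").items():
        print(f"{label}: {len(urls)}")
        for url in urls:
            print(f"  {url}")
```

Entries in the `probe` and `broken-link` groups match what the thread describes as collected error-page URLs; anything in the redirect groups that the site owner did not create is what warrants the password changes suggested earlier.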

CatfishPKR
Joomla! Enthusiast
Posts: 127
Joined: Thu Oct 21, 2010 2:17 pm

Re: Hack via the Joomla Redirect plugin?

Post by CatfishPKR » Wed May 29, 2019 8:07 am

thanks

pmleconte
Joomla! Explorer
Posts: 390
Joined: Fri Mar 17, 2017 12:55 pm
Location: France

Re: Hack via the Joomla Redirect plugin?

Post by pmleconte » Thu May 30, 2019 7:33 am

Hi,

If you need more information, please check sozzled's discussion: viewtopic.php?t=958501

Pascal

CatfishPKR
Joomla! Enthusiast
Posts: 127
Joined: Thu Oct 21, 2010 2:17 pm

Re: Hack via the Joomla Redirect plugin?

Post by CatfishPKR » Thu May 30, 2019 8:05 am

That's an interesting read. I think I am going to simply deactivate the plugin on all my sites after purging the existing redirects.

