Joomla 4 User Database modifying itself Topic is solved

Discussion regarding Joomla! 4.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
TheKLF99
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Jul 19, 2020 9:36 am

Joomla 4 User Database modifying itself

Post by TheKLF99 » Wed Jan 12, 2022 7:15 am

Over the past few days I've noticed a slight issue with Joomla 4 that clearly seems to be some kind of major security issue.

I've gone to login to a few of my sites that I have super administrator rights to and found I've been unable to login.

When going into the backend of my database I've found the username for the super admin has been changed to "[redacted]_<random three letters>".

I've got a mix of both Joomla 4 and Joomla 3 sites that I host - all the sites are hosted on their own separate CPanel account through my reseller hosting account and each site has it's own database with it's own unique database password, the admin accounts also all have their own unique username and password (no site shares the same password).

I've noticed none of the Joomla 3 sites have been affected with this issue, only the Joomla 4 sites. The Joomla 4 sites that have been affected are all running templates from Joomlart - however I've asked Joomlart's tech team if they were aware of anything like this - and they said they've had no reports come in about it.

Up until recently I noticed the only sites that were affected were the ones without Akeeba LoginGuard installed, but the other day one of the sites with Akeeba LoginGuard had the username changed and the only user with permissions to change usernames (without directly accessing the database) would be the user protected by Akeeba LoginGuard - so either whatever is changing the usernames bypassed Akeeba LoginGuard or is just writing directly to the database - I have a feeling that it's writing directly to the database as the username change isn't even recorded in the site log.

I googled [redacted] (as the username always seems to be changed to [redacted]_<random letters> and the only thing that came up was some kind of cPanel vulnerability. I also used Visual Studio to search through the entire sites code for any mention of [redacted] but also nothing.

The cPanel accounts are also protected with both a random password and 2fa too.

Has anyone else had this issue and why is it only targetting Joomla 4 sites with Joomlart templates - is there something in Joomla 4 that's causing this?

Here is the FPA from one of the affected sites...
Forum Post Assistant (v1.6.4) : 12-Jan-2022 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 4.0.5-Stable (Furaha) 11-December-2021
Joomla! Configured :: Yes | Writable (644) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.0.5: Yes | Database Supports J! 4.0.5: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-962.3.2.lve1.5.44.el7.x86_64 | Technology: x86_64 | Web Server: LiteSpeed | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 156.67 GiB |

PHP Configuration :: Version: 8.0.14 | PHP API: litespeed | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: 12th January 2022 07:23:52. | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: | Open Base: | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 1024M | Max. Input Time: 600 | Max. Execution Time: 300 | Memory Limit: 1024M

Database Configuration :: Version: 5.5.5-10.5.13-MariaDB-cll-lve (Client:mysqlnd 8.0.14) | Database Size: 24.88 MiB | #of Tables with config prefix:  72 | #of other Tables:  213 | User Privileges : GRANT ALL
Detailed Environment :: wrote:PHP Extensions :: Core (8.0.14) | date (8.0.14) | libxml (8.0.14) | openssl (8.0.14) | pcre (8.0.14) | zlib (8.0.14) | filter (8.0.14) | hash (8.0.14) | json (8.0.14) | pcntl (8.0.14) | readline (8.0.14) | Reflection (8.0.14) | SPL (8.0.14) | session (8.0.14) | standard (8.0.14) | litespeed () | bcmath (8.0.14) | bz2 (8.0.14) | ctype (8.0.14) | curl (8.0.14) | dba (8.0.14) | dom (20031129) | enchant (8.0.14) | mbstring (8.0.14) | fileinfo (8.0.14) | ftp (8.0.14) | gd (8.0.14) | gettext (8.0.14) | gmp (8.0.14) | iconv (8.0.14) | imap (8.0.14) | ldap (8.0.14) | exif (8.0.14) | mysqlnd (mysqlnd 8.0.14) | odbc (8.0.14) | PDO (8.0.14) | pgsql (8.0.14) | Phar (8.0.14) | posix (8.0.14) | pspell (8.0.14) | shmop (8.0.14) | SimpleXML (8.0.14) | snmp (8.0.14) | soap (8.0.14) | sockets (8.0.14) | sqlite3 (8.0.14) | sysvmsg (8.0.14) | sysvsem (8.0.14) | sysvshm (8.0.14) | tokenizer (8.0.14) | xml (8.0.14) | xmlwriter (8.0.14) | xsl (8.0.14) | zip (1.19.5) | mysqli (8.0.14) | pdo_mysql (8.0.14) | PDO_ODBC (8.0.14) | pdo_pgsql (8.0.14) | pdo_sqlite (8.0.14) | xmlreader (8.0.14) | redis (5.3.2) | timezonedb (2021.5) | Zend OPcache (8.0.14) | Zend Engine (4.0.14) |
Potential Missing Extensions ::

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 1828478 | Threads: 43 | Questions: 4917678892 | Slow queries: 2662 | Opens: 12333397 | Open tables: 199999 | Queries per second avg: 2689.493 |
Extensions Discovered :: wrote:Components :: Site ::
Core ::
3rd Party::

Components :: Admin ::
Core :: com_config (4.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_categories (4.0.0) 1 | com_login (4.0.0) 1 | com_users (4.0.0) 1 | com_redirect (4.0.0) 1 | com_admin (4.0.0) 1 | com_cpanel (4.0.0) 1 | com_content (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_checkin (4.0.0) 1 | com_languages (4.0.0) 1 | com_banners (4.0.0) 1 | com_associations (4.0.0) 1 | com_menus (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_tags (4.0.0) 1 | com_media (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_installer (4.0.0) 1 | com_workflow (4.0.0) 1 | com_privacy (3.9.0) 1 | com_finder (4.0.0) 1 | com_templates (4.0.0) 1 | com_ajax (4.0.0) 1 | com_cache (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_mails (4.0.0) 1 | com_messages (4.0.0) 1 | com_plugins (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_modules (4.0.0) 1 | com_fields (4.0.0) 1 |
3rd Party:: com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.7.1) 1 | LOGINGUARD (5.0.5) 1 |

Modules :: Site ::
Core :: mod_random_image (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_custom (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_login (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_categories (3.0.0) 1 |
3rd Party:: JA Quick Contact (2.7.0) 1 | MOD_JA_ACM (2.2.7) 1 | JA Masthead (1.1.2) 1 |

Modules :: Admin ::
Core :: mod_latest (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_user (4.0.0) 1 | mod_version (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_logged (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_latestactions (3.9.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_login (3.0.0) 1 | mod_loginsupport (4.0.0) 1 | mod_frontend (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_menu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_toolbar (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party::

Plugins ::
Core :: plg_actionlog_joomla (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_actionlogs (3.9.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_log (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_skipto (4.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_webauthn (4.0.0) 1 | plg_system_httpheaders (4.0.0) 0 | plg_media-action_crop (4.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_media-action_resize (4.0.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_webservices_modules (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_languages (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_installer (4.0.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_sampledata_multilang (4.0.0) 1 | plg_api-authentication_basic (4.0.0) 0 | plg_api-authentication_token (4.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_filesystem_local (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_content_vote (3.0.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_user_token (3.9.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_terms (3.9.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_finder (4.0.0) 1 | plg_extension_namespacemap (4.0.0) 1 |
3rd Party:: PLG_ACTIONLOG_LOGINGUARD (5.0.5) 1 | plg_system_t4 (2.0.9) 1 | System - JA Google Map (2.7.2) 1 | PLG_SYSTEM_LOGINGUARD (5.0.5) 1 | PLG_USER_LOGINGUARD (5.0.5) 1 | plg_editors_codemirror (5.64.0) 1 | plg_editors_tinymce (5.10.2) 1 | PLG_LOGINGUARD_EMAIL (5.0.5) 1 | PLG_LOGINGUARD_FIXED (5.0.5) 0 | PLG_LOGINGUARD_PUSHBULLET (5.0.5) 0 | PLG_LOGINGUARD_SMSAPI (5.0.5) 0 | PLG_LOGINGUARD_TOTP (5.0.5) 1 | PLG_LOGINGUARD_U2F (5.0.5) 1 | PLG_LOGINGUARD_WEBAUTHN (5.0.5) 1 | PLG_LOGINGUARD_YUBIKEY (5.0.5) 1 |
Templates Discovered :: wrote:Templates :: Site :: cassiopeia (1.0) 0 | ja_ego (2.0.0) 1 |
Templates :: Admin :: atum (1.0) 1 |
Last edited by toivo on Wed Jan 12, 2022 7:29 am, edited 2 times in total.
Reason: mod note: kudos removed - please read the forum rules at https://forum.joomla.org/viewtopic.php?f=8&t=65

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Joomla 4 User Database modifying itself

Post by brian » Wed Jan 12, 2022 7:19 am

"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20631
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Joomla 4 User Database modifying itself

Post by leolam » Thu Aug 25, 2022 6:21 pm

As Brian suggests "You have been hacked" Go to https://mysites.guru and subscribe...first scan is free and it will tell you precisely what is wrong and what the culprit is

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Joomla 4 User Database modifying itself

Post by brian » Thu Aug 25, 2022 6:43 pm

leo you are replying to a 8 month old post
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20631
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Joomla 4 User Database modifying itself

Post by leolam » Thu Aug 25, 2022 7:07 pm

brian wrote:
Thu Aug 25, 2022 6:43 pm
leo you are replying to a 8 month old post
I am getting old dear Brian.....tnx Sir

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -


Locked

Return to “Security in Joomla! 4.x”