Site hacked : ver. 1.5.15
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Site hacked : ver. 1.5.15
Alright, so far our site has been hacked 2 times in the last week. I am running ver. 1.5.15.
I am not sure how they are doing this, but I have asked my Hosting company to investigate to see what they can figure out. The site was first hacked on Christmas, which my host company did a full server restore from a backup that was 90 days old. Afterwards I went in, changed all my passwords (to the site & the server), and then re-updated the site to the latest version of Joomla again.
This morning I wake up to the site being hacked yet again. This time by a different organization. The only thing that I can see in common between the two hack attempts is that they have found a way to change the Super Administrator password. I do not know how they are getting access to this, since this second hack was done with a different admin password.
My next step is to restore the server again, update it to 1.5.15, and disable the admin account. What's even more weird, I am running the plugin that changes the default "/administrator" url to something obscured "/administrator/?Ajdi01M2jd". Any thoughts, suggestions, or ideas are highly appreciated.
Last edited by readytohelpwm on Wed Dec 30, 2009 9:28 am, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Here's some additional information about the version I am running. I just reset the admin password so I can get in to site admin.
System Information (Setting: Value)
PHP Built on: Linux gatorxxx.xxxxxx.com 2.6.28.9 #41 SMP Fri Nov 27 22:14:58 CST 2009 i686
Database Version: 5.1.30
Database Collation: utf8_general_ci
PHP Version: 5.2.11
Web Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Web Server to PHP interface: cgi-fcgi
Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Relevant PHP Settings (Setting: Value)
Safe Mode: Off
Open basedir: None
Display Errors: On
Short Open Tags: On
File Uploads: On
Magic Quotes: Off
Register Globals: On
Output Buffering: Off
Session Save Path: /tmp
Session Auto Start: 0
XML Enabled: Yes
Zlib Enabled: Yes
Disabled Functions: dl
Mbstring Enabled: Yes
Iconv Available: Yes
WYSIWYG Editor: Editor - No Editor
Last edited by readytohelpwm on Wed Dec 30, 2009 9:29 am, edited 2 times in total.
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
One more final note: I am checking the files for this site. The site was hacked either 12/28/2009 late at night, or early 12/29/2009 (today). According to the log files, there have been no modified files in the last 24 hours. The last modification listed was 12/27/2009, and that matches the time stamp by me when I went in and modified a few things. They have hi-jacked the homepage, which is odd since the index.php file has not been modified.
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Site hacked : ver. 1.5.15
hi
so it looks like a virus on your computer could have grabbed your ftp credentials.
see http://docs.joomla.org/Security_Checklist_7 and also check the VEL to make sure that everything else is running fine
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
I have run virus scan after scan and my system comes back clean. (lol I remove viruses from computers for a living.) I have read through the check-lists, and my site was close to meeting all the requirements. I also ran a check against your list of known security problems with different add-ons, and I am not running any add-ons that are in your list.
I did however see something strange. I only keep what I actually need on my site (which isn't much), but in my templates folder, I have 2 templates that I hold on to. I just changed the template from my current default to the secondary one I had on hand and the defacement has gone away.
The only thing I can figure is somehow these people have figured out a way to gain access to the administrator password, and they're modifying the default template for their defacement purposes. I just can't figure out how exactly they're gaining access to the admin panel.
One note though, in case anyone else runs in to this problem: if you try to login to your admin account and quickly learn your password has been changed...do not sit there and try different passwords over and over again. I am thinking this may have been where I slipped up the second time around, since I figured I had forgotten my password and tried a whole range of passwords that I use commonly, and of course when I changed the password I set it to something I am used to. This time around, I am going to use a secure password that I have never entered in to this site before and see what happens.
I guess my next move is to restore the site, change the passwords again, triple check everything is locked down, and remove the default administrator username and see what happens.
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Well my site is back up and running again, I have deleted the default administrator account, reset all my passwords to secure non-used passwords, all files that had been tampered with have been restored with original Joomla files. I guess nothing else to do but sit back and wait to see what happens.
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Site hacked : ver. 1.5.15
it's good to hear that you are progressing well and have taken a somewhat methodical approach to sorting the site out.
a few things still slightly caused me to jump and hopefully
readytohelpwm wrote: and remove the default administrator username and see what happens.
that should be the first thing people do when they make a site, you have already given a hacker half the keys to your site. http://docs.joomla.org/Why_should_you_i ... in_user%3F
defacers normally only go after the default template but it could also be that the template you have is actually provided with links or a backdoor in it. can you name the templates?
if you want to insert the file checker code then that will alert you to any changes on your site (on checklist 7)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
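A file checker of the kind suggested above compares content hashes against a saved baseline, so it still flags a file whose modification time looks untouched. This is an added example, not the code from the Joomla checklist; the function names and the sample site tree are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink may point outside the site tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(old, new):
    """Return (added, removed, changed) lists of relative paths, each sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def write(path, body):
    with open(path, "wb") as handle:
        handle.write(body)


def demo():
    """Constructed site tree: alter a template file, restore its mtime, then compare."""
    with tempfile.TemporaryDirectory() as root:
        tpl_dir = os.path.join(root, "templates", "example_tpl")
        os.makedirs(tpl_dir)
        tpl = os.path.join(tpl_dir, "index.php")
        css = os.path.join(tpl_dir, "old.css")
        write(os.path.join(root, "index.php"), b"<?php // front controller\n")
        write(tpl, b"<?php // template\n")
        write(css, b"body {}\n")
        before = build_baseline(root)

        # Change the template's content, then put the original timestamps back.
        stamp = os.stat(tpl)
        write(tpl, b"<?php // template, altered\n")
        os.utime(tpl, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))
        write(os.path.join(tpl_dir, "extra.php"), b"<?php // new file\n")
        os.remove(css)

        mtime_same = os.stat(tpl).st_mtime_ns == stamp.st_mtime_ns
        added, removed, changed = compare(before, build_baseline(root))
        return {"added": added, "removed": removed,
                "changed": changed, "mtime_same": mtime_same}


if __name__ == "__main__":
    print(demo())
```

Keep the saved baseline somewhere the web server account cannot write to, otherwise whoever alters the files can alter the baseline too.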
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
My mistake was I forgot to disable / delete the default administrator account. I had created a second account that I used to login to the site, but it slipped my mind to actually remove the default admin account. (That's what I get for staying up too late working on these sites.)
The template that I am using is called ja_edenite, and I will most certainly look in to the file checker code and see what I can do with it.
Thank you again for your assistance with everything.
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Site hacked : ver. 1.5.15
i am not aware that ja_edenite has any problems if got from a reputable source. Please let us know how you get on.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
- ilox
- Joomla! Explorer
- Posts: 444
- Joined: Thu Aug 25, 2005 3:29 pm
- Location: Adelaide, South Australia
- Contact:
Re: Site hacked : ver. 1.5.15
Just a little thing, and you might have to request your Hoster to change this...
Register Globals: On
That should be Off. It is a well known fact that leaving Register Globals On makes it easier for scum to get into the system. Almost all reputable Hosts would have flipped that to Off by now.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
- euoceo
- Joomla! Guru
- Posts: 957
- Joined: Fri Sep 12, 2008 2:48 pm
- Location: Sacramento
- Contact:
Re: Site hacked : ver. 1.5.15
You should also see about putting an .htaccess in your admin directory to force a 2nd password verification (Different from the site's admin pw!) before being able to access the admin back-end. This is done by putting the following commands in .htaccess:
# No <Limit> wrapper: inside <Limit GET> the password would only be required for GET requests
AuthUserFile /_path_to_directory/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user
Then create a .htpasswd file in that folder. This site here helps you do that:
http://www.htaccesstools.com/htpasswd-generator/
Once this is done, when you try to use that directory you'll first get a pop-up asking for a valid username/pw contained in the .htpasswd file. After that, then you'll get to the back-end login.
Edit: Make sure to replace _path_to_directory with whatever the server's path is to that folder...
Joomla! Web Hosting, Design, and Consulting.
-Bob
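Apache applies directives placed inside a <Limit> section only to the HTTP methods it lists, which matters for a password prompt like the one described above. The following added example (not from the post or from Joomla; the function names and both sample files are constructed) reports `require` lines scoped that way and tells which methods actually get the prompt.

```python
import re

SECTION_OPEN = re.compile(r"<\s*(LimitExcept|Limit)\s+([^>]*)>", re.IGNORECASE)
SECTION_CLOSE = re.compile(r"</\s*(LimitExcept|Limit)\s*>", re.IGNORECASE)
# Only the classic authentication forms are treated as a password requirement.
REQUIRE = re.compile(r"require\s+(valid-user|user|group)\b", re.IGNORECASE)

# Constructed sample: the password requirement is scoped to GET only.
LIMITED = """\
AuthUserFile /_path_to_directory/.htpasswd
AuthName "Authorization Required"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
"""

# Constructed sample: the same requirement with no method restriction.
UNWRAPPED = """\
AuthUserFile /_path_to_directory/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user
"""


def iter_requires(text):
    """Yield (line_number, directive, section); section is None or (kind, methods)."""
    stack = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            methods = frozenset(m.upper() for m in opened.group(2).split())
            stack.append((opened.group(1).lower(), methods))
        elif SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif REQUIRE.match(line):
            yield number, line, (stack[-1] if stack else None)


def method_limited_requires(text):
    """List the require lines that sit inside <Limit> or <LimitExcept>."""
    found = []
    for number, directive, section in iter_requires(text):
        if section is not None:
            kind, methods = section
            found.append((number, directive, kind, sorted(methods)))
    return found


def requires_auth_for(text, method):
    """True if a request using this HTTP method would be asked for credentials."""
    method = method.upper()
    for _number, _directive, section in iter_requires(text):
        if section is None:
            return True
        kind, methods = section
        if kind == "limit":
            # Apache treats a restriction on GET as covering HEAD as well.
            if method in methods or (method == "HEAD" and "GET" in methods):
                return True
        elif method not in methods:  # limitexcept: all methods but the listed ones
            return True
    return False


if __name__ == "__main__":
    for label, sample in (("limited", LIMITED), ("unwrapped", UNWRAPPED)):
        print(label, method_limited_requires(sample),
              {m: requires_auth_for(sample, m) for m in ("GET", "HEAD", "POST")})
```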
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Outstanding, thank you. I will most definitely do this.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
.. it's all kind of pointless while your host runs such an insecure setup. Please see:
http://community.joomla.org/blogs/leade ... en-up.html
http://community.joomla.org/blogs/leade ... -time.html
.. unless of course you don't mind your site being compromised again.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
I have run into a slight problem with trying to set up an .htaccess file, which I might as well bring up here just in case anyone else attempts to do the same.
I am running the jsecure plugin, and it appears to cause a slight issue when trying to set up the .htaccess.
Would you happen to know a workaround, or what should be entered in the .htaccess file so it will work correctly?
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
brad - I have talked with my hosting company before about Registered Globals being on, and as you state in your comments, they attempt to use a work around. My question to you is, you mention disabling it on the user side, would you have a guide / walk-through available to assist users with disabling registered globals? -- At this very moment I am calling my hosting company to see what they have to say again about disabling registered globals on my shared account.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
Please carefully read the blog posts I linked to. If you had read them, you would not be asking the questions you are. I fear you are focusing all your efforts in the wrong place. It's pointless disabling register_globals on your own site, only serverwide is helpful. Anyway, any host that runs such an insecure setup is one to avoid like the plague.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Brad - With my current hosting setup, I am utilizing 1 dedicated server and 1 shared hosting server. I just got off the phone with my hosting company and started asking questions about Registered Globals. They did inform me that on all their newer shared hosting servers, the global registers are disabled by default. They did mention that on the older machines (which I have had this account for 3 years), that Globals are left on, but the ability to disable them is provided through the cpanel. Going with your previous comment, even if I disable Registered Globals through my cpanel, do you feel that my site / shared account is still at risk?
I would also like to add for reference to others..I was informed that if you login to your cpanel, go to the software section, click on "PHP Quick Config", click on enable (if not already enabled), half way down you will find Registered Globals with enable / disable options to the right side. (They did mention that this is a common option on most shared hosting accounts running the latest version of cpanel with all software packages installed)
Last edited by readytohelpwm on Wed Dec 30, 2009 6:56 am, edited 1 time in total.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
It's pointless disabling register_globals on your own site, only serverwide is helpful.
Please read my blog posts to find out why. There is a reason they have been disabled since php 4.2.. what version of php does your host now run? Does your host run suphp?
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
I will re-read your posts again, and my current version of php (on my shared account) is PHP Version: 5.2.11, as for suphp I am unsure. -- I'm having a really bad day, besides everything that has happened with the security issues, my hosting company (for the first time in 3 years), just had a router go out (so they say), so my site is currently down. lol life is great!
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
You need to find a new hosting company 

Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Well I got someone's attention at my hosting company...I'm being transferred to a manager to assist me with my concerns...lol depending on how this conversation goes, I may be in the market for a new hosting company.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
readytohelpwm wrote: Well I got someone's attention at my hosting company...I'm being transferred to a manager to assist me with my concerns...lol depending on how this conversation goes, I may be in the market for a new hosting company.
All the best, it's pretty simple though.. if they do not run suphp and have not disabled register_globals serverwide, you should still be looking for a new host.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
lol kk hold on a minute, I'll update you on what my hosting company has to say.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Site hacked : ver. 1.5.15
readytohelpwm wrote: lol kk hold on a minute, I'll update you on what my hosting company has to say.
It's ok.. they have a long and poor reputation.. any excuses or reasons they come up with I've probably heard before.
I'll leave you to it.. all the best.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Brad, the hosting company I am with is in fact running suphp. The real conversation starter was discussing the registered globals setup on my shared hosting account. The technician I spoke with originally informed me that they do in fact have globals enabled, but what most people do not understand is that when set up with cphp, each user's processes that are running are only tied to that particular user. He also said that he personally thinks that registered globals should be disabled by default at the server level, but since they are unable to do this because there are some sites out there that are in fact out-dated, they must keep it turned on. As he was also telling me, every measure has been taken to ensure that if an account was compromised on a shared server, it would be confined to that user's account only. The particular tech that I was speaking with was outstanding; he checked the accounts that were running on my particular shared server and went ahead and disabled globals on the entire shared server. He said as long as no one calls in saying their site quit working related to globals, they wouldn't re-enable it.
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Relevant PHP Settings (Setting: Value)
Safe Mode: Off
Open basedir: None
Display Errors: On
Short Open Tags: On
File Uploads: On
Magic Quotes: Off
Register Globals: Off
Output Buffering: Off
Session Save Path: /tmp
Session Auto Start: 0
XML Enabled: Yes
Zlib Enabled: Yes
Disabled Functions: dl
Mbstring Enabled: Yes
Iconv Available: Yes
WYSIWYG Editor: Editor - No Editor
- mandville
- Joomla! Master
- Posts: 15161
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Site hacked : ver. 1.5.15
ok - please note that the included ifs at the beginning of each line is a big bold "if"
if they are putting you on a new clean share space then install joomla
if after running the forum post tool and going through checklist 7 and you post the results here without any errors
if you do not get hacked within a few days
if you are happy with the service and the price you are paying, then stay with them
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Apprentice
- Posts: 9
- Joined: Wed Dec 09, 2009 5:33 pm
Re: Site hacked : ver. 1.5.15
Hi there.
I'm not an expert but just to share what I have learned:
some security checklists say that "Display Errors:" should be off as well to prevent information from hackers...
regarding mandville's comment, if your hosting company enables you to use SSH, you should use the WinSCP client as a secure ftp; in addition you can encrypt your master password, thus preventing hackers from getting it, even if they manage to get hold of your computer.
check this out:
http://support.suso.com/supki/SSH_Tutorial_for_Windows
http://winscp.net/eng/index.php
BTW
any success with the htaccess issue?
I have the same plugin and I want to configure the same solution posted here.
thanks and good luck!!!
-
- Joomla! Apprentice
- Posts: 20
- Joined: Tue Dec 29, 2009 6:14 pm
Re: Site hacked : ver. 1.5.15
Mandville -- I am attempting to run the forum post tool, and keep getting a blank white screen when I drop jtpost_en.php in my / directory. I will mess around with this again in a little bit and see if I can get it running (Getting ready to run to work.)
Danik -- I have not been able to resolve the issue yet with .htaccess & jsecure. I did however figure out (if you really want to have added security), that if you drop the .htaccess file and password file in your administrator directory following the instructions above, it will in fact make it to where NO ONE can access the administrator login page (even if they enter the correct htaccess user and pass). At this point, you just remove the .htaccess file via ftp when you need to login, and the admin login page will become available again. This obviously isn't the way it's supposed to work...lol but it does create an extra step to be able to get to the admin page. lol -- As soon as I figure out the right way of making it work, I'll make sure to post it here.
Also, I really want to say thank you to you guys, I really do appreciate all the information and help you guys have been giving. It really is nice knowing there are people you can turn to to get help with these problems as they come up.
For now, I am headed to work, and I'll keep watching and waiting to see what happens with my site.
- euoceo
- Joomla! Guru
- Posts: 957
- Joined: Fri Sep 12, 2008 2:48 pm
- Location: Sacramento
- Contact:
Re: Site hacked : ver. 1.5.15
Re: register globals
This may work, but I'm guessing if the host doesn't know enough to keep register_globals off maybe not. Many places allow you to override variables from the default php.ini file. Try uploading a php.ini file to your main directory with this one line:
register_globals = Off
And see if that does the trick. If not, try putting this line in the main directory's .htaccess file:
php_flag register_globals off
If you want to still use your override php.ini you can also try:
php_value include_path "_path_to_directory_/php.ini"
Hopefully one of those methods works. Regardless, you should look at changing hosts! Sites *will* be hacked at some point with a host that uses register_globals on, and once that happens and the system itself is compromised then you might as well get your backup ready again.
Joomla! Web Hosting, Design, and Consulting.
-Bob