
[Fixed]Index Page hacked using "Confirm Your Account" Page??

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

biablasta
Joomla! Intern
Posts: 50
Joined: Sun Nov 22, 2009 8:23 pm

[Fixed]Index Page hacked using "Confirm Your Account" Page??

Post by biablasta » Wed Feb 03, 2010 12:10 pm

Site on Joomla 1.5. Total novice.
Website index page was hacked last night and I found the possible source on Stat Counter. It's a Turkish IP address and the text on the hacked page was all Turkish.

The first page they accessed was the "Confirm Your Account". Then "Forgot Your Password" and then the "Login" page.

1st February 2010 18:20:25 Page View localhost/memo.php
http://www.slow########.com//?option=co ... ut=confirm
1st February 2010 18:20:36 Page View http://www.slow########.com//?option=co ... ut=confirm
http://www.slow#########.com/index.php? ... t=complete
1st February 2010 18:20:45 Page View http://www.slow#########.com/index.php? ... t=complete
http://www.slow#########.com/index.php? ... view=login
1st February 2010 19:55:34 Page View No referring link
http://www.slow#########.com/

This was a return visit. I can only assume that they somehow got a login. The user settings don't allow registration or account activation. I don't understand how this was done. I also was not aware that these pages were accessible.

Can I do anything to close this down? After reading other posts I am going through Security Checklist 7, but I honestly don't know what most of it means.

PD
Last edited by biablasta on Fri Feb 05, 2010 3:53 pm, edited 2 times in total.

mandville
Joomla! Master
Posts: 15157
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Index Page hacked using "Confirm Your Account" Page??

Post by mandville » Wed Feb 03, 2010 12:49 pm

start with the first steps
[ ] Run the forum post assistant and security tool Instructions available here and post your results.
if you have questions on anything in those checklists please ask.

have you also looked at the vulnerable extension list? http://docs.joomla.org/Vulnerable_Extensions_List what you describe sounds like a VE attack
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: Index Page hacked using "Confirm Your Account" Page??

Post by ilox » Wed Feb 03, 2010 12:49 pm

This seems to be an old hack identified back in 2008...
http://forum.joomla.org/viewtopic.php?f=432&t=317576
and fixed with the release of 1.5.6.

Please run the Forum Post Assistant to give us a look at the settings on your system: http://forum.joomla.org/viewtopic.php?f=428&t=272481
Also check what Joomla version you are using. It should be 1.5.15. If it isn't, then immediately make it so!
Another quick step you can do is make certain that the Administrator account is unguessable as admin, make it something, anything, but something that might look like it is an admin account.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

biablasta
Joomla! Intern
Posts: 50
Joined: Sun Nov 22, 2009 8:23 pm

Re: Index Page hacked using "Confirm Your Account" Page??

Post by biablasta » Wed Feb 03, 2010 1:18 pm

Thanks for the prompt replies.

Mea Culpa. I was running an old version of 1.5. It is now up to date. I have checked the vulnerable extensions and I don't believe I have any installed, unless they were installed with Joomla (wouldn't it be great if there was some tool to cross reference the output from the component/module/plugin audit with the VE list. I'm dyslexic).

Below is the output from the forum generator.

JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Zeus/4.3 | PHP Version: 5.2.11
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Disabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 240 seconds | File Uploads: Enabled
MySQL Version: 4.1.22-standard ( mysql1.mylogin.ie via TCP/IP )

I wouldn't have a clue if any of this indicates vulnerability. By the way if I have the {mod deleted}, IP is there a way to block it?

Thanks again.

PD
Last edited by mandville on Wed Feb 03, 2010 1:25 pm, edited 2 times in total.
Reason: Leave "deliberate spelling mistakes" at the door

mandville
Joomla! Master
Posts: 15157
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Index Page hacked using "Confirm Your Account" Page??

Post by mandville » Wed Feb 03, 2010 1:49 pm

The people who do these normally use either zombied computers or floating IP ranges so unless you want to block the whole country there is not much point

biablasta
Joomla! Intern
Posts: 50
Joined: Sun Nov 22, 2009 8:23 pm

Re: Index Page hacked using "Confirm Your Account" Page??

Post by biablasta » Wed Feb 03, 2010 2:21 pm

Point taken. Both of them. Just ran a quick Google search for the hackers and there are 4150 sites that have been hacked by them. I don't feel so alone now. I tried a few and not all are Joomla.

I have deleted the offending files.
I have installed 1.5.15
Changed admin username and password.
Downloaded the whole site by ftp and virus checked it.
Run the forum post assistant.
Checked the vulnerable extension list.
Changed the permissions of the root folders and files (have no idea how to chmod for all of the subfolders/files).

Is there anything else I can do to close down this hole in my security?

Thanks

PD

mandville
Joomla! Master
Posts: 15157
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Index Page hacked using "Confirm Your Account" Page??

Post by mandville » Thu Feb 04, 2010 12:54 am

biablasta wrote:
> Point taken. Both of them. Just ran a quick Google search for the hackers and there are 4150 sites that have been hacked by them. I don't feel so alone now. I tried a few and not all are Joomla.
> I have deleted the offending files.

good

> I have installed 1.5.15

and please subscribe to the security or announcements feed to be alerted of any new releases

> Changed admin username and password.

the other option is to disable the original admin user and use a new one whose id is not 62.

> Downloaded the whole site by ftp and virus checked it.

reasonable move

> Run the forum post assistant.

did it give any warnings or errors

> Checked the vulnerable extension list.

smart move

> Changed the permissions of the root folders and files (have no idea how to chmod for all of the subfolders/files).

good, and your host can do that. most ftp can do a recursive but your host will know you are serious if you ask them to do it.

> Is there anything else I can do to close down this hole in my security.

check warnings from the post tool, keep an eye on the VEL and this forum. watch your logs for suspicious activity, use a file change monitor script
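
A minimal form of the "file change monitor script" recommended in the reply above, as an added example that is not code from the thread or from the Joomla project. The file names and the temporary web root built in `demo()` are constructed for illustration; it also lists files that any user can write to, since permissions came up in the same reply.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped in this sketch
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            snap[os.path.relpath(full, root)] = (digest, mode)
    return snap

def compare(baseline, current):
    """Report changes since the baseline, plus files that any user can write to."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p][0] != baseline[p][0]),
        "world_writable": sorted(p for p, (_h, mode) in current.items()
                                 if mode & stat.S_IWOTH),
    }

def _write(path, body, mode):
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)

def demo():
    """Constructed web root: index.php is replaced and an extra script appears."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "index.php"), "<?php // site", 0o644)
        _write(os.path.join(root, "configuration.php"), "<?php // cfg", 0o444)
        baseline = snapshot(root)
        _write(os.path.join(root, "index.php"), "<?php // replaced", 0o644)
        os.mkdir(os.path.join(root, "images"))
        _write(os.path.join(root, "images", "extra.php"), "<?php // unexpected", 0o666)
        return compare(baseline, snapshot(root))
```

Take the baseline from a known-clean copy of the site and keep it somewhere the web server cannot write to, then run the comparison on a schedule.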

biablasta
Joomla! Intern
Posts: 50
Joined: Sun Nov 22, 2009 8:23 pm

Re: Index Page hacked using "Confirm Your Account" Page??

Post by biablasta » Fri Feb 05, 2010 3:04 pm

Hello again,

Don't wish to take up anymore of your time.

Forum Post assistant reports that magic quotes is disabled and that is highlighted red. Don't know what could be wrong with that. I thought it was dumped anyway.

Everything else seems ok.

I will implement your other recommendations. Thanks again for the comprehensive response. Perhaps I'll stick with Joomla after all.

PD

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: Index Page hacked using "Confirm Your Account" Page??

Post by ilox » Fri Feb 05, 2010 3:47 pm

PD, if this topic has been resolved to your satisfaction, could you please amend the original post to add a green tick icon and the words [SOLVED] or else [FIXED] to the front of the thread title. That will help others who might come across your thread and might wonder if there was a solution to a similar problem.

Glad things got sorted out for you.
Cheers, Ian

biablasta
Joomla! Intern
Posts: 50
Joined: Sun Nov 22, 2009 8:23 pm

Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??

Post by biablasta » Thu Feb 18, 2010 6:39 pm

Hello,

The nice gentlemen who hacked my website have had another go, obviously out to exploit the same vulnerability, but I am happy to say they didn't get in.

18th February 2010 15:55:22 Page View No referring link
www.#######.com/index.php?option=com_us ... ut=confirm
18th February 2010 15:55:25 Page View www.#######.com/index.php?option=com_us ... ut=confirm
www.#######.com/index.php?option=com_us ... ut=confirm


I know no one wants to tip off potential hackers, but can someone, somehow, explain to me what this vulnerability is and why I can't stop someone accessing these pages. Or can I?

PD

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??

Post by ilox » Thu Feb 18, 2010 9:44 pm

The attack attempts are sent out randomly by scripts so they are not searching for your site deliberately, just searching for any site that has the same vulnerability. By following the Security Checklist you have removed that vulnerability so their attempt just washes past your site.
Cheers, Ian

sigman
Joomla! Apprentice
Posts: 22
Joined: Mon Oct 12, 2009 2:44 pm
Location: Dublin, Ire

Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??

Post by sigman » Wed Mar 31, 2010 8:31 pm

Just to let you know, I just found a similar attack attempt on my site.

The address the attacker came from was http://www.{deleted}.com/yaratik.php (Turkish IP) and it accessed index.php?option=com_user&view=reset&layout=confirm, which is the "Forgot your password" page where a token is required.

Apparently this was an attempt to break in knowing this bug: http://developer.joomla.org/security/ne ... ality.html

I have the latest Joomla 1.5.15 so the attack was unsuccessful. Guys, upgrade your Joomlas if you haven't done it yet!

This is a translated version of that website (Turkish - English): http://translate.google.com/translate?j ... l=tr&tl=en

I hope no other type of attacks are performed from that site.
Last edited by mandville on Wed Mar 31, 2010 11:48 pm, edited 1 time in total.
Reason: edited due to hacker kudos and linking rules.
http://sierakowski.eu | ActionScript 3 Developer blog
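
The two visits logged in this thread differ in one respect: the first moves from the reset `confirm` page to `complete` and then `login`, while the later one only repeats `confirm`. As an added example (not code from the thread or from Joomla), the sketch below sorts clients in a web access log along that line. The log lines and IP addresses are constructed, `layout=complete` is assumed from the truncated URL in the first post, and treating `confirm` followed by `complete` as a passed token step is this example's assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2010:18:20:25 +0000] "GET /?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120 "http://localhost/memo.php" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2010:18:20:36 +0000] "GET /index.php?option=com_user&view=reset&layout=complete HTTP/1.1" 200 4890 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2010:18:20:45 +0000] "GET /index.php?option=com_user&view=login HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Feb/2010:15:55:22 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Feb/2010:15:55:25 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [18/Feb/2010:16:02:10 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and requested URL are the only fields this check needs.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) ')

def reset_step(url):
    """Return the layout ('confirm', 'complete') of a com_user reset request, else None."""
    q = parse_qs(urlsplit(url).query)
    if q.get("option") == ["com_user"] and q.get("view") == ["reset"]:
        return q.get("layout", [""])[0] or None
    return None

def classify_clients(log_text, window=timedelta(minutes=10)):
    """Map client IP -> 'reset_completed' or 'probe_only' for reset-page visitors."""
    last_confirm, verdict = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line this sketch understands
        ip, ts, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        step = reset_step(url)
        if step == "confirm":
            last_confirm[ip] = when
            verdict.setdefault(ip, "probe_only")
        elif (step == "complete" and ip in last_confirm
              and when - last_confirm[ip] <= window):
            verdict[ip] = "reset_completed"  # same order as the first post's visit
    return verdict
```

A `reset_completed` result is a reason to check the administrator accounts and recent file changes; `probe_only` matches the later visit reported in the thread after the upgrade.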
