[Fixed]Index Page hacked using "Confirm Your Account" Page??
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Intern
- Posts: 50
- Joined: Sun Nov 22, 2009 8:23 pm
[Fixed]Index Page hacked using "Confirm Your Account" Page??
Site on Joomla 1.5. Total novice.
Website index page was hacked last night and I found the possible source on Stat Counter. It's a Turkish IP address and the text on the hacked page was all Turkish.
The first page they accessed was the "Confirm Your Account". Then "Forgot Your Password" and then the "Login" page.
1st February 2010 18:20:25 Page View localhost/memo.php
http://www.slow########.com//?option=co ... ut=confirm
1st February 2010 18:20:36 Page View http://www.slow########.com//?option=co ... ut=confirm
http://www.slow#########.com/index.php? ... t=complete
1st February 2010 18:20:45 Page View http://www.slow#########.com/index.php? ... t=complete
http://www.slow#########.com/index.php? ... view=login
1st February 2010 19:55:34 Page View No referring link
http://www.slow#########.com/
This was a return visit. I can only assume that they somehow got a login. The user settings don't allow registration or account activation. I don't understand how this was done. I also was not aware that these pages were accessible.
Can I do anything to close this down? After reading other posts I am going through Security Checklist 7, but I honestly don't know what most of it means.
PD
Last edited by biablasta on Fri Feb 05, 2010 3:53 pm, edited 2 times in total.
- mandville
- Joomla! Master
- Posts: 15157
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Index Page hacked using "Confirm Your Account" Page??
start with the first steps
[ ] Run the forum post assistant and security tool Instructions available here and post your results.
if you have questions on anything in those checklists please ask.
have you also looked at the vulnerable extension list? http://docs.joomla.org/Vulnerable_Extensions_List what you describe sounds like a VE attack
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
- ilox
- Joomla! Explorer
- Posts: 444
- Joined: Thu Aug 25, 2005 3:29 pm
- Location: Adelaide, South Australia
- Contact:
Re: Index Page hacked using "Confirm Your Account" Page??
This seems to be an old hack identified back in 2008...
http://forum.joomla.org/viewtopic.php?f=432&t=317576
and fixed with the release of 1.5.6.
Please run the Forum Post Assistant to give us a look at the settings on your system: http://forum.joomla.org/viewtopic.php?f=428&t=272481
Also check what Joomla version you are using. It should be 1.5.15. If it isn't, then immediately make it so!
Another quick step you can do is make certain that the Administrator account is unguessable as admin, make it something, anything, but something that might look like it is an admin account.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
-
- Joomla! Intern
- Posts: 50
- Joined: Sun Nov 22, 2009 8:23 pm
Re: Index Page hacked using "Confirm Your Account" Page??
Thanks for the prompt replies.
Mea Culpa. I was running an old version of 1.5. It is now up to date. I have checked the vulnerable extensions and I don't believe I have any installed, unless they were installed with Joomla (wouldn't it be great if there was some tool to cross reference the output from the component/module/plugin audit with the VE list. I'm dyslexic).
Below is the output from the forum generator.
JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Zeus/4.3 | PHP Version: 5.2.11
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Disabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 240 seconds | File Uploads: Enabled
MySQL Version: 4.1.22-standard ( mysql1.mylogin.ie via TCP/IP )
I wouldn't have a clue if any of this indicates vulnerability. By the way if I have the {mod deleted}, IP is there a way to block it?
Thanks again.
PD
Last edited by mandville on Wed Feb 03, 2010 1:25 pm, edited 2 times in total.
Reason: Leave "deliberate spelling mistakes" at the door
- mandville
- Joomla! Master
- Posts: 15157
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Index Page hacked using "Confirm Your Account" Page??
The people who do these normally use either zombied computers or floating IP ranges so unless you want to block the whole country there is not much point
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Intern
- Posts: 50
- Joined: Sun Nov 22, 2009 8:23 pm
Re: Index Page hacked using "Confirm Your Account" Page??
Point taken. Both of them. Just ran a quick Google search for the hackers and there are 4150 sites that have been hacked by them. I don't feel so alone now. I tried a few and not all are Joomla.
I have deleted the offending files.
I have installed 1.5.15
Changed admin username and password.
Downloaded the whole site by ftp and virus checked it.
Run the forum post assistant.
Checked the vulnerable extension list.
Changed the permissions of the root folders and files (have no idea how to chmod for all of the subfolders/files).
Is there anything else I can do to close down this hole in my security?
Thanks
PD
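Added example (not part of the original thread): one way to do the recursive chmod asked about above from a shell on the host. Shell access and the 755/644 modes (the commonly recommended Joomla values) are assumptions; 444 for configuration.php matches the mode shown in the diagnostic output earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# set_joomla_perms DOCROOT
#   directories -> 755, files -> 644, configuration.php -> 444
set_joomla_perms() {
    root=$1
    # Refuse to run on a directory that is not a Joomla root, so a typo
    # in the path cannot re-permission some unrelated tree.
    [ -f "$root/configuration.php" ] || {
        echo "no configuration.php in $root, not touching it" >&2
        return 1
    }
    # -type d / -type f do not follow symlinks, so links pointing outside
    # the docroot are left alone.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 444 "$root/configuration.php"
}

# world_writable DOCROOT
#   lists every file or directory still writable by "other";
#   empty output is the result you want.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Usage (path is an assumption):
#   set_joomla_perms /home/youruser/public_html && world_writable /home/youruser/public_html
```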
- mandville
- Joomla! Master
- Posts: 15157
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Index Page hacked using "Confirm Your Account" Page??
biablasta wrote: Point taken. Both of them. Just ran a quick Google search for the hackers and there are 4150 sites that have been hacked by them. I don't feel so alone now. I tried a few and not all are Joomla.
biablasta wrote: I have deleted the offending files.
good
biablasta wrote: I have installed 1.5.15
and please subscribe to the security or announcements feed to be alerted of any new releases
biablasta wrote: Changed admin username and password.
the other option is to disable the original admin user and use a new one whose id is not 62.
biablasta wrote: Downloaded the whole site by ftp and virus checked it.
reasonable move
biablasta wrote: Run the forum post assistant.
did it give any warnings or errors?
biablasta wrote: Checked the vulnerable extension list.
smart move
biablasta wrote: Changed the permissions of the root folders and files (have no idea how to chmod for all of the subfolders/files).
good, and your host can do that. most ftp can do a recursive but your host will know you are serious if you ask them to do it.
biablasta wrote: Is there anything else I can do to close down this hole in my security.
check warnings from the post tool, keep an eye on the VEL and this forum. watch your logs for suspicious activity, use a file change monitor script
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Intern
- Posts: 50
- Joined: Sun Nov 22, 2009 8:23 pm
Re: Index Page hacked using "Confirm Your Account" Page??
Hello again,
Don't wish to take up any more of your time.
Forum Post assistant reports that magic quotes is disabled and that is highlighted red. Don't know what could be wrong with that. I thought it was dumped anyway.
Everything else seems ok.
I will implement your other recommendations. Thanks again for the comprehensive response. Perhaps I'll stick with Joomla after all.
PD
- ilox
- Joomla! Explorer
- Posts: 444
- Joined: Thu Aug 25, 2005 3:29 pm
- Location: Adelaide, South Australia
- Contact:
Re: Index Page hacked using "Confirm Your Account" Page??
PD, if this topic has been resolved to your satisfaction could you please amend the original post to add a green tick icon and the words [SOLVED] or else [FIXED] to the front of the thread title. That will help others who might come across your thread and might wonder if there was a solution to a similar problem.
Glad things got sorted out for you.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
-
- Joomla! Intern
- Posts: 50
- Joined: Sun Nov 22, 2009 8:23 pm
Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??
Hello,
The nice gentlemen who hacked my website have had another go, obviously out to exploit the same vulnerability, but I am happy to say they didn't get in.
18th February 2010 15:55:22 Page View No referring link
www.#######.com/index.php?option=com_us ... ut=confirm
18th February 2010 15:55:25 Page View www.#######.com/index.php?option=com_us ... ut=confirm
www.#######.com/index.php?option=com_us ... ut=confirm
I know no one wants to tip off potential hackers, but can someone, somehow, explain to me what this vulnerability is and why I can't stop someone accessing these pages. Or can I?
PD
- ilox
- Joomla! Explorer
- Posts: 444
- Joined: Thu Aug 25, 2005 3:29 pm
- Location: Adelaide, South Australia
- Contact:
Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??
The attack attempts are sent out randomly by scripts so they are not searching for your site deliberately, just searching for any site that has the same vulnerability. By following the Security Checklist you have removed that vulnerability so their attempt just washes past your site.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
-
- Joomla! Apprentice
- Posts: 22
- Joined: Mon Oct 12, 2009 2:44 pm
- Location: Dublin, Ire
- Contact:
Re: [Fixed]Index Page hacked using "Confirm Your Account" Page??
Just to let you know, I just found a similar attack attempt on my site.
The address the attacker came from was http://www.{deleted}.com/yaratik.php (Turkish IP) and it accessed index.php?option=com_user&view=reset&layout=confirm - which is the Forgot your password website, where a token is required.
Apparently this was an attempt to break in knowing this bug: http://developer.joomla.org/security/ne ... ality.html
I have the latest Joomla 1.5.15 so the attack was unsuccessful. Guys, upgrade your Joomlas if you haven't done it yet!
This is the translated version of that website (Turkish - English): http://translate.google.com/translate?j ... l=tr&tl=en
I hope no other type of attacks are performed from that site.
Last edited by mandville on Wed Mar 31, 2010 11:48 pm, edited 1 time in total.
Reason: edited due to hacker kudos and linking rules.
http://sierakowski.eu | ActionScript 3 Developer blog
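Added example (not part of the original thread): a way to follow the "watch your logs" advice for the probe described in these posts, counting requests for `option=com_user&view=reset&layout=confirm` per client. It assumes an Apache-style combined access log; the function names are hypothetical and the sample lines are constructed, using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the thread.

# reset_probes [LOGFILE]: print "count ip last-seen" for every client that
# requested the com_user reset/confirm page. Reads stdin if no file is given.
reset_probes() {
    awk '
        {
            # Combined log format: field 1 is the client, field 4 the
            # timestamp, field 7 the request path and query string.
            url = tolower($7)
            # Match each parameter on its own so the order does not matter.
            if (url ~ /[?&]option=com_user(&|$)/ &&
                url ~ /[?&]view=reset(&|$)/ &&
                url ~ /[?&]layout=confirm(&|$)/) {
                hits[$1]++
                last[$1] = substr($4, 2)
            }
        }
        END { for (ip in hits) print hits[ip], ip, last[ip] }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Constructed sample log lines, not taken from any real site.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [18/Feb/2010:15:55:22 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2010:15:55:25 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120 "http://www.example.com/index.php?option=com_user&view=reset&layout=confirm" "Mozilla/5.0"
192.0.2.10 - - [18/Feb/2010:16:01:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Feb/2010:16:10:02 +0000] "GET /index.php?layout=confirm&view=reset&option=com_user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Feb/2010:16:12:40 +0000] "GET /index.php?option=com_user&view=login HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
EOF
}

sample_log | reset_probes
```

On a patched site these requests are harmless, as the replies above explain; the count is useful mainly for noticing a probe that lands shortly before an unexpected administrator login or file change.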