Website with Joombah Jobs Hacked

Discussion regarding Joomla! 2.5 security issues.

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Website with Joombah Jobs Hacked

Post by robertsm » Wed Nov 14, 2012 7:07 pm

I am running a Joombah site (not listed as a vulnerable extension: http://docs.joomla.org/Vulnerable_Extensions_List) that was recently hacked. The hacker registered as a job seeker, then proceeded to upload files using the resumé upload feature. In my case the hacker uploaded a PHP script, using a JPG extension for the script, that he was then able to exploit using the PHP interpreter. My host has informed me that this is possible using other file extensions as well (.doc, .docx, etc), depending on how rewrite is implemented in htaccess (the htaccess file that was in place at time of attack is attached).

Edit: The hacker did upload a php script with a JPG extension, but that is not the complete story of how he did the hack. For security reasons, I am not going to post more about the actual exploit.

It appears that the hacker was then able to upload a separate PHP script that he used to send out spam.

I was running Joombah 1.3.3 and, admittedly, Joomla 2.5.4 (which I have since updated to 2.5.8). I have PM'd the Admin of the Joombah forums (approx 15 hours ago) and posted on their forums but still have not received a response.
Problem Description :: Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:Site hacked by uploading PHP script disguised as JPG or possibly DOC/DOCX file
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 14th November 2012 wrote:Site taken offline.
Upgraded Joomla from 2.5.4 to 2.5.8
Contacted (and still awaiting response) Joombah RE the hack
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |

Elevated Permissions (First 10) :: --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) |
Extensions Discovered :: wrote:Strict Information Privacy was selected. Nothing to display.
Templates Discovered :: wrote:_FPA_STRICT Information Privacy Nothing to display.
Additional log information below (with hacker's IP and my domain obfuscated)
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:59:34 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:47 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:56 -0400] "POST /jobs/component/jbjobs/jobseeker/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 69 "http://www.website.org/jobs/component/j ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:59 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... gjobseeker" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:28 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjo ... 908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
MODS: I have a copy of the fake JPG file/PHP Script. If you would like I can PM the contents of it to you.

Any help/advice on where to go next to button this issue down would be greatly appreciated.
Last edited by robertsm on Mon Nov 19, 2012 12:18 am, edited 2 times in total.
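The log excerpt above is the kind of evidence a site owner has to work from after an incident like this: a POST straight to a file under the images/ tree that the server answered with 200. The following is an added example for this thread, not code from the forum post, Joomla or JoomBah. It parses Apache combined-format lines (including the "filename:" prefix that zgrep adds, as in the lines quoted above) and flags any request that reaches a script extension, or any POST at all, under a directory that should only ever hold static uploads. The sample lines, the second IP address and the UPLOAD_DIRS prefix are constructed assumptions for the example.

```python
"""Flag requests that execute scripts from an upload-only directory.

Added example for the thread; not code from the forum post, Joomla or JoomBah.
The sample log lines, client addresses and host names are constructed to mirror
the shape of the Apache lines quoted above. UPLOAD_DIRS is an assumption: the
path prefixes under which the site stores uploaded files.
"""
import re
from typing import Dict, List, Optional

# Path prefixes that should only ever serve static uploads (assumed for the example).
UPLOAD_DIRS = ("/jobs/images/",)

# Extensions a web server might hand to an interpreter.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php3", ".php5", ".pl", ".py", ".cgi", ".sh")

# Apache combined log format. The optional "filename:" prefix is what grep/zgrep
# prepend when several log files are searched at once (as in the quoted lines).
# The prefix handling assumes IPv4 client addresses (no colon inside the IP).
LOG_RE = re.compile(
    r'^(?:\S+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a benign form POST, an image fetch, an executed upload, and a
# later attempt against the same file after it was removed.
SAMPLE_LOG = """\
12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "-" "Mozilla/5.0"
12.345.678.90 - - [02/Nov/2012:22:30:01 -0400] "GET /jobs/images/jbjobs/pf/p_259_1351908403.jpg HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2012:01:12:09 -0400] "GET /jobs/images/jbjobs/pf/p_259_1351908403.php?x=1 HTTP/1.1" 404 210 "-" "curl/7.26"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(method: str, path: str) -> Optional[str]:
    """Return a reason if the request looks like script execution in an upload
    directory, otherwise None."""
    clean = path.split("?", 1)[0].lower()  # ignore the query string
    if not any(clean.startswith(prefix) for prefix in UPLOAD_DIRS):
        return None
    if clean.endswith(SCRIPT_EXTENSIONS):
        return "script extension under upload directory"
    if method == "POST":
        # A directory of static uploads has nothing that should accept a POST body.
        return "POST to upload directory"
    return None


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Scan log text and return the flagged records, each annotated with the reason
    and whether the server answered 2xx (i.e. actually ran or served the target)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_path(rec["method"], rec["path"])
        if reason is None:
            continue
        rec["reason"] = reason
        rec["served"] = "yes" if rec["status"].startswith("2") else "no"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> '
              f'{hit["status"]} ({hit["reason"]}; served={hit["served"]})')
```

A 2xx on a flagged line is the one to chase first: it means the interpreter actually handled the uploaded file, and the timestamp and client address give the window to pull the rest of that client's activity (registration, login and resume-edit POSTs, as in the thread). 4xx hits still record that someone knew the path and tried it.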

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Wed Nov 14, 2012 8:38 pm

Not sure if it matters (for use with extensions), but "Check MIME Types" is enabled in the media manager.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Wed Nov 14, 2012 9:21 pm

looking at your fpa results (please repost with extensions viewable) I was concerned over the use of the 775 folders - why?
the extension is two versions behind, assuming you are using the proper un-nulled version.
the dev may need to include a htaccess similar to checklist 7 that prevents scripts running in folders
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Wed Nov 14, 2012 9:47 pm

mandville - thank you for the reply. I really appreciate the help. I've created a new directory to work on an upgrade of this extension and I have run an FPA on the latest release. I will post that in the next response.
Here's an FPA without restrictions (only my domain changed).
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.3) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.2) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.2) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.2) | JoomBah Latest Jobs Mini (1.3.2) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.2) | mod_stats (2.5.0) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.2) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.2) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.2) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.2) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.2) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.2) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.2) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6b) | Azrul System Mambot For Joomla (3.3) |
Templates Discovered :: wrote:Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Wed Nov 14, 2012 9:49 pm

Here is an FPA, running the latest release of JoomBah Jobs 1.3.5 RC...
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 6.00 MiB | #of Tables:  180
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.5 RC) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.5) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.5) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.5) | JoomBah Latest Jobs Mini (1.3.5) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.5) | mod_stats (2.5.0) | JoomBah Jobs Top Employer (1.3.5) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.5) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.5) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.5) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.5) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.5) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.5) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.5) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6a) | Azrul System Mambot For Joomla (3.3) |
Templates Discovered :: wrote:Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Thu Nov 15, 2012 1:16 am

Update regarding Joombah Version: 1.3.5 RC (and v 1.3.3)
No MIME Type check seems to be occurring. I was able to upload a PHP script with both a .doc & .jpg file extension without any difficulty using the Joombah Resumé upload feature.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Thu Nov 15, 2012 8:20 am

I would suggest that you add a htaccess file to the upload directory
with the following code
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

if you continue to use the script, email your findings to vel@ joomla.org minus space

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Thu Nov 15, 2012 12:32 pm

mandville,

I have implemented the htaccess file.

I have also been contacted by the software devs & I am working with them to sort this out. I will post an update here when I know more.

Thank you again.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Thu Nov 15, 2012 7:14 pm

please get the dev to follow the standard vel procedures. their listing has been unpublished from the jed

joombah
Joomla! Apprentice
Posts: 8
Joined: Fri Nov 16, 2012 1:25 am

Re: Website with Joombah Jobs Hacked

Post by joombah » Fri Nov 16, 2012 1:29 am

Hi,

Zaki here from JoomBah.com, may I get some more information on how the vulnerability is occurring. Any files that are uploaded are not runnable, so if you can forward us any information on this I would greatly appreciate it.

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 3:17 am

Zaki-
I just emailed you a link with additional information (the initial email notification from my host and the chat log for the support ticket that I opened after I was notified of the hack). Perhaps this will help.

Mandville: please let me know if you would like this information sent to you as well.

Matt

joombah
Joomla! Apprentice
Posts: 8
Joined: Fri Nov 16, 2012 1:25 am

Re: Website with Joombah Jobs Hacked

Post by joombah » Fri Nov 16, 2012 3:37 am

I can upload the jpg and doc file. But how is it that you were able to upload the php file? The upload feature in joombah jobs only allows certain extensions that are configured from the backend, and this only happens if you allow the php file extension.

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 3:45 am

My hosting provider has informed me that...
The extension of the file is .jpg, so the script couldn't be executed as a PHP file. However, with the right rewrite rules in the .htaccess file, .jpg files can be handled by the PHP interpreter, so having such a file in your account is not recommended.
Note: I use the stock Joomla .htaccess file and the recommended PHP settings.

I could be wrong, but it would appear that this is why the Joomla Media Manager checks MIME Types with mime_magic or fileinfo. From the Joomla Docs on Global Configuration and the Media Manager: http://docs.joomla.org/Global_configuration
Restrict Uploads. If set to “Yes” (the default and recommended setting) Joomla will restrict uploads to image file formats only. This restriction applies only to uploads by users with permission levels below Manager. The restriction only applies if the web server does not have installed either of the PHP modules Fileinfo or mime_magic. These modules are used to detect the type of a file independently of its name extension. They are used in Joomla – if available – to enhance site security by confirming that any uploads are not a file format that could be used for malicious purposes.
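The Joomla documentation quoted above makes the essential point: an extension whitelist only checks the name, while fileinfo or mime_magic checks the bytes. The following is an added example for this thread, not code from Joomla, JoomBah or any of the posters. It shows the two checks side by side in plain Python: a small magic-byte sniffer standing in for fileinfo, a validator that requires the sniffed type to match what the extension claims, refuses names with a script extension anywhere in them (file.php.doc, resume.php.jpg), and rejects files that carry a PHP open tag even when the image header is genuine, plus an audit routine that re-runs the same checks over an existing upload directory. The allowed-extension list and the sample file contents are constructed for the example.

```python
"""Content-based upload checks, plus an audit of an existing upload directory.

Added example for this thread; not code from Joomla, JoomBah or the forum posts.
It mirrors what the quoted Joomla docs describe (deciding a file's type from its
bytes rather than its name) in plain Python so the logic is visible. The allowed
extensions and the sample contents below are constructed for the example.
"""
import os
from typing import Dict, List, Optional, Set, Tuple

# Leading-byte signatures for formats a resume upload would plausibly accept.
# A .docx is a ZIP container, so it can only be identified as far as "zip" here.
MAGIC: Dict[bytes, str] = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "application/msword",  # OLE2 (.doc)
    b"PK\x03\x04": "application/zip",                           # .docx and other ZIPs
}

# What each name extension claims, as the sniffed type(s) the content must match.
EXTENSION_TYPES: Dict[str, Set[str]] = {
    "jpg": {"image/jpeg"}, "jpeg": {"image/jpeg"}, "png": {"image/png"},
    "gif": {"image/gif"}, "pdf": {"application/pdf"},
    "doc": {"application/msword"}, "docx": {"application/zip"},
}

SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "pl", "py", "cgi", "sh", "asp", "jsp"}

# A genuine image with PHP appended still sniffs as an image, so the content is
# also searched for PHP open tags after the signature check passes.
PHP_MARKERS = (b"<?php", b"<?=")

REASON_OK = "ok"
REASON_EXT_NOT_ALLOWED = "extension not allowed"
REASON_DOUBLE_EXT = "script extension inside filename"
REASON_TYPE_MISMATCH = "content type does not match extension"
REASON_PHP_MARKER = "embedded PHP marker"


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file type from its leading bytes (a small stand-in for fileinfo)."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def validate_upload(filename: str, data: bytes, allowed: Set[str]) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored. Returns (accepted, reason)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in allowed:
        return False, REASON_EXT_NOT_ALLOWED
    # "resume.php.jpg": some Apache configurations choose a handler from any
    # extension in the name, so refuse names carrying a script extension anywhere.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, REASON_DOUBLE_EXT
    sniffed = sniff_type(data)
    if sniffed is None or sniffed not in EXTENSION_TYPES.get(ext, set()):
        return False, REASON_TYPE_MISMATCH
    if any(marker in data for marker in PHP_MARKERS):
        return False, REASON_PHP_MARKER
    return True, REASON_OK


def audit_directory(root: str, allowed: Set[str], max_bytes: int = 1 << 20) -> List[Tuple[str, str]]:
    """Re-run validate_upload over files already on disk (first max_bytes of each)
    and return (path, reason) for every file that would be rejected today."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            ok, reason = validate_upload(name, data, allowed)
            if not ok:
                findings.append((path, reason))
    return findings


# Constructed sample contents (not real uploads).
ALLOWED = {"jpg", "jpeg", "png", "pdf", "doc", "docx"}
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PHP_AS_JPG = b"<?php /* constructed */ echo 1; ?>"
JPEG_WITH_PHP = REAL_JPEG + b"<?php /* constructed */ echo 1; ?>"

if __name__ == "__main__":
    import sys
    # Usage: python check_uploads.py /path/to/images/jbjobs
    for path, reason in audit_directory(sys.argv[1], ALLOWED):
        print(f"{reason}: {path}")
```

The audit is the immediate post-incident use: pointed at the upload tree, it lists every file whose bytes disagree with its name or that contains a PHP tag, which is exactly the shape of the file described in the opening post. In a real handler the sniffing would be done by PHP's fileinfo extension (present on this host per the FPA), and the directory itself should still be denied script execution, since content checks are a second layer, not a replacement for that.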

joombah
Joomla! Apprentice
Posts: 8
Joined: Fri Nov 16, 2012 1:25 am

Re: Website with Joombah Jobs Hacked

Post by joombah » Fri Nov 16, 2012 3:53 am

So even your host has recommended that you not use these rewrite rules that are able to handle jpg as if it's a php file. JoomBah Jobs has no such file or .htaccess that can do this.

Again, let us point out that JoomBah Jobs has an upload feature that only allows certain extensions, which are configured from the backend, and the php file could only be uploaded if you allow the php file extension.

robertsm
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 4:28 am

First: Understand that I am not a security expert, nor am I a programmer.

Second, regarding this:
So even your host has recommended that you not use this rewrite rules that is able to handle jpg as if its a php file.
As previously mentioned, I am not implementing anything other than the standard joomla .htaccess file and the suggested Joomla server configurations.

At this point, it seems pointless for us to keep going on about this. I cannot with authority say that Joombah is or is not secure. You seem upset, rightfully so, and you seem to want to blame me for this. Again, that is understandable. Please note, however, that I have posted my FPAs & htaccess file above for everyone to scrutinize. Given this, unless you need me to provide additional information I won't be responding to these tit-for-tat postings. I'll let you sort this out with mandville.

mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Fri Nov 16, 2012 5:15 am

Please screenshot your media upload settings page.
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

joombah
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Fri Nov 16, 2012 1:25 am

Re: Website with Joombah Jobs Hacked

Post by joombah » Fri Nov 16, 2012 6:27 am

Hi mandville,
attached is the upload configuration that is pre-configured in joombah jobs.

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 12:14 pm

mandville wrote:Please screenshot your media upload settings page .
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads
What Zaki (Joombah) has posted is the same as my configuration, except that since the hack I have removed the ability to upload image files from the Job Seeker Resume/CV configuration. Prior to this hack I saw no reason to change these settings, let alone to allow PHP scripts to be uploaded.

Regarding the uploads, I should clarify something: My host did delete 2 files from my site that were found in the Joombah Resume/CV upload folder...
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/wp mail.php
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908403.php

While reviewing my site (after the hack) I found an additional PHP file, masquerading as an image file:
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908388.jpg

mandville,
About 9 hours ago I sent Zaki a link to download the initial notification from my host and the subsequent tech support chat, that may have more information that you would be interested in. I can also send you a link for the fake image file. Please let me know if you would like me to PM you this information.

Matt
Last edited by robertsm on Mon Nov 19, 2012 12:18 am, edited 1 time in total.

mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Fri Nov 16, 2012 12:41 pm

Please send relevant files and info to [email protected]

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 2:49 pm

mandville wrote:Please send relevant files and info to [email protected]
I just sent additional information to you and Zaki (Joombah). I hope it helps to sort this out.
Thank you again.

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 3:39 pm

Question: globally speaking, if the Media Manager blocks PHP scripts that are disguised as image files (such as by changing the file extension), wouldn't it be best practice for 3rd party extensions to do the same MIME type check?
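The MIME type check asked about here, and the Fileinfo/mime_magic detection the Joomla docs quoted earlier in the thread describe, side by side with the extension-only check that let a PHP script through under a .jpg name. This is an added example written for this thread, not code from Joomla or from JoomBah Jobs; the allow-list, the file names and the file contents are constructed for the demonstration, and it uses PHP's bundled fileinfo extension (the same libmagic detection the docs refer to).

```php
<?php
// Added example, not code from Joomla or JoomBah Jobs. Contrasts an
// extension-only allow-list with a content check built on PHP's fileinfo
// extension. The allow-list, file names and file bytes are constructed.
declare(strict_types=1);

// Hypothetical resume allow-list: extension => MIME types fileinfo may report.
const ALLOWED = [
    'pdf' => ['application/pdf'],
    'doc' => ['application/msword'],
    'jpg' => ['image/jpeg'],
];

// The naive check: trust the name the client chose.
function extensionOnlyCheck(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return isset(ALLOWED[$ext]);
}

// The hardened check: name, detected content, and a scan for PHP open tags.
// Returns [accepted, reason].
function hardenedCheck(string $name, string $tmpPath): array
{
    $base = basename($name);
    // Apache's mod_mime evaluates every extension in a name, so with
    // "AddHandler application/x-httpd-php .php" a file called cv.php.doc
    // is executed as PHP. Allow exactly one extension and no dotfiles.
    if (substr_count($base, '.') !== 1 || $base[0] === '.') {
        return [false, 'name must have exactly one extension'];
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension .$ext not allowed"];
    }
    // What the bytes actually are, independent of the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content is $mime, not " . implode('|', ALLOWED[$ext])];
    }
    // A valid JPEG header can still be followed by <?php in a comment
    // segment, so refuse any PHP open tag. Deliberately strict: it may
    // reject a rare binary that happens to contain these bytes.
    if (preg_match('/<\?(php\b|=|\s)/i', (string) file_get_contents($tmpPath))) {
        return [false, 'contains a PHP open tag'];
    }
    return [true, 'ok'];
}

// Server-chosen storage name: the client's name never reaches the filesystem.
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . strtolower($ext);
}

// Constructed sample uploads: [client file name, bytes].
$samples = [
    ['cv.pdf',     "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"],
    ['photo.jpg',  "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9"],
    ['resume.jpg', "<?php mail(\$_GET['to'], 'x', \$_GET['b']); ?>"],       // script under a .jpg name
    ['cv.php.doc', "<?php system(\$_GET['c']); ?>"],                        // double extension
    ['poly.jpg',   "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00<?php echo 1; ?>\xFF\xD9"], // JPEG header, then PHP
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = hardenedCheck($name, $tmp);
    printf("%-12s extension-only: %-7s hardened: %-7s (%s)\n",
        $name,
        extensionOnlyCheck($name) ? 'ACCEPT' : 'reject',
        $ok ? 'ACCEPT' : 'reject',
        $ok ? 'stored as ' . storageName(pathinfo($name, PATHINFO_EXTENSION)) : $why);
    unlink($tmp);
}
```

Run it from the CLI with fileinfo enabled (it is compiled in by default since PHP 5.3). The extension-only check accepts resume.jpg, cv.php.doc and poly.jpg; the hardened check rejects all three for different reasons, which is the point: the name, the detected type and the bytes have to agree before anything is written. The other half of the defence is where the file lands. The files in this thread sat under images/jbjobs/pf/ inside the web root, which is exactly where a request for the .php name gets executed; an upload directory should either live outside the web root and be served through a download script, or carry an .htaccess that turns the PHP engine off for that directory (php_flag engine off, or RemoveHandler/RemoveType for .php) so that even a file the check missed cannot run.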

mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Fri Nov 16, 2012 8:47 pm

robertsm wrote:wouldn't it be best practice for 3rd party extensions to do the same MIME type check?
very logical

not sure why image files would be uploaded to a resume area.

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Fri Nov 16, 2012 10:27 pm

mandville - did you get the email from me regarding this issue, and if so is there any other information that I can provide?

joombah
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Fri Nov 16, 2012 1:25 am

Re: Website with Joombah Jobs Hacked

Post by joombah » Sat Nov 17, 2012 1:38 am

Email that I have replied to vel@ joomla.org (without the space):
Whilst the fake image file was found on your server and in the location of a JoomBah Jobs directory, I am still unable to repeat your findings. Uploading a PHP file in the resume upload section is not possible, nor will it be run if the extension is renamed to an allowed extension. The link to the fake image will only be downloaded by a user (in this case the employer) or if someone knows the link. The image produced will be a broken link for Chrome and Mozilla. For Internet Explorer we have found that it shows the PHP text file but does not run it.

To our disadvantage, I cannot prove that your JoomBah Jobs upload configuration was not modified beforehand to allow PHP, for whatever reason may have caused someone to gain access to your Joomla admin site.

Thank you for your detailed report and for your host's report, but unless we can repeat this or at least be shown how the upload (PHP file) was able to be uploaded with the JoomBah Jobs upload configuration allowable list, which does not include a PHP extension, we cannot deem this to be a bug.

To be clear, a PHP file cannot be uploaded due to the allowed settings as shown in the attachment. Nor can a fake image or document file be made runnable on the server (it will only be downloadable).
End email

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Sat Nov 17, 2012 11:40 pm

For those of you following this thread: The developer has acknowledged the vulnerability and is working on a patch/update.

sitesrus
Joomla! Ace
Joomla! Ace
Posts: 1469
Joined: Mon Nov 12, 2012 10:48 pm

Re: Website with Joombah Jobs Hacked

Post by sitesrus » Sun Nov 18, 2012 12:21 am

That's good! It's tough with Joomla, extensions, etc. too many wheels in motion...there's only so much you can do with a server so it's up to developers to address security issues and stay ahead of the curve.

I do believe there are security extensions in Joomla aimed at providing some added layers of protection, which is nice. I also do all I can on our end to screen out as much as possible to at least limit threats to humans. But again, with bad PHP code the humans will get right in there!
Last edited by mandville on Sun Nov 18, 2012 9:28 am, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65

mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website with Joombah Jobs Hacked

Post by mandville » Sun Nov 18, 2012 9:29 am

[topic locked as under investigation]

PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Website with Joombah Jobs Hacked

Post by PhilD » Sun Nov 18, 2012 12:33 pm

I understand locking the topic during investigation and to prevent unnecessary comments being posted during this time, but I feel the following issue has been ignored in the topic to this point and it is important enough to warrant an additional posting at this time.

An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practically wide open to hackers. This may have been a side effect (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site, providing incorrect results.

Giving execute permission to other is just about as good as being wide open (777) as it allows for execution of scripts placed within directories such as the one discussed.

Giving full (777) permissions to Group is just as bad if not worse.

Here is the number system in Unix:
  r w x
  4 2 1

This is what the OP site has for file permissions:
775 = rwx rwx r-x
  Owner has Read, Write and Execute
  Group has Read, Write and Execute
  Other has Read and Execute only

The permissions on files should be:
644 = rw- r-- r--
  Owner has Read and Write
  Group has Read only
  Other has Read only

Permissions on directories should be:
755 = rwx r-x r-x
  Owner has Read, Write and Execute
  Group has Read and Execute only
  Other has Read and Execute only
I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: http://forum.joomla.org/viewtopic.php?f=621&t=582854
PhilD
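The audit behind PhilD's recommendation, as an added example written for this thread (not from Joomla or from the forum): walk a site tree, list every path whose mode differs from 644 for files and 755 for directories, flag anything group- or world-writable, and optionally repair it. It assumes PHP runs as the files' owner on a single-owner host, the usual case the 644/755 advice addresses; the --fix flag, the function names and the throwaway demo tree (which reproduces the 775 modes from the thread) are all constructed for the example.

```php
<?php
// Added example, not from the thread or from Joomla. Audits a tree against
// files 644 / directories 755, flags group- or world-writable paths, and can
// repair them. With no argument it builds a constructed throwaway tree with
// the 775 modes from the thread and prints before/after; with a path it
// audits that site (add the hypothetical --fix flag to repair).
declare(strict_types=1);

const FILE_MODE = 0644;
const DIR_MODE  = 0755;

// 0775 -> "rwxrwxr-x", the notation used in the post above.
function symbolic(int $mode): string
{
    $out = '';
    foreach ([6, 3, 0] as $shift) {
        $bits = ($mode >> $shift) & 7;
        $out .= ($bits & 4 ? 'r' : '-') . ($bits & 2 ? 'w' : '-') . ($bits & 1 ? 'x' : '-');
    }
    return $out;
}

// One row per path whose mode differs from the target:
// [path, current mode, target mode, writable by group or other].
function audit(string $root, bool $fix = false): array
{
    $rows = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if ($info->isLink()) {
            continue;                       // never chmod through a symlink
        }
        $target = $info->isDir() ? DIR_MODE : FILE_MODE;
        $have   = $info->getPerms() & 0777;
        if ($have === $target) {
            continue;
        }
        $rows[] = [$path, $have, $target, (bool) ($have & 0022)];
        if ($fix && !chmod($path, $target)) {
            fwrite(STDERR, "chmod failed: $path\n");
        }
    }
    return $rows;
}

function report(string $title, array $rows): void
{
    echo "$title: " . count($rows) . " path(s) off target\n";
    foreach ($rows as [$path, $have, $target, $writable]) {
        printf("  %s %o (%s) -> %o%s\n", $path, $have, symbolic($have), $target,
            $writable ? '  [group/other writable]' : '');
    }
}

$root = $argv[1] ?? null;
$fix  = in_array('--fix', $argv, true);

if ($root === null) {
    // Constructed demo tree mirroring the thread: directories and an upload at 775,
    // plus a group-writable configuration.php. umask is bypassed with explicit chmod.
    $root = sys_get_temp_dir() . '/permdemo_' . bin2hex(random_bytes(4));
    mkdir("$root/images/jbjobs/pf", 0775, true);
    foreach ([$root, "$root/images", "$root/images/jbjobs", "$root/images/jbjobs/pf"] as $d) {
        chmod($d, 0775);
    }
    file_put_contents("$root/images/jbjobs/pf/upload.jpg", 'x');
    chmod("$root/images/jbjobs/pf/upload.jpg", 0775);
    file_put_contents("$root/configuration.php", '<?php');
    chmod("$root/configuration.php", 0664);

    report('before', audit($root));
    audit($root, true);
    report('after', audit($root));
    exit(0);
}

report($fix ? 'fixed' : 'found', audit($root, $fix));
```

Run it as the file owner from the CLI (php perms_audit.php /path/to/site, then again with --fix once the list looks right). The "[group/other writable]" marker is the one to read first: a path that anyone in the web server's group, or anyone at all, can write to is what lets an attacker who already has one foothold drop a second script, which is why PhilD notes that wrong permissions also invalidate any tests done on the site. On hosts where PHP runs as a different user from the file owner the targets differ, and the audit should be adjusted rather than applied blindly.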

robertsm
Joomla! Apprentice
Joomla! Apprentice
Posts: 42
Joined: Wed Sep 07, 2005 1:36 pm

Re: Website with Joombah Jobs Hacked

Post by robertsm » Sun Nov 18, 2012 2:46 pm

PhilD wrote:An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practically wide open to hackers. This may have been a side effect (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site, providing incorrect results.
PhilD wrote:I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: http://forum.joomla.org/viewtopic.php?f=621&t=582854
PhilD,
Thank you for this. Yes, this is an issue that needs to be addressed. When it first came up I thought it might be a Joombah installation issue, but I just installed a test/clean install of Joomla 2.5.8 with current release of Joombah. I then ran the FPA on this test install and I received no report of any elevated permissions. It would be exceedingly stupid of me to have set those permissions manually (there would be no reason to and I assure you I did not), so I'm left to assume that it is left over from the hacker.

Regarding the Security Checklist: I have gone over them, but obviously not addressed the file permissions. I did not change those items prior to running the FPA because I wanted to show as close as possible what the system environment was at the time of the hack (with the exception that I did upgrade Joomla ASAP after the event). Post-event I have also been working with my hosting tech support (ICDSoft) and they have been wonderful at assisting with the scanning & clean up.

Mea Culpa for the above. Those were my issues and not the developers.

Now to the meat & potatoes of the issue: Approximately 35 hours ago (9:30PM CST on Nov 16, 2012) the dev & I exchanged emails regarding this issue, on which [email protected] was CC'd. Have you seen or reviewed those emails? They are relevant to this issue.

Thanks again for bringing the file permission issue to my attention.

leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Website with Joombah Jobs Hacked

Post by leolam » Mon Nov 19, 2012 6:21 am

I do disagree completely indeed, so good that you retracted the Joombah finger pointing. Class! We have multiple sites with Joombah on our own servers and that extension has not been hacked. (I have sent a PMB to Mandville this morning, btw, related to another huge attack on all Joomla sites.)

This particular hack attempt described here we see on an hourly basis on all servers, and it is a very well-known exploit (php.hide). We have a mechanism in place that intercepts these attempts and quarantines these exploits before they even reach the server.

The simple fact is that if you have the front door wide open and you go out shopping, do not be amazed that the house is empty upon return. Still though, with a good hosting setup, even with 755 permissions it would not have reached the server if your host had proper security in place. Phil is 100% right here btw.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

