Pharmacy Hack aicontactsafe and xcalendar

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
mavaughan
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Aug 23, 2012 6:01 pm

Pharmacy Hack aicontactsafe and xcalendar

Post by mavaughan » Tue Aug 19, 2014 5:44 pm

I had a new intrusion loaded on my site yesterday, Somehow someone was able to install a plugin called xcalendar, it was installed in > plugins/system/xcalendar/.

It only appeared on the pages delivered by aicontactsafe. I notified the developer today.

It placed a new class file in the header, and injected "Canada Pharmacy" test in my <h1> tag. In the code I could see href tag that linked to the hacker site.

I found it by going to Manage Extensions and was looking for items that had no vendor names, install dates etc. Or information about it.

I unpublished it, and found the folder and set permissions to 000, that made it disappear from the site.

I am looking into the DB to see if anything is there.

I wanted to give folks heads up since it just happened yesterday, and others may have been affected.

I will post more as I find new info.

Joomla version 2.5.24.
aiContactSafe v.2.0.21c.stable

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Bernard T » Tue Aug 19, 2014 7:42 pm

VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mavaughan
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Aug 23, 2012 6:01 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by mavaughan » Wed Aug 20, 2014 4:05 pm

Bernard

I tried to run and it just hangs on the first screen and does not give a report... probably not good huh...

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Bernard T » Wed Aug 20, 2014 4:12 pm

mavaughan wrote:Bernard
I tried to run and it just hangs on the first screen and does not give a report... probably not good huh...
That's not a good sign. Please ask your hosting provider for assistance.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mavaughan
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Aug 23, 2012 6:01 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by mavaughan » Wed Aug 20, 2014 5:30 pm

Ok, I tried this located here.

http://forum.joomla.org/viewtopic.php?t=656394#p2766599

An now I get this error.

Warning: readdir() expects parameter 1 to be resource, boolean given in /services/webpages/html/sitename.com/fpa-en.php on line 1484

So I looked at line 1484 got this line of code:

// loop through the directory
while ( false !== ( $file = readdir( $dh ) ) ) {

Which was referenced with this comment box:

/** getDirectory FUNCTION TO RECURSIVELY READ THROUGH LOOKING FOR PERMISSIONS ************
** this is used to read the directory structure and return a list of folders with 'elevated'
** mode-sets ( -7- or --7 ) ignoring the first position as defaults folders are normally 755.
** $dirCount is applied when the folder list is excessive to reduce unnecessary processing
** on really sites with 00's or 000's of badly configured folder modes. Limited to displaying
** the first 10 only.
*****************************************************************************************/

Then I realized I wrote 000 over the permissions from the hacked directory. I changed these to 755 and it ran, will post. Just posting this in case someone else has the same self induced fail issue that I had...

mavaughan
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Aug 23, 2012 6:01 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by mavaughan » Wed Aug 20, 2014 5:43 pm

Forum Post Assistant (v1.2.4) : 20th August 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.24-Stable (Ember) 25-July-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 38207 (uid: /gid: ) | Group: 60 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 5.0.1.2.With.Authcache+Pxeboot_Cmdline_4096+socket_patch | Technology: i686 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /services/webpages/k/n/knowledgebiz.com/public | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 1 | Log Errors To: | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 250000000 | Max. POST Size: 250000000 | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.32-log (Client:5.1.70) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 28.66 MiB | #of Tables:  134
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mssql () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_sqlite (1.0.1) | Phar (2.0.1) | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | siteguard () | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | apache2handler () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_include | mod_filter | mod_deflate | mod_log_config | mod_env | mod_expires | mod_headers | mod_setenvif | mod_version | mod_proxy | mod_proxy_connect | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_ajp | mod_proxy_balancer | mod_ssl | prefork | http_core | mod_mime | mod_autoindex | mod_asis | mod_cgi | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_php5 | mod_substitute | mod_fpcgid | mod_wiredminds | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: WF_AGGREGATOR_VIMEO_TITLE (2.4.2) | WF_AGGREGATOR_[youtube]_TITLE (2.4.2) | WF_AGGREGATOR_VINE_TITLE (2.4.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.2) | WF_LINKS_JOOMLALINKS_TITLE (2.4.2) | K2 Links for JCE Link (2.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.2) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.2) | WF_POPUPS_WINDOW_TITLE (2.4.2) | WF_LINK_SEARCH_TITLE (2.4.2) | WF_ANCHOR_TITLE (2.4.2) | WF_ARTICLE_TITLE (2.4.2) | WF_AUTOSAVE_TITLE (2.4.2) | WF_BROWSER_TITLE (2.4.2) | WF_CHARMAP_TITLE (2.4.2) | WF_CLEANUP_TITLE (2.4.2) | WF_CLIPBOARD_TITLE (2.4.2) | WF_CONTEXTMENU_TITLE (2.4.2) | WF_DIRECTIONALITY_TITLE (2.4.2) | WF_FONTCOLOR_TITLE (2.4.2) | WF_FULLSCREEN_TITLE (2.4.2) | WF_IMGMANAGER_TITLE (2.4.2) | WF_INLINEPOPUPS_TITLE (2.4.2) | WF_KITCHENSINK_TITLE (2.4.2) | WF_LAYER_TITLE (2.4.2) | WF_LINK_TITLE (2.4.2) | WF_LISTS_TITLE (2.4.2) | WF_MEDIA_TITLE (2.4.2) | WF_NONBREAKING_TITLE (2.4.2) | WF_PREVIEW_TITLE (2.4.2) | WF_PRINT_TITLE (2.4.2) | WF_SEARCHREPLACE_TITLE (2.4.2) | WF_SOURCE_TITLE (2.4.2) | WF_SPELLCHECKER_TITLE (2.4.2) | WF_STYLE_TITLE (2.4.2) | WF_TABLE_TITLE (2.4.2) | WF_TEXTCASE_TITLE (2.4.2) | WF_VISUALBLOCKS_TITLE (2.4.2) | WF_VISUALCHARS_TITLE (2.4.2) | WF_XHTMLXTRAS_TITLE (2.4.2) | WF_FONTSELECT_TITLE (2.4.2) | WF_FONTSIZESELECT_TITLE (2.4.2) | WF_FORMATSELECT_TITLE (2.4.2) | WF_STYLESELECT_TITLE (2.4.2) | com_mailto (2.5.0) | com_wrapper (2.5.0) | iC rounded - iCagenda Theme (3.3.7) | CB Mamblog Tab (1.2) | CB Mambo Author Tab (1.2) | Yanc Integration (1.2) | CB Captcha (1.3) |
Components :: ADMIN :: com_admin (2.5.0) | aiContactSafe (1.0.0) | aiContactSafe module (1.0.13.stable) | aiContactSafe - Form (1.0.15.stable) | aiContactSafe - Link (1.0.10.stable) | aiContactSafe (2.0.21c.stabl) | Akeeba (3.11.3) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | Gantry (4.1.25) | com_installer (2.5.0) | Unknown (-) | JCE (2.4.2) | com_joomlaupdate (2.5.0) | mod_k2_comments (-) | mod_k2_comments (-) | COM_K2 (2.6.8) | K2 (2.5.4) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_newsfeeds (2.5.0) | com_plugins (2.5.0) | com_redirect (2.5.0) | RokCandy (1.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | iCagenda (3.3.8) | Admintools (3.0.3) | comprofiler (1.9.1) | comprofiler (1.9.1) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | K2 Comments (2.6.8) | K2 Content (2.6.8) | K2 Tools (2.6.8) | K2 User (2.6.8) | K2 Users (2.6.8) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | RokAjaxSearch (2.0.3) | RokNavMenu (2.0.7) | mod_search (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | mod_wrapper (2.5.0) | Social Media Icon Links (1.6.0) | iCagenda - Calendar (3.3.6) | Social Media Links Genius (1.001) | CB Login (1.9.1) | CB Workflows (1.9.1) | CB Online (1.9.1) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | K2 Quick Icons (admin) (2.6.8) | K2 Stats (admin) (2.6.8) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) | Google Analytics Dashboard (2.6) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | Content - Login to Read (1.3) | Content - RokBox (2.0.7) | plg_editors_codemirror (1.0) | plg_editors_jce (2.4.2) | plg_editors_tinymce (3.5.4.1) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokCandy (1.5.0) | Button - RokBox (2.0.7) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_k2 (2.6.8) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | Josetta - K2 Categories (2.6.8) | Josetta - K2 Items (2.6.8) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.4.2) | plg_quickicon_joomlaupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | Search - K2 (2.6.8) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | ICAGENDA_PLG_SEARCH (1.1) | plg_system_cache (2.5.0) | plg_system_debug (2.5.0) | System - Gantry (4.1.25) | plg_system_highlight (2.5.0) | System - jUpgrade (3.0) | System - K2 (2.6.8) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | plg_system_remember (2.5.0) | System - RokCandy (1.5.0) | System - RokExtender (2.0.0) | plg_system_sef (2.5.0) | System - iCagenda :: Autologin (1.2) | System - Google Analytics 4 Jo (1.0) | System - Mootools Upgrade (1.5) | System - RokBox (2.0.7) | plg_system_jlsecuremysite (1.0.2) | System - Admin Tools (3.0.3) | manage.myJoomla.com Secure Plu (n/a) | plg_system_xcalendar (1.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | User - K2 (2.6.8) | plg_user_profile (2.5.0) | User - MailIPAddress (2.0) |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | gantry (4.1.8) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_panacea (1.6.6) | rt_panacea_j15 (1.5.3) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Wed Aug 20, 2014 6:16 pm, edited 1 time in total.
Reason: Disabled smilies for readability

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19602
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by leolam » Thu Aug 21, 2014 6:25 am

@ Mods: Can we please move this to Joomla25 security forum? He runs J25

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Bernard T » Fri Aug 22, 2014 5:35 am

There are important issues visible in your FPA report:
  • server where you're hosted at runs PHP as Apache module (apache2handler), which is strongly discouraged for production since it brings user rights issues and you could get hacked through "neighbor" websites on the same server.
  • Register Globals: 1 that's a dangerous setting, should always be off
I would recommend you that you talk with you hoster and change the hosting environment as soon as possible.

We don't have any reports about aiContactSafe 2.0.21c having security issues, but 2.0.19 was vulnerable. If you get any response from the developer let us know.

In the meantime you should take standard steps in cleaning up your website and investigating the source of your website's infection. http://forum.joomla.org/viewtopic.php?f=621&t=582854
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

Alex Dobrin
Joomla! Hero
Joomla! Hero
Posts: 2486
Joined: Wed Jun 07, 2006 9:10 am
Location: Brasov - Romania
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Alex Dobrin » Sat Aug 23, 2014 3:40 am

I did reply to mavaughan's emails ( I'm the developer of aiContactSafe ).
He sent me a zip with that plugin and it is a system plugin that modifies the content of the Joomla pages using the "onAfterRender" event of Joomla.
I don't know why those changes are more evident or only evident on the pages generated with aiContactSafe. Could be some key words on those pages that generate that outcome.

I don't know of any vulnerability in the last version of aiContactSafe and am interested to fix it if any is found. But I don't think the problem described in this topic is generated in it.
My latest project - http://www.extraglaze.co.uk/

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Bernard T » Sat Aug 23, 2014 7:39 am

Hi Alex, and thanks for replying to this topic.

There are too few information from the mavaughan to state aiContactSafe was vulnerable, but it is a suspect according to his statements.

After some googling I found that xcalendar really is a malware. Can someone of you two send me this suspect plugin (xcalendar) so I'll take a closer look on it? Please PM me and I'll give you my email.

@mavaughan - if you did the cleanup and upgraded all extensions that can be upgraded, the entry point for the infection with xcalendar could (maybe) be detected going through access logs.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Mon Dec 29, 2014 11:17 pm

This is a few months later...but I have discovered the same plugin on one of my client's Web sites. The client had spotted text changing from a porn link to unlinked when he accessed one of his pages.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Mon Dec 29, 2014 11:55 pm

mavaughan wrote:I had a new intrusion loaded on my site yesterday, Somehow someone was able to install a plugin called xcalendar, it was installed in > plugins/system/xcalendar/....
Who has admin permissions to upload/install plugins on your site ? Have you scanned all computers that have ftp/Joomla admin/server CP access ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Mon Dec 29, 2014 11:58 pm

Two other uses had access, one publisher, one registered. I have closed them since they have never used them, far as I can tell. No, I haven't scanned my Mac, the only device with FTP and CP access. Guess that's next on my list. Joomla was on ver 2.5.24. I have just updated it to 2.5.28.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Tue Dec 30, 2014 12:30 am

artshotwell wrote:... I have just updated it to 2.5.28.
Without deleting all the files on the server you can not be certain you have eradicated the hack
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Tue Dec 30, 2014 1:30 am

No, I recon not. But,frankly, I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19602
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by leolam » Tue Dec 30, 2014 11:02 am

artshotwell wrote:No, I recon not. But,frankly, I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.
You do not have to.... Go to https://myjoomla.com/site/is/hacked and have Phil help you so you do not have to redo the site or run at least the free scan so you will know what is hiding where

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Tue Dec 30, 2014 3:13 pm

Wow! Thank you... I wasn't aware of Phil or his site. Art

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Tue Dec 30, 2014 5:05 pm

artshotwell wrote:... I don't know how to proceed if I delete all files on the server, unless I build the site again from the bottom up.
The files are not the site ... the database is the site. All the Joomla (and 3rd party extension) files do is put/get data to/from the database and fresh originals of those files are easily uploaded. And you surely have the originals of your image files.

Of course there are excellent services that can audit your site and maintain good security.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Tue Dec 30, 2014 8:15 pm

I do have all original files. I have backups from my last update. Running an audit now.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Wed Dec 31, 2014 12:05 am

artshotwell wrote:I do have all original files. I have backups from my last update. Running an audit now.
The original files that I am referring to are the files from the Joomla full package and the zip files of the 3rd party extensions. Backup files from thje last update are not original files and may contain hacks.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19602
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by leolam » Wed Dec 31, 2014 2:24 am

Webdongle wrote:
artshotwell wrote:I do have all original files. I have backups from my last update. Running an audit now.
The original files that I am referring to are the files from the Joomla full package and the zip files of the 3rd party extensions. Backup files from thje last update are not original files and may contain hacks.
All the files he is auditing will be exposed by Phil Taylor's program if containing any dirt at all. The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. You might want to test this yourself. First scan is free ....

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Wed Dec 31, 2014 3:36 am

leolam wrote:... All the files he is auditing will be exposed by Phil Taylor's program if containing any dirt at all. The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. You might want to test this yourself. First scan is free ....
But even if the free scan shows his files are clean there is still the complication of the files from 3rd party extensions. As I have explain several times (in the forum) ... even the extensions that use the same zip file for J2.5 and J3.x sometimes install different files depending on the version of Joomla that they are installed into.

As good as Phil's program is ... it may be an 'overkill' at this moment in time.

Given
artshotwell obviously has the basic skills of managing folders and exporting/importing sql files from to a database.
And
the site is broke but he still has the original database
And
it is prudent(where possible) to delete all the files on the server replacing them with fresh files
Then
restoring the site with fresh Joomla (and extension's) files before using the free scan would be the logical workflow.

leolam wrote:... The Suite is extremely powerful and we use it in all site restores from hacks avoiding all these rebuilds. ....
Do you get discount for promoting it so frequently in your posts ?

leolam wrote:... You might want to test this yourself. First scan is free ....
If it was not feasible for me to delete the files and replace with clean ones then yes I would use that service. But as my site is a small 'hobby' site then it is easy to delete/replace all the files.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19602
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by leolam » Wed Dec 31, 2014 4:01 am

Webdongle wrote: Do you get discount for promoting it so frequently in your posts ?
No but all the time you posting that they have to rebuild their site is simply plain wrong since it is not needed and yes don't post what you do not know about. (!) Myjoomla scans all files and folders including all extensions installed Kevin so comment when you know where you talk about and No I do not get commissions as you so kindly and offensively suggest (but what is new) but we do happen to use it to great satisfaction in cleansing hacked websites avoiding rebuilds.

And again the first site is free so test and than comment before shooting stray bullets since you clearly have no idea where you talk about as shown in your bold cycle of events as they should be according to Webdongle laws? (which is a misinterpretation of the way Myjoomla works) Example of not knowing:
Then
restoring the site with fresh Joomla (and extension's) files before using the free scan would be the logical workflow.
Myjoomla repairs them for you!

Cheers

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Wed Dec 31, 2014 10:17 am

leolam wrote:... but all the time you posting that they have to rebuild their site is simply plain wrong since it is not needed and yes don't post what you do not know about. (!) Myjoomla scans all files and folders including all extensions installed ...

And again the first site is free ... Myjoomla repairs them for you!
The effectiveness of the program is not in question nor is the fact that the first scan is free. But does the free first scan fix the hack for free as well ?

What is in question is whether artshotwell removes the hack by deleting all the files and replacing with fresh or has the free scan and pays for it to be fixed.

Are you saying that the free scan on the first site fixes the site for free as well ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Fri Jan 02, 2015 12:29 am

I have tried the free scan. It looks like there is a change for fixing. But, the free scan points to suspicious files. Not to guarantee it catches all of them. It reports many files that may be suspicious, but are clean. The website hack I reported on here is not my site, but one I built for a client. Unless I spot a continuing problem, I feel satisfied the site is clean now. But, I do suppose I could replace all files... but it would take me more time that I want to spend on that at this moment...as I say... unless I find a new or repeat problem. I appreciate the conversation here and will take it to heart.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37263
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by Webdongle » Fri Jan 02, 2015 1:32 am

Thanks for reporting the results. You may want to look at http://forum.joomla.org/viewtopic.php?f=621&t=582854 ... it will help you keep sites(you administrate) safe.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
artshotwell
Joomla! Explorer
Joomla! Explorer
Posts: 304
Joined: Mon May 28, 2007 5:40 pm
Location: Anacortes, Wash.

Re: Pharmacy Hack aicontactsafe and xcalendar

Post by artshotwell » Fri Jan 02, 2015 5:20 am

Thank you. Yes, I have reviewed that link and have, in fact, bookmarked it. Art


Locked

Return to “Security in Joomla! 2.5”