A hacked scenario that happened to me

Discussion regarding Joomla! 3.x security issues.

mojito
Joomla! Guru
Posts: 703
Joined: Wed Sep 07, 2005 10:18 pm
Location: London

A hacked scenario that happened to me

Post by mojito » Sun Nov 05, 2017 3:48 pm

Hi Guys

I am posting here for insight and also to share my experience.
I found that I was hacked on one of my sites. What was happening was that JS was getting inserted into the articles. I suspected first that this could have been a remote SQL injection into the intro article field of articles. The JS was not at all hidden either; it seems more to want to vandalise the site rather than hide links for SEO.

Did someone get my database password, as it is listed in the configuration file? It always worries me how shared hosting is a bit blasé about setting permissions etc. I am on a shared host. If they did, I am still told that a remote attack is not possible, and since changing the DB password and also the site password, all the bad data is back.

One interesting thing was that it seemed that my latest 2 articles, which I added, were not affected. So did the hack get inserted at a time when they knew which articles they could alter, so not looping through all? Maybe some kind of clue.

Has anyone seen this? I have had hacked sites that I managed to clean in the past, but this one seems to be recurring, suggesting the hack is a local script that is acting on behalf of Joomla, i.e. has control. Unless I can find what got changed then I won't be able to. So I am happy to start to look to get my host to rewind my site, or I start from a new Joomla install and spend the time to rebuild the site. Of course that is safer.

What I would have liked is some way I can run a check on the PHP files, like the checksums used to look at installers for programs to check for modifications. Does this exist? I have looked through the most obvious places where a script could have been inserted, but it really could be anywhere I suppose.

I have checked my local Mac for viruses and stuff and it comes back clean, so I am somewhat confident that people don't have my constantly changed passwords.

If there was some kind of way I could set up an SQL log that gave me the script path that made the call, this would be helpful. My host tells me this doesn't exist. I am not sure I always have confidence in shared hosting help; sometimes they leave files and lines of code.

So, advice for people, or if they have heard of this kind of hack too.

Thanks
Check out the 'bad toilet' online !
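The checksum comparison asked for in the post above is a plain tree hash, and the following is an added example (not code from the thread, from the poster, or from the Joomla project) of doing it in PHP so it can run on a shared host without a shell. It assumes a clean copy of the same Joomla version (the installed version string is in administrator/manifests/files/joomla.xml), plus the same versions of every extension and template, has been unpacked to a reference directory; $reference and $live are hypothetical paths. Two caveats: the comparison only covers files, so injected JavaScript stored in article rows in the database will not appear in it, and the reference copy must come from the vendor downloads, never from the server being checked.

```php
<?php
// Added example, not code from the thread or from the Joomla project.
// Compares a live Joomla tree against a clean reference copy of the same
// version by SHA-256 and reports files that were added, modified or removed.
// Hypothetical paths; run from the CLI on the host: php integrity_check.php
declare(strict_types=1);

// Paths that legitimately differ between reference and live (user content, caches,
// the configuration). Executable files under them are NEVER skipped: writable
// directories such as images/ and tmp/ are exactly where uploaded web shells land.
const SKIP_PREFIXES = ['configuration.php', 'images/', 'cache/', 'administrator/cache/',
                       'tmp/', 'logs/', 'administrator/logs/'];

function isExecutable(string $path): bool
{
    // .php, .php5, .phtml, .phar, .inc, including double extensions such as shell.jpg.php
    return (bool) preg_match('/\.(php\d?|phtml|phar|inc)$/i', $path);
}

function isSkipped(string $path): bool
{
    if (isExecutable($path)) {
        return false;
    }
    foreach (SKIP_PREFIXES as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** [relative path => sha256] for every regular file under $root. */
function hashTree(string $root): array
{
    $root   = rtrim($root, '/');
    $hashes = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

/** Diff two hash maps; executables are listed first in 'added' since they are the usual payload. */
function compareTrees(array $ref, array $live): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($live as $path => $hash) {
        if (isSkipped($path)) {
            continue;
        }
        if (!isset($ref[$path])) {
            $report['added'][] = $path;
        } elseif ($ref[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach ($ref as $path => $hash) {
        if (!isset($live[$path]) && !isSkipped($path)) {
            $report['removed'][] = $path;   // missing core files are worth noting too
        }
    }
    usort($report['added'], function ($a, $b) {
        return (int) isExecutable($b) - (int) isExecutable($a);
    });
    return $report;
}

$reference = '/home/user/clean-joomla';  // hypothetical: vendor download of the same versions
$live      = '/home/user/public_html';   // hypothetical: the site being checked

$report = compareTrees(hashTree($reference), hashTree($live));
foreach ($report as $kind => $paths) {
    printf("%s (%d)\n", strtoupper($kind), count($paths));
    foreach ($paths as $p) {
        printf("  %s%s\n", $p, isExecutable($p) ? '   <-- executable, read it' : '');
    }
}
```

Every 'added' executable and every 'modified' core file should be read rather than just deleted, because that is where the entry point usually shows itself; 'modified' entries inside a template you customised yourself are expected. A .php file under images/, tmp/ or cache/ is still reported even though those directories are otherwise skipped.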

dhuelsmann
Joomla! Master
Posts: 19656
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: A hacked scenario that happened to me

Post by dhuelsmann » Sun Nov 05, 2017 7:21 pm

There really is only one sure way to ensure you really have cleaned up your site.
Webdongle wrote: Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to an empty database and install 3rd party extensions, then edit the configuration.php.

Before you ask what other users ask: no, there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do

  a. Run the FPA and post the results in this forum
  b. Uninstall any untrusted/unwanted 3rd party extensions and templates https://vel.joomla.org/live-vel
  c. Delete all the files on the server
  d. Scan your computer and all computers that have server or Joomla admin access
  e. Change passwords
  f. Install Joomla (of the same version) to a new database. Install up-to-date 3rd party extensions (that are not on the VEL), then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  g. Change your Joomla SU/Admin passwords and check the users/groups/access levels are correct and have not been tampered with. Update your Joomla and run the FPA again
Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org
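The file wipe in the procedure above deliberately keeps the database, so anything the intruder stored there (extra accounts, as well as the injected JavaScript this thread is about) survives the reinstall; step g is the manual check for that. The following is an added example, not code from the thread or from the Joomla project, that does the account part of step g against a Joomla 3 database. It reads the site's own configuration.php (whose JConfig class carries host, user, password, db and dbprefix) and assumes the standard #__users, #__usergroups and #__user_usergroup_map tables; the 30-day window and the list of privileged group titles are assumptions to adjust.

```php
<?php
// Added example, not code from the thread or from the Joomla project.
// Step g of the procedure above, done against the database: list every account
// with its groups and flag what an intruder typically leaves behind. Run from the
// site root: php audit_users.php
// Assumes a Joomla 3 database with the standard #__users, #__usergroups and
// #__user_usergroup_map tables, and a readable configuration.php whose JConfig
// class carries host, user, password, db and dbprefix.

require __DIR__ . '/configuration.php';

$cfg = new JConfig();
$pdo = new PDO(
    "mysql:host={$cfg->host};dbname={$cfg->db};charset=utf8mb4",
    $cfg->user,
    $cfg->password,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC]
);
$p = $cfg->dbprefix;   // the site's real prefix replaces #__

// Assumptions to adjust: which group titles count as privileged, and how far back
// "recent" reaches. Titles are used rather than the stock numeric ids because a
// planted account can sit in a group the intruder created or renamed.
$privileged = ['Super Users', 'Administrator', 'Manager'];
$recentDays = 30;

$sql = "SELECT u.id, u.username, u.email, u.block, u.registerDate, u.lastvisitDate,
               GROUP_CONCAT(g.title ORDER BY g.title SEPARATOR ', ') AS groups
        FROM {$p}users u
        LEFT JOIN {$p}user_usergroup_map m ON m.user_id = u.id
        LEFT JOIN {$p}usergroups g ON g.id = m.group_id
        GROUP BY u.id, u.username, u.email, u.block, u.registerDate, u.lastvisitDate
        ORDER BY u.registerDate DESC";

$cutoff  = new DateTime("-{$recentDays} days");
$neverIn = ['0000-00-00 00:00:00', null];   // Joomla 3 stores "never logged in" either way
$flagged = 0;

foreach ($pdo->query($sql) as $row) {
    $groups = $row['groups'] === null ? [] : explode(', ', $row['groups']);
    $flags  = [];
    if (array_intersect($groups, $privileged)) {
        $flags[] = 'PRIVILEGED';
    }
    if (new DateTime($row['registerDate']) > $cutoff) {
        $flags[] = "REGISTERED <{$recentDays}d";
    }
    if ($flags && in_array($row['lastvisitDate'], $neverIn, true)) {
        $flags[] = 'NEVER LOGGED IN';   // privileged but never used: look twice
    }
    if (!$groups) {
        $flags[] = 'NO GROUP';          // not normal in Joomla; check how it got there
    }
    $flagged += $flags ? 1 : 0;
    printf("%-5d %-20s %-35s block=%d reg=%s  [%s]  %s\n",
        $row['id'], $row['username'], $row['email'], $row['block'],
        substr($row['registerDate'], 0, 10), $row['groups'] ?? '-', implode(', ', $flags));
}
printf("\n%d account(s) flagged; compare against the people you know have access.\n", $flagged);
```

Run it before re-pointing the fresh files at the old database and again afterwards. An account that holds admin rights but was registered on a date you do not recognise, or has never logged in, should be deleted rather than merely blocked, and its password change in step g then covers only the accounts you have decided to keep.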

Webdongle
Joomla! Master
Posts: 36918
Joined: Sat Apr 05, 2008 9:58 pm

Re: A hacked scenario that happened to me

Post by Webdongle » Sun Nov 05, 2017 8:41 pm

mojito wrote:...
I have checked my local mac for virus and stuff and it comes back clean so I am somewhat confident that people don't have my constant changed passwords....
If your site has been hacked then they don't need your passwords. They will have full access to your server.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein
Member of the CMS Release Team

effrit
Joomla! Guru
Posts: 846
Joined: Sun Nov 12, 2017 2:21 pm
Location: middle of Russia

Re: A hacked scenario that happened to me

Post by effrit » Sun Nov 12, 2017 5:49 pm

If it is just JS in articles, there is a high possibility you have an infected/bad extension in your browser,
something like the 'alldownloads' crap. So, in addition to the other suggestions, try using a clean browser without any extensions.

leolam
Joomla! Master
Posts: 19494
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: A hacked scenario that happened to me

Post by leolam » Mon Nov 13, 2017 5:24 am

effrit wrote: If it is just JS in articles, there is a high possibility you have an infected/bad extension in your browser.
Just a small option. See my post viewtopic.php?f=714&t=784055

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services


Re: A hacked scenario that happened to me

Post by leolam » Mon Nov 13, 2017 5:26 am

mojito wrote: If there was some kind of way I could set up an SQL log that gave me the script path that made the call, this would be helpful. My host tells me this doesn't exist. I am not sure I always have confidence in shared hosting help; sometimes they leave files and lines of code.
I would subscribe at myjoomla.com. This will give you all the info and restores properly. The first scan is free.



Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 3:11 pm

Thanks Leo, really intrigued by the notion that a Chrome extension might get access to the site admin password, perhaps, and make the changes. Trying to imagine how that could work. I have spent a week trying to track down the code and it's well hidden. I have removed a lot of redundant code too. I am rebuilding my site on the side and will switch eventually, but I am still kind of keen to find the code, to learn and see where the security flaw was.

So it is JavaScript inserted in most every article, but curiously it seems to not do the first article! I have SQL which cleans this now when it happens, and it is allowing me to keep my site online. I have also found other sites with the same JavaScript in the source. I turn off the JS in Chrome so I can get to their contact page and alert the website owner, who might be wondering why they are not getting enquiries.

I am now going to check out myjoomla.


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 3:42 pm

I have run the myjoomla tool and found the same lines that I did when I was grepping for evals, like
eval ($filecontent);
This is by a well-known template developer. Is it possible to have a Joomla line that emails me via the framework if this line gets executed, so I can get the content of $filecontent? Then I can rule out that file.


Re: A hacked scenario that happened to me

Post by Webdongle » Mon Nov 13, 2017 4:59 pm

mojito wrote:... I have spent a week trying to track down the code and it's well hidden. I have removed a lot of redundant code too. ...
You will be running around in circles. You might miss some hacked files, and even if you don't, the hackers can put more up while you are running around in circles. I suggest that you follow posting.php?mode=quote&f=714&p=3502069#pr3500902 or Leo's advice and get it done professionally: https://myjoomla.com/site/is/hacked


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 5:23 pm

If I have blocked the hackers' original access then I will be able to find everything, I would have thought. I am doing a rebuild on the side, as every good professional should (I am curious to track down the exploit, or at least the files). I am not sure what a different professional will do that I cannot do myself. Yes, there are people better than me, but just paying someone does not make them a professional, unfortunately, and there are no guarantees they will do a better job than me. I could pay a pro and the hack comes back; I go back to the 'pro' and they can say anything to not refund me, like "it's your host" etc.


Re: A hacked scenario that happened to me

Post by Webdongle » Mon Nov 13, 2017 5:35 pm

mojito wrote: If I have blocked the hackers' original access then I will be able to find everything, I would have thought.....
You think wrong, because one of the first things a hacker does is upload several files (in various places) so that they can access the server when you shut their first point of entry.


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 5:49 pm

So, Mr Pro, what does a pro do then, if this is an impossible way? I think you are trying to say that they can hit my page from a remote server, calling their own malicious code in my files. Yes, I understand this scenario; removing that code stops them. If they have multiple, I will need to find them all at once. How will a pro do this differently? I'm clearly an amateur.
The other scenario is that their code is being called in the natural run-through of the Joomla application. I saw no suspicious POST requests for the first scenario, making me think that it is happening as the site does its normal thing.

If I follow the pro course of action then they rebuild it? That is what I am already doing on the side, but I am still asking for help here because I want to learn and be less amateur. But I am not convinced that a pro will be able to do much that I myself cannot do at this stage, and yes, I may be wrong again.


Re: A hacked scenario that happened to me

Post by dhuelsmann » Mon Nov 13, 2017 5:59 pm

mojito wrote: So, Mr Pro, what does a pro do then, if this is an impossible way?
As I pointed out to you earlier in this thread, follow the steps I posted from Webdongle to completely remove ALL files. Your website is really your database. Once you remove all files, you reinstall Joomla in your original version and create a blank database. Once reinstalled, you re-point Joomla back to your original database. Trying to hunt your way through all the files to find the hacked portions is not going to be successful, period.


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 6:49 pm

I have managed to clean files successfully for a site in the past, so it has already worked out for me before. As I have stated, I am doing a rebuild in parallel. The reason I want to find the script is to get a clue (though that is unlikely) where the weakness was, BECAUSE even with a rebuild, if the weakness is still there then you can simply get reinfected.
I have minimally used just a template and a couple of plugins to minimise risk. I will be using Akeeba to monitor the file system in future.

I also have a T3 assets folder with JS files which could be malicious; indeed the vandalism is JS, but what is writing the JS cannot exist in the JS. It is quite an amount of JS, which I am surprised that no tools have yet found, even long hex or other options, which makes me think that the JS comes in remotely. I would have thought that I could find calls somewhere.
Is there no quick framework way to email myself any eval code which I suspect, on the line before the eval?
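The "email myself the eval code on the line before the eval" idea asked about twice above is sound, and the following is an added example, not code from the thread, from the poster, or from the template vendor, of doing it. The helper goes on the line before the existing eval($filecontent); and records the payload; the eval itself stays exactly as it was, because eval() runs in the calling scope and moving it into a wrapper function would break any payload that reads the template's local variables. The paths and the alert address are hypothetical; the log directory is assumed to exist outside the web root and be writable by the PHP user.

```php
<?php
// Added example, not code from the thread, the poster or the template vendor.
// Usage in the suspect template file (hypothetical path for the include):
//     require_once '/home/user/private/log_eval_payload.php';
//     log_eval_payload($filecontent, __FILE__ . ':' . __LINE__);
//     eval ($filecontent);                 // the original line, left untouched
// The eval stays where it is because eval() runs in the calling scope; a
// wrapper function would hide the template's local variables from the payload.

const EVAL_LOG   = '/home/user/private/eval.log';    // assumed: outside web root, writable
const EVAL_SEEN  = '/home/user/private/eval.seen';   // one sha256 per line, already alerted
const ALERT_MAIL = 'you@example.com';                // hypothetical

/** Append one JSON line describing $code and mail the first sighting of each payload. Returns the sha256. */
function log_eval_payload($code, $origin)
{
    $code   = (string) $code;
    $digest = hash('sha256', $code);
    $entry  = [
        'time'   => date('c'),
        'origin' => $origin,                              // file:line of the eval
        'uri'    => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '(cli)',
        'ip'     => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '(none)',
        'sha256' => $digest,
        'length' => strlen($code),
        'code'   => base64_encode($code),                 // keeps the entry on one line
    ];
    // LOCK_EX: concurrent requests must not interleave half-written lines.
    file_put_contents(EVAL_LOG, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);

    // Alert once per distinct payload; a busy page would otherwise mail on every hit.
    $seen = file_exists(EVAL_SEEN) ? file(EVAL_SEEN, FILE_IGNORE_NEW_LINES) : [];
    if (!in_array($digest, $seen, true)) {
        file_put_contents(EVAL_SEEN, $digest . "\n", FILE_APPEND | LOCK_EX);
        mail(ALERT_MAIL, "eval() payload at {$origin}",
             "sha256 {$digest}\nlength " . strlen($code) . "\n\n{$code}");
    }
    return $digest;
}

/** Offline reading of the log: each distinct payload once, with first sighting, count and origin. */
function summarise_eval_log($logFile = EVAL_LOG)
{
    if (!file_exists($logFile)) {
        return [];
    }
    $byHash = [];
    foreach (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || !isset($e['sha256'])) {
            continue;   // skip damaged lines
        }
        $h = $e['sha256'];
        if (!isset($byHash[$h])) {
            $byHash[$h] = ['first' => $e['time'], 'origin' => $e['origin'], 'count' => 0,
                           'code'  => base64_decode($e['code'])];
        }
        $byHash[$h]['count']++;
    }
    foreach ($byHash as $h => $info) {
        printf("%s  first seen %s  hits %d  from %s\n%s\n\n",
               substr($h, 0, 16), $info['first'], $info['count'], $info['origin'], $info['code']);
    }
    return $byHash;
}

// php log_eval_payload.php summary   -> print what has been eval'd so far
if (PHP_SAPI === 'cli' && isset($argv[1]) && $argv[1] === 'summary') {
    summarise_eval_log();
}
```

If the decoded payload turns out to be ordinary compiled template code, the file is ruled out, which is what the post asks for; if it is obfuscated, decodes a hidden string, or fetches something from a remote URL, that is the file. The log lives on the same host the intruder may still control, so copy it off regularly and do not treat it as the only record.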


Re: A hacked scenario that happened to me

Post by Webdongle » Mon Nov 13, 2017 7:55 pm

mojito wrote: So, Mr Pro, what does a pro do then, if this is an impossible way? I think you are trying to say that they can hit my page from a remote server, calling their own malicious code in my files. Yes, I understand this scenario; removing that code stops them. If they have multiple, I will need to find them all at once. How will a pro do this differently? I'm clearly an amateur.....
A security professional has many tools and years of experience to chase/eradicate malicious code.

Once a hacker has hacked your site they have as much control over your server as you do. They can navigate the server (using the GUI of the script that they uploaded) and edit any file in any folder on your server. If you have more than one site they can infect all the sites. They can put files on your site that infect visiting computers. They can infect your image files (including ones on other sites).

So even if you find the initial files you also have to find the genuine files that they have infected. Even if you manage to do that ... by the time you have done that they have your FTP passwords. You can change your passwords, but if you do that when they still have hacks hidden then they just steal your new passwords. If you don't change your passwords soon after deleting the files (and checking the computers) they just upload their hack files again.

Hackers love users who 'cherry pick' the hacks because it gives them time to post the hacks on hack forums. Then other hackers access your site to 'play' on your server. And all the time that is going on increases the chance of your host closing your site. That's why inexperienced users are advised to delete ALL the files.

mojito wrote:...
If I follow the pro course of action then they rebuild it? That is what I am already doing on the side, but I am still asking for help here because I want to learn and be less amateur. ...
While you are rebuilding the site the hackers still have access to the server. If you are rebuilding the site in a folder on the server but have not deleted all the files, then your new rebuild can be infected. If you want to learn then listen to the advice, because it is the best advice that can be given to an inexperienced user.

mojito wrote:.... But I am not convinced that a pro will be able to do much that I myself cannot do at this stage, and yes, I may be wrong again.
Of course they would, because they have years of experience and training to enable them to identify all the compromised files without needing to delete all the files. Those years of experience and training cannot be condensed into a few forum posts.


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 8:29 pm

So on a shared server any 'new' clients the web host gets, and other neighbours, can also be infected. Of course they could be, if the host is bad and permissions are not well set up. I don't actually think my host is bad. Yes, their first and second lines of support are often lacking, but I assume it's PROS who set up the security. I have set up VPSs with different users per website to stop that very situation, so that scripts cannot work across 'sites'; the site files belong to the user/group just for that site.
I have created the new site as a different site, but it is likely to share the same space on the shared host, as do all my neighbours. There are good hosts out there, and I am listening to the advice, but I am trying to weigh things up and assess the risk. I cannot see how a GUI can be running when there are no foreign files and the images have all been checked.
Why can a forum post not tell us the secrets of cleaning? If there are any. At the end of the day it's just files and a database. We can search both of those and find the malicious code. I do accept experience as a factor, and learning, but training..[cough..cough] not sure I saw any of that in my experience. Again, I am probably wrong.


Re: A hacked scenario that happened to me

Post by effrit » Mon Nov 13, 2017 8:43 pm

@mojito, you can do it by yourself. It's just a matter of time and effectiveness.
For example, we (the Russian community) often use the scanner https://revisium.com/aibo/
I also tried this and it was hard in "paranoid mode" because of the large amount of false-positive strings.
Still, you have a chance to help yourself. If you have the time and possibility, why not?


Re: A hacked scenario that happened to me

Post by Webdongle » Mon Nov 13, 2017 9:39 pm

mojito wrote:... I cannot see how a GUI can be running when there are no foreign files and the images have all been checked....
The operative phrase in that sentence is "when there are no foreign files". Deleting all the files makes sure of that, but 'cherry picking' does not always make it so.

mojito wrote:...
Why can a forum post not tell us the secrets of cleaning? If there are any. At the end of the day it's just files and a database. We can search both of those and find the malicious code, ...
Because many years of experience can't be condensed into a few posts. Yes, it is finding files, but knowing how to look for them takes time to learn. Saying 'I can search and delete files, please tell me how to find hack files' is like saying 'I can cook a meal, please teach me how to cook in a restaurant for 30 people at each sitting'.

mojito wrote:... I do accept experience as a factor, and learning, but training..[cough..cough] not sure I saw any of that in my experience. Again, I am probably wrong.
You are not wrong per se ... if you want to learn by trial and error that is fine. All I am saying is don't expect to get all the hack files unless you delete the files from the server. When you have learned, then tell me which you think is quickest ... deleting the files, then installing a fresh Joomla and 3rd party extensions and editing the configuration.php, or checking all the files that are on the server and updating the 3rd party extensions.

How long does it take to install Joomla + visit 3rd party sites, download and install the 3rd party extensions
compared to
checking all files .............................. + visit 3rd party sites, check versions, download and update old extensions?
The difference = the time between installing Joomla and checking all files.
Joomla installs in a few minutes; that's much quicker than checking all files!!!


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 10:00 pm

Yes, it could be (is probably) faster to do the rebuild. I think it becomes an addiction to find the needle. I was worried that a rebuild might not fix it if I was using a weak plugin, say a form component that is not really doing a great job. It's tough to know how a developer is doing on security. They all get worried/offended when you mention you have had an intrusion. Thanks all for your help. I will get the rebuild done and cross my fingers.


Re: A hacked scenario that happened to me

Post by Webdongle » Mon Nov 13, 2017 10:18 pm

mojito wrote:.... I think it becomes an addiction to find the needle. ...
For some people yes :)

mojito wrote:....... I was worried that a rebuild might not fix it if I was using a weak plugin, say a form component that is not really doing a great job. It's tough to know how a developer is doing on security. They all get worried/offended when you mention you have had an intrusion......
Steps #a and #b deal mostly with that.

A reputable extensions developer will be proud to show they want their extension to be secure.


Re: A hacked scenario that happened to me

Post by mojito » Mon Nov 13, 2017 10:44 pm

Penetration testing for developer plugins applies here! :)

