Suddenly, accounts don't require a password

Post by SamD » Thu Jun 28, 2018 7:08 pm

I was made aware today that suddenly, none of the accounts on our site require a password to log in. All you need is the username and the ability to hit the Enter key. To be clear, this is all accounts (except for the Administrator account, apparently) and all of the accounts have passwords set. Joomla is just ignoring them. I don't really have a good idea on where to start looking to fix this. Anyone have any ideas?

Thanks,
Sam

Re: Suddenly, accounts don't require a password

Post by toivo » Thu Jun 28, 2018 7:33 pm

Your version of Joomla was out of date and out of support almost six years ago, therefore it has been vulnerable and you have been lucky. Of course there could be other reasons but it is likely that your site has been hacked.

Please post the output from the Forum Post Assistant (FPA) by following the instructions at viewtopic.php?f=621&t=582860 so that others can see if there is something else in the configuration that could explain the issue.
Toivo Talikka, Global Moderator

Re: Suddenly, accounts don't require a password

Post by SamD » Thu Jun 28, 2018 7:47 pm

Thanks. Yeah, it's WAY out of date. I inherited the system a few years ago and it was out of date then. I tried once to clone the VM it's running on and do all of the updates it would take to get things current, but I only got a couple of iterations in before it wouldn't go any further successfully. Since then, I've just been trying to keep things running as best as possible. I'll run the FPA thing and post the results ASAP.

Thanks again!
-Sam

Re: Suddenly, accounts don't require a password

Post by SamD » Fri Jun 29, 2018 1:19 pm

Problem Description :: Forum Post Assistant (v1.4.3 (Frosty)) : 29th June 2018
No passwords required to enter site

Forum Post Assistant (v1.4.3 (Frosty)) : 29th June 2018

Basic Environment ::
Joomla! Instance :: Joomla! 1.5.17-Stable (Wojmamni ama woobusani) 27-April-2010
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | CacheTime: 30 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 180 | Session handler: none | Shared sessions: N/A | SSL: 1 | Error Reporting: 6143 | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | dbConnection Type: mysqli | PHP Supports J! 1.5.17: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.28-19-server | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 10.47 GiB |

PHP Configuration :: Version: 5.2.6-3ubuntu4.6 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 67108864

Database Configuration :: Version: 5.0.75-0ubuntu10.5 (Client:5.0.75) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 91.69 MiB | #of Tables: 93
Detailed Environment ::
PHP Extensions :: zip (2.0.0) | xmlwriter (0.1) | libxml () | xml () | wddx () | tokenizer (0.1) | sysvshm () | sysvsem () | sysvmsg () | session () | SimpleXML (0.1) | sockets () | soap () | SPL (0.2) | shmop () | standard (5.2.6-3ubuntu4.6) | Reflection (0.1) | posix () | mime_magic (0.1) | mbstring () | json (1.2.1) | iconv () | hash (1.0) | gettext () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $) | dom (20031129) | dba () | date (5.2.6-3ubuntu4.6) | ctype () | calendar () | bz2 () | bcmath () | zlib (1.1) | pcre () | openssl () | xmlreader (0.1) | apache2handler () | gd () | mcrypt () | mssql () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | Zend Engine (2.2.0) |
Potential Missing Extensions :: curl |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_log_config | mod_logio | prefork | http_core | mod_so | mod_alias | mod_auth_basic | mod_authn_file | mod_authz_default | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_cgi | mod_deflate | mod_dir | mod_env | mod_headers | mod_mime | mod_negotiation | mod_php5 | mod_rewrite | mod_setenvif | mod_speling | mod_ssl | mod_status | Apache |
Potential Missing Modules :: mod_expires | mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (775) | components/ (775) | modules/ (775) | plugins/ (775) | language/ (775) | templates/ (775) | cache/ (775) | logs/ (775) | tmp/ (775) | administrator/components/ (775) | administrator/modules/ (775) | administrator/language/ (775) | administrator/templates/ (775) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: images/ (775) | images/.svn/ (775) | images/.svn/prop-base/ (775) | images/.svn/props/ (775) | images/.svn/text-base/ (775) | images/.svn/tmp/ (775) | images/.svn/tmp/prop-base/ (775) | images/.svn/tmp/props/ (775) | images/.svn/tmp/text-base/ (775) | images/smilies/ (775) |
Database Information ::
Database statistics :: Uptime: 6302863 | Threads: 1 | Questions: 46144563 | Slow queries: 0 | Opens: 1988 | Flush tables: 1 | Open tables: 64 | Queries per second avg: 7.321 |

Extensions Discovered ::
Components :: SITE ::
Core :: Wrapper (1.5.0) | Wrapper (1.5.0) | User (1.5.0) | User (1.5.0) | MailTo (1.5.0) | MailTo (1.5.0) |
3rd Party::

Components :: ADMIN ::
Core :: Control Panel (1.5.0) | Control Panel (1.5.0) | Template Manager (1.5.0) | Template Manager (1.5.0) | Plugin Manager (1.5.0) | Plugin Manager (1.5.0) | Content Page (1.5.0) | Content Page (1.5.0) | Banners (1.5.0) | Banners (1.5.0) | Configuration Manager (1.5.0) | Configuration Manager (1.5.0) | Cache Manager (1.5.0) | Cache Manager (1.5.0) | Mass Mail (1.5.0) | Mass Mail (1.5.0) | User Manager (1.5.0) | User Manager (1.5.0) | Menus Manager (1.5.0) | Menus Manager (1.5.0) | Language Manager (1.5.0) | Language Manager (1.5.0) | Contact Items (1.0.0) | Contact (1.5.0) | Contact Items (1.0.0) | Module Manager (1.5.0) | Module Manager (1.5.0) | Search (1.5.0) | Search (1.5.0) | Newsfeeds (1.5.0) | Newsfeeds (1.5.0) | Media Manager (1.5.0) | Media Manager (1.5.0) | Frontpage (1.5.0) | Frontpage (1.5.0) | Installation Manager (1.5.0) | Installation Manager (1.5.0) | Messaging (1.5.0) | Messaging (1.5.0) | Trash (1.0.0) | Trash (1.0.0) |
3rd Party:: registerprod (1.0) | eXtplorer (2.1.5) | EnvExp (1.0) | EnvExp (1.0) | Xmap (1.2.2) | Content Plugin (1.0.2) | EnvExp Plugin (1.0.0) | Content Plugin (1.0.2) | EnvExp Plugin (1.0.0) | Xmap (1.2.2) | Chrono Comments (1.2) | jDownloads (1.8.3 Stable ) | Tag Meta (1.2) | ProWeigh (1.00) | vfm (1.0.7dev) | vfm (1.0.7dev) | ccquery (0.1.0) |

Modules :: SITE ::
Core :: Poll (1.5.0) | Poll (1.5.0) | Banner (1.5.0) | Banner (1.5.0) | Custom HTML (1.5.0) | Custom HTML (1.5.0) | Menu (1.5.0) | Menu (1.5.0) | Syndicate (1.5.0) | Syndicate (1.5.0) | Archived Content (1.5.0) | Archived Content (1.5.0) | Statistics (1.5.0) | Statistics (1.5.0) | Most Read Content (1.5.0) | Most Read Content (1.5.0) | Related Items (1.0.0) | Related Items (1.0.0) | Wrapper (1.0.0) | Wrapper (1.0.0) | Search (1.0.0) | Search (1.0.0) | Who\'s Online (1.0.0) | Who\'s Online (1.0.0) | Sections (1.5.0) | Sections (1.5.0) | Login (1.5.0) | Login (1.5.0) | Breadcrumbs (1.5.0) | Breadcrumbs (1.5.0) | Feed Display (1.5.0) | Feed Display (1.5.0) | Random Image (1.5.0) | Random Image (1.5.0) | Latest News (1.5.0) | Latest News (1.5.0) | Footer (1.5.0) | Footer (1.5.0) | Newsflash (1.5.0) | Newsflash (1.5.0) |
3rd Party:: Vinaora Nivo Slider (1.5.0) | EnvExp Questions (1.5.0) | EnvExp Questions (1.5.0) | EnvExp Related Items (1.5.0) | EnvExp Related Items (1.5.0) | EnvExp Product Categories (1.5.0) | EnvExp Product Categories (1.5.0) | mod_coinslider (1.3.1) | Banner Slider (0.2) | Flexi Custom Code (1.0) | ConstantContact (1.0.7) | Nice Social Bookmark (1.5.6) | ARI Image Slider (2.0.5) | Simple File Lister v1.0 (1.0) | EnvExp Featured Items (1.5.0) | EnvExp Featured Items (1.5.0) |

Modules :: ADMIN ::
Core :: Popular Items (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Quick Icons (1.0.0) | Custom HTML (1.5.0) | Custom HTML (1.5.0) | Logged in Users (1.0.0) | Logged in Users (1.0.0) | Items Stats (1.0.0) | Items Stats (1.0.0) | Admin Menu (1.0.0) | Admin Menu (1.0.0) | Unread Items (1.0.0) | Unread Items (1.0.0) | Toolbar (1.0.0) | Toolbar (1.0.0) | Latest News (1.0.0) | Latest News (1.0.0) | Title (1.0.0) | Title (1.0.0) | Login Form (1.0.0) | Login Form (1.0.0) | Feed Display (1.5.0) | Feed Display (1.5.0) | Admin Submenu (1.0.0) | Admin Submenu (1.0.0) | Online Users (1.0.0) | Online Users (1.0.0) | Footer (1.0.0) | Footer (1.0.0) | User Status (1.5.0) | User Status (1.5.0) |
3rd Party::

Plugins :: SITE ::
Core :: Content - Pagebreak (1.5) | Content - Example (1.0) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Vote (1.5) | Content - Load Modules (1.5) | Content - Page Navigation (1.5) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - Vote (1.5) | Content - Example (1.0) | Content - Page Navigation (1.5) | Content - Code Highlighter (Ge (1.5) | System - Log (1.5) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - SEF (1.5) | System - Legacy (1.5) | System - Remember Me (1.5) | System - Debug (1.5) | System - Legacy (1.5) | System - Cache (1.5) | System - SEF (1.5) | System - Backlinks (1.5) | System - Remember Me (1.5) | System - Log (1.5) | User - Joomla! (1.5) | User - Example (1.0) | User - Example (1.0) | User - Joomla! (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Button - Readmore (1.5) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Search - Newsfeeds (1.5) | Search - Weblinks (1.5) | Search - Categories (1.5) | Search - Sections (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Weblinks (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - LDAP (1.5) | Authentication - Example (1.5) | Authentication - OpenID (1.5) | Authentication - Joomla (1.5) | Authentication - GMail (1.5) | Editor - XStandard Lite for Jo (1.0) | Editor - XStandard Lite for Jo (1.0) |
3rd Party:: Content - ChronoComments (1.2) | Content - ChronoComments (1.2) | System - SEOSimple (2.0) | jDownloads - System Plugin (1.2) | System - Tag Meta (1.2) | User - EnvExp (1.0) | User - EnvExp (1.0) | Button - Xmap Link (1.0) | Button - Xmap Link (1.0) | Search - EnvExp Products (1.5) | Search - EnvExp Products (1.5) | Authentication - EnvExp (1.5) | Authentication - EnvExp (1.5) | Editor - TinyMCE 3 (3.2.6) | Editor - None (1.0) | Editor - TinyMCE 3 (3.2.6) | Editor - TinyMCE 3.2.2.3 (3.2.2.3) |
Templates Discovered ::
Templates :: SITE :: envexp (1.0) | envexp (1.0) | envexp (1.0) |
Templates :: ADMIN :: Khepri (1.0) | Khepri (1.0) |

