Website found with hack code Topic is solved

[Achaa]

I'd appreciate some advice please.

(Long story short)
A little reverse engineering has led me to a website with active shell code still online.
The link is accessed via a $_GET call from a script on a compromised site.

The website doesn't have any pages displayed, so you'd have to know the exact link to get to the bad code.
I feel that this should be reported. But to whom?

Advice appreciated.

[sozzled]

I feel that this should be reported. But to whom?

In the first instance, report the issue to the person who owns (or is responsible for managing) the website.

Does it matter to anyone if this website contains a security flaw that has compromised this website? Is there a possibility that this security compromise will affect any of your websites (or any of mine), for that matter? There have got to be hundreds of thousands of websites on the internet that have security issues. I don't know if there's a great deal of benefit to anyone by reporting just another website (wherever there may be registries of compromised websites on the internet) because, frankly, I don't think any of us has the time to check if any of the sites we visit may be on a list.

If the compromised website is indexed by Google, you could report the matter to Google (I guess). Unless this problem is related to Joomla security and, in particular, to the security of websites used by this forum community, I somehow see this as a discussion for "The Lounge". Cheers.

[Achaa]

The compromised website was (is) a Joomla website. It wouldn't have occured to me to ask this question here if it wasn't.

The owner is aware, as he asked me to look into it. I have no idea if (or how) it would affect anyone else as I removed the code.
(I went through the logs and found how it was activated and then replicated it offline.)
After following the trail and finding the code, I went through the usual decoding routines and found the shell code. What they were going to do with it - again, I have no idea.

As far as I am concerned the website is still compromised as I have no idea how they got the initial code onto the server. It's no longer my concern as they will need to get it looked at by a pro.

What I feel is my concern, is that the shell code is just sitting there waiting to be downloaded by more compromised (Joomla?) sites.
Which of course leads me to my initial question.

[AMurray]

On the message list for this sub-form (Security in Joomla) there is a post instructing how to recover from a hack: viewtopic.php?f=714&t=946026 - suggest following that in the first instance.

[Achaa]

Hi A Murray, thanks for your input.

I don't believe this site is compromised. I believe it is deliberately and maliciously serving the code to sites that are compromised.

[annahersh]

If you are concerned that a third party extension is the culprit, report at https://vel.joomla.org/submit-vel

[Webdongle]

Hi A Murray, thanks for your input.

I don't believe this site is compromised. I believe it is deliberately and maliciously serving the code to sites that are compromised.

If it was code added to the site (whether it directly affects the site or serves malicious code to other site) then the site has been compromised.

[Achaa]

Sorry to push this point, I just want to make sure I'm understanding this clearly.

Are you saying that a website, that is set-up with the sole intention of delivering malicious code - is compromised?

[Webdongle]

...
Are you saying that a website, that is set-up with the sole intention of delivering malicious code - is compromised?

I am a little confused here ... is the site you are talking about a site that that you are helping to administrate? Is that the site that is set up to distribute malicious code?

[Achaa]

ok, there are two sites involved.

Site A: Belongs to a friend.
A directory on site A, contained code that led to site B.
The link on site B contains shell code. (This would be downloaded if someone triggered the code by entering a certain string.)

Site B: Appears to be completely blank.
It does however contain the shell code, but you'd only know that by following the path from site A.

As far as I can see, site B only exists to serve up bad code.

[Webdongle]

...
Site A: Belongs to a friend.
A directory on site A, contained code that led to site B....

Then I say again
If it was code added to the site (whether it directly affects the site or serves malicious code to other site) then the site has been compromised.

In other words your friends site that has had code added to it (that may not directly affect his site but serves code to another site) has been compromised. By virtue of the fact that your friends site contains code that was placed by someone else ... then it has been compromised. Follow the instructions and links on viewtopic.php?f=714&t=946026 or hire a professional to clean and secure the site.

[Achaa]

It seems we have severely crossed wires here.

I am aware of what you are saying. Really.

As far as I am concerned the website is still compromised as I have no idea how they got the initial code onto the server. It's no longer my concern as they will need to get it looked at by a pro.

It no longer has anything to do with me.
I was just concerned that Site B is sitting there with code on it ready to infect other sites.

What I feel is my concern, is that the shell code is just sitting there waiting to be downloaded by more compromised (Joomla?) sites.

[Webdongle]

Then use https://centralops.net/co/ to find who their Host is and report it there ?

[sozzled]

I don't think there is a problem for this forum/community. There may be a problem for the owner of the website but as the OP is not the owner of the website then it's stretching a point to ask for advice concerning what might be possible for the OP to consider in these circumstances.

While it is a "community responsibility" to be aware of risks in using the internet there are two matters that, in my opinion, fall outside of the purpose of this forum:

1) This is not a place to publicly name (or shame) other people's websites. Unless the site owners of these websites are also members of the community, it is unfair to publicly criticise someone else's website without offering the owner of that website the opportunity to respond.

2) There is no obligation on anyone to rectify any problem(s)—even problems that may pose a security risk to others—but, if there is a matter of concern, there are other means outside the use of this forum that are available. Websites that are involved with illegal activities (e.g. phishing scams, ransomware, etc.) can be reported to local law enforcement authorities; websites that redirect their visitors to disreputable or unwanted services/providers can be reported to consumer watchdog authorities.

Websites that have been compromised (i.e. hacked without the owner's knowledge) are a different matter. If someone is aware that a website has been compromised like this, then that same "someone" may attempt to contact the site owner to inform them of the matter; it's entirely a matter for the owner of that site to rectify the issue. It is not our task to comment on how to go about making that contact, whether the issue warrants attention or whether the issues raised in this forum have any impact on (a) individual sites, (b) the reputation of a website, or (c) the the community at large unless there is evidence to show how these matters are relevant or important.

Finally, if the OP is not involved with the problem site or is "no longer involved" with the problem site then the OP should probably leave this issue alone. The problem is for someone else—not a member of this forum community—to address or not as they choose.

Not a "Security in J! 3.x" topic, in my opinion; more like a discussion for The Lounge. I've asked the forum moderators to relocate the topic on that basis.

[Achaa]

Then use https://centralops.net/co/ to find who their Host is and report it there ?

Thank you.