Discuss: A long day...

A place to discuss recent announcements made by the Joomla! Core Team. Let's hear what you have to say.
User avatar
louis.landry
Joomla! Ace
Joomla! Ace
Posts: 1388
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California
Contact:

Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 9:40 am

In reference to: http://forum.joomla.org/index.php/topic,203290.0.html

Discuss here.

Thanks,

Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18729
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 9:46 am

A long day indeed... and night... hehe  :laugh:
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
louis.landry
Joomla! Ace
Joomla! Ace
Posts: 1388
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California
Contact:

Re: Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 9:47 am

Yes ... it is nearly 5am now ... and I am exhausted .... we will be working to bring back as much as we can in the next few hours.

Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

User avatar
Rochen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 142
Joined: Wed Aug 17, 2005 3:19 pm
Location: United Kingdom
Contact:

Re: Discuss: A long day...

Post by Rochen » Sun Aug 19, 2007 9:48 am

As Louis says it has been a long day but I am glad the problem has been tracked down and isolated.

I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

You will see the main Joomla site coming up shortly and the others will follow not far behind. We are just sorting out the backups and then a final security sweep will be done before going live again.

- Chris
Chris Adams - CEO - Rochen Ltd.
http://www.rochen.com - Performance Joomla Hosting Solutions - Make your Joomla! install fly.
http://blog.rochen.com - Great security tips and more for Joomla!
Follow us on Twitter @rochenhost

User avatar
LorenzoG
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3011
Joined: Fri Aug 19, 2005 8:46 am
Location: Stockholm, Sweden

Re: Discuss: A long day...

Post by LorenzoG » Sun Aug 19, 2007 9:51 am

Thanks Louis and the rest of the team.

Nice to hear that it seems to be a custom component that is the culprit and not the core itself.
I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.

User avatar
Robin
Joomla! Master
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: Discuss: A long day...

Post by Robin » Sun Aug 19, 2007 9:54 am

Thanks everyone, for all the hard work!

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18729
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 9:55 am

LorenzoG wrote: I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.
Can't agree more!
When reporting such events, the best way to act is to propose to mods in the forum concerned to send a pm with the details if these are no more available.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
JacquesR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Tue May 19, 2009 3:00 pm
Location: Cape Town, South Africa
Contact:

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 9:56 am

Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques
Jacques Rentzke
New Web Consulting
http://www.new-web-consulting.co.za/ -- http://twitter.com/JacquesRentzke
Joomla Community Magazine Co-Lead Editor -- Joomla! Bug Squad

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Discuss: A long day...

Post by RussW » Sun Aug 19, 2007 9:56 am

Louis

Thanks for the prompt and detailed announcement, I am sure it will put a lot of peoples minds at rest.

Also, a massive thank you to those "at-the-coal-face" behind the scenes .....


Maybe we can take some good away from this unfortunate occurrence and take this opportunity to remind the Joomla! Community at large to be vigilant in their configurations and mindful of their sites' security.

  - Joomla! Security Announcements
  - Joomla! Security Forum
  - Joomla! Administrators' Security Guide
  - Joomla! Security and Performance FAQ's Index
  - 3rd Party Extensions Security Forum
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

Kursat
Joomla! Explorer
Joomla! Explorer
Posts: 316
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 9:58 am

Now it is time to see these guys in jail.

I know Turkish Police Department has an efficient impact on hackers.
Most hackers are catch in 24-36 hours and put in to jail at least 2+ years.


Here some evidences to go hackers.


I http://forum.joomla.org/index.php/topic ... #msg954536

I have also contact phone numbers to help to reach these,
i can give them to joomla officials if needed.
Last edited by Kursat on Sun Aug 19, 2007 10:13 am, edited 1 time in total.
Generaldots.com

User avatar
Wendy
Joomla! Hero
Joomla! Hero
Posts: 2008
Joined: Tue Nov 22, 2005 5:20 pm
Location: British Columbia, Canada

Re: Discuss: A long day...

Post by Wendy » Sun Aug 19, 2007 9:59 am

Many thanks to you all for the work and time you are putting in to this.  :)
Wendy Robinson
Joomla! Community Leadership Team member

User avatar
louis.landry
Joomla! Ace
Joomla! Ace
Posts: 1388
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California
Contact:

Re: Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 10:01 am

JacquesR wrote: Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques
I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.

These site owners have IPs and such in logs, they should contact the ISPs and file complaints.  It is possible that nothing comes of it, probable in fact ... but it is something.

Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

User avatar
JacquesR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Tue May 19, 2009 3:00 pm
Location: Cape Town, South Africa
Contact:

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 10:10 am

louis.landry wrote: I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.
I appreciate that you cannot possibly know the cause of the other sites's hacking.

There does seem to be a focus by this person on Joomla sites, and even though we now know how access was gained to joomla.org sites, it is still not clear how the other sites was hacked, and therefore the real concern remains that more sites could follow using a possible similar exploit.

In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

I sent a link to RobS (though your site) for your info. (mailboxes are full)

regards,
Jacques
Last edited by Anonymous on Sun Aug 19, 2007 10:16 am, edited 1 time in total.
Jacques Rentzke
New Web Consulting
http://www.new-web-consulting.co.za/ -- http://twitter.com/JacquesRentzke
Joomla Community Magazine Co-Lead Editor -- Joomla! Bug Squad

hornos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 176
Joined: Fri Aug 19, 2005 7:08 pm
Location: France
Contact:

Re: Discuss: A long day...

Post by hornos » Sun Aug 19, 2007 10:15 am

JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.
the answer:
Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

User avatar
TomT
Joomla! Ace
Joomla! Ace
Posts: 1264
Joined: Thu Aug 18, 2005 5:50 am
Location: Amsterdam
Contact:

Re: Discuss: A long day...

Post by TomT » Sun Aug 19, 2007 10:16 am

It's such a waist of time for everyone, this vandalism..... I hope you can all get some much deserved rest soon.

Thanks, Tom

User avatar
masterflafer
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Tue Aug 07, 2007 8:52 pm

Re: Discuss: A long day...

Post by masterflafer » Sun Aug 19, 2007 10:19 am

I hope they will end up in jail.

Googling their names I found couple sites where they show their "success". WTF ???
They have also site and forum.
There must be way to find them and bring them to justice.

User avatar
JacquesR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Tue May 19, 2009 3:00 pm
Location: Cape Town, South Africa
Contact:

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 10:22 am

hornos wrote:
JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.
the answer:
Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.
You may be miss-understanding what I'm saying here.

I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.

Though limited in number (currently), it does seem to suggest that this incident is not confined to joomla.org and needs further attention/investigation.

regards,
Jacques

edit: added clarification
Last edited by Anonymous on Sun Aug 19, 2007 10:28 am, edited 1 time in total.
Jacques Rentzke
New Web Consulting
http://www.new-web-consulting.co.za/ -- http://twitter.com/JacquesRentzke
Joomla Community Magazine Co-Lead Editor -- Joomla! Bug Squad

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Discuss: A long day...

Post by fw116 » Sun Aug 19, 2007 10:33 am

thanx for ur report and nice to hear thats not the joomla core..

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discuss: A long day...

Post by RobS » Sun Aug 19, 2007 10:34 am

Alright, the main sites are up now.  Yes, I know... not all of them.  I am absolutely exhausted, it is 5:30 in the morning and I am going to bed.  We will finish the other sites  in the morning later.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: Discuss: A long day...

Post by masterchief » Sun Aug 19, 2007 10:50 am

Thanks everyone involved for working the problem and sacrificing the better parts of you collective weekends for the benefits of all.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

hornos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 176
Joined: Fri Aug 19, 2005 7:08 pm
Location: France
Contact:

Re: Discuss: A long day...

Post by hornos » Sun Aug 19, 2007 11:15 am

JacquesR wrote:I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.
Attacks were not directed to joomla based sites exclusively !!

As mentionned in the annoucement:
Of all of our sites, there was one that still had register globals emulation on.  Of all of our sites there was one that had the htaccess file missing and most importantly ... that one site has a remote file inclusion vulnerability
It just means that the guys in charge of http://shop.joomla.org didn't not follow security baselines :P : http://help.joomla.org/component/option ... temid,268/
Last edited by hornos on Sun Aug 19, 2007 11:18 am, edited 1 time in total.

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: Discuss: A long day...

Post by brad » Sun Aug 19, 2007 11:17 am

Great work guys. Thanks for picking up the slack while I was busy this weekend.
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

jmc
Joomla! Guru
Joomla! Guru
Posts: 682
Joined: Thu Aug 18, 2005 9:10 pm
Location: Hey! I'm in Hartlepool! We hang monkeys!!!
Contact:

Re: Discuss: A long day...

Post by jmc » Sun Aug 19, 2007 11:29 am

this incident is not confined to joomla.org and needs further attention/investigation.
Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( :-[), Joomla 1.0.4 (upgrade? why would I wanna do that???) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.
There's only one sure-fire method of protecting yourself in these cases - backup - regularly and fully! Be ready to take the hit if you don't. And don't blame anyone but yourself!
And one other thing... what's with all of this "He's not a hacker... he's a cracker" crap that I've seen kicking around in the 6+ pages of posts. WTF??? It's almost like we're giving the scumbags recognised levels of professional qualification!
I've decided that, should I ever be a victim to a defacement of one of my sites, I will take this stance - I have NOT been "hacked" or "cracked" - I've been "SCUMMED". Seems a much more fitting term.  ;)
When all of your wishes are granted, many of your dreams will be destroyed...

Kursat
Joomla! Explorer
Joomla! Explorer
Posts: 316
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 11:49 am

This morning i spoke with one officer friend at Turkish Police Dep. on joomla case.
He told me that if the attacked server (as a starting point) is staying in Turkey they examine the hacked server with website personel and pick attacker to jail in a few days.

If the server is at EU and USA, these countries police dept.s are in tight connection with Turkish PDs. In this case server (area attacked) is examined by those PDs and evidences
examined by Turkish PDs concurrently. Necessary action is taken to the attacker.

In these cases when website owner claims the police help, the case becomes a public case
in all these countries. So the attacker has no chance to live freely at least a few years of time.

Officer said that police help is a necessary to find attacker because website owners can only investigate their own servers and their ISP's helps, but police depts have power to control all the related routers, equipments, related other ISPs/networks information globally.
Last edited by Kursat on Sun Aug 19, 2007 11:52 am, edited 1 time in total.
Generaldots.com

User avatar
JacquesR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Tue May 19, 2009 3:00 pm
Location: Cape Town, South Africa
Contact:

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 12:19 pm

jmc wrote:
this incident is not confined to joomla.org and needs further attention/investigation.
Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( :-[), Joomla 1.0.4 (upgrade? why would I wanna do that???) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.
Not hounding anyone. Only attempting to gain better understanding of the defacement of various sites built on Joomla, yesterday and today (by a spesific individual/group).

The other sites are mostly in Russian or Italian, and I'm unaware if they have forums.

I ask the questions here, since it is a public forum for the Joomla community, and security issues would be of concern to us all.

There is no contradiction in sincerely thanking the Joomla team for all their efforts in restoring the joomla.org sites, and at the same time trying to figure out what commonality there may be between these defacements and those of the other sites.

The knowledge gained could prevent myself and others from falling victim to the same attacks.

I do agree with you that regular backups is a must, since no software or system can ever be 100% secure (mostly due to the human element).

regards,
Jacques
Jacques Rentzke
New Web Consulting
http://www.new-web-consulting.co.za/ -- http://twitter.com/JacquesRentzke
Joomla Community Magazine Co-Lead Editor -- Joomla! Bug Squad

User avatar
cbh
Joomla! Apprentice
Joomla! Apprentice
Posts: 39
Joined: Sun Aug 28, 2005 11:20 pm
Location: Toronto, Ontario, Canada

Re: Discuss: A long day...

Post by cbh » Sun Aug 19, 2007 1:44 pm

Thanks for the detailed information. Just a suggestion - should this announcement not also be posted in the security forum, so that those of use who registered for updates by email can receive it that way as well?

Thanks for all your hard work on this.

Cheers
Chris Hutcheson

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: Discuss: A long day...

Post by Tonie » Sun Aug 19, 2007 1:59 pm

That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.

Kursat
Joomla! Explorer
Joomla! Explorer
Posts: 316
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 2:01 pm

Tonie wrote: Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla.
very nice for community
this is the best new of the day,
Generaldots.com

User avatar
cbh
Joomla! Apprentice
Joomla! Apprentice
Posts: 39
Joined: Sun Aug 28, 2005 11:20 pm
Location: Toronto, Ontario, Canada

Re: Discuss: A long day...

Post by cbh » Sun Aug 19, 2007 2:06 pm

Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18729
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 2:41 pm

cbh wrote:
Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris
I posted this as sooon as we got the News concerning the solution of the problem.
http://forum.joomla.org/index.php/topic,203293.0.html
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Locked

Return to “Announcements Discussions”