Two of my Joomla 1.0.13 sites have been hacked this week. One exhibited "Not Found" for frontpage files, the other ended up with ringtone junk and nasty references to porn.
I've sent details to the security folks for this site, and I've read through two days of posts looking for background and "the way ahead".
Here's my info:
Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ]
PHP Version: 5.2.4
MySQL client version: 4.1.22
Apache/2.2.6 (Unix)
Shared server
Raw logs (now enabled)
Plug-ins:
ANJEL (Not published yet)
JEvents
phpShop (Not published yet)
Verse of the Day
CoolHits Counter
JoomlaFCK
This hack spews forth .htaccess files in virtually every unlocked directory and sub, and those files call up a numbered php file - similar to what was posted in the threads below. IMHO, it's all too similar to these posts:
http://forum.joomla.org/index.php/topic,11244.0.html
http://forum.joomla.org/index.php/topic ... #msg194500
In trying to remove them from the websites, I quickly noticed that - even though the cPanel indicated I had successfully deleted the two files (.htaccess and its associated, numbered php), upon returning to any directory or sub - there they were, back again!
It's my own fault, I had left some permissions on 777, and I thereby opened the door to this headache.
Now I've downloaded a backup of one site's root directory, unzipped it, and have removed the offending files (using Windwoes Explorer to search and doublesearch the public_html directories and subs). The offending files were dated 5 Jan. 2008.
Soon I'll wipe that affected site, zip the now cleaned files, upload that to the root, and unzip..., whilst praying and hoping for the best.
My latest sites are in Joomla 1.5; so far so good with them.
Let's be careful out there!
Hack Attack; It's Back :-(
- ptg
- Joomla! Apprentice
- Posts: 25
- Joined: Sat Nov 26, 2005 6:01 pm
- Location: Alberta, Canada
- Contact:
Hack Attack; It's Back :-(
Onward and upward!
- RussW
- Joomla! Exemplar
- Posts: 9349
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Hack Attack; It's Back :-(
You will also need to check for:
CRONTAB (cron) jobs that may be re-creating these exploit (not hack!) files every time you delete them, look for hidden directories (starting with a " . " dot) where the files can be recreated from and then delete all the files, or rebuild from a "known good" backup, ensure you do not have 777 permissions set on directories.
In this case, Joomla! was not actually exploited, but your 777 directories were.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- RussW
- Joomla! Exemplar
- Posts: 9349
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Hack Attack; It's Back :-(
Sorry, in addition to all that,
Please review the following FAQs ASAP, you will find a wealth of information related to your issues.
Security & Performance FAQ
It is not recommended to leave your sites publicly available and exploited, as it will only serve to promote the offender's ego and kudos and potentially expose the rest of the server to attack.
The above-mentioned FAQ will provide you with more than enough information to assist you in further securing your sites.
Particular entries of note, and to pay attention to, are:
Joomla! Administrator's Security Checklist
Help! My site's been compromised. Now what?
Vulnerable Extension List
Joomla! Tools Suite
How can I check my Joomla! installation's overall security and health?
What does Joomla! have to do with file permissions?
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- ptg
- Joomla! Apprentice
- Posts: 25
- Joined: Sat Nov 26, 2005 6:01 pm
- Location: Alberta, Canada
- Contact:
Re: Hack Attack; It's Back :-(
Thanks, Russ. "I sit corrected", this was an exploit of sites, not a "hack" of Joomla. Do you want to change the Subject accordingly?
That's a good guide - all the relevant links for folks in my shoes.
In a sense, we continue to "do it" to ourselves; but I'm learning!
Onward and upward!
- RussW
- Joomla! Exemplar
- Posts: 9349
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Hack Attack; It's Back :-(
In general, but there are exceptions to these rules, the safest permission modes are:
Directories : 755
Files : 644
But with some server configurations, this will mean that you will now be unable to upload media/files/images etc.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Enthusiast
- Posts: 190
- Joined: Sat Jan 14, 2006 1:59 pm
- Location: Sunderland UK
- Contact:
Re: Hack Attack; It's Back :-(
Hi. Sorry if I'm teaching my granny to suck eggs here, but I've had many sites hacked into over the past few weeks, about 12 to be exact, and in the end found it was the hosting company's fault as the hacker hid a file that recreated files every time I deleted them in from tmp folder.
This is what I do now to check any sites.
Recreate the best you can on a test site the site you have, install the same components and modules, and then using Dreamweaver use synchronize looking for "Get new from server", it will list all files on the server that you don't have on your test site. Go through them, of course there may be a lot, especially images in VirtueMart or galleries, but I found most of the time the little Bas**rds hide the files in there, as you get bored of checking through all the files, but it's well worth it.
You will more than likely find a simple file manager script or directory, they even named one of the directories on mine com_uk and added it to
public_html/components/com_uk
Clever sod!!
Then if you have shell access through PuTTY, run these 2 lines of code exactly as I type them from the public_html folder, so you only edit the Joomla files not the public_html folder itself
Command to change the permissions for all directories to 755
Code:
find . -type d -exec chmod 755 {} \;
Command to change the permissions for all files to 644
Code:
find . -type f -exec chmod 644 {} \;
That will change every single file and folder in your site to the correct permissions, you now need to change back the few you need to keep so Joomla will work. Well, it will still work, you just won't be able to add images, components, modules etc. But at least you know you haven't missed any files, and it may be a good idea to leave it all locked up for a while, whilst you sort out the problems.
I produced this flash video this morning whilst waiting for a load of files to download of how to do that exact process.
http://www.joomlamagazine.com/tutorials ... sions.html
It shows you how to do it, very simple, it takes only a few seconds per site to secure up.
Hope this helps a little
regards
Ian
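The checks described in the replies above (777 directories, hidden dot-directories, numbered PHP files, and files that exist on the server but not in a known-good copy), gathered into one shell script as an added example that is not part of any post in this thread. The function names and the sample tree are constructed for illustration; only the directory name com_uk comes from the thread.

```shell
#!/bin/sh
# Added example: audit a live web root against a known-good copy of the site.

# Directories writable by every local account (mode 777 and similar).
world_writable_dirs() { find "$1" -type d -perm -0002 | LC_ALL=C sort; }

# Hidden directories (name starts with a dot) below the web root.
hidden_dirs() { find "$1" -mindepth 1 -type d -name '.*' | LC_ALL=C sort; }

# PHP files named only with digits, like those the planted .htaccess files call.
numbered_php() {
    find "$1" -type f -name '*.php' | grep -E '/[0-9]+\.php$' | LC_ALL=C sort
}

# Files present on the live site but absent from the known-good copy.
extra_files() {
    tmp=$(mktemp -d) || return 1
    (cd "$1" && find . -type f | LC_ALL=C sort) > "$tmp/live"
    (cd "$2" && find . -type f | LC_ALL=C sort) > "$tmp/clean"
    LC_ALL=C comm -23 "$tmp/live" "$tmp/clean"
    rm -rf "$tmp"
}

# Constructed sample tree (hypothetical file names, harmless contents).
build_sample() {
    mkdir -p "$1/clean/components/com_content" "$1/clean/images"
    echo '<?php // core file' > "$1/clean/index.php"
    echo '<?php // core file' > "$1/clean/components/com_content/content.php"
    cp -R "$1/clean" "$1/live"
    mkdir -p "$1/live/components/com_uk" "$1/live/images/.cache"
    for f in images/.htaccess images/4021.php components/com_uk/fm.php; do
        echo 'placeholder' > "$1/live/$f"
    done
    chmod -R go-w "$1"
    chmod 777 "$1/live/images"
}

audit() {
    echo "== world-writable directories"; world_writable_dirs "$1"
    echo "== hidden directories";         hidden_dirs "$1"
    echo "== numeric PHP files";          numbered_php "$1"
    echo "== files not in clean copy";    extra_files "$1" "$2"
}

# Usage: sh audit.sh LIVE_DIR CLEAN_DIR   (no arguments: run on the sample)
if [ $# -eq 2 ]; then
    audit "$1" "$2"
else
    demo=$(mktemp -d) && build_sample "$demo" && audit "$demo/live" "$demo/clean"
    rm -rf "$demo"
fi
```

The script only covers the file tree; scheduled jobs for the hosting account are listed separately with `crontab -l`.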