New SuperUser appears

Discussion regarding Joomla! 3.x security issues.

cral
Joomla! Apprentice
Posts: 11
Joined: Fri Sep 06, 2013 12:43 pm

New SuperUser appears

Post by cral » Wed Dec 23, 2015 1:31 pm

Hi,

A few weeks ago I found a new superuser that should be there. I blocked the user, but I didn't follow up due to too many other things going on.

When entering the site yesterday I saw a new super user, made a few days ago.

Both users have been made with email addresses from the local domain name.

Open for ideas.

Regards

Carl
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 23rd December 2015 wrote:[15-Jul-2015 13:21:40 Europe/Oslo] Invalid or no certificate authority found, using bundled information
Forum Post Assistant (v1.2.4) : 23rd December 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.4.4-Stable (Ember) 8-September-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: oslohav (uid: 1/gid: 1) | Group: oslohav (gid: 1) | Valid For: 3.4
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-504.12.2.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/oslohav/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 30719 | Log Errors To: php_errorlog | Last Known Error: 15th July 2015 13:21:40. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 250M | Max. POST Size: 250M | Max. Input Time: 120 | Max. Execution Time: 240 | Memory Limit: 300M

MySQL Configuration :: Version: 5.5.46-cll (Client:5.0.96) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 15.28 MiB | #of Tables:  176
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.29) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | readline () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | shmop () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | bz2_filter (0.1) | http (1.6.5) | mailparse (2.1.5) | memcache (2.2.5) | stats (1.1) | xattr (1.1.0) | SourceGuardian (9.0.4) | ssh2 (0.11.3-dev) | mhash () | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: tempcs/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | K2 Links for JCE Link (2.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) | WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_LINK_SEARCH_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_PREVIEW_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_STYLESELECT_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_IMGMANAGER_EXT_TITLE (2.0.28) | WF_SOURCE_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_CAPTION_TITLE (2.1.7) | WF_LINK_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | os_eway (2.1.0) | os_authnet (1.0) | os_paypal (1.0) | os_offline (1.0) | os_worldpay (1.0) | Default (1.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: Smart Slider 2 (2.3.11) | com_categories (3.0.0) | com_checkin (3.0.0) | com_cache (3.0.0) | com_rsform (1.50.24) | com_joomlaupdate (3.0.0) | com_menus (3.0.0) | com_installer (3.0.0) | com_languages (3.0.0) | Unknown (-) | JCE (2.4.6) | com_templates (3.0.0) | Social Backlinks (2.0.38) | com_modules (3.0.0) | com_finder (3.0.0) | com_plugins (3.0.0) | com_ajax (3.2.0) | JEvents (3.1.41) | com_content (3.0.0) | com_media (3.0.0) | Event Booking (2.1.0) | com_banners (3.0.0) | com_messages (3.0.0) | com_redirect (3.0.0) | com_newsfeeds (3.0.0) | com_advancedmodules (4.22.7FREE) | com_tags (3.1.0) | com_login (3.0.0) | com_phocagallery (3.2.6) | com_contenthistory (3.2.0) | RSVP Pro (3.1.15) | pQCE (1) | com_search (3.0.0) | COM_[youtube] (1.3.7) | com_admin (3.0.0) | com_postinstall (3.2.0) | com_config (3.0.0) | com_weblinks (3.0.0) | nextend_installer (1.0) | com_users (3.0.0) | com_cpanel (3.0.0) |

Modules :: SITE :: mod_articles_archive (3.0.0) | mod_whosonline (3.0.0) | mod_search (3.0.0) | mod_articles_news (3.0.0) | [youtube] Gallery Module (1.3.7) | Events Booking Google Map (2.1.0) | Events Booking Upcoming events (2.1.0) | mod_login (3.0.0) | JEvents Latest Events (3.1.41) | Event Booking Mini Calendar (1.6.1) | mod_banners (3.0.0) | mod_wrapper (3.0.0) | mod_breadcrumbs (3.0.0) | mod_articles_category (3.0.0) | JEvents Legend (3.1.41) | Event Categories (1.6.1) | mod_syndicate (3.0.0) | JEvents Calendar (3.1.41) | mod_users_latest (3.0.0) | mod_tags_popular (3.1.0) | mod_related_items (3.0.0) | mod_languages (3.0.0) | Search Events (1.6.8) | mod_footer (3.0.0) | mod_stats (3.0.0) | JEvents CustomModule (3.1.41) | mod_articles_categories (3.0.0) | mod_menu (3.0.0) | mod_finder (3.0.0) | addthis - Bookmark and Sharing (3.0.0) | mod_random_image (3.0.0) | Events Booking View (2.1.0) | Newsletter Subscriber (1.2) | Events By Location (2.1.0) | mod_custom (3.0.0) | mod_tags_similar (3.1.0) | mod_weblinks (3.0.0) | JEvents Filter (3.1.41) | Smart Slider 2 (2.3.11) | JEvents View Switcher (3.1.41) | mod_articles_popular (3.0.0) | mod_feed (3.0.0) | mod_articles_latest (3.0.0) | EB Cart (2.1.0) |
Modules :: ADMIN :: mod_title (3.0.0) | mod_latest (3.0.0) | mod_version (3.0.0) | mod_popular (3.0.0) | mod_login (3.0.0) | mod_stats_admin (3.0.0) | mod_online (1.6.0) | mod_toolbar (3.0.0) | mod_unread (1.6.0) | mod_menu (3.0.0) | mod_status (3.0.0) | mod_multilangstatus (3.0.0) | mod_custom (3.0.0) | mod_quickicon (3.0.0) | mod_submenu (3.0.0) | mod_logged (3.0.0) | mod_feed (3.0.0) |

Plugins :: SITE :: Open Graph - Content (5.2.0) | Open Graph - Custom Object (5.1.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | Nextend Smart Slider generator (1.0.0) | plg_socialbacklinks_facebook (2.0.38) | PLG_SOCIALBACKLINKS_VIRTUEMART (2.0.38) | plg_socialbacklinks_linkedin (2.0.38) | PLG_SOCIALBACKLINKS_HIKASHOP (2.0.38) | plg_socialbacklinks_vk (2.0.38) | plg_socialbacklinks_joomla (2.0.38) | plg_socialbacklinks_zoo (2.0.38) | plg_socialbacklinks_twitter (2.0.38) | plg_socialbacklinks_k2 (2.0.38) | PLG_SOCIALBACKLINKS_REDSHOP (2.0.38) | plg_socialbacklinks_facebook2 (2.0.38) | RSVP Pro - Virtuemart - Custom (3.1.15) | JEvents - Attendance, Invitati (3.1.15) | JEvents - File and Image uploa (3.0.11) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: I (1.0.0) | Nextend Smart Slider Widget: S (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | Nextend Smart Slider Widget: T (1.0.0) | Nextend Smart Slider Widget: H (1.0.0) | Nextend Smart Slider Joomla mo (1.0.0) | Nextend Smart Slider Image Ite (1.0.0) | Nextend Smart Slider Shape Ite (1.0.0) | Nextend Smart Slider Vimeo Ite (1.0.0) | Nextend Smart Slider Button It (1.0.0) | Nextend Smart Slider Image Fad (1.0.0) | Nextend Smart Slider iframe It (1.0.0) | Nextend Smart Slider Paragraph (1.0.0) | Nextend Smart Slider Heading I (1.0.0) | Nextend Smart Slider Caption I (1.0.0) | Nextend Smart Slider Special I (1.0.0) | Nextend Smart Slider Tag Item (1.0.0) | Nextend Smart Slider Html Item (1.0.0) | Nextend Smart Slider Image Fli (1.0.0) | Nextend Smart Slider [youtube] I (1.0.0) | plg_content_example (1.0) | EB Register Plugin (2.1.0) | plg_content_sbtrigger (2.0.38) | JEvents - Core Content Plugin (3.2.0) | EB Event Plugin (2.1.0) | plg_content_vote (3.0.0) | plg_content_geshi (2.5.0) | Multithumb (3.7.1) | plg_content_pagenavigation (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_emailcloak (3.0.0) | Content - [youtube] Gallery (1.3.7) | plg_content_joomla (3.0.0) | Eventbooking Category content (2.1.0) | plg_content_finder (3.0.0) | Content - Newsletter Subscribe (1.2) | Nextend Smart Slider Simple Ty (1.0.0) | Nextend Smart Slider Vertical (1.0.0) | Nextend Smart Slider Showcase (1.0.0) | Nextend Smart Slider Horizonta (1.0.0) | Nextend Smart Slider Full Page (1.0.0) | Events Booking Registration Fo (2.1.0) | Events Booking Event Detail (2.1.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | PLG_EDITORS-XTD_MODULESANYWHER (3.6.3FREE) | plg_editors-xtd_readmore (3.0.0) | RSVP Pro - Virtuemart Payment (3.1.15) | RSVP Pro - Virtuemart 2.0 (3.1.15) | RSVP Pro - HikaShop (3.1.15) | RSVP Pro - Manual (3.1.15) | RSVP Pro - Authorize.net SIM - (3.1.15) | RSVP Pro - PayPal IPN (3.1.15) | RSVP Pro Payment Trigger - Hik (3.1.15) | plg_user_example (1.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_captcha_recaptcha (3.4.0) | Nextend Smart Slider generator (1.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.4.6) | plg_quickicon_joomlaupdate (3.0.0) | plg_editors_codemirror (5.6) | plg_editors_jce (2.4.6) | plg_editors_tinymce (4.1.7) | Editor - JoomlaCK (3.4.5) | Editor - JoomlaCK (3.4.5) | Unknown (0.1) | Unknown (0.1) | plg_authentification_example (1.6.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_extension_example (1.0) | plg_extension_joomla (3.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: B (1.0.0) | Nextend Smart Slider Widget: S (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | Nextend Smart Slider Widget: I (1.0.0) | Nextend Smart Slider Widget: I (1.0.0) | plg_installer_rsform (1.0.0) | plg_installer_webinstaller (1.0.5) | Nextend Smart Slider Widget: H (1.0.0) | plg_finder_categories (3.0.0) | plg_finder_jevents (3.1.41) | plg_finder_content (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | EB Registration History (1.0) | Nextend Smart Slider Widget: T (1.0.0) | Nextend Smart Slider Widget: T (1.0.0) | Nextend Smart Slider Widget: T (1.0.0) | Nextend Smart Slider Widget: A (1.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | Social Profiles - Custom DB (5.2.0) | Social Profiles - Joomla (5.2.0) | Events Booking - Invoice Gener (2.1.0) | Events Booking - Move Registra (1.5.0) | Eventbooking - Map plugin (2.1.0) | Events Booking - Mailchimp plu (2.1.0) | Event Booking - CB plugin (2.1.0) | Events Booking - Unpublish Eve (2.1.0) | Event Booking - Joomla Groups (2.1.0) | Eventbooking - Acymailing plug (2.1.0) | Events Booking - Cart Update (2.1.0) | Eventbooking - Jcomments plugi (2.1.0) | Events Booking - Jomsocial Act (2.1.0) | plg_search_categories (3.0.0) | plg_search_content (3.0.0) | Search - JEvents (3.1.41) | plg_search_weblinks (3.0.0) | plg_search_tags (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | Search - Event Booking (2.1.0) | plg_system_remember (3.0.0) | plg_system_logout (3.0.0) | plg_system_languagefilter (3.0.0) | PLG_SYSTEM_NNFRAMEWORK (15.4.3) | ebreminder (1.7.4) | Nextend Library (1.0.0) | Nextend Library (1.0.0) | System - Yjsg Framework (2.2.0) | plg_system_languagecode (3.0.0) | plg_system_highlight (3.0.0) | PLG_SYSTEM_ADVANCEDMODULES (4.22.7FREE) | System - One Click Action (2.1) | System - HikaShop to RSVP Pro (3.1.15) | plg_system_cache (3.0.0) | plg_system_log (3.0.0) | plg_system_sef (3.0.0) | plg_system_debug (3.0.0) | plg_system_redirect (3.0.0) | plg_system_p3p (3.0.0) | System - KeysCAPTCHA (5.0.10) | PLG_SYSTEM_MODULESANYWHERE (3.6.3FREE) | plg_system_sbsynchronizer (2.0.38) |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) | beez5 (2.5.0) | atomic (2.5.0) | beez_20 (2.5.0) | beez3 (3.1.0) | Youmania (1.0.2) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |

ribo
Joomla! Virtuoso
Posts: 3377
Joined: Sun Jan 03, 2010 8:47 pm

Re: New SuperUser appears

Post by ribo » Wed Dec 23, 2015 1:46 pm

First, take your Joomla offline.
Then go to Users > Manage > Options
and set Allow User Registration to No
and New User Registration Group to Registered.
Then check what this folder tempcs is, which has 777. Usually there is a tmp folder. All folders must have permissions 755, files 644 and configuration.php 444.
Transfer your Joomla to your PC and scan it with a good antivirus.
Afterwards, update your Joomla to the latest version along with your third-party extensions, and always stay up to date.
Also don't forget to change your password.
You can also use an extension to protect your administrator area: http://extensions.joomla.org/category/a ... e-security
chat room spontes : http://www.spontes.com

ribo
Joomla! Virtuoso
Posts: 3377
Joined: Sun Jan 03, 2010 8:47 pm

Re: New SuperUser appears

Post by ribo » Wed Dec 23, 2015 1:50 pm

If you transfer your Joomla to your PC, you can use XAMPP or WAMP server to run it locally.

cral
Joomla! Apprentice
Posts: 11
Joined: Fri Sep 06, 2013 12:43 pm

Re: New SuperUser appears

Post by cral » Wed Dec 23, 2015 2:06 pm

OK, downloading the site now.

and Allow User Registration-No
New User Registration Group-registered

These settings were already like this.

Found a folder called .htpasswds with a PHP file called iso-clock.php inside.

This file doesn't seem to be part of the original Joomla installation?

The tempcs folder has been deleted.

ribo
Joomla! Virtuoso
Posts: 3377
Joined: Sun Jan 03, 2010 8:47 pm

Re: New SuperUser appears

Post by ribo » Wed Dec 23, 2015 2:10 pm

You must find all infected files and folders, delete them, update, etc. Also, when you finish, change all passwords, FTP, etc.

ribo
Joomla! Virtuoso
Posts: 3377
Joined: Sun Jan 03, 2010 8:47 pm

Re: New SuperUser appears

Post by ribo » Wed Dec 23, 2015 2:12 pm

Also, why do you have such big values: Max. Upload Size: 250M | Max. POST Size: 250M | Memory Limit: 300M?

slickrockweb2
Joomla! Fledgling
Posts: 1
Joined: Tue Jan 19, 2016 1:50 am

Re: New SuperUser appears

Post by slickrockweb2 » Tue Jan 19, 2016 2:18 am

I would check your plugin /keyscaptcha/ ... note the "s" in the name is not present in the real one. During remediation of a hacked Joomla site for a client, our investigation and analysis found that one particular hack on the site we were working on occurred on Dec. 18th 2015, and some of the files in /keyscaptcha/ had the exact same time-stamp; on further investigation this particular plugin does not look legitimate.

Eric at Slickrockweb
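The checks suggested in this thread (ribo's 755/644/444 permission rule and the 777 tempcs/ folder, cral's .htpasswds/iso-clock.php find, and Eric's point about correlating file timestamps with the date the intrusion happened) can all be run offline against the copy of the site that was downloaded. The script below is an added example, not code from the thread or from the Joomla project. It assumes the site copy is the first argument, that timestamps are given in touch -t format (YYYYMMDDhhmm), that the database table prefix is jos_ unless another is passed, and that the Super Users group still has its default id of 8 in a Joomla 3 install (the #__usergroups table confirms this for a given site).

```sh
#!/bin/sh
# Added example (not from the thread): offline checks on a downloaded copy
# of a Joomla site tree, covering the indicators raised above:
#   - world-writable directories (the FPA report flagged tempcs/ with 777)
#   - PHP files hidden inside dot-directories (like .htpasswds/iso-clock.php)
#   - files whose modification time falls in a given window, to correlate
#     with the date a suspicious account or plugin appeared
# Usage: ./audit.sh /path/to/site/copy 201512180000 201512182359
# The paths, dates and table prefix here are assumptions for illustration.

# Directories that anyone on the host can write to (mode o+w).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# PHP files anywhere below a directory whose name starts with a dot.
# Joomla core ships no such files; they are a common webshell hiding place.
find_php_in_dotdirs() {
    ( cd "$1" && find . -type f -name '*.php' -path '*/.*/*' )
}

# Files modified strictly after $2 and not after $3 (both YYYYMMDDhhmm).
# Two reference files keep this within POSIX find (no -newermt needed).
find_modified_between() {
    root=$1; start=$2; end=$3
    ref=$(mktemp -d) || return 1
    touch -t "$start" "$ref/start"
    touch -t "$end" "$ref/end"
    find "$root" -type f -newer "$ref/start" ! -newer "$ref/end"
    rm -rf "$ref"
}

# SQL to list every member of the Super Users group with creation and last
# visit dates. "jos_" is the assumed table prefix (see configuration.php,
# $dbprefix); 8 is the default id of the Super Users group in Joomla 3.
superuser_query() {
    prefix=${1:-jos_}
    cat <<EOF
SELECT u.id, u.username, u.email, u.block, u.registerDate, u.lastvisitDate
FROM ${prefix}users AS u
JOIN ${prefix}user_usergroup_map AS m ON m.user_id = u.id
WHERE m.group_id = 8
ORDER BY u.registerDate DESC;
EOF
}

if [ -n "$1" ]; then
    echo "== world-writable directories"; find_world_writable_dirs "$1"
    echo "== PHP files in dot-directories"; find_php_in_dotdirs "$1"
    if [ -n "$2" ] && [ -n "$3" ]; then
        echo "== files modified between $2 and $3"
        find_modified_between "$1" "$2" "$3"
    fi
    echo "== run this against the site database:"; superuser_query "$4"
fi
```

Run it on the local copy, not on the live host, so that nothing the attacker left behind executes while you look at it. Any file the third check lists that is not explained by a legitimate update on that day deserves the same scrutiny as the two users that appeared.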