Users with nonstandard characters keep appearing in our user Table

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Thu Jun 21, 2018 7:20 pm

Okay so for the past day and a half along with Sunday we have been dealing with users with cyrillic and numeral names entering our Joomla Users table in the DB. We have placed in a captcha on our registration form to try and combat this issue. This does not seem to work as they keep appearing in our joomla user table and only that specific table they don't appear anywhere else where user information usually goes for registered users. It's a custom built form we're using.

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3646
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Users with nonstandard characters keep appearing in our user Table

Post by abernyte » Sat Jun 23, 2018 6:39 pm

Either someone has worked out how to directly access your user registration page or your hacked.
I take it you have tried closing your registration process to see if the dodgy users stop registering?
The output from viewtopic.php?f=714&t=793531 would help us.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25874
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Users with nonstandard characters keep appearing in our user Table

Post by Per Yngve Berg » Sat Jun 23, 2018 7:36 pm

Have you turned off user registration in the options of user manager?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Sat Jun 23, 2018 10:20 pm

wbyers wrote:... It's a custom built form we're using.
Who built it?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Wed Jun 27, 2018 1:52 pm

Who built it?
Us. We Built it.

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Wed Jun 27, 2018 2:02 pm

abernyte wrote:Either someone has worked out how to directly access your user registration page or your hacked.
I take it you have tried closing your registration process to see if the dodgy users stop registering?
The output from viewtopic.php?f=714&t=793531 would help us.
We haven't shut it off, because we use a nonstandard modal for registration that we have built. We have however placed a captcha and some other limits on the form. These did not seem to have an effect.

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3646
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Users with nonstandard characters keep appearing in our user Table

Post by abernyte » Wed Jun 27, 2018 3:11 pm

So turn it off and turn off the user registration and see if the sign ups continue.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by fcoulter » Wed Jun 27, 2018 3:20 pm

If you are serious about wanting support I think that you need to try to supply more information. I mean you have so far said that it is a custom registration method that you built yourselves, so only you know how it works, and you are expecting someone on a forum to tell you what the problem is when you do not know yourselves.

For example:-

To clarify, is this a custom built form using a forms extension such as Breezing forms, RSForms etc?

Or is it actually a custom registration component that you wrote from scratch?

Which version of Joomla are you using?

Try using the forum post assistant, it is the sticky topic at the head of this forum.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Wed Jun 27, 2018 8:07 pm

fcoulter wrote:If you are serious about wanting support I think that you need to try to supply more information. I mean you have so far said that it is a custom registration method that you built yourselves, so only you know how it works, and you are expecting someone on a forum to tell you what the problem is when you do not know yourselves.

For example:-

To clarify, is this a custom built form using a forms extension such as Breezing forms, RSForms etc?

Or is it actually a custom registration component that you wrote from scratch?

Which version of Joomla are you using?

Try using the forum post assistant, it is the sticky topic at the head of this forum.
It's a custom reg component we've built into a remotelogin plugin. It uses the default mechanics of jUsers and php to send the data to the virtuemart table. We're using joomla 3.7.2. When i first posted this we had been under the impression that our actual user registration form was the issue, evidence has since been exposed to us that this may be some sort of exploit they are utilizing.

The question I should probably be asking is, is there some sort of default registration component/module that could have been set to active or still be lurking on the sight somewhere? And if it's not that is 3.7.2 still vulnerable to the backend hacking exploits first discovered in 2013 from administrator.php?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Wed Jun 27, 2018 9:00 pm

Your on J3.7.2 ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Wed Jun 27, 2018 9:13 pm

yes

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Wed Jun 27, 2018 9:20 pm

Then you have most likely been hacked.
viewtopic.php?f=714&t=793531 please and see viewtopic.php?f=714&t=946026

btw
If you say that you can't update because the extensions don't work with 3.8.10 then they are probably vulnerable as well.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by fcoulter » Wed Jun 27, 2018 9:59 pm

While it is certainly possible that you have been hacked, I don't think that this is evidence of a hack.

Because you are using a custom registration system this does not prevent the Joomla core registration system from being available. What I suspect is happening is that a spammer is submitting a registration form to the Joomla core com_users registration system, ie option=com_users&task=registration.register

You might be able to block it by setting a captcha in the com_users options.

Disabling user registration will not work, if you are using "default mechanics of jUsers and php", assuming that you mean what I think you mean, which is using the com_users registration model, because this requires user registration to be allowed (similarly Virtuemart requires user registration to be enabled).

is 3.7.2 still vulnerable to the backend hacking exploits first discovered in 2013 from administrator.php?
No, if there was a known vulnerability in 2013 (and I am not sure exactly what you mean by this), then it would have been fixed in 2013.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3646
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Users with nonstandard characters keep appearing in our user Table

Post by abernyte » Thu Jun 28, 2018 7:24 am

is 3.7.2 still vulnerable to the backend hacking exploits first discovered in 2013 from administrator.php?
Not withstanding fcoulter's wise advice, by default, J3.7.2 must still be vulnerable to the exploit listed in CVE-2017-9934, and any others discovered since July 2017, which makes the potential for hacked site rather higher than it was when I first suggested hacking or direct access to registration.
The output from viewtopic.php?f=714&t=793531 is now essential.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by fcoulter » Thu Jun 28, 2018 10:10 am

I totally agree, I did not intend to imply that using a version of Joomla that is seriously out of date is not a cause for concern, only that I don't think that it is related to the reported issue.

It would be a good idea to follow abernyte's advice.

And you should certainly update, and make a plan for regularly applying patches in future.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Thu Jun 28, 2018 10:31 am

fcoulter wrote:I totally agree, I did not intend to imply that using a version of Joomla that is seriously out of date is not a cause for concern, only that I don't think that it is related to the reported issue.
....
Me thinks it is related for the following reasons
  • That version of Joomla is vulnerable
  • If Joomla has not been updated then chances are the 3rd party extensions haven't been updated either. High probability that there are vulnerable versions of those 3rd party extensions on the site.
Once the site is breached with (even a small seemingly insignificant) hack then hackers can have full control over your server. Strongly recommend you treat the site as hacked.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by fcoulter » Thu Jun 28, 2018 11:30 am

It is certainly possible that there are vulnerable 3rd party extensions, and that this is what is causing the issue, and I totally agree that it would be a very good idea to use the fpa.

But still I tend to go along with the idea that the simplest explanation is often the true one, and that is that this is the Joomla registration system working exactly as designed. Just because you are using a custom registration system, it does not stop the core registration system from being available, and you need to protect it with a captcha to stop if from being abused.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Thu Jun 28, 2018 12:29 pm

fcoulter wrote:It is certainly possible that there are vulnerable 3rd party extensions, and that this is what is causing the issue, and I totally agree that it would be a very good idea to use the fpa.

But still I tend to go along with the idea that the simplest explanation is often the true one, and that is that this is the Joomla registration system working exactly as designed. Just because you are using a custom registration system, it does not stop the core registration system from being available, and you need to protect it with a captcha to stop if from being abused.
This makes a lot of sense. The only thing that ever seemed to happen was our joomla users table had some extra accounts. There was no other evidence of malfeasance. However I have a question about the captcha for users option in the configuration. Will activating the captcha in com_users prevent the use of Jusers in our custom form?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Fri Jun 29, 2018 12:28 am

That depends on how you have written your custom form. Easiest way to find out is do it then see.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11746
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by brian » Fri Jun 29, 2018 12:44 pm

No they are completely unrelated - no problem at all
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Fri Jun 29, 2018 12:48 pm

If the custom form checks for that Joomla setting but does not provide a field to display the racaptcha then it will fail. It depends on how you wrote your custom registration.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Fri Jun 29, 2018 12:55 pm

Our custom form does not make a call to com_users or use that recaptcha. It uses it's own recaptcha hooked up in the remote login plugin. From what I see above we should be okay then should we turn the captcha on in joomla's com_user configuration?

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11746
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by brian » Fri Jun 29, 2018 12:59 pm

in that scenario adding joomla recapthca will have zero effect
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Fri Jun 29, 2018 1:00 pm

Wait, when you say zero effect do you mean it won't do anything for our problem as well?

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11746
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by brian » Fri Jun 29, 2018 1:08 pm

If you are not using and have disabled the joomla registration form then no it will not help you at all

and for goodness sake UPGRADE joomla
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

wbyers
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Thu May 04, 2017 5:46 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by wbyers » Fri Jun 29, 2018 1:12 pm

We will update joomla when our technical lead says we can. I have no Idea when that will be.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11746
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by brian » Fri Jun 29, 2018 1:15 pm

Then you will keep getting fake registrations. Maybe you should be asking your technical lead to fix the problem instead of wasting our time.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Fri Jun 29, 2018 5:05 pm

brian wrote:in that scenario adding joomla recapthca will have zero effect
It will have affect because the Joomla Registration (reached with site.com/index.php?option=com_users&view=registration) will require Recapcha field filled in.

But still suggest that the site is treated as hacked. That will be much quicker in the long run ... it's been nearly a week since the OP. The site could have been rebuilt and updated in less time.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11746
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Users with nonstandard characters keep appearing in our user Table

Post by brian » Fri Jun 29, 2018 5:09 pm

It wont have an effect at all if the registration has been disabled ;) As repeatedly instructed by various posters
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Users with nonstandard characters keep appearing in our user Table

Post by Webdongle » Fri Jun 29, 2018 5:10 pm

wbyers wrote:We will update joomla when our technical lead says we can. I have no Idea when that will be.
Perhaps your 'technical lead' should be posting on here instead of you ... or perhaps your 'technical lead' has their hands tied because you are controlling the site not them. Have you let your 'technical lead' read this thread or are you feeding them your opinion of the advice given?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post Reply

Return to “Security in Joomla! 3.x”