Site Hacked


N1K


My site has been hacked. Text from the attached document has been added at the bottom of these files:

\index.php

\index2.php

\forum\index.php

\forum\administrator\index.php

I'm not sure how it was done, or what to do to protect myself. I'm also not sure if there are more hacked files that I should change. I'll have to keep searching.

Has anyone had a similar experience?

viagrashit.txt

WinCert.net



Unless you are running an IDS you probably can't tell how badly you were hacked. So you have two options: continue on and hope for the best (with patches, hardening, etc), or rebuild the server. The safest course of action is to backup your data and rebuild your server. If you have known-good backups from before you were hacked, that is even better. The choice is yours.

Until then:

  1. Your site should be offline until this is resolved.
  2. Change your passwords.
  3. Check your logs to see if you can detect the intruder and method of attack. Save the data and pursue action against that person by contacting the ISP.

Since your site is Joomla, you might want to check out their security forum where they have two topics that you will want to read:

Joomla Administrator's Security Checklist

You think you're site got hacked? Read this first, please!!!
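The "keep searching" part of the problem (which other files were touched) is what step 3 above is for. The following is an added example, not code from this thread or from Joomla: it compares the site's PHP files against a known-good manifest (a clean install or a pre-hack backup) and, for each changed file, shows what follows the last closing `?>` tag, since the first post describes spam text appended to the bottom of index.php. The file contents and paths in the sample tree are constructed for the example.

```python
"""Added example (not code from the thread or from Joomla): compare a site's PHP
files against a known-good manifest and list what changed, then show what sits
after the last closing ?> tag of each modified file.  Sample file contents are
constructed."""
import hashlib
from pathlib import Path

# Constructed sample tree: relative path -> file bytes.  KNOWN_GOOD stands in for
# a manifest taken from a clean install or backup; CURRENT for the live site.
KNOWN_GOOD = {
    "index.php": b"<?php\n// Joomla front controller (constructed stub)\nrequire 'globals.php';\n?>\n",
    "forum/index.php": b"<?php\nrequire 'init.php';\n?>\n",
}
CURRENT = {
    "index.php": KNOWN_GOOD["index.php"]
    + b'<div style="display:none"><a href="http://spam.example.invalid/">buy pills</a></div>\n',
    "forum/index.php": KNOWN_GOOD["forum/index.php"],
    "forum/administrator/index.php": b"<?php\n// file that is not in the baseline at all\n?>\n",
}


def manifest(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_from_dir(root, suffix=".php"):
    """The same thing over a real directory tree (what you would run on the server)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob(f"*{suffix}")
        if p.is_file()
    }


def compare(baseline, current):
    """Return (modified, added, missing) as sorted path lists."""
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def trailing_payload(content):
    """Return whatever follows the final ?> tag, or None if nothing does.

    Templates legitimately end in HTML, so this is a pointer for review, not
    proof of compromise; the manifest comparison is what catches a change
    anywhere in a file."""
    idx = content.rfind(b"?>")
    if idx < 0:
        return None
    tail = content[idx + 2:].strip()
    return tail or None


def audit(baseline_files, current_files):
    """Combine both checks into one report: path -> description."""
    modified, added, missing = compare(manifest(baseline_files), manifest(current_files))
    report = {}
    for p in modified:
        tail = trailing_payload(current_files[p])
        report[p] = "modified; trailer after ?>: " + (tail.decode(errors="replace") if tail else "none")
    for p in added:
        report[p] = "not in baseline"
    for p in missing:
        report[p] = "missing from site"
    return report


if __name__ == "__main__":
    for path, what in audit(KNOWN_GOOD, CURRENT).items():
        print(f"{path}: {what}")
```

On a real server you would build the baseline with `manifest_from_dir()` on the clean copy and the current manifest on the live document root, then review every path the report lists, not only the ones with a visible trailer: a backdoor can sit anywhere in a file, and a file "not in baseline" deserves the same attention as a modified one.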


My sites were hacked not too long ago as well, and I too use Joomla. You will prolly get a better response from the Joomla forums, but I can tell you:

1) Make sure you update to the latest version of Joomla (1.0.11), obviously. 1.0.11 did have security holes.

2) gigCalendar did have a major security hole, and so did JoomlaXplorer, so update to the latest versions of those.

3) Make sure you update all the rest of your extensions, because that is gonna be the first thing the Joomla programmers blame it on.

4) PHP register_globals is a major security hole, and most hosting providers still have it enabled, as it is the default setting for PHP 4.x. Joomla has known vulnerabilities with register_globals on and has no plans to fix them. Ask your host if it is possible to become current by either upgrading to PHP 5 or turning register_globals off.

5) Make sure you change all your passwords for administrative access to your Joomla site. Passwords are stored as MD5 hashes and can be reversed to get your password.

Just my little bit of help since I recently went through those things with 3 of my joomla sites.
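Point 5 is worth seeing concretely. The following is an added example, not code from this thread or from Joomla: it shows why an unsalted MD5 digest can be "reversed" (nothing is inverted; a table of digests of common passwords is simply looked up), and what a per-user salt plus an iterated derivation (PBKDF2 from Python's standard library) changes. The word list and the iteration count are constructed for the example.

```python
"""Added example (not code from the thread or from Joomla): unsalted MD5 lookup
versus a salted, iterated password hash.  Word list and iteration count are
constructed for the example."""
import hashlib
import hmac
import os

# Constructed stand-in for the large precomputed tables that actually exist.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]


def md5_hex(password):
    """Unsalted MD5, the storage format the post refers to."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(stored_hash, wordlist=WORDLIST):
    """The same input always gives the same digest, so a table of digests for
    common passwords answers the question without inverting anything."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(stored_hash)


ITERATIONS = 200_000  # constructed value; tune to your hardware


def hash_password(password, salt=None):
    """Random per-user salt + slow derivation: identical passwords produce
    different records, and every guess costs ITERATIONS hash operations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(lookup_md5(md5_hex("letmein")))        # found in the table
    print(lookup_md5(md5_hex("v7#Qp!x2Lm9z")))   # None: not in the table
    rec = hash_password("letmein")
    print(rec != hash_password("letmein"), verify_password("letmein", rec))
```

Two things follow for the advice in this thread: changing the passwords matters because any MD5 record that was copied from the database is as good as plaintext for every password that appears in a table, and a longer password only helps to the extent that it is not in such a table.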


Thx chilifrei64 for your reply.

I can tell you this, matey. I moved my site to MSFN hosting 10 days ago, and before that my site was hosted on emaxhosting. The attack happened before I moved to MSFN hosting. To be honest, I hadn't noticed that my site was hacked, 'cause nothing was different except that the page was loading a bit more slowly than before, probably because of parsing all of the links and text which were added to my index.php files.

Now to reply to your questions:

1) Make sure you update to the latest version of Joomla (1.0.11), obviously. 1.0.11 did have security holes.

I had the latest version of Joomla installed (1.0.11).

2) gigCalendar did have a major security hole, and so did JoomlaXplorer, so update to the latest versions of those.

I don't have this module installed.

3) Make sure you update all the rest of your extensions, because that is gonna be the first thing the Joomla programmers blame it on.

Updated.

4) PHP register_globals is a major security hole, and most hosting providers still have it enabled, as it is the default setting for PHP 4.x. Joomla has known vulnerabilities with register_globals on and has no plans to fix them. Ask your host if it is possible to become current by either upgrading to PHP 5 or turning register_globals off.

This was the main problem I had. After updating to version 1.0.11, after every login to the Joomla admin console I got a message that I should turn register_globals off. I contacted emaxhosting and asked them kindly to help. They replied that they won't turn register_globals OFF. So, for about a month or so, my site was running with register_globals set to ON. I moved to MSFN hosting and had a warm surprise on learning that register_globals is set to OFF. So now I've done everything I can to protect myself, although I'm aware that there are a lot of smart people and hackers who can still crack my site. :(

I can only hope that I won't be a target. :no:

5) Make sure you change all your passwords for administrative access to your Joomla site. Passwords are stored as MD5 hashes and can be reversed to get your password.

Yup, I've changed all of my administrative passwords, and those passwords contain more than 10 characters now.

Since you're a Joomla user too, please add me on MSN so we can help each other and share some information regarding Joomla.

Thx


Done via HTML injection. Common exploit for forums.

That's a gross over-simplification at best. There are many ways apps get hacked. Things like SQL injection (which a TON of web apps are vulnerable to - WAY too many), cross site scripting aka XSS (on the rise), and plain stupid app design (or lack of), leading to overly insecure code (not validating user input client AND server side - query strings included and such, before doing anything with it; often they just take the unvalidated user input and concatenate that into some SQL query - the best way to get hacked; or running commands on the box). Also server software exploits (web server, host OS, database, etc), issues with the language used (like register_globals for PHP) or with any of the dependencies used by any component of an app (libs, modules, plugins, frameworks, components, etc) including the ever so common buffer overflows, other software running on the server (like the recent cPanel exploit), or a security issue with any of the previous being used by someone else on the same [shared] box - just like the phpbb bug we've seen before that let hackers hack every other site located on the same box (they often get root login to the database or box or such), or any of the previous being misconfigured for anyone on that box, improper ACLs letting hackers get access to files they should not be able to, or even upload stuff, insecure protocols (like WebDAV), weak passwords on anything or broken encryption (or none at all), which is fairly common, or key management problems, broken authentication mechanisms, session hijacking, stupid error messages (I've seen error messages saying can't connect to some_db using login X and password Y and the like), malformed XML, path traversal, leaving config pages on the server (too accessible), issues with HTTP headers (like splitting), etc. Most web app developers just don't see what's coming to them, and don't know how to protect against it (often the code is really crappy too - real hack jobs).

That list is pretty much endless. Done via "html injection"? If you say so... :rolleyes:

I wish it was that simple. Securing apps is a specialty nowadays (and it pays well). And we're disregarding things like phishing, social engineering and such here too. Most people ought to be scared... A chain is only as strong as its weakest link, and very often one of the links is very weak. The majority of websites could be hacked with some knowledge and determination.
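The "concatenate unvalidated user input into some SQL query" mistake from the post above, shown next to its fix. This is an added example, not code from this thread or from any of the applications named in it: it runs both forms of the same lookup against an in-memory SQLite table holding one constructed account row, and adds the server-side validation the post says is missing so often. The table, the row and the placeholder hash value are constructed.

```python
"""Added example (not code from the thread or from any app named in it):
string-built SQL next to a bound-parameter query, plus server-side input
validation, against an in-memory SQLite table with one constructed row."""
import re
import sqlite3


def make_db():
    """One constructed account record; the hash column holds a placeholder."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('admin', 'PLACEHOLDER-HASH')")
    con.commit()
    return con


def find_user_unsafe(con, username):
    """Input pasted into the statement text: a quote character in `username`
    ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, username):
    """Bound parameter: the driver hands the value to the engine separately,
    so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Allow-list check done on the server, regardless of what the browser did."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def handle_lookup(con, query_string_value):
    """What a request handler should do: validate first, then bind."""
    return find_user_safe(con, validate_username(query_string_value))


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"
    print(find_user_unsafe(con, probe))   # ['admin']: the condition became always-true
    print(find_user_safe(con, probe))     # []: compared as a literal string
    print(handle_lookup(con, "admin"))    # ['admin']
```

Parameter binding is what removes the injection; the allow-list is a second, independent layer that also keeps junk out of logs and error messages, which the post lists as another common leak.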


Done via HTML injection. Common exploit for forums.

Kinda a vague statement. With the exception that Joomla is a CMS and not a forum, I am assuming you are talking about the forum on the site. Common exploit in forums, yes; however, IPB is one of the most secure forums out there, and at version 2.1.7 there are no "injection vulnerabilities" for that version. Now, if at the time of the hack it was 2.1.6, there was an XSS vulnerability. This we do not know for sure. The fact that the server had php register_globals enabled is the problem. Joomla does a good job of emulating register_globals=off, but the server itself is still vulnerable.

The best you can do is always keep everything up to date, and this includes everything from web server OS patches, language patches, and web app patches (along with secure passwords and proper file permissions). If any one of them is out of date or not secure, you are completely vulnerable. That is why it is always best to do your research. Obviously Linux/Apache is a pretty secure platform. Joomla in my opinion is the best out there. And IPB and SMF (in my opinion, statistics based) are the most secure out there. He had everything but a secure host, who doesn't want to become current and move to PHP 5 or at least turn register_globals off. He obviously made the change and should be good for a while.

EDIT: after submitting this I noticed crahak posted his statement and is completely correct. Every bit of it.

Edited by chilifrei64

might have been an over-simplification, but i bet he's right.

So basically, you're saying he's possibly partially right, because that would have been used for a XSS attack (which is NOT a "html injection" hence making him wrong in the first place). That hardly makes him right...

XSS is on the rise a lot, but it's hardly certain it was used. There are TONS of other extremely popular (MUCH more common than XSS) ways to hack web apps.

You can speculate, but without logs of any kind, you're only guessing, and most likely you're totally wrong. A bit like playing lotto. The odds are very much against a single type of vulnerability. And most forum software out there does a very good job of scrubbing posts from stuff that shouldn't be there (like <script> tags and such), otherwise almost every forum out there would get hacked everyday (just how many instances of phpbb/vB/ipb are out there?) Most likely he's wrong.

If one wants to find out for sure, they look at logs, or at the very least read security bulletins for exploits for the versions of the apps being used. Saying "html injection" or "XSS" is a bit like saying someone died of cancer, without having any kind of evidence - there's that slight chance you might be right, but it very well can be anything else. No point in speculating like that. Heck, there's no way to tell right now if it was even a problem with his CMS, his forum, or any other app, plugin, module or whatever he's using (not like he's positively given us a comprehensive list) and the versions. It's a bit like your garage telling you what's wrong with your car as you book the appointment, without anyone knowing what car it is and without having looked at it - just from being told "something's wrong". Again, there's that slight chance they'll have made the right guess, but... Besides, I doubt it was a forum exploit that took his CMS down...
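On the point that forum software scrubs posts of things like `<script>` tags: here is what such a scrubber looks like when done by allow-list rather than by hunting for known-bad tags. This is an added example, not code from this thread or from any forum package (IPB, SMF, phpBB and vBulletin each have their own). It keeps a small set of tags and attributes, drops everything else, throws away the contents of script and style elements, and only keeps http(s) links. The allowed-tag set and the sample posts are constructed for the example.

```python
"""Added example (not code from the thread or from any forum package): an
allow-list HTML scrubber of the kind applied to forum posts before storage or
rendering.  Allowed-tag set and sample posts are constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that survive, each with the attributes it may keep.  Everything else goes.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # their text is never user-visible prose


def safe_href(value):
    """Only absolute http(s) links; rejects javascript:, data:, vbscript: etc."""
    return urlparse(value).scheme in ("http", "https")


class Scrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return  # unknown tag: drop the tag itself, keep its text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            while self.open_tags:  # also closes children left open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text is re-escaped on the way out

    def result(self):
        while self.open_tags:  # close anything the post left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def scrub(post_html):
    """Return the post with only allow-listed markup, well-formed."""
    s = Scrubber()
    s.feed(post_html)
    s.close()
    return s.result()


if __name__ == "__main__":
    for sample in ['<b>hi</b><script>alert(1)</script>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src=x onerror=alert(1)>',
                   '<i>unclosed']:
        print(repr(sample), "->", repr(scrub(sample)))
```

The allow-list shape is what makes this robust: a deny-list has to anticipate every tag and attribute a browser will act on, while this code only has to describe the handful a post is permitted to contain, and a parser (rather than a regex) is what keeps odd nesting and half-closed tags from producing something the browser reads differently than the scrubber did.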

Edited by crahak

quick! let's argue about something neither of us know a thing about!

Uh, what are you assuming I know nothing about exactly? (Your point is not clear at all.) I am not exactly a n00b at securing apps.

I have no idea what you're trying to say here. You basically said he must be right, because he assumed it was a specific type of attack, which is almost as likely as picking the winning lottery numbers. But you're asking what else his "html injection" can mean? :blink: It's totally irrelevant. We're not discussing what "html injection" means here, but rather the "i bet he's right" part. There is just no reason to believe he's right; it very well could have been - and likely was - one of the other ways.
