
Heads Up - Hack Attacked

    • Mack
    • Elite Rocketeer
    • Posts: 535
    • Thanks: 0

    Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Still going over logs trying to figure this one out. Site is "secure" at first glance, no permission/file issues. ISP and I scratching our heads, taking a break trying to figure this one out. Just thought I'd give you guys a heads up. Have no idea if this is J related or not.

      Found a 60k PHP file in the public directory. Ran it, nasty looking hacker tool. Could execute commands and read files, would run almost any Unix command. Rooting around the site, found the same file named help.php in the /media directory. By timestamp, it was 2 minutes newer than the one found in the root. (No way pub could have written to the dir)

      So we think that's how it landed. Still no idea how it got to the site's main directory. Will update when I find more. Just thought I'd pass it on. Check for a 62,779 .php file.

      <edit> forgot to add, it's the c99Shell script
    • Last Edit: 17 years 9 months ago by Mack.
  • Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • I ran into the same file (help.php) in the media folder this morning. I had some other files I can't remember offhand right now that did not belong. That the site was hacked was not a surprise, though. I had been putting off updating my events calendar and I am almost certain that is what they used to break the site... lol

      So I wiped it clean and re-installed my back-up and got rid of events calendar and my site is back up. Just a pain in the butt, so lesson learned from me to start taking security more seriously if I don't want to be constantly re-doing my site... :'(

      Thanks for the post Mack.

      Mike
    • Bob Ateah
    • Elite Rocketeer
    • Posts: 4521
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Clean here, thank goodness (whew).

      If you find the weak link where the "hackers" got in, please post it!

      Cheers!
    • The member formerly known as Roland Deschain
      After your question is solved, please Edit your original post and choose the Solved message icon, thank you!
    • Mack
    • Elite Rocketeer
    • Posts: 535
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Update: Check any of your extensions that allow files to be uploaded to your site, and the directories they upload to. The file they uploaded has a "signature" that makes it appear as a .gif file. So if you have allowed uploads, be sure to review the security there.

      Another point, when giving front-end users access to WYSIWYG editors, remember they can upload files through some of them and put anything on your server. Some even let you browse all the directories.

      This has been a learning experience for me, hope you get something out of it and keep it from happening to you. We ran this exploit on a test server and it's nasty. I'm going to go search Godaddy and see if al-lhackers-must-die.com is already taken.
    • Last Edit: 17 years 9 months ago by Mack.
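
The check Mack describes above (review upload directories for files whose "signature" looks like a .gif but which carry PHP), as an added example that is not part of the original thread. The function names, the extension list and the `<?php` substring heuristic are assumptions of this sketch; with no argument it scans a small constructed sample.

```python
import os
import sys
import tempfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")  # the two standard GIF file signatures
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}  # assumed list
MAX_READ = 2 * 1024 * 1024  # read at most 2 MiB per file

def classify(name, data):
    """Return a reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(name)[1].lower()
    has_gif = data.startswith(GIF_MAGIC)
    has_php = b"<?php" in data.lower()  # heuristic: open tag anywhere in the file
    if ext in SCRIPT_EXTS:
        # Upload and media directories should not hold server-side scripts at all.
        return "script with GIF header" if has_gif else "script in upload directory"
    if has_php:
        return "PHP code in non-script file"
    return None

def scan_uploads(root):
    """Walk an upload directory; return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip it
            reason = classify(name, data)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        # Constructed sample files, harmless placeholders only.
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "help.php"), "wb") as fh:
            fh.write(b"GIF89a<?php /* placeholder */ ?>")
        with open(os.path.join(root, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a\x01\x00\x01\x00\x80\x00\x00")
    for rel, reason in scan_uploads(root):
        print(f"{rel}: {reason}")
```

Run it against each directory your upload-capable extensions write to; anything it reports in a media or image folder deserves a manual look.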
    • Bob Ateah
    • Elite Rocketeer
    • Posts: 4521
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Mack wrote:
      I'm going to go search Godaddy and see if al-lblackhathackers-must-die.com is already taken.

      Fixed that for 'ya! ;)

      Good job rectifying the problem and keeping us updated!
    • The member formerly known as Roland Deschain
      After your question is solved, please Edit your original post and choose the Solved message icon, thank you!
    • Caltucker
    • Sr. Rocketeer
    • Posts: 159
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Mack wrote:
      Another point, when giving front-end users access to WYSIWYG editors, remember they can upload files through some of them and put anything on your server. Some even let you browse all the directories.

      Do you recommend a WYSIWYG editor? I allow my users (note: they must be registered by invite only) to use the JC Editor, but I just noticed it has picture uploading capabilities...
    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Caltucker wrote:
      Do you recommend a WYSIWYG editor? I allow my users (note: they must be registered by invite only) to use the JC Editor, but I just noticed it has picture uploading capabilities...

      You can specify in your admin panel (Components > JCE Admin > JCE plugins) which plugins are shown.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
  • Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • Does anyone have any suggestions for persons who could look at my site and do a security review (which I would pay for)?

      I have tried to go through the Security suggestions on Joomla.org and it seems that when I try to implement fixes it takes my site down.

      Basically because I have no idea what I am doing. I can follow directions but not deal with unexpected issues. I think my site may be pretty vulnerable so I think I should have some knowledgeable person take a look.

      Any takers???
    • Carl Johnson

      “An investment in knowledge always pays the best interest.”
      -Benjamin Franklin
    • Caltucker
    • Sr. Rocketeer
    • Posts: 159
    • Thanks: 0

    Re: Heads Up - Hack Attacked

    Posted 17 years 9 months ago
    • I would also be interested. I have no idea how to test a site for vulnerability.
