|
joomla website compromised ?
So I went to my hosted joomla site today
I was unable to log into my website because either I have forgotten my password ( I don't believe this is the case) or it was somehow changed. The password for the coppermine admin was unchanged. I was able to retrieve my joomla password and reset it so I can login to the admin portion of the site The next weird item is that noscript is showing a script being blocked. I clicked the no-script icon and it says a script from sacaschool.com is currently blocked. This is not a script I put on the site, I do not know anything about the site sacaschool.com This does not appear to be a script that is related to joomla. GoDaddy says they do not run scripts on Paid Hosting. A couple quick queries and google searches haven't shown me anything security related for sacaschool.com I'm trying to figure out how to see where this script is being included at, and view it to see what it is.. Could anyone suggest how I could do this ? I installed the jswiew plugin in firefox on a seperate machine, but it didn't seem to help me. All the scripts I see look like part of joomla, even when I enable scripts from sacaschool.com. I'm off to look for joomla security notifications to see if theres something unpatched.. The website I run is located at http://www.argconline.org It's a simple site I put together for my gun club.. please beware that I do NOT know what that other script is or does if you decide to look at the site. Would welcome any suggestions. Thanks |
Below the end HTML tag of the page is a Javascript embedded. Decoding it using "document.write(escape(r))" instead of "document.write(r)" leads to an Iframe being set up for exactly the site you mentioned. One could (or should) regard about any PHP-based app as unsafe and vulnerable by default. Where the injection took place I don't know. Could be tacked onto an output module or something. This checklist to get you started: http://forum.joomla.org/viewtopic.php?t=54006, else|also see http://docs.joomla.org/Category:Security_Checklist.
|
I went to the site with noscript and saw nothing that was triggered or blocked.
|
View the source code after the </html>.
Looks decidedly dodgy! |
Quote:
|
Quote:
AntiVir: HTML/Crypted.Gen AVG: JS/Downloader.Agent ClamAV: HTML.Agent-19 CPsecure: Troj.Exploit.HTML.Agent.C Dr.Web: VBS.PackFor Sophos: Mal/ObfJS-A VirusBuster: JS.Agent.B * Ofcourse commercial AV companies naming schemes themselves are meant to obfuscate what is important, their engines tripping on anything that smells like money to them. Quote:
|
Thanks for the assist..
Searching for the source now. and having a bear of a time locating it in the code of the site.. I would like to find out where that is being inserted at. I see in my hosting control panel a failed update to Joomla, I'm guessing there was a security update that never got applied because I moved joomla from a subfolder to the root of the host so it would load automatically without a redirect.. Doesn't seem to be any way to tell their system where the application is installed at. Guess that's what I get for taking the easy way out and doing the one click install instead of doing it myself. The site is currently 1.5.1 I believe and godaddy is currently hosting 1.5.8 My site never successfully received the update.. I'm waiting to hear back form Godaddys security team, and trying to figure out when I made my last backup.. if ever... |
Update..
Quote:
Got to love how they make it sound as if I uploaded that content.. Going to flush and try again. |
Fix and precautions for next time
to appear after </html> the code must be in your template file. Go into Administrator and find out which template you are using (if you don't already know) - that's in Extensions > Template Manager, the one with the star.
Then FTP to the site, and edit index.php in /templates/your_template/ - you will find the code there after </html> at the end of the file. I recently had my index.php replaced by an attack - you should read these articles about Joomla security and refer to the security page: http://developer.joomla.org/security...checklist.html http://developer.joomla.org/security...njections.html http://developer.joomla.org/security.html In these attacks, they often reset your admin password as well - you should change your admin password, maybe change the username so that a user named "admin" does not exist, and change the FTP password if it is stored in your /configuration.php file. Anyway, if you follow the stuff on the checklist I linked above you should be safe. If you have a recent backup of the site, I would diff that and the current site to make sure there are no more rogue scripts lying around - the slightest wrong byte could kill you. |
Check your templates and modules. These are the two most common locations that I've seen to hide content. You've definitely got something being appended to your page.
|
Thank you all very much.
unSpawn for pointing out where the script was. geek745 hitting me with the clue-bat and pointing at the file in the templates directory. Direct Hit btw. index.php in the templates directory had the script appended to it. was simple to edit the file and upload it back to the site. Apparently when I thought I had downloaded the entire site, the template directories did not download to my machine for whatever reason, so when I was searching locally I wasn't getting any hits on my search string. No-Script is no longer being triggered when I go to the site, so that's all good. I guess I should look at a wipe and reload (with a current version) to ensure it's clean, but I had really wanted to locate where this was first. Thanks a ton !! |
Yeah - I use Google Reader and subscribed to the RSS feed from the Joomla page so I know right away when there's an update and I can update all my clients. Can't get trapped by that one again.
|
Nice to see you got things sorted out. Let us know what you put in place to avoid this and have early warnings?
|
One very useful technique that can stop many "kiddies" and compromises is ... avail yourself of Unix file/directory permissions on the server!
Make very sure that all of the directories, and all of the files in those directories, which represent "the CMS or any portion thereof," are read-only to the user that is running the Apache server. Consider removing the "r" bit from directories so that Apache can find files if it knows the name, but cannot scan the list of files. Most of the components of the system "should never be modified during use," therefore do not allow them to be modified. (Even setting them so that they are read-only to you is reasonable, since as the file's owner you can always change that setting.) Finally, keep a separate backup directory at your hosting-account, not accessible to the web-server, in which you keep "known-good copies." Lock-down those directories so that they are accessible only to you. This will not stop every compromise, of course, but always remember that web-crooks are generally "lazy opportunists." They write scripts to probe web-sites by the tens of thousands, attempting known vulnerabilities in hopes of detecting laziness or ignorance. (And I mean no offense in saying that!!) It's like the proverbial cat-burglar who "broke in" to homes by carrying a pizza-box and trying the front door... which was very often unlocked. Crooks know that most CMSes are run in "vanilla" configurations by people who barely know how to install them. The database userIDs used by those systems are "all-powerful" for no good reason whatsoever. There are no backups of anything. The odds are therefore excellent that fully-automatic compromises will succeed, thousands of times. But if your door is "merely locked," they're not going to wiggle the doorknob twice. |
I did look at the permissions of the file that was modified.. 555 r-xr-xr-x index.php
I'm still not sure how they altered that file.. Getting on the notification list for Joomla sounds like a good idea.. I'm really surprised that Godaddy doesn't notify you when a 'one click' hosted application has an update available. One click apps are just that, a single click and Godaddy installs the application on your hosted domain (Joomla, wordpress, Xoops, Drupal, etc.. etc.. ). they also provide updates in a similar fashion, but it doesn't automatically email you notification of the availability of those updates. |
| All times are GMT -5. The time now is 03:23 PM. |