Old 12-24-2008, 03:20 PM   #1
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,228
Blog Entries: 5

Rep: Reputation: 189
joomla website compromised ?


So I went to my hosted joomla site today

I was unable to log into my website because either I have forgotten my password ( I don't believe this is the case) or it was somehow changed. The password for the coppermine admin was unchanged.
I was able to retrieve my joomla password and reset it so I can login to the admin portion of the site


The next weird item is that noscript is showing a script being blocked.
I clicked the no-script icon and it says a script from sacaschool.com is currently blocked.

This is not a script I put on the site,
I do not know anything about the site sacaschool.com
This does not appear to be a script that is related to joomla.
GoDaddy says they do not run scripts on Paid Hosting.

A couple quick queries and google searches haven't shown me anything security related for sacaschool.com

I'm trying to figure out how to see where this script is being included at, and view it to see what it is.. Could anyone suggest how I could do this? I installed the JSView plugin in Firefox on a separate machine, but it didn't seem to help me.

All the scripts I see look like part of joomla, even when I enable scripts from sacaschool.com.

I'm off to look for Joomla security notifications to see if there's something unpatched..


The website I run is located at http://www.argconline.org It's a simple site I put together for my gun club.. please beware that I do NOT know what that other script is or does if you decide to look at the site.

Would welcome any suggestions.

Thanks
 
Old 12-24-2008, 06:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897
Below the closing HTML tag of the page a Javascript is embedded. Decoding it using "document.write(escape(r))" instead of "document.write(r)" leads to an Iframe being set up for exactly the site you mentioned. One could (or should) regard about any PHP-based app as unsafe and vulnerable by default. Where the injection took place I don't know. Could be tacked onto an output module or something. This checklist should get you started: http://forum.joomla.org/viewtopic.php?t=54006, else|also see http://docs.joomla.org/Category:Security_Checklist.
 
Old 12-24-2008, 06:05 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
I went to the site with noscript and saw nothing that was triggered or blocked.
 
Old 12-24-2008, 06:19 PM   #4
Chris H
Member
 
Registered: Aug 2003
Location: Farnborough, UK
Distribution: Zenwalk
Posts: 288

Rep: Reputation: 30
View the source code after the </html>.

Looks decidedly dodgy!
 
Old 12-24-2008, 10:05 PM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by Chris H
View the source code after the </html>.

Looks decidedly dodgy!
Actually, I'm just as curious as to why this didn't trigger my noscript. I'm using Google Chrome now but when I initially went to the page (right before unspawn posted), I used FF with the noscript plugin...I got no alert whatsoever. Isn't this type of stuff supposed to trigger noscript (like how it happened with the OP)?
 
Old 12-25-2008, 04:33 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897
Quote:
Originally Posted by unSpawn
Iframe
Not that it matters much wrt finding out the infection vector but as indication the following engines detected the resultant Javascript as:
AntiVir: HTML/Crypted.Gen
AVG: JS/Downloader.Agent
ClamAV: HTML.Agent-19
CPsecure: Troj.Exploit.HTML.Agent.C
Dr.Web: VBS.PackFor
Sophos: Mal/ObfJS-A
VirusBuster: JS.Agent.B
* Of course commercial AV companies' naming schemes themselves are meant to obfuscate what is important, their engines tripping on anything that smells like money to them.


Quote:
Originally Posted by unixfool
I'm just as curious as to why this didn't trigger my noscript.
(Being careful not to hijack this thread) we don't know your Chrome/FF/plugin versions/configuration/settings. If you think it's a NoScript flaw you might want to get on their mailing list for confirmation?
 
Old 12-26-2008, 01:26 AM   #7
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,228
Blog Entries: 5

Original Poster
Rep: Reputation: 189
Thanks for the assist..

Searching for the source now, and having a bear of a time locating it in the code of the site.. I would like to find out where that is being inserted at.

I see in my hosting control panel a failed update to Joomla. I'm guessing there was a security update that never got applied because I moved Joomla from a subfolder to the root of the host so it would load automatically without a redirect.. Doesn't seem to be any way to tell their system where the application is installed at. Guess that's what I get for taking the easy way out and doing the one click install instead of doing it myself.

The site is currently 1.5.1 I believe, and GoDaddy is currently hosting 1.5.8. My site never successfully received the update..

I'm waiting to hear back from GoDaddy's security team, and trying to figure out when I made my last backup.. if ever...
 
Old 12-26-2008, 01:30 AM   #8
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,228
Blog Entries: 5

Original Poster
Rep: Reputation: 189
Update..

Quote:
Dear Sir/Madam,

Thank you for contacting Advanced Hosting Support.

We have identified and deleted known malicious files on the Shared Hosting account for argconline.org. These files appear to date back to 11/15/2008. It appears the account is running a vulnerable version of Joomla, which was used by an attacker to upload malicious files to our server and compromise your admin panel. You will need to ensure that your Joomla installation has the latest updates (version 1.5.6 or later) to prevent future compromises.

Please note that uploading infected content is against our Terms of Service and future compromises may result in account suspension. In addition, we strongly suggest that you remove all content from the account and upload a fresh copy. This will ensure that no malicious files were overlooked and prevent future issues.

Please contact us if you have any further issues.

Krista J.
Hosting Support
Yet after clearing my browser cache, and the website cache I'm still seeing this content.. Hrm..

Got to love how they make it sound as if I uploaded that content..

Going to flush and try again.

Last edited by farslayer; 12-26-2008 at 01:32 AM.
 
Old 12-27-2008, 02:08 PM   #9
geek745
Member
 
Registered: Jul 2004
Location: Boston, MA
Distribution: Slackware; Ubuntu; Slax
Posts: 172
Blog Entries: 2

Rep: Reputation: 33
Fix and precautions for next time

To appear after </html>, the code must be in your template file. Go into Administrator and find out which template you are using (if you don't already know) - that's in Extensions > Template Manager, the one with the star.

Then FTP to the site, and edit index.php in /templates/your_template/ - you will find the code there after </html> at the end of the file.

I recently had my index.php replaced by an attack - you should read these articles about Joomla security and refer to the security page:
http://developer.joomla.org/security...checklist.html
http://developer.joomla.org/security...njections.html
http://developer.joomla.org/security.html

In these attacks, they often reset your admin password as well - you should change your admin password, maybe change the username so that a user named "admin" does not exist, and change the FTP password if it is stored in your /configuration.php file. Anyway, if you follow the stuff on the checklist I linked above you should be safe. If you have a recent backup of the site, I would diff that and the current site to make sure there are no more rogue scripts lying around - the slightest wrong byte could kill you.
 
Old 12-27-2008, 09:29 PM   #10
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Check your templates and modules. These are the two most common locations that I've seen to hide content. You've definitely got something being appended to your page.
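The check the last three posts describe (look for anything appended after </html> in template and module files) combined with unSpawn's trick from post #2 (inspect the decoded string instead of executing it), as an added example that is not part of the thread and not Joomla's own code. The directory names follow the posters' description of the Joomla layout, and the two sample footers are constructed for the demo.

```python
"""Find content appended after </html> in Joomla template/module files.

Added example, not code from the thread or the Joomla project. It assumes
the layout the posters describe (templates/<name>/index.php, modules/) and
reports any non-whitespace trailing bytes, plus suspicious markers found in
the raw tail and in its percent-decoded form.
"""
import os
import re
from urllib.parse import unquote

MARKERS = re.compile(r"<script|<iframe|document\.write|unescape\(", re.I)

# Constructed samples: a clean template footer and one with an appended script.
SAMPLE_CLEAN = "<html><body>site</body></html>\n"
SAMPLE_INJECTED = SAMPLE_CLEAN + (
    "<script>document.write(unescape('%3Ciframe%20src%3Dhttp%3A//example.invalid%3E'))</script>\n"
)


def trailing_after_html(text):
    """Return whatever follows the last </html> tag, stripped ('' if none)."""
    idx = text.lower().rfind("</html>")
    return "" if idx < 0 else text[idx + len("</html>"):].strip()


def inspect_text(text, path="<memory>"):
    """Describe a trailing chunk, or return None when the file is clean."""
    tail = trailing_after_html(text)
    if not tail:
        return None
    found = set(m.lower() for m in MARKERS.findall(tail))
    found.update(m.lower() for m in MARKERS.findall(unquote(tail)))  # decoded view
    return {"path": path, "tail_bytes": len(tail), "markers": sorted(found)}


def scan_site(root, subdirs=("templates", "modules")):
    """Walk the directories where appended code is usually hidden."""
    findings = []
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if name.endswith((".php", ".html", ".htm")):
                    path = os.path.join(dirpath, name)
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hit = inspect_text(fh.read(), path)
                    if hit:
                        findings.append(hit)
    return findings


if __name__ == "__main__":
    import sys
    for hit in scan_site(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against a local copy of the site root; a hit lists the file, how many bytes follow </html>, and which markers appeared in the raw or decoded tail.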
 
Old 12-28-2008, 11:33 PM   #11
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,228
Blog Entries: 5

Original Poster
Rep: Reputation: 189
Thank you all very much.

unSpawn for pointing out where the script was.

geek745 hitting me with the clue-bat and pointing at the file in the templates directory.
Direct hit, btw. index.php in the templates directory had the script appended to it. It was simple to edit the file and upload it back to the site.

Apparently when I thought I had downloaded the entire site, the template directories did not download to my machine for whatever reason, so when I was searching locally I wasn't getting any hits on my search string.

No-Script is no longer being triggered when I go to the site, so that's all good. I guess I should look at a wipe and reload (with a current version) to ensure it's clean, but I had really wanted to locate where this was first.

Thanks a ton !!
 
Old 12-29-2008, 02:52 PM   #12
geek745
Member
 
Registered: Jul 2004
Location: Boston, MA
Distribution: Slackware; Ubuntu; Slax
Posts: 172
Blog Entries: 2

Rep: Reputation: 33
Yeah - I use Google Reader and subscribed to the RSS feed from the Joomla page so I know right away when there's an update and I can update all my clients. Can't get trapped by that one again.
 
Old 12-29-2008, 03:04 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897
Nice to see you got things sorted out. Let us know what you put in place to avoid this and have early warnings?
 
Old 12-29-2008, 07:44 PM   #14
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119
One very useful technique that can stop many "kiddies" and compromises is ... avail yourself of Unix file/directory permissions on the server!

Make very sure that all of the directories, and all of the files in those directories, which represent "the CMS or any portion thereof," are read-only to the user that is running the Apache server. Consider removing the "r" bit from directories so that Apache can find files if it knows the name, but cannot scan the list of files.

Most of the components of the system "should never be modified during use," therefore do not allow them to be modified. (Even setting them so that they are read-only to you is reasonable, since as the file's owner you can always change that setting.)

Finally, keep a separate backup directory at your hosting-account, not accessible to the web-server, in which you keep "known-good copies." Lock-down those directories so that they are accessible only to you.

This will not stop every compromise, of course, but always remember that web-crooks are generally "lazy opportunists." They write scripts to probe web-sites by the tens of thousands, attempting known vulnerabilities in hopes of detecting laziness or ignorance. (And I mean no offense in saying that!!) It's like the proverbial cat-burglar who "broke in" to homes by carrying a pizza-box and trying the front door... which was very often unlocked.

Crooks know that most CMSes are run in "vanilla" configurations by people who barely know how to install them. The database userIDs used by those systems are "all-powerful" for no good reason whatsoever. There are no backups of anything. The odds are therefore excellent that fully-automatic compromises will succeed, thousands of times. But if your door is "merely locked," they're not going to wiggle the doorknob twice.
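One way to audit the permissions the post above recommends, as an added example (not the poster's code): it assumes a POSIX host where your account owns the CMS tree and the web server runs under a different uid/gid that you pass in, and it builds a constructed two-file tree to show a hit.

```python
"""Audit a CMS tree for files the web-server identity could still modify.

Added example, not from the thread. Assumes a POSIX host where your account
owns the files and Apache runs as a separate uid/gid (passed in by the caller).
"""
import os
import stat
import tempfile


def writable_by(mode, owner_uid, owner_gid, uid, gid):
    """Could a process running as uid/gid write this file (or chmod it)?"""
    if owner_uid == uid:
        return True  # the owner can always chmod it writable again, even at 0555
    if owner_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(root, web_uid, web_gid):
    """Return relative paths (files and directories) the web server could alter."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own entry
            if writable_by(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample: a read-only template plus a world-writable cache file."""
    root = tempfile.mkdtemp(prefix="cms-audit-")
    for rel, mode in (("templates/t/index.php", 0o444), ("cache/tmp.php", 0o666)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            os.chmod(os.path.join(dirpath, d), 0o755)  # pin dir modes regardless of umask
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # A uid/gid that owns nothing in the tree: only world-writable entries show up.
    print(audit_tree(demo, web_uid=os.getuid() + 1, web_gid=os.getgid() + 1))
```

Note the owner rule: a 555 file is still changeable by its owner, so if PHP runs as the account that owns the files, read-only bits alone do not protect them.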
 
Old 12-29-2008, 10:45 PM   #15
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,228
Blog Entries: 5

Original Poster
Rep: Reputation: 189
I did look at the permissions of the file that was modified.. 555 r-xr-xr-x index.php
I'm still not sure how they altered that file..

Getting on the notification list for Joomla sounds like a good idea..

I'm really surprised that GoDaddy doesn't notify you when a 'one click' hosted application has an update available. One click apps are just that, a single click and GoDaddy installs the application on your hosted domain (Joomla, WordPress, Xoops, Drupal, etc.. etc.. ). They also provide updates in a similar fashion, but it doesn't automatically email you notification of the availability of those updates.
 