Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I was unable to log into my website because either I have forgotten my password (I don't believe this is the case) or it was somehow changed. The password for the Coppermine admin was unchanged.
I was able to retrieve my Joomla password and reset it, so I can log in to the admin portion of the site.
The next weird item is that NoScript is showing a script being blocked.
I clicked the NoScript icon and it says a script from sacaschool.com is currently blocked.
This is not a script I put on the site.
I do not know anything about the site sacaschool.com.
This does not appear to be a script that is related to Joomla.
GoDaddy says they do not run scripts on paid hosting.
A couple of quick queries and Google searches haven't shown me anything security-related for sacaschool.com.
I'm trying to figure out how to see where this script is being included, and view it to see what it is. Could anyone suggest how I could do this? I installed the JSView plugin in Firefox on a separate machine, but it didn't seem to help me.
All the scripts I see look like part of Joomla, even when I enable scripts from sacaschool.com.
I'm off to look for Joomla security notifications to see if there's something unpatched.
The website I run is located at http://www.argconline.org. It's a simple site I put together for my gun club. Please be aware that I do NOT know what that other script is or does, if you decide to look at the site.
Actually, I'm just as curious as to why this didn't trigger my NoScript. I'm using Google Chrome now, but when I initially went to the page (right before unspawn posted) I used FF with the NoScript plugin... I got no alert whatsoever. Isn't this type of stuff supposed to trigger NoScript (like it did for the OP)?
* Of course commercial AV companies' naming schemes themselves are meant to obfuscate what is important, their engines tripping on anything that smells like money to them.
Originally Posted by unixfool
I'm just as curious as to why this didn't trigger my noscript.
(Being careful not to hijack this thread) we don't know your Chrome/FF/plugin versions/configuration/settings. If you think it's a NoScript flaw you might want to get on their mailing list for confirmation?
Searching for the source now, and having a bear of a time locating it in the code of the site. I would like to find out where that is being inserted.
I see in my hosting control panel a failed update to Joomla. I'm guessing there was a security update that never got applied because I moved Joomla from a subfolder to the root of the host so it would load automatically without a redirect. There doesn't seem to be any way to tell their system where the application is installed. Guess that's what I get for taking the easy way out and doing the one-click install instead of doing it myself.
The site is currently 1.5.1, I believe, and GoDaddy is currently hosting 1.5.8. My site never successfully received the update.
I'm waiting to hear back from GoDaddy's security team, and trying to figure out when I made my last backup... if ever...
Thank you for contacting Advanced Hosting Support.
We have identified and deleted known malicious files on the Shared Hosting account for argconline.org. These files appear to date back to 11/15/2008. It appears the account is running a vulnerable version of Joomla, which was used by an attacker to upload malicious files to our server and compromise your admin panel. You will need to ensure that your Joomla installation has the latest updates (version 1.5.6 or later) to prevent future compromises.
Please note that uploading infected content is against our Terms of Service and future compromises may result in account suspension. In addition, we strongly suggest that you remove all content from the account and upload a fresh copy. This will ensure that no malicious files were overlooked and prevent future issues.
Please contact us if you have any further issues.
Yet after clearing my browser cache and the website cache, I'm still seeing this content. Hrm...
Got to love how they make it sound as if I uploaded that content.
To appear after </html>, the code must be in your template file. Go into Administrator and find out which template you are using (if you don't already know) - that's in Extensions > Template Manager, the one with the star.
Then FTP to the site and edit index.php in /templates/your_template/ - you will find the code there after </html> at the end of the file.
In these attacks they often reset your admin password as well - you should change your admin password, maybe change the username so that a user named "admin" does not exist, and change the FTP password if it is stored in your /configuration.php file. Anyway, if you follow the stuff on the checklist I linked above you should be safe. If you have a recent backup of the site, I would diff that against the current site to make sure there are no more rogue scripts lying around - the slightest wrong byte could kill you.
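An added example, not code from the thread, of the two checks described in this reply: a POSIX shell script that lists every template file carrying content after </html> and, when a known-good backup exists, which files differ from it. It builds its own constructed sample tree; the template name, paths and the script URL are placeholders.

```shell
#!/bin/sh
# Constructed example: list template files carrying code after </html>, and
# compare the live site against a known-good backup. Paths are placeholders.

# Print whatever follows the last </html> in FILE (case-insensitive); nothing for a clean file.
after_html() {
  awk '{
      p = index(tolower($0), "</html>")
      if (p > 0) { seen = 1; buf = ""; rest = substr($0, p + 7)
                   if (rest ~ /[^ \t\r]/) buf = rest "\n"; next }
      if (seen) buf = buf $0 "\n"
    }
    END { printf "%s", buf }' "$1"
}

# List every .php/.html file under DIR with non-whitespace content after </html>.
scan_trailing() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' \) | sort | while read -r f; do
    if [ -n "$(after_html "$f" | tr -d '[:space:]')" ]; then echo "$f"; fi
  done
}

# Files that differ between a known-good backup and the live tree
# (diff -rq exits 1 when differences exist, which is not an error here).
changed_files() {
  diff -rq "$1" "$2" | sed -n 's/^Files \(.*\) and \(.*\) differ$/\2/p' || true
}

# Constructed sample: a backup and a live copy in which templates/your_template/index.php
# has a script tag appended after </html>. The URL is a placeholder, not a real payload.
make_tampered_site() {
  d=$(mktemp -d)
  mkdir -p "$d/backup/templates/your_template" "$d/live/templates/your_template"
  printf '<?php defined("_JEXEC") or die; ?>\n<html><body>site</body></html>\n' \
    > "$d/backup/templates/your_template/index.php"
  cp "$d/backup/templates/your_template/index.php" "$d/live/templates/your_template/index.php"
  printf '<script src="http://malicious.example/x.js"></script>\n' \
    >> "$d/live/templates/your_template/index.php"
  printf '<html><body>ok</body></html>\n' > "$d/live/templates/your_template/clean.html"
  echo "$d"
}

SAMPLE=$(make_tampered_site)
echo "Files with content after </html>:"; scan_trailing "$SAMPLE/live"
echo "Files changed since backup:"; changed_files "$SAMPLE/backup" "$SAMPLE/live"
```

Run it against the real tree with scan_trailing /path/to/site/templates and changed_files /path/to/backup /path/to/site; a hit in after_html shows the appended code verbatim.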
geek745 hit me with the clue-bat and pointed at the file in the templates directory.
Direct hit, btw. index.php in the templates directory had the script appended to it. It was simple to edit the file and upload it back to the site.
Apparently, when I thought I had downloaded the entire site, the template directories did not download to my machine for whatever reason, so when I was searching locally I wasn't getting any hits on my search string.
NoScript is no longer being triggered when I go to the site, so that's all good. I guess I should look at a wipe and reload (with a current version) to ensure it's clean, but I had really wanted to locate where this was first.
One very useful technique that can stop many "kiddies" and compromises is ... avail yourself of Unix file/directory permissions on the server!
Make very sure that all of the directories, and all of the files in those directories, which represent "the CMS or any portion thereof," are read-only to the user that is running the Apache server. Consider removing the "r" bit from directories so that Apache can find files if it knows the name, but cannot scan the list of files.
Most of the components of the system "should never be modified during use," therefore do not allow them to be modified. (Even setting them so that they are read-only to you is reasonable, since as the file's owner you can always change that setting.)
Finally, keep a separate backup directory at your hosting-account, not accessible to the web-server, in which you keep "known-good copies." Lock-down those directories so that they are accessible only to you.
This will not stop every compromise, of course, but always remember that web-crooks are generally "lazy opportunists." They write scripts to probe web-sites by the tens of thousands, attempting known vulnerabilities in hopes of detecting laziness or ignorance. (And I mean no offense in saying that!!) It's like the proverbial cat-burglar who "broke in" to homes by carrying a pizza-box and trying the front door... which was very often unlocked.
Crooks know that most CMSes are run in "vanilla" configurations by people who barely know how to install them. The database userIDs used by those systems are "all-powerful" for no good reason whatsoever. There are no backups of anything. The odds are therefore excellent that fully-automatic compromises will succeed, thousands of times. But if your door is "merely locked," they're not going to wiggle the doorknob twice.
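As an added illustration of this advice, not part of the original post, the following POSIX shell script audits a CMS tree for files the web-server identity could still modify and applies the read-only layout described above (files 444, directories traversable but not listable). The sample tree and the web user/group (the current user here) are placeholders.

```shell
#!/bin/sh
# Constructed example: audit a CMS tree for files the web-server identity could
# modify, then apply the read-only layout described above. ROOT, WEBUSER and
# WEBGROUP are placeholders; the demo uses the current user and group.

# Files the web-server user owns outright. Mode bits are no barrier for these:
# the owner, and so any PHP running as that user, can chmod them writable again.
owned_by_web_user() {  # usage: owned_by_web_user ROOT WEBUSER
  find "$1" -type f -user "$2" | sort
}

# Files the web-server group, or anyone at all, can write to (octal masks for portability).
writable_by_web_group() {  # usage: writable_by_web_group ROOT WEBGROUP
  find "$1" -type f \( \( -group "$2" -perm -020 \) -o -perm -002 \) | sort
}

# Directories that "other" can read, i.e. that Apache could enumerate.
listable_dirs() {  # usage: listable_dirs ROOT
  find "$1" -type d -perm -004 | sort
}

# Read-only for everyone, owner included (444 on files); directories keep only the
# x bit for group/other (711), so a file still opens by name but cannot be listed.
lock_down() {  # usage: lock_down ROOT
  find "$1" -type d -exec chmod u=rwx,go=x {} +
  find "$1" -type f -exec chmod a=r {} +
}

# Constructed sample: a template file with sane permissions plus a world-writable
# upload file in a world-readable directory, as a careless install might leave them.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/templates/your_template" "$d/images"
  printf '<html></html>\n' > "$d/templates/your_template/index.php"
  printf 'x\n' > "$d/images/upload.txt"
  chmod 644 "$d/templates/your_template/index.php"
  chmod 666 "$d/images/upload.txt"; chmod 755 "$d/images"
  echo "$d"
}

SITE=$(make_sample_tree)
echo "writable before:"; writable_by_web_group "$SITE" "$(id -gn)"
echo "listable before:"; listable_dirs "$SITE"
lock_down "$SITE"
echo "writable after:";  writable_by_web_group "$SITE" "$(id -gn)"
echo "listable after:";  listable_dirs "$SITE"
echo "owned by $(id -un) regardless of mode:"; owned_by_web_user "$SITE" "$(id -un)"
```

The last report is the caveat from the text: on shared hosting where PHP runs as the account owner, every file stays in that list after lock_down, so the permission bits alone do not protect it.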
I did look at the permissions of the file that was modified: 555 (r-xr-xr-x) index.php.
I'm still not sure how they altered that file.
Getting on the notification list for Joomla sounds like a good idea.
I'm really surprised that GoDaddy doesn't notify you when a 'one click' hosted application has an update available. One-click apps are just that: a single click and GoDaddy installs the application on your hosted domain (Joomla, WordPress, Xoops, Drupal, etc.). They also provide updates in a similar fashion, but it doesn't automatically email you notification of the availability of those updates.