Major security issue?

netwise

The Ad Agency installation (v6.0.21) we are running on a client website is being hacked. Someone is creating thousands of fake campaigns like these (DB dump):

'29801','0','otfvtpgt','','Y','2020-02-26 17:32:40','fr','0','2030-02-26 17:32:40','0.00','9','P','1','0','58e16dc760ca166c476403499ff5c59b','a:1:{s:6:\"adslim\";i:10;}','0','','0','0'
'29800','0','otfvtpgt','','Y','2020-02-26 17:32:40','fr','0','2030-02-26 17:32:40','0.00','9','P','1','0','5acdc9ca5d99ae66afdfe1eea0e3b26b','a:1:{s:6:\"adslim\";i:10;}','0','','0','0'
'29799','0','otfvtpgt','','Y','2020-02-26 17:32:40','fr','0','2030-02-26 17:32:40','0.00','9','P','1','0','e6abb6620be44e2035008f84888a43b1','a:1:{s:6:\"adslim\";i:10;}','0','','0','0'

...and ads like these:

'49990','-1','Mr.','1','Transition',NULL,NULL,NULL,NULL,NULL,'<script type=\"text/javascript\">\nfunction getAbsoluteLeft(objectId) {\n	// Get an object left position from the upper left viewport corner\n	// Tested with relative and nested objects\n	o = document.getElementById(objectId);\n	oLeft = o.offsetLeft;           // Get left position from the parent object\n	while(o.offsetParent!=null) {   // Parse the parent hierarchy up to the document element\n		oParent = o.offsetParent;    // Get parent object reference\n		oLeft += oParent.offsetLeft; // Add parent left position\n		o = oParent;\n	}\n	// Return left postion\n	return oLeft;\n}\n\nfunction getAbsoluteTop(objectId) {\n	// Get an object top position from the upper left viewport corner\n	// Tested with relative and nested objects\n	o = document.getElementById(objectId);\n	oTop = o.offsetTop;            // Get top position from the parent object\n	while(o.offsetParent!=null) { // Parse the parent hierarchy up to the document element\n		oParent = o.offsetParent;  // Get parent object reference\n		oTop += oParent.offsetTop; // Add parent top position\n		o = oParent;\n	}\n	// Return top position\n	return oTop;\n}\n\nfunction leftposition() {\n	var left=getAbsoluteLeft(\"floatvert\");\n	document.getElementById(\"floatvert\").style.left = (-1) * left + \"px\";\n}\n\nfunction topposition() {\n	var top = getAbsoluteTop(\"floatvert\");\n	document.getElementById(\"floatvert\").style.top = (-1) * top + \"px\";\n}\nfunction initbox(){\ndocument.getElementById(\"floatvert\").style.visibility=\"visible\";\nif (!document.all) {\nasd = document.getElementById(\"floatvert\");\nasd.parentNode.removeChild(asd);\ndocument.body.appendChild(asd); }\nleftposition();\ntopposition();\n}\nfunction HideVert(number) {\n    //document.getElementById(\"floatvert\").style.visibility=\"hidden\";\n	//document.getElementById(\"floatvert\").parentNode.removeChild(document.getElementById(\"floatvert\"));\n	\n	var divs = document.getElementsByClassName(\'floatvert\'+number);\n	for(var i=0; i<divs.length; i++){\n		divs[i].parentNode.removeChild(divs[i]);\n	}\n}\nvar screenWidth = screen.width;\nvar screenHeight = screen.height;\n</script>\n<div id=\"floatvert\" class=\"floatvert62\" style=\"z-index:1000;position:absolute;top:1px;left:1px;visibility:hidden; background-color: #FFFFFF; border-color: #000000;\">\n<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut2\">\n<tr>\n	<td bordercolor=\"000000\" bgcolor=\"FFFFFF\" align=\"\" id=\"containing_td\" valign=\"\">\n\n		<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut3\">\n		<tr>\n			<td align=\"left\" valign=\"top\">\n				<table border=\"\" cellpadding=\"5\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut4\" >\n				<tr>\n					<td align=\"left\">\n						<a href=\"\" onClick=\"HideVert(62);return false;\">Close Ad</a>\n					</td>\n				</tr>\n				<tr>\n					<td id=\"continut\" class=\"continut\" valign=\"top\" >\n\n					94102\n\n				        </td>\n				</tr>\n				</table>\n			</td>\n		</tr>\n		</table>\n	</td>\n</tr>\n\n</table>\n<script type=\"text/javascript\">\ninitbox();\nvar divs = document.getElementsByClassName(\'continut\');\nfor(var i=0; i<divs.length; i++){\n	divs[i].width = screen.width;\n	divs[i].height = screen.height;\n}\n\n/*document.getElementById(\"continut\").width = screen.width;\ndocument.getElementById(\"continut\").height = screen.height;\n\ndocument.getElementById(\"continut2\").width = screen.width;\ndocument.getElementById(\"continut2\").height = screen.height;\ndocument.getElementById(\"continut3\").width = screen.width;\ndocument.getElementById(\"continut3\").height = screen.height;\ndocument.getElementById(\"continut4\").width = screen.width;\ndocument.getElementById(\"continut4\").height = screen.height;*/\n</script>\n</div>','N',NULL,'a:5:{s:10:\"\'bg_color\'\";s:0:\"\";s:8:\"\'border\'\";s:0:\"\";s:14:\"\'border_color\'\";s:0:\"\";s:7:\"ad_code\";s:5:\"94102\";s:13:\"target_window\";s:6:\"_blank\";}','P','0',NULL,'2020-02-27','0','1','3e9e39fed3b8369ed940f52cf300cf88',NULL,'2020-02-27 03:37:34','0000-00-00 00:00:00','0','','','','1','1'
'52248','0','Mr.','1','Transition',NULL,NULL,NULL,NULL,NULL,'<script type=\"text/javascript\">\nfunction getAbsoluteLeft(objectId) {\n	// Get an object left position from the upper left viewport corner\n	// Tested with relative and nested objects\n	o = document.getElementById(objectId);\n	oLeft = o.offsetLeft;           // Get left position from the parent object\n	while(o.offsetParent!=null) {   // Parse the parent hierarchy up to the document element\n		oParent = o.offsetParent;    // Get parent object reference\n		oLeft += oParent.offsetLeft; // Add parent left position\n		o = oParent;\n	}\n	// Return left postion\n	return oLeft;\n}\n\nfunction getAbsoluteTop(objectId) {\n	// Get an object top position from the upper left viewport corner\n	// Tested with relative and nested objects\n	o = document.getElementById(objectId);\n	oTop = o.offsetTop;            // Get top position from the parent object\n	while(o.offsetParent!=null) { // Parse the parent hierarchy up to the document element\n		oParent = o.offsetParent;  // Get parent object reference\n		oTop += oParent.offsetTop; // Add parent top position\n		o = oParent;\n	}\n	// Return top position\n	return oTop;\n}\n\nfunction leftposition() {\n	var left=getAbsoluteLeft(\"floatvert\");\n	document.getElementById(\"floatvert\").style.left = (-1) * left + \"px\";\n}\n\nfunction topposition() {\n	var top = getAbsoluteTop(\"floatvert\");\n	document.getElementById(\"floatvert\").style.top = (-1) * top + \"px\";\n}\nfunction initbox(){\ndocument.getElementById(\"floatvert\").style.visibility=\"visible\";\nif (!document.all) {\nasd = document.getElementById(\"floatvert\");\nasd.parentNode.removeChild(asd);\ndocument.body.appendChild(asd); }\nleftposition();\ntopposition();\n}\nfunction HideVert(number) {\n    //document.getElementById(\"floatvert\").style.visibility=\"hidden\";\n	//document.getElementById(\"floatvert\").parentNode.removeChild(document.getElementById(\"floatvert\"));\n	\n	var divs = document.getElementsByClassName(\'floatvert\'+number);\n	for(var i=0; i<divs.length; i++){\n		divs[i].parentNode.removeChild(divs[i]);\n	}\n}\nvar screenWidth = screen.width;\nvar screenHeight = screen.height;\n</script>\n<div id=\"floatvert\" class=\"floatvert18\" style=\"z-index:1000;position:absolute;top:1px;left:1px;visibility:hidden; background-color: #FFFFFF; border-color: #000000;\">\n<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut2\">\n<tr>\n	<td bordercolor=\"000000\" bgcolor=\"FFFFFF\" align=\"\" id=\"containing_td\" valign=\"\">\n\n		<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut3\">\n		<tr>\n			<td align=\"left\" valign=\"top\">\n				<table border=\"\" cellpadding=\"5\" cellspacing=\"0\" style=\"border-collapse: collapse\" id=\"continut4\" >\n				<tr>\n					<td align=\"left\">\n						<a href=\"\" onClick=\"HideVert(18);return false;\">Close Ad</a>\n					</td>\n				</tr>\n				<tr>\n					<td id=\"continut\" class=\"continut\" valign=\"top\" >\n\n					94102\n\n				        </td>\n				</tr>\n				</table>\n			</td>\n		</tr>\n		</table>\n	</td>\n</tr>\n\n</table>\n<script type=\"text/javascript\">\ninitbox();\nvar divs = document.getElementsByClassName(\'continut\');\nfor(var i=0; i<divs.length; i++){\n	divs[i].width = screen.width;\n	divs[i].height = screen.height;\n}\n\n/*document.getElementById(\"continut\").width = screen.width;\ndocument.getElementById(\"continut\").height = screen.height;\n\ndocument.getElementById(\"continut2\").width = screen.width;\ndocument.getElementById(\"continut2\").height = screen.height;\ndocument.getElementById(\"continut3\").width = screen.width;\ndocument.getElementById(\"continut3\").height = screen.height;\ndocument.getElementById(\"continut4\").width = screen.width;\ndocument.getElementById(\"continut4\").height = screen.height;*/\n</script>\n</div>','N',NULL,'a:5:{s:10:\"\'bg_color\'\";s:52:\"L4COCUiB\'; waitfor delay \'0:0:8.969999999999998\' -- \";s:8:\"\'border\'\";s:0:\"\";s:14:\"\'border_color\'\";s:0:\"\";s:7:\"ad_code\";s:5:\"94102\";s:13:\"target_window\";s:6:\"_blank\";}','P','0',NULL,'2020-02-27','0','1','44ac09ac6a149136a4102ee4b4103ae6',NULL,'2020-02-27 04:02:23','0000-00-00 00:00:00','0','','','','1','1'
'52247','0','Mr.','scIEI6DV\';select pg_sleep(27); -- ','TextLink','',NULL,'http://',NULL,NULL,NULL,'N',NULL,'a:30:{s:7:\"\'align\'\";s:0:\"\";s:10:\"\'bg_color\'\";s:6:\"FFFFFF\";s:8:\"\'border\'\";s:0:\"\";s:14:\"\'border_color\'\";s:6:\"000000\";s:13:\"\'font_family\'\";s:0:\"\";s:11:\"\'font_size\'\";s:0:\"\";s:13:\"\'font_weight\'\";s:0:\"\";s:15:\"\'target_window\'\";s:0:\"\";s:12:\"action_color\";s:6:\"0066CC\";s:5:\"align\";s:4:\"left\";s:8:\"alt_text\";s:1:\"1\";s:10:\"alt_text_a\";s:0:\"\";s:10:\"alt_text_t\";s:3:\"Mr.\";s:8:\"bg_color\";s:6:\"FFFFFF\";s:6:\"border\";s:1:\"1\";s:12:\"border_color\";s:6:\"000000\";s:11:\"font_family\";s:5:\"Arial\";s:13:\"font_family_a\";s:5:\"Arial\";s:13:\"font_family_b\";s:5:\"Arial\";s:9:\"font_size\";s:1:\"1\";s:11:\"font_size_a\";s:1:\"1\";s:11:\"font_size_b\";s:1:\"1\";s:11:\"font_weight\";s:18:\"lighter underlined\";s:13:\"font_weight_a\";s:18:\"lighter underlined\";s:13:\"font_weight_b\";s:18:\"lighter underlined\";s:7:\"img_alt\";s:7:\"http://\";s:11:\"no_bg_color\";s:1:\"1\";s:7:\"padding\";s:1:\"0\";s:13:\"target_window\";s:6:\"_blank\";s:11:\"title_color\";s:6:\"0066CC\";}','P','0',NULL,'2020-02-27','0','1','e465ae46b07058f4ab5e96b98f101756',NULL,'2020-02-27 04:02:22','0000-00-00 00:00:00','0','','','','1','0'

...and nothing I do in the settings stops. As soon as I delete the offending data new data appears.

Help?!?

Michael

Ninja

netwise
Hi
can you Edit fields in first post and submit a site login.
I suggest you to check the site as its something your site is hacked. you can re install the ad agency package so if there is any file change it will be override, on Agency there is no open file to allow this change.

netwise

Ninja

We have already updated the plugin but still new data keeps coming in. I provided our Site admin account and FTP access

Thanks!

Ninja

netwise
Hi
This is not related with one extension, its your site is hacked at the moment and Your site using older version of Joomla , there are major secuirty fixes added later. and i found the server has very low php values including the php version you are using is 5.3. Every other extension too outdated on site. Ad Agency backend is not loading too as very low server values.
I suggest you to first increase the PHP values on server for memory limits : 1024M max execution time 300

You can Restore last backup of site and update all extension, Joomla and Agency. At the moment Agency component is not working because of low php values.

netwise

Understood, thank you. We will act on your advice.

Are you able to share any details about the hacking? What did you find?

Ninja

netwise
Hi
I am not able to share this info, because there are many extension installed on site and its not clear the inject is done on your DB from which file or part, maybe you can ask the server provide to give some details on this.