Viewing 10 posts - 1 through 10 (of 10 total)
  • chrispay Friend
    #127966

    My JA Teline site was seriously hacked over the period of the last week and nothing I did halted the attacks until I completely changed the site with a new template.

    As I had taken backups before the attacks, I looked at the site again in a safe offline environment to try and find anything I’d missed. What I found – having originally used the QuickStart install – was 5 JoomlArt staff registered as Super Administrators with full access in the template-prefixed part of the SQL database. That was compounded by my having installed Xplorer, which then gave the user details carte blanche to do what they wanted (fortunately it was a single-domain account). I realise that Xplorer is itself unsafe, but my caution should have been raised earlier by finding a particular search term in my site stats.

    Now, I am absolutely NOT saying the individuals concerned caused the problem, but they did provide the backdoor through not having the details deleted before the QuickStart file was prepared. The attacks were very serious – the domain concerned was turned into a zombie phishing site for at least three banks – and finding people using Teline is very easy with a single line SERPs query, so I’m just advising users to delete the names concerned in their databases before the same thing happens to them.

    Balaji Ramanathan Friend
    #247023

    Oh! Could you please let me know how to take care of it? I just installed the full package and am beginning to try it out.

    bigrk Friend
    #247057

    Would you PM me the names that were listed?

    chrispay Friend
    #247089

    drb07 – you’ll find the SQL database is split into two separate sections with different prefixes – one is the usual jos_ and the other is teline_. Just use phpMyAdmin to browse the users in teline_ and delete them all.

    bigrk – I’ve PM’d you.
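The phpMyAdmin steps in the post above, written out as SQL you can paste into phpMyAdmin's SQL tab. This is an added example, not from the thread and not JoomlArt's own code. It assumes the Joomla 1.0.x schema (gid 25 = Super Administrator, gid 24 = Administrator, unsalted MD5 passwords, ACL rows in the core_acl_aro tables) and the two prefixes named in the post; the `admin` username in the allowlist and the `teline_` prefix are assumptions to replace with your own. Only the prefix set in configuration.php (`$mosConfig_dbprefix`) is live, but the other copy is worth cleaning as well.

```sql
-- Added example, not from the thread or from JoomlArt. Assumes a Joomla 1.0.x
-- schema with the two table prefixes named in the thread (jos_ and teline_).
-- Check the real table names in phpMyAdmin first; the QuickStart may differ.

-- 1. List every account with Administrator (gid 24) or Super Administrator
--    (gid 25) rights in both prefixed copies of the users table.
SELECT 'jos_' AS prefix, id, username, email, usertype, gid, block, lastvisitDate
  FROM jos_users
 WHERE gid IN (24, 25)
UNION ALL
SELECT 'teline_', id, username, email, usertype, gid, block, lastvisitDate
  FROM teline_users
 WHERE gid IN (24, 25)
 ORDER BY prefix, gid DESC, id;

-- 2. Joomla 1.0.x stores passwords as a bare 32-char MD5 hex digest (no ':'
--    salt separator as in 1.5), which is what makes leaked accounts trivial
--    to reverse. Flag any privileged account still carrying such a hash.
SELECT id, username, password
  FROM teline_users
 WHERE gid IN (24, 25)
   AND password NOT LIKE '%:%'
   AND LENGTH(password) = 32;

-- 3. Delete every privileged account except the ones you created yourself.
--    'admin' is an assumed placeholder; put your own username(s) in the list.
--    Joomla 1.0.x also keeps one ACL row per user in core_acl_aro and a
--    group mapping in core_acl_groups_aro_map; remove those too, or orphaned
--    ACL entries remain behind after the user row is gone.
START TRANSACTION;

DELETE m
  FROM teline_core_acl_groups_aro_map m
  JOIN teline_core_acl_aro a ON a.aro_id = m.aro_id
  JOIN teline_users u        ON u.id = a.value AND a.section_value = 'users'
 WHERE u.gid IN (24, 25)
   AND u.username NOT IN ('admin');

DELETE a
  FROM teline_core_acl_aro a
  JOIN teline_users u ON u.id = a.value AND a.section_value = 'users'
 WHERE u.gid IN (24, 25)
   AND u.username NOT IN ('admin');

DELETE FROM teline_users
 WHERE gid IN (24, 25)
   AND username NOT IN ('admin');

COMMIT;

-- 4. Confirm only your own accounts remain with admin rights.
SELECT id, username, usertype, gid
  FROM teline_users
 WHERE gid IN (24, 25);
```

Run step 1 first and write down the usernames before deleting anything; step 3 is wrapped in a transaction so a typo in the allowlist can be rolled back before COMMIT. After the cleanup, change the password on the account you kept from the Joomla backend, since any QuickStart-shipped hash for it should be treated as known.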

    Balaji Ramanathan Friend
    #247103

    Pardon my ignorance. Why are those users not shown in the Joomla backend? I see only ‘Super Administrator’.

    bigrk Friend
    #247115

    I can guarantee that this list of people did not have anything to do with your site having problems. I have been using this template for almost a year now and no troubles. I would suspect a 3rd party product you are using may have been responsible. Always check to make sure you have the latest versions of all products to avoid this type of problem. Also I doubt that JoomlaXplorer is the culprit either. Make sure your configuration.php is unwriteable.

    There is a list of problem products here that are vulnerable: http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/

    Here is the forum where these and others are discussed: 3rd Party/Non Joomla! Security Issues http://forum.joomla.org/viewforum.php?f=296

    chrispay Friend
    #247129

    OK, doesn’t seem this is going to be taken seriously without further detail.

    Five Super Administrator accounts were already set up in the SQL portion of the first quickstart package for Teline. These accounts were for JoomlArt staff, presumably when they were collaborating on finishing off the template. I assume someone forgot to delete them before the package was produced.

    Some months later I saw a number of queries in my AWStats for ja_teline. As the template string is retained in the rendered page, anyone searching with this term can find all spidered pages that use JA Teline.

    Putting two and two together, as Teline was really the first such JoomlArt template that did need a quickstart package to get it up and running in any reasonable period of time, it was a fair assumption that most sites using the template had also used the quickstart, hence had the same backdoor access using those login details (as it was a 1.0.x install, a simple MD5 decrypt would give the passwords).

    With Xplorer installed, once in, the hackers then had access to the whole domain.

    All plugins used on this site were security tested – only Xplorer had any weakness. On that basis, the only possible exploit was these backdoor Super Admin accounts (heck, I was using GRC passwords just to make sure for my own accounts).

    I repeat, I am NOT saying that the JoomlArt staff concerned had anything to do with the hacking, only that their details were used for the purpose. What I AM hoping is that a warning can be issued so that others don’t suffer the same problems.

    bigrk Friend
    #247138

    I have brought this to the attention of the JA Staff and am waiting to hear their opinion.

    Hung Dinh Friend
    #247139

    I can see that it has been JA forthcoming not to remove the superadmin accounts out of the Quickstart, and these accounts can be abused for unexpected purposes. It’s hard to investigate and specify whether the problem is caused by the abused accounts or not, but updating the Quickstart will be the first thing we do from our side.

    Besides that, I can guarantee that our Quickstart is purely a clean Joomla installation + JA template + sample article SQL, which can be as safe as the package you download from J!Forge.

    bigrk Friend
    #247265

    Chrispay would you send a copy of the sql file to me?


This topic contains 10 replies, has 4 voices, and was last updated by bigrk 16 years, 6 months ago.
