-
AuthorPosts
-
April 27, 2008 at 11:52 am #127966
My JA Teline site was seriously hacked over the period of the last week and nothing I did halted the attacks until I completely changed the site with a new template.
As I had taken backups before the attacks I looked at the site again in a safe offline environment to try and find anything I’d missed. What I found – having originally used the QuickStart install – was 5 JoomlArt staff registered as Super Administrators with full access in the template prefixed part of the SQL database . That was compounded by my having installed Xplorer which then gave the user details carte blanche to do what they wanted (fortunately it was a single domain account). I realise that Xplorer is itself unsafe but my caution should have been raised earlier by finding a particular search term in my site stats.
Now, I am absolutely NOT saying the individuals concerned caused the problem, but they did provide the backdoor through not having the details deleted before the QuickStart file was prepared. The attacks were very serious – the domain concerned was turned into a zombie phishing site for at least three banks – and finding people using Teline is very easy with a single line SERPs query, so I’m just advising users to delete the names concerned in their databases before the same thing happens to them.
Balaji Ramanathan FriendBalaji Ramanathan
- Join date:
- September 2014
- Posts:
- 187
- Downloads:
- 0
- Uploads:
- 13
- Thanks:
- 24
- Thanked:
- 2 times in 1 posts
April 27, 2008 at 6:06 pm #247023Oh!. Could you please let me know how to take care of it? I just installed the full package and beginning to try it out.
bigrk Friendbigrk
- Join date:
- February 2007
- Posts:
- 1425
- Downloads:
- 0
- Uploads:
- 2
- Thanks:
- 39
- Thanked:
- 45 times in 15 posts
April 28, 2008 at 2:19 am #247057Would you PM me the names that were listed?
April 28, 2008 at 8:23 am #247089drb07 – you’ll find the sql database is split into two separate sections with different prefixes – one is the usual jos_ and the other is teline_. Just use PHPMyAdmin to browse the users in teline_ and delete them all.
bigrk – I’ve PM’d you.
Balaji Ramanathan FriendBalaji Ramanathan
- Join date:
- September 2014
- Posts:
- 187
- Downloads:
- 0
- Uploads:
- 13
- Thanks:
- 24
- Thanked:
- 2 times in 1 posts
April 28, 2008 at 10:52 am #247103pardon my ignorance. Why those users are not being shown in joomla backend? I see only ‘super administrator’?
bigrk Friendbigrk
- Join date:
- February 2007
- Posts:
- 1425
- Downloads:
- 0
- Uploads:
- 2
- Thanks:
- 39
- Thanked:
- 45 times in 15 posts
April 28, 2008 at 2:48 pm #247115I can guarantee that this list of people did not have anything to do with your site having problems. I have been using this template for a almost a year now and no troubles. I would suspect a 3rd party product you are using may have been responsible. Always check to make sure you have the lastest versions of all products to avoid this type of problem. Also I doubt that JoomlaXplorer is the culprit either. Make sure your configuration.php is : Unwriteable.
There is a list of problem products here that are vunerable : http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/
Here is the forum where these and others are discussed: 3rd Party/Non Joomla! Security Issues http://forum.joomla.org/viewforum.php?f=296
April 28, 2008 at 5:04 pm #247129OK, doesn’t seem this is going to be taken seriously without further detail.
Five Super Administrator accounts were already set up in the SQL portion of the first quickstart package for Teline. These accounts were for JoomlArt staff, presumably when they were collaborating on finishing off the template. I assume someone forgot to delete them before the package was produced.
Some months later I saw a number of queries in my AWStats for ja_teline. As the template string is retained in the rendered page, anyone searching with this term can find all spidered pages that use JA Teline.
Putting two and two together, as Teline was really the first such JoomlArt template that really did need a quickstart package to get it up and running in any reasonable period of time, it was a fair assumption that most sites using the template had also used the quickstart, hence had the same backdoor access using those login details (as it was a 1.0x install a simple MD5 decrypt would give the passwords).
With Xplorer installed, once in the hackers then had access to the whole domain.
All plugins used on this site were security tested – only Xplorer had any weakness. On that basis, the only possible exploit was these backdoor Super Admin accounts (heck, I was using GRC passwords just to make sure for my own accounts).
I repeat, I am NOT saying that the JoomlArt staff concerned had anything to do with the hacking, only that their details were used for the purpose. What I AM hoping is that a warning can be issued so that others don’t suffer the same problems.
bigrk Friendbigrk
- Join date:
- February 2007
- Posts:
- 1425
- Downloads:
- 0
- Uploads:
- 2
- Thanks:
- 39
- Thanked:
- 45 times in 15 posts
April 28, 2008 at 5:37 pm #247138I have brought this to the attention of the JA Staff and am waiting to hear their opinion.
Hung Dinh FriendHung Dinh
- Join date:
- September 2014
- Posts:
- 4408
- Downloads:
- 11
- Uploads:
- 189
- Thanks:
- 309
- Thanked:
- 3310 times in 3 posts
April 28, 2008 at 5:46 pm #247139I can see that it has been JA forthcoming not to remove the superadmin account out of the Quickstart and these account can be abused for unexpected purpose. It’s hard to inverstigate and specify whether the problem is caused by the abused account or not but updating the Quickstart will be the first thing we do from our side.
Besides that, I can gurrantee that our Quickstart is purely a clean Joomla installation + JA template + Sample article sql which can be as safe as the package you download from J!Forge.
-
AuthorPosts
This topic contains 10 replies, has 4 voices, and was last updated by bigrk 16 years, 8 months ago.
We moved to new unified forum. Please post all new support queries in our New Forum