VirtueMart Forum

VirtueMart 1.1.x [ Old version - no longer supported ] => Security (https) / Performance / SEO/ SEF issues VM 1.1 => Topic started by: pgoosen on August 15, 2012, 15:04:00 pm

Title: Hack in virtuemart (vm1)
Post by: pgoosen on August 15, 2012, 15:04:00 pm
Hi there,

We found 2 files in components/com_virtuemart/themes/default/templates, a z.php and an inc.php, which were accessible from the internet. They created the following log entries:

[Thu Aug 02 15:54:28 2012] [warn] [client 72.55.xx.xx] mod_fcgid: read data timeout in 45 seconds, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/inc.php
[Thu Aug 02 20:51:12 2012] [error] [client 92.99.xx.xx] Premature end of script headers: z.php, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/z.php

These files were used for posting spam mail through my server. Is this a known error? Mail me and I will send you the PHP code. pgoosen@gmail.com.

Kind regards,
Patrick Goosen
Title: Re: Hack in virtuemart
Post by: jenkinhill on August 15, 2012, 16:50:14 pm
Those referers are not from VirtueMart 2 - the directory path indicates it is one of the old VirtueMart 1.1 versions - and the 1.1 themes/default directory did not contain those php files.

So your site has been hacked - maybe you can tell us the exact versions of Joomla & VirtueMart installed on the site?
Title: Re: Hack in virtuemart
Post by: PRO on August 15, 2012, 17:11:35 pm
pgoosen

Run Malwarebytes on your computer ASAP.
http://www.malwarebytes.org/

Title: Re: Hack in virtuemart (vm1)
Post by: pgoosen on August 16, 2012, 11:17:56 am
Hi there, we are using Joomla 1.5.26 and VirtueMart 1.1.9 stable. The files did not come with VirtueMart but were placed in the VirtueMart directory. If the path looks like an old VirtueMart version, perhaps it is an idea for VirtueMart to remove those files when installing a new one.
Title: Re: Hack in virtuemart (vm1)
Post by: jenkinhill on August 16, 2012, 12:48:47 pm
By old VM version I refer exactly to the version you are using. Do not confuse the terms "path" with "file". Those files never were part of VirtueMart so have been added by a hacker.

As there have been to date no reports of malicious attacks directly on Joomla 1.5.26 and VM1.1.9, it is possible that there is some other component/module/plugin that needs updating or there is a server security issue. I suggest you report this in the J1.5 security forum; first read http://forum.joomla.org/viewtopic.php?f=432&t=335090

Moving this to the VM1.1 security forum.
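
Added example, not part of the forum thread and not VirtueMart code: one way to automate the check the replies rely on (the scripts named in the referers were never shipped with the component), applied to error-log lines in the format quoted in the first post. The sample log lines, the addresses, the `SHIPPED` set and the file name in it are constructed; `shipped_files` assumes a clean copy of the same release laid out like the live site root.

```python
import re
import posixpath
from pathlib import Path
from urllib.parse import urlsplit

# Apache error_log line as quoted in the thread:
#   [date] [level] [client ip] message, referer: URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] "
    r".*?(?:, referer: (?P<referer>\S+))?$"
)
PREFIX = "components/com_virtuemart/"

def shipped_files(clean_root):
    """Site-relative paths of all files in a clean copy of the same release
    (assumption: clean_root is laid out like the live site root)."""
    root = Path(clean_root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def referer_script(referer):
    """Normalized site-relative path of a referer URL if it names a .php file."""
    path = posixpath.normpath(urlsplit(referer).path).lstrip("/")
    return path if path.lower().endswith(".php") else None

def unexpected_scripts(log_lines, shipped):
    """Return (timestamp, client, path) for component scripts not in `shipped`."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("referer"):
            continue  # not an error_log line, or no referer to inspect
        path = referer_script(m.group("referer"))
        if path and path.startswith(PREFIX) and path not in shipped:
            hits.append((m.group("ts"), m.group("client"), path))
    return hits

# Constructed sample data: documentation addresses and a placeholder file name.
TPL = PREFIX + "themes/default/templates/"
SHIPPED = {TPL + "example_shipped.tpl.php"}
SAMPLE_LOG = [
    "[Thu Aug 02 15:54:28 2012] [warn] [client 192.0.2.10] mod_fcgid: read data timeout in 45 seconds, referer: http://www.example.org//" + TPL + "inc.php",
    "[Thu Aug 02 20:51:12 2012] [error] [client 198.51.100.7] Premature end of script headers: z.php, referer: http://www.example.org//" + TPL + "z.php",
    "[Thu Aug 02 21:00:00 2012] [error] [client 203.0.113.5] Premature end of script headers: index.php, referer: http://www.example.org/" + TPL + "example_shipped.tpl.php",
    "[Thu Aug 02 21:05:00 2012] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    for ts, client, path in unexpected_scripts(SAMPLE_LOG, SHIPPED):
        print(ts, client, path)
```

Paths reported this way are leads to inspect on disk; a referer header is client-supplied, so confirm each file's presence and modification time on the server.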