Author Topic: Hack in virtuemart (vm1)  (Read 4424 times)

pgoosen

Hack in virtuemart (vm1)
« on: August 15, 2012, 15:04:00 pm »
Hi there,

We found 2 files in components/com_virtuemart/themes/default/templates, a z.php and an inc.php, which were accessible from the internet. They created the following log entries:

[Thu Aug 02 15:54:28 2012] [warn] [client 72.55.xx.xx] mod_fcgid: read data timeout in 45 seconds, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/inc.php
[Thu Aug 02 20:51:12 2012] [error] [client 92.99.xx.xx] Premature end of script headers: z.php, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/z.php

These files were used for posting spam mail through my server. Is this a known error? Mail me and I will send you the PHP code. pgoosen@gmail.com.

Kind regards,
Patrick Goosen

jenkinhill

Re: Hack in virtuemart
« Reply #1 on: August 15, 2012, 16:50:14 pm »
Those referers are not from VirtueMart 2 - the directory path indicates it is one of the old VirtueMart 1.1 versions - and the 1.1 themes/default directory did not contain those php files.

So your site has been hacked - maybe you can tell us the exact versions of Joomla & VirtueMart installed on the site?
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.4.3.10057 on Joomla 3.9.10 PHP 7.0.33
Testing VM 3.5.0.10097 on Joomla 3.9.10
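Added example, not part of any post in this thread: one way to pull script paths like the two above out of an Apache 2.2 error log and flag PHP files requested from a template directory that are not in a known-good list. `WATCHED_DIRS`, `BASELINE` and the two extra log lines are assumptions constructed for illustration; build the real baseline from a clean copy of the release you run.

```python
import re
from posixpath import normpath
from urllib.parse import urlparse

# Apache 2.2 error_log line: [time] [level] [client ip] message[, referer: url]
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$")

# Assumption: directories to watch; this is the path reported in the thread.
WATCHED_DIRS = ("/components/com_virtuemart/themes/default/templates",)
# Assumption: constructed placeholder entry, not VirtueMart's real file list.
BASELINE = {"/components/com_virtuemart/themes/default/templates/known_good.php"}

def parse_line(line):
    """Split one error_log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_path(referer):
    """URL path with repeated slashes and dot segments collapsed."""
    path = re.sub(r"/+", "/", urlparse(referer).path)
    return normpath(path) if path else ""

def unexpected_scripts(log_lines):
    """Map each unlisted PHP path under a watched directory to (time, client, message) hits."""
    findings = {}
    for line in log_lines:
        rec = parse_line(line)
        if not rec or not rec["referer"]:
            continue
        path = referer_path(rec["referer"])
        directory = path.rpartition("/")[0]
        watched = any(directory == d or directory.startswith(d + "/") for d in WATCHED_DIRS)
        if watched and path.lower().endswith(".php") and path not in BASELINE:
            findings.setdefault(path, []).append((rec["time"], rec["client"], rec["msg"]))
    return findings

SAMPLE_LOG = [
    # The two entries quoted in the first post (addresses and host redacted there).
    "[Thu Aug 02 15:54:28 2012] [warn] [client 72.55.xx.xx] mod_fcgid: read data timeout in 45 seconds, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/inc.php",
    "[Thu Aug 02 20:51:12 2012] [error] [client 92.99.xx.xx] Premature end of script headers: z.php, referer: http://www.xxxxx.nl//components/com_virtuemart/themes/default/templates/z.php",
    # Constructed lines: one with no referer, one hitting the baseline file.
    "[Thu Aug 02 21:00:00 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
    "[Thu Aug 02 21:05:00 2012] [warn] [client 192.0.2.11] mod_fcgid: read data timeout in 45 seconds, referer: http://www.xxxxx.nl/components/com_virtuemart/themes/default/templates/known_good.php",
]

if __name__ == "__main__":
    for path, hits in sorted(unexpected_scripts(SAMPLE_LOG).items()):
        print(path, hits)
```

The referer header is supplied by the client, so treat each hit as a lead and confirm the file on disk against the clean package before acting on it.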

PRO

Re: Hack in virtuemart
« Reply #2 on: August 15, 2012, 17:11:35 pm »
pgoosen

RUN Malwarebytes on your computer asap.
http://www.malwarebytes.org/

J3.9+ VM 3.4.2
Slowest Page Speed Score (88) (Category)
Fastest Page Speed Score (94-96) (productdetails)

pgoosen

Re: Hack in virtuemart (vm1)
« Reply #3 on: August 16, 2012, 11:17:56 am »
Hi there, we are using Joomla 1.5.26 and VirtueMart 1.1.9 stable. The files did not come with VirtueMart but were placed in the VirtueMart directory. If the path looks like an old VirtueMart version, perhaps an idea for VirtueMart to remove those files when installing a new one.

jenkinhill

Re: Hack in virtuemart (vm1)
« Reply #4 on: August 16, 2012, 12:48:47 pm »
By old VM version I refer exactly to the version you are using. Do not confuse the terms "path" with "file". Those files never were part of VirtueMart so have been added by a hacker.

As there have been to date no reports of malicious attacks directly on Joomla 1.5.26 and VM1.1.9, it is possible that there is some other component/module/plugin that needs updating or there is a server security issue. I suggest you report this in the J1.5 security forum; first read http://forum.joomla.org/viewtopic.php?f=432&t=335090

Moving this to the VM1.1 security forum.
Kelvyn
