Author Topic: Super Users created again and again on an updated site  (Read 382 times)

izig

  • Beginner
  • *
  • Posts: 27
Super Users created again and again on an updated site
« on: July 21, 2017, 18:14:24 pm »
Hi, I'm running my VirtueMart 3.2.2 on Joomla 3.7.3 and have some security (I would say serious) issues.
Almost every day, I see new users under the list of "Super Users"

The site is running on Debian jessie that is fully updated on a weekly basis.

I did noticed some VirtueMart modules that refuses to updated (see attached image), can I update them manually?

One more note, I'm in the process of migrating the entire site to the latest Debian version.

Any advise?

Thanks,
Izi

K&K media production

  • VirtueMart Developer Team
  • Global Moderator
  • Full Member
  • *
  • Posts: 825
  • VirtueMart Version: VM3 on J3
Re: Super Users created again and again on an updated site
« Reply #1 on: July 21, 2017, 18:26:45 pm »
Seems your site was hacked before you've updated a security release. You need malware scan tools for your website files.

https://securitycheck.protegetuordenador.com/

https://sucuri.net/

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26206
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #2 on: July 21, 2017, 23:21:24 pm »
The super user hack is Joomla related, not VirtueMart. For the procedure to work out and recover from the hack start with https://forum.joomla.org/viewtopic.php?f=714&t=757645  and then work within that forum. You will get good advice. The recovery route is covered here:  https://forum.joomla.org/viewtopic.php?f=714&t=946026

A Joomla specific site check is available from Phil Taylor, the first site scan is free.  https://myjoomla.com/site/is/hacked  so you could do that first.
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.4 on Joomla 3.8 PHP 7.0.23

Testing VM3.2.5 on J!3.8

izig

  • Beginner
  • *
  • Posts: 27
Re: Super Users created again and again on an updated site
« Reply #3 on: September 01, 2017, 18:19:56 pm »
Thanks for the advises above.

Now that the site is clean, seems like whom ever hacked the site left me a few challenges:
1. Every new account created as "Super User". Legitimate users created with those elevated privileges
2. No mail is sent for new account creation, so I need to watch occasionally for new accounts and change them to "Registered"

I added a layer of protection on the /administrator in my .htaccess so those users will find it hard to login to the administrator panel, but still...

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26206
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #4 on: September 01, 2017, 23:31:57 pm »
You obviously still have residual issues which will certainly bite you if you do not fix them now. I suspect you did not follow best practice for recovery from hacking.
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.4 on Joomla 3.8 PHP 7.0.23

Testing VM3.2.5 on J!3.8

izig

  • Beginner
  • *
  • Posts: 27
Re: Super Users created again and again on an updated site
« Reply #5 on: September 02, 2017, 08:40:54 am »
Thanks Kelvyn, you're partially correct. I had 2 options as I see it, reinstall the entire store from scratch, or dig into the site files looking for suspected ones.

As the site had many modifications during the years, reinstalling is my last option. But I do consider it.

I'd like to get any clue that may assist the current issues I noted above.
I assume the PHP file handling new accounts was tempered or the DB entry for "Super Admin" and "Registers" accounts is swapped.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26206
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #6 on: September 02, 2017, 15:15:54 pm »
If you don't replace all the files as in a normal hack recovery, then you run the risk of there being one or more hacked file being present, and also more than one backdoor into the site. You are showing us the importance of any "modifications" always being made using override files or by a plugin.
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.4 on Joomla 3.8 PHP 7.0.23

Testing VM3.2.5 on J!3.8

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9327
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Super Users created again and again on an updated site
« Reply #7 on: September 02, 2017, 23:35:34 pm »
not only replace, he must also delete additional files. The best way is to remove all files, and install it completly fresh. But using the old db and of course that should be done at "home" with a backup and if all is cleared, upload it.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/