Author Topic: Super Users created again and again on an updated site  (Read 715 times)

izig

  • Beginner
  • *
  • Posts: 32
Super Users created again and again on an updated site
« on: July 21, 2017, 18:14:24 pm »
Hi, I'm running my VirtueMart 3.2.2 on Joomla 3.7.3 and have some security (I would say serious) issues.
Almost every day, I see new users under the list of "Super Users"

The site is running on Debian jessie that is fully updated on a weekly basis.

I did notice some VirtueMart modules that refuse to update (see attached image); can I update them manually?

One more note, I'm in the process of migrating the entire site to the latest Debian version.

Any advice?

Thanks,
Izi

K&K media production

  • VirtueMart Developer Team
  • Global Moderator
  • Full Member
  • *
  • Posts: 834
  • VirtueMart Version: VM3 on J3
Re: Super Users created again and again on an updated site
« Reply #1 on: July 21, 2017, 18:26:45 pm »
Seems your site was hacked before you've updated a security release. You need malware scan tools for your website files.

https://securitycheck.protegetuordenador.com/

https://sucuri.net/

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26362
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #2 on: July 21, 2017, 23:21:24 pm »
The super user hack is Joomla related, not VirtueMart. For the procedure to work out and recover from the hack, start with https://forum.joomla.org/viewtopic.php?f=714&t=757645 and then work within that forum. You will get good advice. The recovery route is covered here: https://forum.joomla.org/viewtopic.php?f=714&t=946026

A Joomla specific site check is available from Phil Taylor, the first site scan is free: https://myjoomla.com/site/is/hacked so you could do that first.
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.4 on Joomla 3.8.2 PHP 7.0.23

Testing VM3.2.5 on J!3.8.2

izig

  • Beginner
  • *
  • Posts: 32
Re: Super Users created again and again on an updated site
« Reply #3 on: September 01, 2017, 18:19:56 pm »
Thanks for the advice above.

Now that the site is clean, it seems like whoever hacked the site left me a few challenges:
1. Every new account is created as "Super User". Legitimate users are created with those elevated privileges
2. No mail is sent for new account creation, so I need to watch occasionally for new accounts and change them to "Registered"

I added a layer of protection on the /administrator in my .htaccess so those users will find it hard to login to the administrator panel, but still...

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26362
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #4 on: September 01, 2017, 23:31:57 pm »
You obviously still have residual issues which will certainly bite you if you do not fix them now. I suspect you did not follow best practice for recovery from hacking.
Kelvyn


izig

  • Beginner
  • *
  • Posts: 32
Re: Super Users created again and again on an updated site
« Reply #5 on: September 02, 2017, 08:40:54 am »
Thanks Kelvyn, you're partially correct. I had 2 options as I see it, reinstall the entire store from scratch, or dig into the site files looking for suspected ones.

As the site had many modifications during the years, reinstalling is my last option. But I do consider it.

I'd like to get any clue that may assist the current issues I noted above.
I assume the PHP file handling new accounts was tampered with or the DB entry for "Super Admin" and "Registers" accounts is swapped.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26362
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #6 on: September 02, 2017, 15:15:54 pm »
If you don't replace all the files as in a normal hack recovery, then you run the risk of there being one or more hacked files present, and also more than one backdoor into the site. You are showing us the importance of any "modifications" always being made using override files or by a plugin.
Kelvyn


Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9373
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Super Users created again and again on an updated site
« Reply #7 on: September 02, 2017, 23:35:34 pm »
Not only replace, he must also delete additional files. The best way is to remove all files and install it completely fresh, but using the old db. Of course that should be done at "home" with a backup, and if all is cleared, upload it.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

izig

  • Beginner
  • *
  • Posts: 32
Re: Super Users created again and again on an updated site
« Reply #8 on: October 07, 2017, 14:16:10 pm »
I'm sad :(

Installed new server, Debian fully updated. Installed clean Joomla, Virtuemart and PHP 7.0.19-1. All are running latest version (Joomla 3.8.0 and will be updated to 3.8.1 soon)

Exported my old DB from the old server and imported it to a new DB on the new server. Changed Joomla configuration file to use the imported DB.
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee anti virus.

Today, a couple of weeks later, I see a few new spam users that are in the Super Admin group. And I never got a notification mail regarding new account creation.
I also created a test user myself; the new user was created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

Thanks for any assistance.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26362
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #9 on: October 07, 2017, 15:40:55 pm »
Quote
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee anti virus.

McAfee anti-virus is not designed to detect the sort of backdoor access files that a hacker could install in media/images. You really should manually check that the image files are what they claim to be; for example, a file image.php.jpg could be a backdoor file, giving a way in for hackers. Malicious code can also be hidden in an image, e.g. see https://thehackernews.com/2015/06/Stegosploit-malware.html (and instructions for hackers to do just that are online).

Looks like you have to rebuild the site again.
Kelvyn

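
Added example, not part of any post in this thread: one way to do the manual check described in Reply #9 before copying a media folder to a rebuilt server. It flags script extensions hidden in a file name (the image.php.jpg case), content whose leading bytes do not match the image extension, and a PHP open tag anywhere in the file. The extension list, the function names and the sample files are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes expected for each image extension.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumed list, extend as needed

def audit_file(path):
    """Return the reasons a file deserves manual inspection (empty if none)."""
    reasons = []
    exts = [s.lower() for s in path.suffixes]
    if any(e in SCRIPT_EXTS for e in exts):
        reasons.append("script extension in name")
    data = path.read_bytes()
    final = exts[-1] if exts else ""
    if final in MAGIC and not data.startswith(MAGIC[final]):
        reasons.append("content does not match image type")
    if b"<?php" in data:
        reasons.append("PHP open tag inside file")
    return reasons

def audit_tree(root):
    """Map relative path -> reasons for every flagged file under root."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = audit_file(path)
            if reasons:
                flagged[path.relative_to(root).as_posix()] = reasons
    return flagged

def demo():
    """Audit a constructed media folder; all file contents are sample data."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    samples = {
        "product.jpg": jpeg,                             # genuine JPEG header
        "image.php.jpg": b"<?php /* placeholder */ ?>",  # script named as image
        "banner.png": jpeg,                              # JPEG bytes, .png name
        "logo.gif": b"GIF89a" + b"\x00" * 8 + b"<?php ?>",  # code after header
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return audit_tree(root)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

A clean result only means none of these three signs were found; it does not replace restoring media from a known-good source.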

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 7613
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.2
Re: Super Users created again and again on an updated site
« Reply #10 on: October 07, 2017, 22:03:27 pm »
Quote
Today, a couple of weeks later, I see a few new spam users that are in the Super Admin group. And I never got a notification mail regarding new account creation.
I also created a test user myself; the new user was created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

When this vulnerability first became known I had a couple of sites to fix that were doing exactly the above.
It was a while ago but from memory the eventual cause I found wasn't code but they had redone all the standard Joomla users permissions configs etc.
Compare your permissions setup to a clean new install
GJC Web Design
VirtueMart and Joomla Developers - php developers http://www.gjcwebdesign.com
VM3 AusPost Shipping Plugin - e-go Shipping Plugin - VM3 Postcode Shipping Plugin - Radius Shipping Plugin - VM3 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
http://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26362
  • Always on vacation
    • Jenkin Hill Internet
Re: Super Users created again and again on an updated site
« Reply #11 on: October 07, 2017, 23:56:44 pm »
Permissions are stored in the db - but surely any developer would check that if they simply imported the old db. ???
Kelvyn


GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 7613
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.2
Re: Super Users created again and again on an updated site
« Reply #12 on: October 08, 2017, 00:18:10 am »
struggling to remember but I think it was the hierarchy of the set permissions and what they were allowed to do had been totally altered A about F

so not individual perms but the permissions and the order in which they were applied to groups etc.. this may be totally different .. it just rang a bell from when this hack was popular

whether u are regged as a Super or Registered is simply group ids in the registration model so just debug out what is happening there..  unless there is nefarious code swapping them after registration etc..

if not every reg ends as a Super then I guess a back door is there to allow that
GJC Web Design

izig

  • Beginner
  • *
  • Posts: 32
Re: Super Users created again and again on an updated site
« Reply #13 on: October 08, 2017, 13:23:06 pm »
Thanks !
Global Configuration -> Users -> User options: New User Registration Group and Guest User Group were set to "Super User"
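
Added example, not part of any post in this thread: a check for the settings found in Reply #13, run against data exported from an imported database before it goes live. It assumes the Joomla 3 layout in which the user options are the JSON `params` of the `com_users` row in `#__extensions`, the global permissions are the JSON `rules` of the root row in `#__assets`, and group parents come from `#__usergroups`; the group ids and all sample JSON below are constructed, modelled on a stock install.

```python
import json

PRIVILEGED_ACTIONS = ("core.admin", "core.manage", "core.login.admin")

def privileged_groups(root_rules_json, parents):
    """Group ids holding a privileged action directly or through an ancestor."""
    rules = json.loads(root_rules_json)
    granted = {int(g) for a in PRIVILEGED_ACTIONS
               for g, v in rules.get(a, {}).items() if v == 1}
    result = set()
    for gid in parents:
        node, seen = gid, set()
        while node and node not in seen:   # parent id 0 ends the chain
            if node in granted:
                result.add(gid)
                break
            seen.add(node)
            node = parents.get(node, 0)
    return result

def audit_registration(com_users_params_json, root_rules_json, parents):
    """Return findings for the registration settings discussed in the thread."""
    p = json.loads(com_users_params_json)
    risky = privileged_groups(root_rules_json, parents)
    findings = []
    for key in ("new_usertype", "guest_usergroup"):
        gid = int(p.get(key, 0))
        if gid in risky:
            findings.append(f"{key}={gid} is a privileged group")
    if int(p.get("mail_to_admin", 0)) == 0:
        findings.append("mail_to_admin=0: no admin notification on signup")
    if int(p.get("useractivation", 0)) == 0:
        findings.append("useractivation=0: accounts active without confirmation")
    return findings

# Constructed sample data (assumed stock ids: Registered=2, Super Users=8, Guest=9).
PARENTS = {1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 1, 7: 6, 8: 1, 9: 1}
ROOT_RULES = ('{"core.login.site":{"6":1,"2":1},"core.login.admin":{"6":1},'
              '"core.admin":{"8":1},"core.manage":{"7":1}}')
TAMPERED = ('{"allowUserRegistration":"1","new_usertype":"8",'
            '"guest_usergroup":"8","useractivation":"0","mail_to_admin":"0"}')
CLEAN = ('{"allowUserRegistration":"1","new_usertype":"2",'
         '"guest_usergroup":"9","useractivation":"2","mail_to_admin":"1"}')

if __name__ == "__main__":
    for label, params in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(label, audit_registration(params, ROOT_RULES, PARENTS))
```

The ancestor walk only follows allow rules; explicit denies on a child group are not modelled.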

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 7613
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.2
Re: Super Users created again and again on an updated site
« Reply #14 on: October 08, 2017, 21:42:45 pm »
I can see that would be problematic..   :P

Yes, it was part and parcel of the hack that once they had gained access they often played silly buggers with the settings then deleted their registration.

You would think they would have better things to do with their time...
GJC Web Design