
Super Users created again and again on an updated site

Started by izig, July 21, 2017, 18:14:24 PM


izig

Hi, I'm running my VirtueMart 3.2.2 on Joomla 3.7.3 and have some security (I would say serious) issues.
Almost every day, I see new users under the list of "Super Users".

The site is running on Debian jessie that is fully updated on a weekly basis.

I did notice some VirtueMart modules that refuse to update (see attached image); can I update them manually?

One more note, I'm in the process of migrating the entire site to the latest Debian version.

Any advice?

Thanks,
Izi

K&K media production

Seems your site was hacked before you updated to a security release. You need malware scan tools for your website files.

https://securitycheck.protegetuordenador.com/

https://sucuri.net/

jenkinhill

The super user hack is Joomla related, not VirtueMart. For the procedure to work out and recover from the hack, start with https://forum.joomla.org/viewtopic.php?f=714&t=757645 and then work within that forum. You will get good advice. The recovery route is covered here: https://forum.joomla.org/viewtopic.php?f=714&t=946026

A Joomla specific site check is available from Phil Taylor, the first site scan is free.  https://myjoomla.com/site/is/hacked  so you could do that first.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

izig

Thanks for the advice above.

Now that the site is clean, it seems whoever hacked the site left me a few challenges:
1. Every new account is created as "Super User". Legitimate users are created with those elevated privileges.
2. No mail is sent for new account creation, so I need to watch occasionally for new accounts and change them to "Registered".

I added a layer of protection on /administrator in my .htaccess so those users will find it hard to log in to the administrator panel, but still...

jenkinhill

You obviously still have residual issues which will certainly bite you if you do not fix them now. I suspect you did not follow best practice for recovery from hacking.

izig

Thanks Kelvyn, you're partially correct. I had two options as I see it: reinstall the entire store from scratch, or dig into the site files looking for suspect ones.

As the site had many modifications during the years, reinstalling is my last option. But I do consider it.

I'd like to get any clue that may assist the current issues I noted above.
I assume the PHP file handling new accounts was tampered with, or the DB entries for the "Super Admin" and "Registered" accounts are swapped.

jenkinhill

If you don't replace all the files as in a normal hack recovery, then you run the risk of one or more hacked files still being present, and also of more than one backdoor into the site. You are showing us the importance of any "modifications" always being made using override files or by a plugin.

Milbo

Not only replace; he must also delete additional files. The best way is to remove all files and install it completely fresh, but using the old DB. Of course that should be done at "home" with a backup, and if all is cleared, upload it.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

izig

I'm sad :(

Installed a new server, Debian fully updated. Installed clean Joomla, VirtueMart and PHP 7.0.19-1. All are running the latest version (Joomla 3.8.0, which will be updated to 3.8.1 soon).

Exported my old DB from the old server and imported it into a new DB on the new server. Changed the Joomla configuration file to use the imported DB.
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee antivirus.

Today, a couple of weeks later, I see a few new spam users that are in the Super Admin group, and I never got a notification mail regarding new account creation.
I also created a test user myself; the new user was created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

Thanks for any assistance.

jenkinhill

Quote from: izig on October 07, 2017, 14:16:10 PM
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee antivirus.

McAfee antivirus is not designed to detect the sort of backdoor access files that a hacker could install in media/images. You really should manually check that the image files are what they claim to be; for example, a file image.php.jpg could be a backdoor file, giving a way in for hackers. Malicious code can also be hidden in an image, e.g. see https://thehackernews.com/2015/06/Stegosploit-malware.html (and instructions for hackers to do just that are online).

Looks like you have to rebuild the site again.
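Kelvyn's point above (an image.php.jpg under media/images, or PHP hidden inside a real image) can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from Joomla/VirtueMart: it walks a media directory and reports files with server-executable names, files whose image extension does not match their first bytes, and files that carry a PHP open tag. The labels, the function name and the example path are my own; it assumes POSIX sh with GNU or BusyBox find, head, od and grep.

```shell
#!/bin/sh
# Added example (not from the thread): scan a Joomla media tree for files that
# should not be there or are not what their extension claims.
# Prints one line per hit, "<LABEL> <path>":
#   EXEC-EXT   server-executable name (shell.php, image.php.jpg, x.phtml, .htaccess ...)
#   BAD-MAGIC  image extension but the first bytes are not JPEG/PNG/GIF magic
#   PHP-TAG    any other file (including a valid image) containing "<?php"
# Assumes POSIX sh plus find, head -c, od and grep -a (GNU coreutils or BusyBox).

find_suspect_media() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type f | while IFS= read -r f; do
        base=${f##*/}
        ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')

        # 1. Names that a web server (or a misconfigured handler) might execute.
        #    A double extension such as image.php.jpg matches *.php.* here.
        case "$base" in
            *.php|*.php.*|*.phtml|*.phar|*.php[3-7]|.htaccess|.user.ini)
                echo "EXEC-EXT $f"; continue ;;
        esac

        # 2. Image extension: compare the first bytes with the expected magic.
        case "$ext" in
            jpg|jpeg) expect=ffd8ff ;;     # JPEG SOI marker
            png)      expect=89504e47 ;;   # \x89PNG
            gif)      expect=474946 ;;     # GIF8
            *)        expect= ;;
        esac
        if [ -n "$expect" ]; then
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
            case "$magic" in
                "$expect"*) ;;
                *) echo "BAD-MAGIC $f"; continue ;;
            esac
        fi

        # 3. Anything else, valid images included, that carries PHP code
        #    (a GIF89a header followed by <?php is the classic polyglot).
        if grep -qa -- '<?php' "$f"; then
            echo "PHP-TAG $f"
        fi
    done
    return 0
}

# Usage: sh scan_media.sh /var/www/site/media   (path is hypothetical)
if [ $# -gt 0 ]; then
    find_suspect_media "$1"
fi
```

Everything it reports is a candidate for inspection, not proof: a site can legitimately ship a .htaccess under media, and Joomla's own index.html stubs are not flagged. It also cannot see the Stegosploit case from the link above, where the payload lives in pixel data and needs a browser-side loader; the only reliable treatment for that is to re-encode or replace the images.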

GJC Web Design

Quote from: izig
Today, a couple of weeks later, I see a few new spam users that are in the Super Admin group, and I never got a notification mail regarding new account creation.
I also created a test user myself; the new user was created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

When this vulnerability first became known I had a couple of sites to fix that were doing exactly the above.
It was a while ago, but from memory the eventual cause I found wasn't code: they had redone all the standard Joomla user permission configs etc.
Compare your permissions setup to a clean new install.
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

jenkinhill

Permissions are stored in the DB, but surely any developer would check that if they simply imported the old DB?

GJC Web Design

Struggling to remember, but I think it was the hierarchy of the set permissions and what they were allowed to do that had been totally altered, A about F.

So not individual perms, but the permissions and the order in which they were applied to groups etc. This may be totally different; it just rang a bell from when this hack was popular.

Whether you are registered as a Super or Registered user is simply group IDs in the registration model, so just debug out what is happening there, unless there is nefarious code swapping them after registration etc.

If not every registration ends as a Super, then I guess a back door is there to allow that.

izig

Thanks !
Global Configuration -> Users -> User Options: New User Registration Group and Guest User Group were set to "Super User".

GJC Web Design

I can see that would be problematic... :P

Yes, it was part and parcel of the hack that, once they had gained access, they often played silly buggers with the settings, then deleted their registration.

You would think they would have better things to do with their time...
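The two options izig found live in the database, not in the files, which is why they survived a clean file install on top of the old DB. As an added example (not from the thread or from Joomla itself), the script below checks those com_users settings from the params JSON you can pull with the mysql client, so a recovery checklist can verify them without trusting the admin UI. The table prefix jos_, the database name and the function names are assumptions; the group IDs 2 (Registered), 8 (Super Users) and 9 (Guest) are the defaults of a stock Joomla 3 install and the expected values can be overridden for sites that use custom groups.

```shell
#!/bin/sh
# Added example (not from the thread): verify the com_users options that the
# thread found switched to "Super User", straight from the database.
# Joomla 3 stores them in the #__extensions row for com_users, in the JSON
# 'params' column, as "new_usertype" (New User Registration Group) and
# "guest_usergroup" (Guest User Group).
# Fetch the JSON with (prefix jos_ and database joomla_db are assumptions):
#   mysql -N -B -e "SELECT params FROM jos_extensions
#                   WHERE element='com_users' AND type='component'" joomla_db
# Assumes POSIX sh with sed.

# json_field JSON KEY: print the numeric value of a top-level key (quoted or
# bare number), or nothing if the key is absent.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([0-9][0-9]*\)\"\{0,1\}.*/\1/p"
}

# audit_users_params JSON [EXPECT_NEW] [EXPECT_GUEST]
# Prints one FINDING line per bad setting; returns 0 if both are safe, 1 otherwise.
# Defaults: self-registration lands in Registered (2), anonymous visitors are Guest (9).
audit_users_params() {
    json="$1"
    expect_new=${2:-2}
    expect_guest=${3:-9}
    status=0
    new_grp=$(json_field "$json" new_usertype)
    guest_grp=$(json_field "$json" guest_usergroup)

    # Anything other than the expected group means every sign-up (spam bots
    # included) gets that group's privileges; 8 is the stock Super Users group.
    if [ "$new_grp" != "$expect_new" ]; then
        echo "FINDING new_usertype=${new_grp:-unset} (expected $expect_new)"
        status=1
    fi
    # The guest group decides what unauthenticated visitors may see; a
    # privileged group here leaks access levels to everyone.
    if [ "$guest_grp" != "$expect_guest" ]; then
        echo "FINDING guest_usergroup=${guest_grp:-unset} (expected $expect_guest)"
        status=1
    fi
    return $status
}

# Follow-up queries for the same recovery step (same assumed prefix):
#   list everyone in Super Users so rogue accounts can be removed:
#     SELECT u.id, u.username, u.email, u.registerDate
#       FROM jos_users u JOIN jos_user_usergroup_map m ON m.user_id = u.id
#      WHERE m.group_id = 8;
#   reset the two options (MySQL 5.7+ / MariaDB 10.2+ JSON functions):
#     UPDATE jos_extensions
#        SET params = JSON_SET(params, '$.new_usertype', '2', '$.guest_usergroup', '9')
#      WHERE element = 'com_users' AND type = 'component';

# Usage: sh audit_users.sh "$(mysql -N -B -e '...' joomla_db)"
if [ $# -gt 0 ]; then
    audit_users_params "$1"
fi
```

Run it against the JSON from the old database before going live on the rebuilt server; a non-zero exit means the hijacked settings were carried across with the DB. Changing the option back only affects future registrations, so the existing rogue Super Users still have to be found and deleted separately.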