Author Topic: Help: how did a hacker get in, totally bypassing the user registration form?  (Read 368 times)

sxl097

  • Beginner
  • *
  • Posts: 6
Help: how did a hacker get in, totally bypassing the user registration form?
« on: November 03, 2018, 20:35:07 pm »
First, I guess this is more related to Joomla security than to VirtueMart. But since I installed the latest VirtueMart version on this Joomla installation, I am posting my question here as well. A couple of pieces of information: I upgraded Joomla to v3.9, the latest, and installed the latest VirtueMart version as well. But still I can see in User Manager newly created users showing up who tried to register, and fortunately I set activation to administrator, so they did not really get to log in. See the screenshot: both Enabled and Activation remained red checkmarks.
https://snag.gy/zDijP9.jpg

But I don't understand how the hacker could register new users that show up in Joomla's User Manager. I do understand that VirtueMart changes the Joomla registration.

Here is what I found,
1. Even with user registration disabled, they still get onto my Joomla User Manager. That tells me the hacker was using a script to bypass the Joomla user registration form and the VirtueMart user registration totally!! I could not imagine the Joomla team wouldn't know that new user registration on a Joomla website can be totally bypassed??

2. On the registration form, at last I ended up inserting a captcha and another email validation (which would never be possible to pass), but I can see the hacker still gets into the Joomla User Manager and the shopper list in VirtueMart. And in the shopper record some of the required fields were totally missing; that tells me they got onto the User Manager not through the registration form.

3. I checked with my colo and cPanel. The user could not reach SQL directly, and I checked the IP address list in Remote SQL.

I am sorry that I am a little frustrated, and I am not a PHP programmer. But I did change the register template both under com_users and under com_virtuemart/view/tmpl. I have already overextended myself on PHP skills much more than I would like to. But how could Joomla and VirtueMart, even in the latest version, not counter this kind of bypass nonsense? Someone please help? I believe this hacker bypass has existed for quite some time now; obviously this hole has existed for older versions of Joomla and VirtueMart!

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2811
  • VirtueMart Version: 3.4
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #1 on: November 03, 2018, 21:11:29 pm »
Try and visit a URL based on

yoursite/yourshopurlifany/user/editaddress

regards
A

Joomla 3.8.13
php 7.1

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27043
  • Always on vacation
    • Jenkin Hill Internet
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #2 on: November 03, 2018, 22:44:20 pm »
Or yourwebsite.com/index.php?option=com_users&view=registration
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.4.0.9935 on Joomla 3.8.12 PHP 7.0.31
Testing VM 3.4.0.9941 on Joomla 3.8.12

sxl097

  • Beginner
  • *
  • Posts: 6
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #3 on: November 03, 2018, 22:53:02 pm »
Thanks for your responses.

Correct me if I am wrong, but I believe I have been to "yoursite/yourshopurlifany/user/editaddress" (you are referring to editaddress.php?) and "yourwebsite.com/index.php?option=com_users&view=registration", but I conclude so far that the hack script bypasses all of those.

They are now just malicious or bad registrations, not a legit successful hack yet. But that would be the first step of a hack; that is how they get a foot in the door. You really don't know what they can do with it if I allow those users to be activated. Many years ago, I had a Joomla website defaced on the home page with an Islamic flag, and when I tried to fix that, the hacker then totally deleted the whole root directory and everything in the subfolders. But at that time I knew I was not up to date with the latest security patches.

As to how they bypass it, I have my guess, even though I am not a PHP nor a Joomla programmer. I am not even a computer programmer in general. But I have been researching on the Joomla forum for a couple of days and extended myself to dabble in various PHP and HTML code in various template files by inserting captcha code and email validation code manually, as most Joomla captcha plugins and email validation plugins stop working once VirtueMart is installed. Those plugins will only work and be very effective on pure Joomla websites. VirtueMart obviously changes something inside Joomla so that the shopper's required information fields (such as shipping address, state, country, etc.) are appended to the original Joomla registration form.

Here is what I know

1. I already know the hack scripts did not hit

./components/com_virtuemart/views/user/tmpl/edit_shopper.php (the one AH mentioned)
nor
./components/com_users/views/registration/tmpl/default.php

(both templates are used for my website's VirtueMart-modified registration). My guess is they did not hit website.com/index.php/component/virtuemart/user?Itemid=0 (the one jenkinhill mentioned), as I set up a user tracking plugin for whoever hits that page.

2. Even after I turned off user registration in the User Manager options, they still get registered into the User Manager table. And I can tell there is more than one hack source. I guess they were running the same kind of hacking tool.

My guess is the bypass has something to do with the two controller folders (Joomla and VirtueMart), such as ./components/com_users/controllers/registration.php or ./components/com_virtuemart/controllers/user.php. The scripts were hitting those PHP files directly, bypassing the "Allow User Registration" switch set in the Joomla User Manager options.

3. Please take a look at the shopper detail in VirtueMart (screenshot below). You can see the "*" required fields are totally empty. That is impossible for a real person going through the registration form, but somehow those funny users show up as shoppers in VirtueMart.

https://snag.gy/Tzm5di.jpg

That is why I conclude the script somehow bypasses the registration form totally, rendering my captcha and email validation code setup totally invalid. Actually, as a last resort, I changed the email validation code so that no real person can pass the registration form successfully, but those funny users still continue to show up.

Again, I am not a programmer by trade. I overextended myself here by dabbling in various PHP files. There are so many smart people here, especially the folks who develop the Joomla code and VirtueMart code. I cannot imagine that with the information I present here they would not know what is actually happening. Especially since my guess is this hole, if I can call it that, exists for various versions of Joomla and VirtueMart.

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 8433
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.14
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #4 on: November 03, 2018, 23:00:47 pm »
There must be a registration / created date in the db tables .. use this timestamp to analyse your server access logs to find the _POST that was made to create this user
GJC Web Design
VirtueMart and Joomla Developers - php developers http://www.gjcwebdesign.com
VM3 AusPost Shipping Plugin - e-go Shipping Plugin - VM3 Postcode Shipping Plugin - Radius Shipping Plugin - VM3 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
http://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

sxl097

  • Beginner
  • *
  • Posts: 6
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #5 on: November 03, 2018, 23:14:57 pm »
Yes. Using that timestamp in the user table (it is shown in User Manager as well) I was able to identify the IP addresses of the intruder. But I don't have the capability to find out what webpage the intruder was trying to hit, or what exactly their web request or HTML POST was, etc.

I don't want to block that IP address, as they can easily change to a different source IP address, and blocking the IP address will agitate them into making an even greater effort to hack into my site. That is not what I want to see. But to my surprise, how could the Joomla or VirtueMart code not see this big hole for a bypass in the first place when developing their code? Again, I am not a software developer; I might be overextending myself by saying nonsense here.

My guess is they might not need to hit any webpage meant for human eyes. They hit one of the PHP files directly, bypassing all the registration forms and captchas and other fancy validation we set up.

sxl097

  • Beginner
  • *
  • Posts: 6
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #6 on: November 03, 2018, 23:27:55 pm »
BTW, this one particular intruder IP address registered 4 page hits (from the AWStats report), and it took them less than one minute to get onto the User Manager table, judging by the timestamp in the user table for the registration and the initial hit timestamp reported by the AWStats report from the hosting company.


sxl097

  • Beginner
  • *
  • Posts: 6
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #7 on: November 03, 2018, 23:40:37 pm »
GJC Web Design, what "server access logs" are you referring to? I went through all the log files specified in Joomla Global Configuration --> Path to Log Folder and I could not find any usable information.

There must be a way to turn on the user activity log to see whether a user was doing HTML GETs and POSTs, with the exact URL they were hitting. But so far I could not find that setting?

Again, I guess there was more than one intruder source, possibly using similar Joomla hacking tools (regardless of exact Joomla version). I was studying one of the obvious ones, but I was stuck by the lack of logging information to go further.

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 8433
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.14
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #8 on: November 04, 2018, 10:54:22 am »
Your server access logs -- nothing to do with Joomla .. on your server "somewhere"

typically on cPanel
GJC Web Design
VirtueMart and Joomla Developers - php developers http://www.gjcwebdesign.com
VM3 AusPost Shipping Plugin - e-go Shipping Plugin - VM3 Postcode Shipping Plugin - Radius Shipping Plugin - VM3 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
http://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27043
  • Always on vacation
    • Jenkin Hill Internet
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #9 on: November 04, 2018, 14:05:40 pm »
You have not provided any useful background information for this site except "I upgrade Joomla v3.9". 

Is this an old site? What Joomla version did you upgrade from?

As GJC comments, the target and POST information from your access logs are vital to determine how the registrations were made.
In case the site has been hacked you would be advised to run the Joomla FPA which can report on the site environment, all installed extensions and directory permissions.  https://forum.joomla.org/viewtopic.php?f=714&t=793531
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.4.0.9935 on Joomla 3.8.12 PHP 7.0.31
Testing VM 3.4.0.9941 on Joomla 3.8.12

jjk

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 3365
  • using Matomo instead of Google Analytics
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #10 on: November 04, 2018, 18:47:20 pm »
Some recommendations from me:

  • Use a free FTP program like WinSCP for easy access to all of the files and folders your webhoster allows, including the access.log file(s). Note that these can become quite large, like 500.000+ lines of text. I usually use the editor Notepad++ if I want to search for POST / in order to identify and block the IP addresses of the most annoying bots. Registration bots and spam bots often try several hundred or thousand times to locate and fill published registration or contact forms.

  • Use the ECC+ (EasyCalcCheck Plus) plugin and enable at least the Blacklist of StopForumSpam.com and let it add an easy math captcha to your Joomla and VirtueMart registration and contact forms. This is much more user friendly than the Google ReCaptcha (and doesn't send information to Google).

  • Eventually also use Spambotcheck by VI-Solutions (There are plenty of similar plugins, but of course it doesn't make sense to install them all)

  • A nice first information tool if you fear that your site is subject to hacking attempts is the Eyesite plugin. It keeps a list of changed/added files for review.

  • Last but not least, I would recommend to unpublish the Joomla registration module, because it attracts a lot of bots and normally this is not needed for a shop. Real shoppers are registered automatically when they buy something. Some people interested in your products still find the VM registration in the cart. Bots usually don't use this one, if you ask (configure the fields as 'required') for the full address and phone number.

Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations
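The advice from GJC Web Design (take the account's created timestamp from the users table and find the matching POST in the server access log) and from jjk (search the access log for POST lines to spot registration bots) can be automated rather than done by hand in Notepad++. The script below is an added example written for this thread; it is not code from any poster nor from the Joomla or VirtueMart projects. It assumes the host writes Apache/nginx "combined"-format access logs, the log lines and the account creation time are constructed sample data, and the request paths in the sample are only shaped like Joomla's registration endpoint for illustration. It reports every POST in the minutes before the account appeared, grouped by client IP and path, and separately lists IPs that submitted a registration without ever loading the registration form, which is the "script hits the PHP file directly" pattern the original poster suspects.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format (assumption: the cPanel access log
# GJC and jjk refer to uses this format; adjust the regex if yours differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substring identifying a fetch of the registration form view. An IP that
# never fetched it but still POSTed a registration never saw the captcha.
REGISTRATION_FORM = "view=registration"

# Constructed sample log lines (not real traffic): a browser session that loads
# the form and submits it, a client that POSTs twice without ever loading the
# form, one POST far outside the window of interest, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2018:19:31:02 +0000] "GET /index.php?option=com_users&view=registration HTTP/1.1" 200 8123 "https://shop.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
    '203.0.113.7 - - [03/Nov/2018:19:33:40 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "https://shop.example/index.php?option=com_users&view=registration" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
    '198.51.100.23 - - [03/Nov/2018:19:34:11 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "-" "python-requests/2.19.1"',
    '198.51.100.23 - - [03/Nov/2018:19:34:12 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "-" "python-requests/2.19.1"',
    '192.0.2.55 - - [03/Nov/2018:18:10:00 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "-" "curl/7.61.0"',
    'this line is deliberately malformed and must be skipped',
]

# Constructed value standing in for the `created` column of the users table
# row of one unwanted account (Joomla stores that column in UTC).
CREATED_AT = datetime(2018, 11, 3, 19, 34, 12, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def posts_near(lines, created_at, window=timedelta(minutes=5)):
    """POST requests logged within `window` before the account was created."""
    lo = created_at - window
    return [
        rec
        for rec in filter(None, map(parse_line, lines))
        if rec["method"] == "POST" and lo <= rec["ts"] <= created_at
    ]


def summarize(hits):
    """Count the POSTs per client IP and request path."""
    by_ip = defaultdict(Counter)
    for rec in hits:
        by_ip[rec["ip"]][rec["path"]] += 1
    return {ip: dict(paths) for ip, paths in by_ip.items()}


def direct_posters(lines, created_at, window=timedelta(minutes=5)):
    """IPs that POSTed inside the window but never fetched the registration form."""
    records = list(filter(None, map(parse_line, lines)))
    form_viewers = {
        r["ip"] for r in records
        if r["method"] == "GET" and REGISTRATION_FORM in r["path"]
    }
    lo = created_at - window
    suspects = {
        r["ip"] for r in records
        if r["method"] == "POST" and lo <= r["ts"] <= created_at
        and r["ip"] not in form_viewers
    }
    return sorted(suspects)


if __name__ == "__main__":
    hits = posts_near(SAMPLE_LOG, CREATED_AT)
    for ip, paths in summarize(hits).items():
        for path, n in paths.items():
            print(f"{ip:15} {n:3}x POST {path}")
    print("never loaded the form:", direct_posters(SAMPLE_LOG, CREATED_AT))
```

Two caveats when running this on a real log: web servers usually stamp lines in the server's local time while Joomla's `created` column is UTC, so convert one of them or widen the window until the two clocks are reconciled; and a VirtueMart cart registration posts to a com_virtuemart path rather than the com_users one, so read the summary for every path, not only the one in the sample. The point of the exercise is to learn which endpoint the registrations arrive through, so the captcha or rate limit can be applied to that request handler rather than only to the visible form.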

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10291
  • VirtueMart Version: 3+
Re: Help: how did a hacker get in, totally bypassing the user registration form?
« Reply #11 on: November 14, 2018, 22:35:02 pm »
"captcha on registration" enabled?

I do NOT do development work for hire.