Author Topic: Server overload caused by injection in Virtuemart  (Read 1491 times)

Renata

  • Jr. Member
  • **
  • Posts: 112
Server overload caused by injection in Virtuemart
« on: November 12, 2018, 00:54:00 am »
I am desperate and I hope you can help me.

I am Dutch so I hope that I can explain it well and understandably

One of the websites I manage is hacked and causes a huge server overload. The relevant website has been taken offline

According to my host, everything points to the Virtuemart part of the website. Probably a sql injection.

We have already done everything to exclude matters such as:

A completely clean installation of both Joomla, Virtuemart and all extensions. We then linked the database again, uploaded images, adjusted template files.

We have changed all passwords: Directadmin, Database (phpMyadmin), backend of the website, ftp

But the attack continues on and on. The server is still being overloaded when the website is online.

The suspicion is that it is a sql injection, we do not have another explanation.


f.y.i: This concerns a website that has been upgraded from VM 2 to 3.4.2 and from Joomla 2.5 to Joomla 3.9.0
All extensions including the template (Yootheme) are the latest versions
php 7.2.10
Apache 2.4.34


I hope you can help me.

Kind regards
Renata Gravendijk
Please visit my website http://www.1place4ads.nl for all your graphic webdesign and joomla websites.

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 8892
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 3.4.2
Re: Server overload caused by injection in Virtuemart
« Reply #1 on: November 12, 2018, 01:55:36 am »
r u sure it's not the 404 loop problem?

Make sure u have the VM 404 handling switched off.. ->  Enable VirtueMart 404 error handling - NOT CHECKED

see   http://forum.virtuemart.net/index.php?topic=141213.0

http://forum.virtuemart.net/index.php?topic=141220
GJC Web Design
VirtueMart and Joomla Developers - php developers http://www.gjcwebdesign.com
VM3 AusPost Shipping Plugin - e-go Shipping Plugin - VM3 Postcode Shipping Plugin - Radius Shipping Plugin - VM3 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
http://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

jjk

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 3447
  • using Matomo instead of Google Analytics
Re: Server overload caused by injection in Virtuemart
« Reply #2 on: November 12, 2018, 12:57:49 pm »
Just want to mention it - php 7.2.10 has an XSS-vulnerability: https://bugs.php.net/bug.php?id=76582
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

Renata

Re: Server overload caused by injection in Virtuemart
« Reply #3 on: November 12, 2018, 13:11:36 pm »
Dear GJC Web Design

You've made me very happy! It seems that your suggestion is the solution. We are monitoring the data traffic now and all looks OK. We keep on monitoring until the end of this afternoon. I will let you know the outcome.

Thanks thanks thanks!!!!

Kind regards
Renata

fkeller

  • Beginner
  • *
  • Posts: 5
Re: Server overload caused by injection in Virtuemart
« Reply #4 on: January 22, 2019, 14:25:05 pm »
I have the same problem.

After the first week of attacks I removed VM and all VM plugins.
Then I reinstalled it from the Joomla backend. (it installed a bit older version than the actual version)
I've waited 2 weeks and it looked like everything was working fine.
Then I noticed that there is a VM update available - so I installed it.
1 day later the attacks came back.

@Renata
Did the Error 404 handling result in a permanent solution? Or did the attacks come back?


cheers,
Flex

Renata

Re: Server overload caused by injection in Virtuemart
« Reply #5 on: January 22, 2019, 14:43:20 pm »
Dear Flex,

Switching off the Error 404 handling was THE permanent solution  ;D

Kind regards
Renata

GJC Web Design

Re: Server overload caused by injection in Virtuemart
« Reply #6 on: January 22, 2019, 22:13:08 pm »
Yes .. and was never an attack .. it is a simple php loop that eventually uses all the resources .. this is a bug .. not any sort of vulnerability of VM

Renata

Re: Server overload caused by injection in Virtuemart
« Reply #7 on: January 23, 2019, 00:20:39 am »
Because of this "simple" loop, the virtuemart shop was offline for one week. Because the server was overloaded we had even to shut down the server! After comparing all files with an original installation looking for a file injection, after building the complete webshop as new over and over again hoping to solve the problem this way, we almost gave up.

My customer lost a lot of money because of this and me a lot of time and sleepless nights....

I am glad the solution was handed here to me for which I thank you. But I do not understand why this was not fixed in an update and why members here were not informed about this!

Kind regards
Renata

GJC Web Design

Re: Server overload caused by injection in Virtuemart
« Reply #8 on: January 23, 2019, 08:49:42 am »
By "simple loop" I meant technically .. I fully realise the effect can be catastrophic but does only seem to affect a small minority of installs and server setups.
For example all my clients' installs still have VM 404 enabled and no problems...
As soon as the very varied reports of supposed hack attempts, injections, server overloads and similar reports were received Stan and others investigated, found and publicised the problem... this was on October 12th.. VM3.4.2 was only released on October 7th
http://forum.virtuemart.net/index.php?topic=141213.0
There was no case of this problem during the extensive pre release testing which again points to a specific server/config situation which none of the testers have.

All development of VM is done by unpaid volunteers for what at the end of the day is a completely free extremely competent e-commerce solution...


Renata

Re: Server overload caused by injection in Virtuemart
« Reply #9 on: January 23, 2019, 11:15:54 am »
I do appreciate all the work done by volunteers! Thank you!
f.y.i.: I have tried the commercial webshop extension Hikashop, yours is better! So hereby my compliments! ;D

After the problem started at our webshop I searched on the entire forum and www. I probably used keywords which were not recognized as the topic to which you are referring did not show up.

You do not know if a small minority is affected or not? Among the testers perhaps, but worldwide? Virtuemart is used worldwide! That is a big responsibility! F.a. this topic has been read 396 times. The one you are referring to is read 1059 times ...

Again I appreciate all the work for which I thank you! But if there is a known bug which has enormous consequences for some webshop owners, you should immediately release an update containing the fix. If that on short notice is impossible due to circumstances which I respect, then you should make an announcement somewhere containing obvious keywords, including the temporary solution. Idea: newsletter? This in order to prevent the problems the webshop owners and their developers had to deal with.

Maybe you should discuss this internally?

I am still very happy with Virtuemart and thank all volunteers for their efforts!

Kind regards
Renata

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27426
  • Always on vacation
    • Jenkin Hill Internet
Re: Server overload caused by injection in Virtuemart
« Reply #10 on: January 23, 2019, 11:25:06 am »
It is generally difficult when a user reports an issue which we cannot replicate. Like GJC, none of my client sites had a problem with the release.

The lesson here is to always test any update on a copy of the live site, which we regularly recommend. I do this in a subdirectory of the live domain, and switch the updated copy with the live site if all is apparently OK. The advantage with this is that there is always the previous working version on the server, so if later an issue does crop up the sites can be switched around again. All this does take time, but better to be safe than sorry.
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.4.3.10057 on Joomla 3.9.8 PHP 7.0.33
Testing VM .3.6.0.10075 on Joomla 3.9.8

Renata

Re: Server overload caused by injection in Virtuemart
« Reply #11 on: January 23, 2019, 11:49:29 am »
Dear jenkinhill,

I understand and yes this was a good lesson ;)

In any case, you should always have to make a good and complete backup first. And we always do that!

f.y.i.: about what you indicated, testing on a test environment: In this case, tests in a test environment did not show the problem quickly enough. The overload of the server builds up and only after a lot of hours the server is overloaded and the alarm bells start to ring.
Furthermore: if the webshop is not live, there was no overload! So in this case, the problem will not be detected on a test environment.

Anyway, I gave you some tips above. (I edited my topic above and added newsletter to it) In the end, together we all have to make something beautiful out of it. Only through good cooperation can this be achieved.

Thank you!

Kind regards
Renata

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9838
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Server overload caused by injection in Virtuemart
« Reply #12 on: April 10, 2019, 09:30:55 am »
F.a. this topic has been read 396 times. The one you are referring to is read 1059 times ...

Again I appreciate all the work for which I thank you! But if there is a known bug which has enormous consequences for some webshop owners, you should immediately release an update containing the fix. If that on short notice is impossible due to circumstances which I respect, then you should make an announcement somewhere containing obvious keywords, including the temporary solution. Idea: newsletter? This in order to prevent the problems the webshop owners and their developers had to deal with.

Looks like we underestimated the problem with it. We have of course also our customers and as mentioned above. Let's say our core testers are 5 serious web agencies and they administrate maybe 100 customers together,... and only 1-2 have the problem, it looks like a minor problem.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/