Author Topic: Security Issue - Site Cracked!  (Read 4218 times)

whysigh

  • Beginner
  • Posts: 33
Security Issue - Site Cracked!
« on: August 27, 2008, 11:10:08 am »
Hi All

I have been in contact with my website hosting company, and they have given me the below explanation as to why my Joomla! & VirtueMart shop has been turned off!!

======================================

Hi Paul,

Thanks for contacting us.

*** Important please read this ticket fully ****

After our own server analysis we have found that your site is currently
running daemons.

This activity is strictly against our terms and conditions. Given the nature
of the daemons in question, it seems highly probable that your site was
cracked rather than a deliberate act. The most likely cause of this issue
is that another Internet user is exploiting the scripts on your site.
If this issue is a result of your own actions then we would ask you to cease your
activities immediately or face possible legal action.

For the time being, all scripting has been disabled for this site to protect
the safety of your site and others on the server.

Likely entry points for the crackers would be:

1. File-upload scripts (this is very likely)
2. PHPNuke scripts (likely)
3. Any PHP script that requires register_globals on.

In the case of this site the script in question is:

mydomain.co.uk ***.***.***.***- - [26/Aug/2008:12:39:41 +0100] "POST /language/.language.php?seC=webshell&workingdiR=/home/sites/mydomain.co.uk/public_html/language HTTP/1.1" 200 8660 "http://www.mydomain.co.uk/language/.language.php?seC=webshell&workingdiR=/home/sites/mydomain.co.uk/public_html/language" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20061201 Firefox/2.0.0.16 (Ubuntu-feisty)"

So it looks like possible code injection to the file ".language.php" which is in the language directory.

Also, /components/com_virtuemart/fetchscript.php looks to have been compromised too.

As with any script you should always ensure it is kept up to date with the latest updates and security patches and this is also true of any third party components you add too.

Where other Internet users exploit scripts hosted on a site the problem
can often be resolved by upgrading to the latest version of the script
or in the case of custom scripts asking your developer to close the
loophole that has been exploited. Please review your scripts and get updates
and replacements where necessary, and then inform us when you've done so.

Until you have made your scripts secure we will be unable to reactivate
scripting. To have scripting reactivated please reply to this ticket
stating the steps you have taken.

========================================

I am/was using Joomla 1.5.3 and VirtueMart 1.1, with nothing else installed on my domain other than that. Slightly confused as to what someone would gain from doing the above? If anyone can shed any light? If they know a fix? Etc.?

Eeek

Paul
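
The log line in the host's ticket shows two traits worth searching the rest of the access log for: a request to a dot-prefixed PHP file, and a query parameter carrying a server filesystem path. The following is an added example (not part of the original thread or the host's tooling) that flags such lines; the sample log lines, the example.test host name and the flag labels are constructed for illustration.

```python
import re
from posixpath import basename
from urllib.parse import parse_qsl, urlsplit

# Vhost-prefixed Apache combined log format, as in the host's excerpt.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+)[^\[]*\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IPs, placeholder host name).
SAMPLE = [
    'example.test 192.0.2.10 - - [26/Aug/2008:12:39:41 +0100] '
    '"POST /language/.language.php?seC=webshell&workingdiR=/home/sites/'
    'example.test/public_html/language HTTP/1.1" 200 8660 "-" "Mozilla/5.0"',
    'example.test 192.0.2.20 - - [26/Aug/2008:12:40:02 +0100] '
    '"GET /index.php?option=com_virtuemart&page=shop.browse HTTP/1.1" '
    '200 15320 "-" "Mozilla/5.0"',
    'example.test 192.0.2.30 - - [26/Aug/2008:12:41:10 +0100] '
    '"GET /language/.language.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

def reasons(line):
    """Return heuristic flags for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    name = basename(url.path)
    flags = []
    # A stock CMS does not serve hidden (dot-prefixed) PHP files.
    if name.startswith(".") and name.lower().endswith(".php"):
        flags.append("hidden-php-file")
    # Absolute server paths in a query string suggest a file-manager style script.
    if any(value.startswith("/") for _, value in parse_qsl(url.query)):
        flags.append("server-path-in-query")
    # A flagged request that was a POST answered with 200 reached a live script.
    if flags and m["method"] == "POST" and m["status"] == "200":
        flags.append("post-succeeded")
    return flags

def scan(lines):
    """Return (client, path, flags) for every parsed line with at least one flag."""
    hits = []
    for line in lines:
        flags = reasons(line)
        if flags:
            m = LINE_RE.match(line)
            hits.append((m["client"], urlsplit(m["target"]).path, flags))
    return hits

if __name__ == "__main__":
    for client, path, flags in scan(SAMPLE):
        print(client, path, ",".join(flags))
```

Client addresses returned by scan() can then be used to pull every other request from the same source, which helps locate the request that first placed the file.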

ZEUS__

  • Beginner
  • Posts: 48
Re: Security Issue - Site Cracked!
« Reply #1 on: August 27, 2008, 12:11:22 pm »
Hi Paul,
Joomla 1.5.6 was released and it has an urgent security update. Read this:
http://forum.joomla.org/viewtopic.php?f=372&t=315538
PHP on cgi
Joomla!: 1.5.14
Virtuemart: 1.1.3

whysigh

  • Beginner
  • Posts: 33
Re: Security Issue - Site Cracked!
« Reply #2 on: August 27, 2008, 15:46:14 pm »
Zeus,

Thanks for that, any ideas why someone would want to crack my site and run continuous server processes?

Like, what do they gain from it?

ZEUS__

  • Beginner
  • Posts: 48
Re: Security Issue - Site Cracked!
« Reply #3 on: August 28, 2008, 01:36:27 am »
Not at all.
Maybe they want to steal your customers' information, or maybe they have some problem with their brain. I don't understand why hackers do this :D I want to smack all of them ;D