VirtueMart Forum

VirtueMart 2 + 3 + 4 => Security (https) / Performance / SEO, SEF, URLs => Topic started by: Renata on November 12, 2018, 00:54:00 AM

Title: Server overload caused by injection in Virtuemart
Post by: Renata on November 12, 2018, 00:54:00 AM
I am desperate and I hope you can help me.

I am Dutch so I hope that I can explain it well and understandably.

One of the websites I manage is hacked and causes a huge server overload. The relevant website has been taken offline.

According to my host, everything points to the VirtueMart part of the website. Probably a SQL injection.

We have already done everything to exclude matters such as:

A completely clean installation of both Joomla, VirtueMart and all extensions. We then linked the database again, uploaded images, adjusted template files.

We have changed all passwords: DirectAdmin, Database (phpMyAdmin), backend of the website, FTP.

But the attack continues on and on. The server is still being overloaded when the website is online.

The suspicion is that it is a SQL injection; we do not have another explanation.


f.y.i.: This concerns a website that has been upgraded from VM 2 to 3.4.2 and from Joomla 2.5 to Joomla 3.9.0
All extensions, including the template (YOOtheme), are the latest versions
PHP 7.2.10
Apache 2.4.34


I hope you can help me.

Kind regards
Renata Gravendijk
Title: Re: Server overload caused by injection in Virtuemart
Post by: GJC Web Design on November 12, 2018, 01:55:36 AM
r u sure it's not the 404 loop problem?

Make sure u have the VM 404 handling switched off.. ->  Enable VirtueMart 404 error handling - NOT CHECKED

see   http://forum.virtuemart.net/index.php?topic=141213.0

http://forum.virtuemart.net/index.php?topic=141220
Title: Re: Server overload caused by injection in Virtuemart
Post by: jjk on November 12, 2018, 12:57:49 PM
Just want to mention it - php 7.2.10 has an XSS-vulnerability: https://bugs.php.net/bug.php?id=76582
Title: Re: Server overload caused by injection in Virtuemart
Post by: Renata on November 12, 2018, 13:11:36 PM
Dear GJC Web Design

You've made me very happy! It seems that your suggestion is the solution. We are monitoring the data traffic now and all looks OK. We keep on monitoring until the end of this afternoon. I will let you know the outcome.

Thanks thanks thanks!!!!

Kind regards
Renata
Title: Re: Server overload caused by injection in Virtuemart
Post by: fkeller on January 22, 2019, 14:25:05 PM
I have the same problem.

After the first week of attacks I removed VM and all VM plugins.
Then I reinstalled it from the Joomla backend. (It installed a bit older version than the actual version.)
I've waited 2 weeks and it looked like everything was working fine.
Then I noticed that there is a VM update available - so I installed it.
1 day later the attacks came back.

@Renata
Did the Error 404 handling result in a permanent solution? Or did the attacks come back?


cheers,
Flex
Title: Re: Server overload caused by injection in Virtuemart
Post by: Renata on January 22, 2019, 14:43:20 PM
Dear Flex,

Switching off the Error 404 handling was THE permanent solution  ;D

Kind regards
Renata
Title: Re: Server overload caused by injection in Virtuemart
Post by: GJC Web Design on January 22, 2019, 22:13:08 PM
Yes .. and was never an attack .. it is a simple php loop that eventually uses all the resources .. this is a bug .. not any sort of vulnerability of VM
Title: Re: Server overload caused by injection in Virtuemart
Post by: Renata on January 23, 2019, 00:20:39 AM
Because of this "simple" loop, the VirtueMart shop was offline for one week. Because the server was overloaded we had even to shut down the server! After comparing all files with an original installation looking for a file injection, after building the complete webshop as new over and over again hoping to solve the problem this way, we almost gave up.

My customer lost a lot of money because of this and me a lot of time and sleepless nights....

I am glad the solution was handed here to me, for which I thank you. But I do not understand why this was not fixed in an update and why members here were not informed about this!

Kind regards
Renata
Title: Re: Server overload caused by injection in Virtuemart
Post by: GJC Web Design on January 23, 2019, 08:49:42 AM
By "simple loop" I meant technically .. I fully realise the effect can be catastrophic but does only seem to affect a small minority of installs and server setups.
For example all my clients' installs still have VM 404 enabled and no problems...
As soon as the very varied reports of supposed hack attempts, injections, server overloads and similar reports were received Stan and others investigated, found and publicised the problem... this was on October 12th.. VM3.4.2 was only released on October 7th
http://forum.virtuemart.net/index.php?topic=141213.0
There was no case of this problem during the extensive pre release testing which again points to a specific server/config situation which none of the testers have.

All development of VM is done by unpaid volunteers for what at the end of the day is a completely free extremely competent e-commerce solution...

Title: Re: Server overload caused by injection in Virtuemart
Post by: Renata on January 23, 2019, 11:15:54 AM
I do appreciate all the work done by volunteers! Thank you!
f.y.i.: I have tried the commercial webshop extension Hikashop, yours is better! So hereby my compliments! ;D

After the problem started at our webshop I searched on the entire forum and www. I probably used keywords which were not recognized as the topic to which you are referring did not show up.

You do not know if a small minority is affected or not? Among the testers perhaps, but worldwide? VirtueMart is used worldwide! That is a big responsibility! F.a. this topic has been read 396 times. The one you are referring to is read 1059 times ...

Again I appreciate all the work, for which I thank you! But if there is a known bug which has enormous consequences for some webshop owners, you should immediately release an update containing the fix. If that on short notice is impossible due to circumstances which I respect, then you should make an announcement somewhere containing obvious keywords, including the temporary solution. Idea: newsletter? This in order to prevent the problems the webshop owners and their developers had to deal with.

Maybe you should discuss this internally?

I am still very happy with VirtueMart and thank all volunteers for their efforts!

Kind regards
Renata
Title: Re: Server overload caused by injection in Virtuemart
Post by: jenkinhill on January 23, 2019, 11:25:06 AM
It is generally difficult when a user reports an issue which we cannot replicate. Like GJC, none of my client sites had a problem with the release.

The lesson here is to always test any update on a copy of the live site, which we regularly recommend. I do this in a subdirectory of the live domain, and switch the updated copy with the live site if all is apparently OK. The advantage with this is that there is always the previous working version on the server, so if later an issue does crop up the sites can be switched around again. All this does take time, but better to be safe than sorry.
Title: Re: Server overload caused by injection in Virtuemart
Post by: Renata on January 23, 2019, 11:49:29 AM
Dear jenkinhill,

I understand and yes this was a good lesson ;)

In any case, you should always have to make a good and complete backup first. And we always do that!

f.y.i.: about what you indicated, testing on a test environment: In this case, tests in a test environment did not show the problem quickly enough. The overload of the server builds up and only after a lot of hours the server is overloaded and the alarm bells start to ring.
Furthermore: if the webshop is not live, there was no overload! So in this case, the problem will not be detected on a test environment.

Anyway, I gave you some tips above. (I edited my topic above and added newsletter to it.) In the end, together we all have to make something beautiful out of it. Only through good cooperation can this be achieved.

Thank you!

Kind regards
Renata
Title: Re: Server overload caused by injection in Virtuemart
Post by: Milbo on April 10, 2019, 09:30:55 AM
Quote from: Renata on January 23, 2019, 11:15:54 AM
F.a. this topic has been read 396 times. The one you are referring to is read 1059 times ...

Again I appreciate all the work, for which I thank you! But if there is a known bug which has enormous consequences for some webshop owners, you should immediately release an update containing the fix. If that on short notice is impossible due to circumstances which I respect, then you should make an announcement somewhere containing obvious keywords, including the temporary solution. Idea: newsletter? This in order to prevent the problems the webshop owners and their developers had to deal with.

Looks like we underestimated the problem with it. We have of course also our customers and as mentioned above. Let's say our core testers are 5 serious web agencies and they administrate maybe 100 customers together,... and only 1-2 have the problem, it looks like a minor problem.