Help, how hack got in bypass totally user registeration form

[sxl097]

First, I guess this is more related to joomla security than virtuemart. But since I install virtuemart latest version on this joomla installation so I post my question as well. A couple of information here. I upgrade Joomla v3.9 the latest. And Install virtuemart to the latest version as well. But still I can see in user manager there are newly created users showing up who tried to register and fortunately I set to adminstrator for activation so they did not really get login. see the screenshoot, both enabled and activation remained red checkmark.
https://snag.gy/zDijP9.jpg

But I don't understand how could the hacker to register new user to showing on Joomla's user manager. I do understand virtuemart change the joomla registeration.

Here is what I found,
1. Even disable user registeration, they still get on to my Joomla user manager. That tells me hacker was using script to bypass Joomla user registeration form and virtuemart user registeration totally!! I could not imagine Joomla team won't know Joomla website new user registeration can be totally bypass??

2. On the registeration form, at last I end up to insert captcha and another email validation (which would never be able to pass), but I can see hacker still get into Joomla user manager. and shopper list in virtuemart. and in shopper's some of required field was totally missing, that tell me they get on to user manager not through registeration form.

3. I checked with my colo and cpanel. The user could not reach the sql directly and I check ip address list in remote sql.

I am sorry that I am a little frustrated and I am not php programmer. But but change register template both under com_users and under come_virtuemart/view/tmpl. I have already overextended myself  on Php's skill too much than I would like to be. But how could Joomla and virtuemart even latest version did not counter this kind of bypass nonsense. Someone please help? I believe this hacker bypass has been exist for quite sometime now, obviously for the older version joomla and virtuemart this hole has been existed!

[AH]

Try and visit an url based on

yoursite/yourshopurlifany/user/editaddress

[jenkinhill]

Or  yourwebsite.com/index.php?option=com_users&view=registration

[sxl097]

Thanks for your responses.

Correct me if I was wrong but I believe I have been to "yoursite/yourshopurlifany/user/editaddress" (you are referring to the editaddress.php?) and  "yourwebsite.com/index.php?option=com_users&view=registration"  but I conclude so far the hack script bypass all of those.

They are now just malicious or bad registrations, not legit successful hack yet. But that would be the first step of hack. that is how they get a foot into the door.  You really don't what they can do with it if I allow those users activated.. Many years ago, I had a joomla website be defaced at home page with islam flag and then when I tried to fix on that. Hacker then totally delete the whole root directory and everything with subfolders. But that time I knew I was not up to the latest security patches.

As to how they bypass I have my guess, even though, I am not php nor joomla programmer. I am not even computer programmer in general.  But I have been researched on joomla forum for a couple of days and extend myself to dabble into various php and html coding in various template files by insert captcha code and email validation code manually as most of joomla cacha plugin and email validation plugin stop working as virtuemart was installed. Those plugins will only work and be very effective in surely joomla websites. virtuemart obviously change something inside joomla so shopper required information fields (such as shipping address, state, country, and etc) were appended into the original joomla registration form.

Here are what I know

1. I already knew the hack scripts did not hit.

./components/com_virtuemart/views/user/tmpl/edit_shopper.php (AH mentioned in this line)
nor
./components/com_users/views/registration/tmpl/default.php

(both templates are used for my website virtuemart modified registeration). My guess they did not hit website.com/index.php/component/virtuemart/user?Itemid=0 (jenkinhill mentioned in this line) that webpage as I setup a user tracking plug in for whoever hit that page.

2. even after I turn off user registration at user manager option. they still can get registered onto user manager table. And I can tell there are more than one hack source. I guess they were running the same kind of hacking tool.

My guess the bypass has something to do with two controller folders (joomla and virtuemart).
such as./components/com_users/controllers/registration.php or ./components/com_virtuemart/controllers/user.php. The script were hitting those php file directly so bypass "Allow User Registration" switch set at joomla user manager option.

3. please take a look at(screenshoot below) the shopper detail of virtuemart. You can see "*" are required fields but totally empty. That is impossible for the real person to go through at registration form but somehow those fanny users show up as shopper in virtuemart.

https://snag.gy/Tzm5di.jpg

that is why I conclude somehow the script bypass the registeration form totally to render my captcha and email validation code setup totally invalid. Actually, as the last resolve. I dabble the email validation code to make no real person can pass the registeration form successfully. but those fanny users still continue to show up.

Again, I am not programmer by trade. I overextended myself here to dabble into various php files. There are so many smart people here, especially the folks who develope Joomla code and Virtuemart code. I can not imagine by the information I present here, they would not know what actually happen.  Especially my guess this hole if I can call this, does exist for various version of joomla and virtuemart.

[GJC Web Design]

There must be a registration / created date in the db tables .. use this timestamp to analyse your server access logs to find the _POST that was made to create this user

[sxl097]

Yes. I use that time stamp in user table (it is showed in user manager as well)  I was able to identify the ip addresses of intruder. But I don't have the capability to find out what webpage the intruder was trying to hit or what is exactly their web request or html post...etc

I don't want to block that ip address as they can easily change to different source ip address. and block ip address will agitate them to make even greater effort to hack into my site. That is not what I want to see. But to my surprise, how Joomla or Virtuemart code won't be able to see the big hole for bypass in the firstplace when developing their codes. Again, I am not software developer, I might overextend myself by saying nonsense here.

My guess they might not need to hit any webpage for human eyes. They hit one of php file directly so bypassing all the registeration form and captcha and other fancy validation we setup.

[sxl097]

BTW, this one particular intruder ip address, registered 4 page hits (from awstats report) and it take them within one minute to get on the user manager table by checking the timestamp on user table for registration and the initial hit time stamp reported by awstats report from hosting company.

[sxl097]

GJC Web Design, what "your server access logs" you are referring to? I went through all log files specifed in joomla global configuration--> Path to Log Folder and I could not find any usable information.

It must be a way to turn on the user activity log to see whether user was html getting and post with exact url they were hitting. But so far I could not that setting?

Again. I guess there were more than one intruder source, possibly, using similar joomla hacking tools (disregard exact joomla version). I was studying one of obvious one but I was stuck by lacking logging information for me to go further.

[GJC Web Design]

Your server access logs -- nothing to do with Joomla .. on your server "somewhere"

typically on cPanel

[jenkinhill]

You have not provided any useful background information for this site except "I upgrade Joomla v3.9". 

Is this an old site? What Joomla version did you upgrade from?

As GJC comments, the target and POST information from your access logs are vital to determine how the registrations were made.
In case the site has been hacked you would be advised to run the Joomla FPA which can report on the site environment, all installed extensions and directory permissions.  https://forum.joomla.org/viewtopic.php?f=714&t=793531

[jjk]

Some recommendations from me:




• Use a free ftp program like WinSCP for easy access to all of the files and folders your webhoster allows, including the access.log file(s). Note that these can become quite large, like 500.000+ lines of text. I usually use the Editor Notepad++ if I want to search for POST / in order to identify and block the ip addresses of the most annoying bots. Registration bots and spam bots often try several hundred or thousand times to locate and fill published registration or contact forms.
  
  
• Use the ECC+ (EasyCalcCheck Plus) plugin and enable at least the Blacklist of StopForumSpam.com and let it add an easy math capcha to your Joomla and VirtueMart registration and contact forms. This is much more user friendly than the Google ReCaptcha (and doesn't send information to Google).
  
  
• Eventually also use Spambotcheck by VI-Solutions (There are plenty of similar plugins, but of course it doesn't make sense to install them all)
  
  
• A nice first information tool if you fear that your site is subject to hacking attempts is the Eyesite plugin. It keeps a list of changed/added files for review.
  
  
• Last but not least, I would recommend to unpublish the Joomla registration module, because it attracts a lot of bots and normally this is not needed for a shop. Real shoppers are registered automatically when they buy something. Some people interested in your products still find the VM registration in the cart. Bots usually don't use this one, if you ask (configure the fields as 'required') for the full address and phone number.
  
  

[PRO]

"captcha on registration" enabled?

[gremaley]

This is an interesting thread. It is 3 years old now, but I wonder if this issue was ever resolved.
I have a Joomla site (3.10.3) that I installed in 2016 and have kept it updated as Joomla core updates were published. My Virtuemart shopping cart was installed at the same time.

I have the same problem with bad actors somehow bypassing the normal registration form and showing up as a new user with none of the required fields containing data except for name and email. So enabling CAPTCHA does no good whatsoever... because they have found a way to bypass the registration form completely.

In 5 years, these bad actors have never caused any problems because new 'registered' users have no permissions on my site. I only upgrade their access level after I have vetted them and verified that they have an address, phone number, etc.... Everyday I have to go in and delete these bad actor (fake users) which is a bit annoying, but I just assumed there was no other way to deal with this. The original post asks an important question.... in Joomla (or Virtuemart) there must be a flaw in the code that allows these bad actors to bypass the registration form. But until that flaw gets fixed, if ever, I will continue to go in and delete these users every day.

I wish I could be of more help...

[jenkinhill]

Spam registrations continue to be an issue on any Joomla site that requires registration.
This plugin provided protection for one of my sites:  https://extensions.joomla.org/extension/access-a-security/site-security/ospam-a-not/

[Studio 42]

Note that if you install an unknown developer module or plugin, it can directly call user registration and define a Virtuemart user or Joomla user.
Only the Joomla controller checks if the user is valid the model, not
And even if the Joomla user model checks this, you can directly create a user calling the database and register any user.
I had a customer who installed a NULLED component and had a lot of Joomla articles with porn links inside. Any website is really easy to hack if you trust  unknown developers (free extensions most time)