Super Users created again and again on an updated site

izig · July 21, 2017, 18:14:24 PM

Hi, I'm running my VirtueMart 3.2.2 on Joomla 3.7.3 and have some security (I would say serious) issues.
Almost every day, I see new users under the list of "Super Users"

The site is running on Debian jessie that is fully updated on a weekly basis.

I did noticed some VirtueMart modules that refuses to updated (see attached image), can I update them manually?

One more note, I'm in the process of migrating the entire site to the latest Debian version.

Any advise?

Thanks,
Izi

K&K media production · July 21, 2017, 18:26:45 PM

Seems your site was hacked before you've updated a security release. You need malware scan tools for your website files.

https://securitycheck.protegetuordenador.com/

https://sucuri.net/

jenkinhill · July 21, 2017, 23:21:24 PM

The super user hack is Joomla related, not VirtueMart. For the procedure to work out and recover from the hack start with https://forum.joomla.org/viewtopic.php?f=714&t=757645 and then work within that forum. You will get good advice. The recovery route is covered here: https://forum.joomla.org/viewtopic.php?f=714&t=946026

A Joomla specific site check is available from Phil Taylor, the first site scan is free. https://myjoomla.com/site/is/hacked so you could do that first.

izig · September 01, 2017, 18:19:56 PM

Thanks for the advises above.

Now that the site is clean, seems like whom ever hacked the site left me a few challenges:
1. Every new account created as "Super User". Legitimate users created with those elevated privileges
2. No mail is sent for new account creation, so I need to watch occasionally for new accounts and change them to "Registered"

I added a layer of protection on the /administrator in my .htaccess so those users will find it hard to login to the administrator panel, but still...

jenkinhill · September 01, 2017, 23:31:57 PM

You obviously still have residual issues which will certainly bite you if you do not fix them now. I suspect you did not follow best practice for recovery from hacking.

izig · September 02, 2017, 08:40:54 AM

Thanks Kelvyn, you're partially correct. I had 2 options as I see it, reinstall the entire store from scratch, or dig into the site files looking for suspected ones.

As the site had many modifications during the years, reinstalling is my last option. But I do consider it.

I'd like to get any clue that may assist the current issues I noted above.
I assume the PHP file handling new accounts was tempered or the DB entry for "Super Admin" and "Registers" accounts is swapped.

jenkinhill · September 02, 2017, 15:15:54 PM

If you don't replace all the files as in a normal hack recovery, then you run the risk of there being one or more hacked file being present, and also more than one backdoor into the site. You are showing us the importance of any "modifications" always being made using override files or by a plugin.

Milbo · September 02, 2017, 23:35:34 PM

not only replace, he must also delete additional files. The best way is to remove all files, and install it completly fresh. But using the old db and of course that should be done at "home" with a backup and if all is cleared, upload it.

izig · October 07, 2017, 14:16:10 PM

I'm sad

Installed new server, Debian fully updated. Installed clean Joomla, Virtuemart and PHP 7.0.19-1. All are running latest version (Joomla 3.8.0 and will be updated to 3.8.1 soon)

Exported my old DB from the old server and imported it to a new DB on the new server. Changed Joomla configuration file to use the imported DB.
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee anti virus.

Today, a couple of weeks later, I see a few new spam users that are in the Super Admin group. And I never got a notification mail of regarding new account creation.
Also created a test user myself, the new user created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

Thanks for any assistance.

jenkinhill · October 07, 2017, 15:40:55 PM

Quote from: izig on October 07, 2017, 14:16:10 PM
Also copied the media folder to the new server after scanning it on a Windows machine with McAfee anti virus.

McAfee anti-virus is not designed to detect the sort of backdoor access files that a hacker could install in media/images. You really should manually check that the image files are what they claim to be for example a file image.php.jpg could be a backdoor file, giving a way in for hackers. Also malicious code can also be hidden in an image, eg see https://thehackernews.com/2015/06/Stegosploit-malware.html (and instructions for hackers to do just that are online).

Looks like you have to rebuild the site again.

GJC Web Design · October 07, 2017, 22:03:27 PM

QuoteToday, a couple of weeks later, I see a few new spam users that are in the Super Admin group. And I never got a notification mail of regarding new account creation.
Also created a test user myself, the new user created in "Activated" and "Enabled" status and as "Super User".

Any ideas where to look for the root cause of this issue?

when this vulnerability first became known I had a couple of sites to fix that were doing the exact of above..
It was a while ago but from memory the eventual cause i found wasn't code but they had redone all the standard Joomla users permissions configs etc.
Compare your permissions setup to a clean new install

jenkinhill · October 07, 2017, 23:56:44 PM

Permissions are stored in the db - but surely any developer would check that if the simply imported the old db.

GJC Web Design · October 08, 2017, 00:18:10 AM

struggling to remember but I think it was the hierarchy of the set permissions and what they were allowed to do had been totally altered A about F

so not individual perms but the permissions and the order in which they were applied to groups etc.. this may be totally different .. it just rang a bell from when this hack was popular

whether u are regged as a Super or Registered is simply group ids in the registration model so just debug out what is happening there.. unless there is nefarious code swapping them after registration etc..

if not every reg ends as a Super then I guess a back door is there to allow that

izig · October 08, 2017, 13:23:06 PM

Thanks !
Global Configuration -> Users -> User options: New User Registration Group and Guest User Group where set to "Super User"

GJC Web Design · October 08, 2017, 21:42:45 PM

I can see that would be problematic..

Yes, it was part and parcel of the hack that once they had gained access they often played silly buggers with the settings then deleted their registration.

You would think they would have better things to do with their time...

News:

Super Users created again and again on an updated site