VirtueMart 2 + 3 > Security (https) / Performance / SEO, SEF, URLs

Help, how did the hack get in and totally bypass the user registration form?


sxl097:
First, I guess this is more related to Joomla security than VirtueMart. But since I installed the latest VirtueMart version on this Joomla installation, I post my question here as well. A couple of pieces of information here. I upgraded Joomla to v3.9, the latest, and installed VirtueMart to the latest version as well. But still I can see in User Manager there are newly created users showing up who tried to register, and fortunately I set activation to administrator, so they did not really get to log in. See the screenshot: both enabled and activation remained a red checkmark.
https://snag.gy/zDijP9.jpg

But I don't understand how the hacker could register new users that show up in Joomla's User Manager. I do understand VirtueMart changes the Joomla registration.

Here is what I found,
1. Even with user registration disabled, they still get onto my Joomla User Manager. That tells me the hacker was using a script to bypass the Joomla user registration form and the VirtueMart user registration totally!! I could not imagine the Joomla team wouldn't know that new user registration on a Joomla website can be totally bypassed??

2. On the registration form, at last I ended up inserting a captcha and another email validation (which would never be possible to pass), but I can see the hacker still gets into the Joomla User Manager and the shopper list in VirtueMart. And in the shopper's details, some of the required fields were totally missing, which tells me they got onto the User Manager not through the registration form.

3. I checked with my colo and cPanel. The user could not reach the SQL directly, and I checked the IP address list in Remote SQL.

I am sorry that I am a little frustrated, and I am not a PHP programmer. But I did change the register template both under com_users and under com_virtuemart/view/tmpl. I have already overextended myself on PHP skills much more than I would like. But how could Joomla and VirtueMart, even in the latest versions, not counter this kind of bypass nonsense? Someone please help? I believe this hacker bypass has existed for quite some time now; obviously for the older versions of Joomla and VirtueMart this hole has existed!

AH:
Try and visit a URL based on

yoursite/yourshopurlifany/user/editaddress

jenkinhill:
Or yourwebsite.com/index.php?option=com_users&view=registration

sxl097:
Thanks for your responses.

Correct me if I am wrong, but I believe I have been to "yoursite/yourshopurlifany/user/editaddress" (you are referring to editaddress.php?) and "yourwebsite.com/index.php?option=com_users&view=registration", but I conclude so far the hack script bypasses all of those.

They are now just malicious or bad registrations, not a legit successful hack yet. But that would be the first step of a hack; that is how they get a foot in the door. You really don't know what they can do with it if I allowed those users to be activated. Many years ago, I had a Joomla website defaced on the home page with an Islam flag, and then when I tried to fix that, the hacker totally deleted the whole root directory and everything with subfolders. But at that time I knew I was not up to the latest security patches.

As to how they bypass it, I have my guess, even though I am not a PHP nor a Joomla programmer. I am not even a computer programmer in general. But I have been researching on the Joomla forum for a couple of days and extended myself to dabble in various PHP and HTML coding in various template files by inserting captcha code and email validation code manually, as most Joomla captcha plugins and email validation plugins stopped working once VirtueMart was installed. Those plugins will only work and be very effective on purely Joomla websites. VirtueMart obviously changes something inside Joomla so that shopper required information fields (such as shipping address, state, country, etc.) are appended to the original Joomla registration form.

Here is what I know

1. I already know the hack scripts did not hit

./components/com_virtuemart/views/user/tmpl/edit_shopper.php (AH mentioned this)
nor
./components/com_users/views/registration/tmpl/default.php

(both templates are used for my website's VirtueMart-modified registration). My guess is they did not hit website.com/index.php/component/virtuemart/user?Itemid=0 (jenkinhill mentioned this) either, as I set up a user tracking plugin for whoever hits that page.

2. Even after I turned off user registration in the User Manager options, they still can get registered in the User Manager table. And I can tell there is more than one hack source. I guess they were running the same kind of hacking tool.

My guess is the bypass has something to do with the two controller folders (Joomla and VirtueMart), such as ./components/com_users/controllers/registration.php or ./components/com_virtuemart/controllers/user.php. The scripts were hitting those PHP files directly, so they bypass the "Allow User Registration" switch set in the Joomla User Manager options.

3. Please take a look at the shopper detail in VirtueMart (screenshot below). You can see "*" marks required fields, but they are totally empty. That is impossible for a real person going through the registration form, but somehow those funny users show up as shoppers in VirtueMart.

https://snag.gy/Tzm5di.jpg

That is why I conclude somehow the script bypasses the registration form totally, rendering my captcha and email validation code setup totally invalid. Actually, as the last resort, I dabbled with the email validation code so that no real person could pass the registration form successfully, but those funny users still continue to show up.

Again, I am not a programmer by trade. I overextended myself here to dabble in various PHP files. There are so many smart people here, especially the folks who develop the Joomla code and VirtueMart code. I cannot imagine that, with the information I present here, they would not know what actually happened. Especially since my guess is this hole, if I can call it that, exists for various versions of Joomla and VirtueMart.

GJC Web Design:
There must be a registration / created date in the DB tables. Use this timestamp to analyse your server access logs to find the _POST that was made to create this user.
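One way to do the correlation GJC Web Design describes, as an added example that is not from the thread or from the Joomla/VirtueMart projects: it assumes the web server writes Apache/nginx "combined" format logs, takes the account's `registerDate` from the Joomla users table as a UTC timestamp, and lists the POSTs logged within a window around it, grouped by client IP, path and user agent so distinct script sources stand out. The log lines and the timestamp are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumption: the server writes this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def posts_near(lines, created, window_seconds=60):
    """POST requests logged within +/- window_seconds of the account's registerDate.

    `created` is the timezone-aware timestamp read from the users table.
    """
    lo = created - timedelta(seconds=window_seconds)
    hi = created + timedelta(seconds=window_seconds)
    return [r for r in map(parse_line, lines)
            if r and r["method"] == "POST" and lo <= r["ts"] <= hi]

def summarize(hits):
    """Count hits per (client IP, path, user agent) to separate distinct sources."""
    return Counter((r["ip"], r["path"], r["ua"]) for r in hits)

# Constructed sample lines, not real traffic; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:14:02:10 +0000] "GET /index.php/component/virtuemart/user?Itemid=0 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:14:02:41 +0000] "POST /index.php?option=com_users&view=registration HTTP/1.1" 303 0 "-" "python-requests/2.21.0"
198.51.100.7 - - [10/Mar/2019:14:03:05 +0000] "POST /index.php?option=com_users&view=registration HTTP/1.1" 303 0 "-" "python-requests/2.21.0"
203.0.113.5 - - [10/Mar/2019:14:05:55 +0000] "POST /index.php/component/virtuemart/user?Itemid=0 HTTP/1.1" 303 0 "https://shop.example/" "Mozilla/5.0"
""".splitlines()

# Constructed registerDate of one suspicious account (Joomla stores these in UTC).
CREATED = datetime(2019, 3, 10, 14, 2, 40, tzinfo=timezone.utc)

if __name__ == "__main__":
    for (ip, path, ua), n in summarize(posts_near(SAMPLE_LOG, CREATED)).items():
        print(f"{n:3d}  {ip:15}  {ua:25}  {path}")
```

Run it against the real log with the real `registerDate` of each suspicious account; a POST path that is not the form page itself, a missing referer, or a non-browser user agent is what separates a script from a legitimate registration.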
