Topic: Has anyone here had their joomla site hacked?  (Read 4285 times)
William E Dooley
Has anyone here had their joomla site hacked?
« on: March 13, 2007, 09:09:21 AM »

I got up this morning and logged on to my site to try and finish up a few loose ends so that I can officially launch it this weekend. I was greeted by a "you have been hacked" page, not a good start of the day! I had a very similar attack a few months back, but it was on a site that I had installed joomla on and that was about it, it had a fresh install, no actual work had been done on the site, so I emptied the ftp directory, reinstalled joomla and didn't think about it again until this morning. I was a little panicked this morning, but then I realized that no damage had really been done, they replaced the index.php page and added an index.html page, and that was it. Luckily it was the joomla root directory index.php file and not my template one that I had highly customized. So all I had to do was delete the index.html file and replace the index.php file with the one in the joomla install folder. Question is, how to stop this from happening again? Anyone had this happen to them? I noticed when I did a google search for the name of the group that was on my front page, there were a few results coming from the joomla forums, but no one really seemed to have a solution to stopping it from happening. There was also a url on the page that the hackers put up on my site, so I went there, and it had a list of the sites they had hacked. There were over 300 sites listed as being hacked today, March 13th 2007 alone. The name of the group is DENGESIZ TEAM, and the site url on the page was http://www.dengesiz-team.org

Anyways, has anyone here had this problem and know what the actual vulnerability is?

Thanks,
David Henderson
Logged
James S!
Re: Has anyone here had their joomla site hacked?
« Reply #1 on: March 13, 2007, 09:11:32 AM »

You will find that these are silly little kids who have downloaded a script! It did not happen to mine but to a friend's.

Luckily, I backup everything

Logged

Firebug Video Tuts: - Editing HTML - Javascript Errors - Logo Changes

Video tutorials on how to use Firebug, its what we use Smiley
William E Dooley
Re: Has anyone here had their joomla site hacked?
« Reply #2 on: March 13, 2007, 09:31:51 AM »

I assumed as much, since they seem to be doing thousands of sites a day, it must be a script. But does anyone know the vulnerability they are using so that we can prevent it?
Logged
Matthew
Re: Has anyone here had their joomla site hacked?
« Reply #3 on: March 13, 2007, 09:32:59 AM »

A live (regardless of whether or not it has been launched) site should never be the only copy you have!

Servers crash, ISP backups are unreliable, and yes, sites get hacked.

If at all possible, develop a site on a local server (there are some decent standalone Joomla! servers). Failing that, use a development environment that lets you synchronize between the site and your system by FTP.

After a site has been launched, it should be backed up periodically, especially after major content updates.

Finally, check file permissions!

The most common path of attack goes like this:

1. You are on a shared hosting server.
2. Someone else on the server is running a script with a security hole, a weak password, etc., and their account gets hacked.
3. Once they have access to any account on your shared server, they are able to access files/directories with a chmod of 777, and hack your site.

HTH
Logged
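
An added example, not part of the thread: a small Python audit that walks a web root and lists every file or directory that group or other accounts can write to, which is the condition step 3 of the post above depends on. The sample tree, its file names and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Return (relative path, octal mode, writers) for entries others on the host can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what is enforced
            mode = stat.S_IMODE(st.st_mode)
            writers = []
            if mode & stat.S_IWGRP:
                writers.append("group")
            if mode & stat.S_IWOTH:
                writers.append("other")
            if writers:
                findings.append((os.path.relpath(path, root), format(mode, "03o"), writers))
    return sorted(findings)

def build_sample_site(root):
    """Constructed layout: one file and one directory left at 777, the rest tightened."""
    for name, mode in {"index.php": 0o644, "configuration.php": 0o777}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)  # chmod sets the exact mode, independent of umask
    for name, mode in {"images": 0o777, "templates": 0o755}.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, mode, writers in audit_permissions(site):
            print(f"{mode}  {rel}  writable by: {', '.join(writers)}")
```

Entries at 755 or 644 do not appear in the report because only the owner has the write bit.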

Roland Deschain
Re: Has anyone here had their joomla site hacked?
« Reply #4 on: March 13, 2007, 09:39:44 AM »

If they uploaded an index.html page, wouldn't that mean that they have access to the server (username/ password)? If that were the case, I'd be a tad nervous.

It would be a biatch if these "hackers" (and I use that term loosely) site got hacked... just sayin', not suggesting...

Sorry to hear about this William.
Logged

"The man in black fled across the desert, and the gunslinger followed."
James S!
Re: Has anyone here had their joomla site hacked?
« Reply #5 on: March 13, 2007, 10:26:47 AM »


Quote
3. Once they have access to any account on your shared server, they are able to access files/directories with a chmod of 777, and hack your site.

All mine are 755 - does that make it safer?
« Last Edit: March 13, 2007, 11:02:41 AM by James S » Logged

Matthew
Re: Has anyone here had their joomla site hacked?
« Reply #6 on: March 13, 2007, 10:54:59 AM »

Quote
If they uploaded an index.html page, wouldn't that mean that they have access to the server (username/ password)? If that were the case, I'd be a tad nervous.

It would be a biatch if these "hackers" (and I use that term loosely) site got hacked... just sayin', not suggesting...

Sorry to hear about this William.

It depends on how the server is set up, and what the permissions are set to, but there are a number of scenarios in which they don't need the password to do this (force a poorly secured PHP file to remotely include another PHP file, for instance).
Logged

Matthew
Re: Has anyone here had their joomla site hacked?
« Reply #7 on: March 13, 2007, 10:57:03 AM »

Quote
All mine are 755 - does that make it safer?

Yes!

No site is ever 100% safe, but the majority of site hackings could be avoided with proper file permissions.
Logged

Dave Gee!
Re: Has anyone here had their joomla site hacked?
« Reply #8 on: March 13, 2007, 04:36:55 PM »

Been hacked four times, three different sites. Each time the hacker came through an offending component that I used. Fortunately, I had a backup. I'm back in operation within 20 minutes of finding the hack. Joomla.org has a list of the offending extensions.

dave
Logged

Now in San Diego
"I'm an individual, just like everyone else."
James S!
Re: Has anyone here had their joomla site hacked?
« Reply #9 on: March 13, 2007, 04:37:50 PM »

Quote
Been hacked four times, three different sites. Each time the hacker came through an offending component that I used. Fortunately, I had a backup. I'm back in operation within 20 minutes of finding the hack. Joomla.org has a list of the offending extensions.

dave

Is there a specific link for that list of evil extensions ?
Logged

William E Dooley
Re: Has anyone here had their joomla site hacked?
« Reply #10 on: March 13, 2007, 05:43:06 PM »

I have a daily backup going that emails to an account I set up, so a backup isn't really my worry. Problem is, this is an online retail site, so if this happens, and say it takes me an hour to log on and see it, how many customers just saw it and refuse to do business with me now because the site is not secure? I was reading somewhere on the joomla.org forums about how to find where they got in, something about checking your access logs? Here is a bit of the post:

gocchin: your site was hacked? Trust me I know this oh too well, it seems to happen as Brad said best, 3PD code that was written correctly or they forgot to add the famous "defined('_VALID_MOS') or die('Direct access to this location is not allowed.');" tag to the top of the file in that component, mambot or module. Check your access logs to see what strings were passed and what they hacked. You will typically see a POST (the GETs you can typically ignore) and some being passed. Here is an example from a site I found:

IP_ADDRESS_HERE - - [11/Jul/2006:01:38:16 -0700] "POST /JOOMLA/absolute_path=SOMETHING_PASS_HERE? HTTP/1.0" 200 25010 "http://YOUR_SITE.com/JOOMLA/absolute_path=SOMETHING_PASS_HERE?" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"


Question is, does anyone know how I can look at these logs? :) Sure would like to know where the hole that needs patching is :)

as for the 3rd party bad list, I think he was referring to this thread:

http://forum.joomla.org/index.php/topic,79477.0.html

It has a list of 3rd party stuff and their vulnerabilities
Logged
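
An added example, not part of the thread: a Python triage of Apache combined-format access log lines, the format of the sample line quoted above. It flags POST requests as the quoted post suggests and, going beyond that advice, also flags any request (GET included) in which a parameter's value is itself a URL, the pattern a remote PHP include leaves in the log. The log lines, host names and the `com_example` path are constructed; `absolute_path` is the parameter name from the quoted line.

```python
import re
from urllib.parse import unquote

# Apache "combined" format, the layout of the sample line quoted in the post above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter whose value is itself a URL is the mark of an attempted remote include.
URL_VALUE_RE = re.compile(r'([\w\[\]]+)=((?:https?|ftp)://[^&\s]*)', re.I)

def triage(lines):
    """Return one finding per suspicious request: POSTs and URL-valued parameters."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = unquote(unquote(m["target"]))  # undo single and double URL-encoding
        reasons = []
        if m["method"] == "POST":
            reasons.append("POST")
        hit = URL_VALUE_RE.search(target)
        if hit:
            reasons.append(f"url-in-param:{hit.group(1)}")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "time": m["time"],
                             "status": int(m["status"]), "path": target.split("?")[0],
                             "reasons": reasons})
    return findings

# Constructed sample log (documentation IPs and hostnames, hypothetical component path).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2007:08:01:02 -0700] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Mar/2007:08:14:40 -0700] "GET /components/com_example/example.php?absolute_path=http%3A%2F%2Fhost.example%2Fx.txt%3F HTTP/1.0" 200 25010 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Mar/2007:08:14:55 -0700] "POST /components/com_example/example.php?absolute_path=http://host.example/x.txt? HTTP/1.0" 200 412 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Mar/2007:08:20:11 -0700] "POST /index.php?option=com_contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"], f["ip"], f["status"], f["path"], ",".join(f["reasons"]))
```

A 200 on a flagged line only shows that the request reached the script; the `path` field names the file to check for the missing `defined('_VALID_MOS')` guard.
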
Dave Gee!
Re: Has anyone here had their joomla site hacked?
« Reply #11 on: March 13, 2007, 07:44:22 PM »

Quote
as for the 3rd party bad list, I think he was referring to this thread:

http://forum.joomla.org/index.php/topic,79477.0.html

It has a list of 3rd party stuff and their vulnerabilities

I thought it was some article I've read. It's been a while and that brain cell is dead. Thanks Wm!

dave
Logged

stonelotus
Re: Has anyone here had their joomla site hacked?
« Reply #12 on: March 13, 2007, 09:46:07 PM »

Quote
Is there a specific link for that list of evil extensions ?

http://nvd.nist.gov/nvd.cfm

Type 'joomla' into their search.

There are other sites that list vulnerabilities but I was too lazy to look them back up for you, sorry.


I forgot to mention... I believe Phil Taylor offers security auditing for Joomla although I have no idea what his fees are.
« Last Edit: March 13, 2007, 09:48:35 PM by stonelotus » Logged
Dave Gee!
Re: Has anyone here had their joomla site hacked?
« Reply #13 on: March 13, 2007, 09:54:03 PM »

Quote
Is there a specific link for that list of evil extensions ?

http://nvd.nist.gov/nvd.cfm

Type 'joomla' into their search.

There are other sites that list vulnerabilities but I was too lazy to look them back up for you, sorry.


I forgot to mention... I believe Phil Taylor offers security auditing for Joomla although I have no idea what his fees are.

Wow! Didn't know that DHS was tracking Joomla. I guess that would be reasonable since the popularity of Joomla.
Logged
