looks like joomla org hacked

[bigodines]

bergmann, I'm sure they will inform us as soon as they get some real information.

[Kursat]

Lets have some cold joke



"Hey folks!
Well,
joomal.org has never been hacked today."


We are under wrong thread title . 


Sorry, too bad joke   

[JacquesR]

I want to agree with most of what Chris Hutcheson posted regarding security notification.

I've read in the Security section that one can subscribe to that part of the forum, and thereby receive notifications, but when all posts are moved to the lesser-know/used Sites & Infrastructure section as happened in this case, then many people may be unaware of a potential serious security issue (joomla, extension, PHP or otherwise).

Regarding what eyezberg posted:

How will publication of the investigations be handled, do we have to wait untill hole and fix both are available if it's Joomla core, will you post the hole if it's a 3rd part extension even before the fix is available so concerned people can remove it from their sites, are there any hints yet..?
Don't know if this part is off topic, but I don't see how posting a screenshot can be considered "rude"... I don't mind readers here not knowing who hacked the site, but how it was done is crucial info, and if these same hackers (a cracker for me is this: http://www.cepolina.com/freephoto/f/oth ... .bread.jpg ) have, as I understood from a post here, already compromised other sites, it might be helpfull to be able to search with their name or url or whatever to gain insight on the methods they used, and thus maybe be able to secure one's site before the team here is able to post something...
Alsoo think this is more a Security matter than "Sites and Infrastructure", as it doesn't only affect joomla.orgs site(s), and is in no way a "'mechanical' forum or Joomla! sites related issues/suggestions" topic.

While I agree in principle that those who hack sites like this should not be given the exposure they want, I also have to agree with what eyezberg said in his post regarding being able to have all info available (including the name of the person or group that hacked the Joomla.org site), so that we can use this to search for answers.

Using the information gained from other sites, I was for instance able to ascertain that more that 40 web sites built on Joomla! have been hacked by the same person who hacked shop.joomla.org and related sites.

Since I am no expert in this field, I have no easy way of knowing if the exploit is not in something unrelated to Joomla, but with the added information gained it is clear that this is not a joomla.org -only issue, and it therefore raises my level of concern for my own site and that of our customers.

Accordingly I would request that this thread be moved to the Security section (where it will get far greater exposure), or at the very least, that a sticky be placed in that section, linking to this thread.

As Chris said, I'm sure that many people are working very hard behind the scenes to get to the bottom of this hacking incident, and I sincerely appreciate the effort!

regards
Jacques

Edited: amount of hacked sites mentioned

[Kursat]

I do not want to disturb anyone but i guess this is a kind of
file permission hack or hack from a hole of webserver software,
a hack that probably applies on mambo too.

[ilox]

I have no idea why this would be even considered as appropriate for Sites and Infrastructure. It has nothing to do with that and everything to do with Security and should be moved back into Security where it belongs.  Except that so much of this thread likewise has nothing to directly do with Security and everything to do with people waiting desperately to find out what happened.
I only have 6 sites under Joomla so I don't have as much at stake as some others but I need to know where to start looking and what to start tweaking, and I needed to know that information yesterday
Since then I have been over all my sites with a fine tooth comb, resetting permissions, cleaning out unused folders and files, doing all the standard secure management tasks.

That is all I can do at the moment until we get the WORD from the Team on just what did happen.
That word HAS to be posted in Security so that our Subscriptions will bring it to our mailbox without further delay.

[cbh]

I have no idea why this would be even considered as appropriate for Sites and Infrastructure. It has nothing to do with that and everything to do with Security and should be moved back into Security where it belongs.  Except that so much of this thread likewise has nothing to directly do with Security and everything to do with people waiting desperately to find out what happened.
I only have 6 sites under Joomla so I don't have as much at stake as some others but I need to know where to start looking and what to start tweaking, and I needed to know that information yesterday

I absolutely agree with you on this one. It doesn't make any sense at all to have this anywhere except in security, since it would seem that our sites are insecure at this particular moment......

Cheers
Chris Hutcheson

[ilox]

Chris, please note my third line starting with "Except..."
Our mailboxes would by now be bursting at the sides with conjecture and speculation and not one post in the batch has anything serious to say about what actually happened and how to fix it. So for now it is sitting in a good spot
( apologies to anybody subscribed to this Forum).
As soon as the WORD comes down from above I have no doubt that it will be posted here AND in Security so we can get something sensible in our mailbox.

[mandville]

Ilox and i originally discussed this (off forum) when it was in the "security topics", due to differing time frames we were not watching the  posts all day, but have "subscribed to security" can we please have a link back in security so that we can be alerted when this security breach is found?
thanks

[cbh]

I get your point - thanks for clarifying. A better approach IMHO would be to have an announcement forum (or a mailing list a la Drupal alternative) that was only outbound from the joomla.org team - no discussion - to ensure we get the message loud and clear. Whatever the approach taken, it needs to be better than the current one/lack of one.

Cheers
Chris

[mmikeyy]

These idiots (who call themselves "turkish crackers") have replaced the file "helpsites-15.xlm" at  help.joomla.org.  This file is downloaded whenever the help languages file is refreshed, which does not seem to always require a user intervention. The problem is that it can't be parsed, and the config menu becomes inaccessible after the file is replaced. This little hack may soon spread everywhere...

[ilox]

But the the PTB said that the site was rebuilt from backups, didn't they do that?
Maybe you need to repost in Security as a heads up to others who are not following this thread over here?

[korzinko]

Joomla Help Site hacked.

http://help.joomla.org/media/index.html

[slogen123]

Joomla Help Site hacked.

http://help.joomla.org/media/index.html

it's gonna be a loooong night for the core team....

[mmckeen]

Should I delete any reference to the help file in my Joomla site that is in the global configuration?  If that file is called will it damage my site?

[Kursat]

I saw this new hack too
I do not became sure that this is a
joomla core attacks, i am no going to check if mambo is
vulnerable too. I guess mambo is in danger too.

The Hackers of

http://help.joomla.org

found the hole at file permissions, i guess

[korzinko]

I found,that http://www.joomla.org was already hacked at 11.08.2007.Do you know somethig about ? 

[Kursat]

I found,that http://www.joomla.org was already hacked at 11.08.2007.Do you know somethig about ? 

I have heard that(gossips) but i have not seen any messages at official site.

There are known issues for vulnerabilities from file permissions if this is the case even joomla 1,5 is in danger too.

[Kursat]

These turkish idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org. 

Are you racist Mikey?
Why do you use a bad adjective with a Nation name?

[infograf768]

FYI, internet records about this cracker show that a variety of sites/servers have been hit.
From simple Microsoft Frontpage to Joomla, passing by Mambo, phpNuke, Wordpress, standalone forums, etc.

[slogen123]

These turkish idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org. 

Are you racist Mikey?
Why do you use a bad adjective with a Nation name?

the crackers are well-known and are from turkey. that is all. i'm sure he did not mean it to be offensive to the general population of turkey

[slogen123]

FYI, internet records about this cracker show that a variety of sites/servers have been hit.
From simple Microsoft Frontpage to Joomla, passing by Mambo, phpNuke, Wordpress, standalone forums, etc.

so are you suggesting that the exploit may be on a server level, and not neccessarily the joomla core in itself?

[Kursat]

Looks like cracking happens to the best of us

You can never be safe enough, I guess the best solution is to always keep fully updated backups!

This is one of the best ideas around. Always take stable backups of the system.
But todays hack is done to file systems instead of joomla database.
So check your files and file read write logs very often

[AG2]

Joomla Help Site hacked.

http://help.joomla.org/media/index.html

dev.joomla.org is suffering from the same problem, seems it's a different hacker though

http://dev.joomla.org/media/index.html

[Kursat]

FYI, internet records about this cracker show that a variety of sites/servers have been hit.
From simple Microsoft Frontpage to Joomla, passing by Mambo, phpNuke, Wordpress, standalone forums, etc.

so are you suggesting that the exploit may be on a server level, and not neccessarily the joomla core in itself?

The same vulnerability is for mambo too.
They hit the system from file permissions, i guess

[Kursat]

Joomla Help Site hacked.

http://help.joomla.org/media/index.html

dev.joomla.org is suffering from the same problem, seems it's a different hacker though

http://dev.joomla.org/media/index.html

Official Joomla is on different servers and they are all standalone installations,
I think the safest joomla site  is
forum.joomla.org
because forums are SMF, not bridged to joomla, and this server only operates SMF forum

[ad_hie]

lets be patient, waiting any info from joomla developer....
and keep monitoring this threat ..... 

[mmikeyy]

These turkish idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org.

Are you racist Mikey?
Why do you use a bad adjective with a Nation name?

Just in case someone uses a web-based tool to translate the message in a such a messy way as to convey the meaning that you suggest, I changed the post. I don't really see how the designation "Turkish idiot", when applied to someone who calls himself "Turkish cracker", can be understood to refer to the Turkish population in general... But, instead of starting an argument that could be as endless as it would be pointless in this forum, I applied the tag to the original post. Et voilà. End of discussion, I hope!

[Kursat]

lets be patient, waiting any info from joomla developer....
and keep monitoring this threat ..... 

I am trying to understand the weak parts cuz i have some joomla sites and have to take action to keep them.

I need to learn if joomla servers are behind corporate hardware firewalls or not.
Which apache server software official joomla is using.

Because i could not get info about firewalls at Rochen Hosting site.

If behind a well configured firewall these guys are real professionals.

[Kursat]

These turkish idiots have replaced the file "helpsites-15.xlm" at  help.joomla.org.

Are you racist Mikey?
Why do you use a bad adjective with a Nation name?

Just in case someone uses a web-based tool to translate the message in a such a messy way as to convey the meaning that you suggest, I changed the post. I don't really see how the designation "Turkish idiot", when applied to someone who calls himself "Turkish cracker", can be understood to refer to the Turkish population in general... But, instead of starting an argument that could be as endless as it would be pointless in this forum, I applied the tag to the original post. Et voilà. End of discussion, I hope!

Kind Regards

[koji126]

I'm new to the site, well not all that new.  But I would like to say that help.joomla.org is not functioning.