looks like joomla org hacked

[Kursat]

joomla.org seems to be hacked today.


Here is the news
http://forum.joomla.org/index.php/topic,203000.0.html

[AG2]

lets be patient, waiting any info from joomla developer....
and keep monitoring this threat ..... 

I am trying to understand the weak parts cuz i have some joomla sites and have to take action to keep them.

I need to learn if joomla servers are behind corporate hardware firewalls or not.
Which apache server software official joomla is using.

Because i could not get info about firewalls at Rochen Hosting site.

If behind a well configured firewall these guys are real professionals.

more like script kiddiez... definitely not a pro

look at the html source from http://help.joomla.org/media/index.html

the html is so borked that i doubt they knew what were they doing except saying "look dude, i can run this script to target that site"

CENTER tag is left opened, and opened again instead of being closed
img tag is not even finished
html end tag is not specified

... and so on. The W3C validator finds 31 errors on that page alone:

http://validator.w3.org/check?uri=http% ... index.html

[Kursat]

more like script kiddiez... definitely not a pro

When i see the attackers message 1st time i looked at attackers  web site mainpage.
The header is same as the hacked/replaced joomla site file.
as u said for hacked files also his site has no closing tags etc...

His website uses cpanel and normal/default email solution.


Who is info shows a name and no one has complained about mis contact info on his domainname

Ways to learn His(attackers) credit cards info or his other personel information are open.

But these evidences do not make me so sure if he is a script kiddy or pro before going on
these evidences,

Hacker is using DirectI services and one DirectI reseller. I am sure DirectI has all
personal info of this hacker.

One interesting info is, that reseller does not operates legally in Turkey with a legally registered
brand name and does not officially licensed by any of Turkish Chamber of Commerce Offices.

The reseller do business via only mobile phone,
(Mobile Phone Operators have their personal details)
they do not have legally shown business address
(office address. Also they do not have a static phone line for their operations.
no place to welcome their customers)

Such resellers only have a very few customers and the resellers phone numbers are available.
So the reseller also know this hacker.

I checked the other info about the hacker, he probably lives in istanbul, bursa or somewhere in germany.
Directi can give all access info and logs about this guy.

Also he can be catch by money transactions of directi reseller.

It will be easy to see him in jail in a few days,

I did not wanted to struggle his web server because i am not law, i do not have such
duty, i hate giving damages around and personally i hate trying to learn other peoples secrets.

This is the difference between hackers and computer professionals.

[infograf768]

These idiots (who call themselves "turkish crackers") have replaced the file "helpsites-15.xlm" at  help.joomla.org.  This file is downloaded whenever the help languages file is refreshed, which does not seem to always require a user intervention. The problem is that it can't be parsed, and the config menu becomes inaccessible after the file is replaced. This little hack may soon spread everywhere...

Not correct.
http://forum.joomla.org/index.php/topic ... #msg954556

[vistartony]

The same vulnerability is for mambo too.
They hit the system from file permissions, i guess

On what basic and what tests you say that?
Please explain

[Kursat]

The same vulnerability is for mambo too.
They hit the system from file permissions, i guess

On what basic and what tests you say that?
Please explain

only with the information we get from this forum,
the similar hacked files are used at mambo for the
similar purposes. If there is a file permission security
hole same hackig also applies to mambo too.
This is only a guess without explanation of core team.

The test is done on my local server.

[Kursat]

These idiots (who call themselves "turkish crackers") have replaced the file "helpsites-15.xlm" at  help.joomla.org.  This file is downloaded whenever the help languages file is refreshed, which does not seem to always require a user intervention. The problem is that it can't be parsed, and the config menu becomes inaccessible after the file is replaced. This little hack may soon spread everywhere...

Not correct.
http://forum.joomla.org/index.php/topic ... #msg954556

I agree with infograf768, this does not seem a core hack,
of course there are hundreds of such folders in joomla which
can have probability to be under risk but these are tiny
files that will not effect joomla core working or any database
read/write/insert functions.
So perhaps a well configured firewall and other file system related
keeping will stop hacks on these files

[omponk]

[EDIT MOD: no need to give cracker's credits here]

hello joomla development... where are youu

[X-Ception]

Given the forums have not been hacked, one would suspect its something like AWstats or an external package used on the joomla.org webserver similar to how phpbb.com got overturned the last time it was "hacked" and ugh these people are not HACKERS ! - cracker/black hat will suffice :P

[omponk]

who have site has been hack? any log.. 

[eyezberg]

It's been over 24hrs now, I do know it's a week-end (those guys didn't do this on a saturday without reason), but there are tools available to analize log files etc, and I thought Joomla were using a security scanner software on their code anyway, so it's getting a bit long to wait for info..?! There isn't even an announcement in the security forums so all users are at least warned and maybe take some defensive measures to secure their sites further?
I'd have liked to warn the french users about a potential issue, but with what?...

[ilox]

When discussing if they are hackers or crackers or black hats or just script kiddies I'm quite partial to Anne McCaffrey's term of "scumvermin" but perhaps others don't like my choice of words

On a sadder note I see that the exploits in the media directory or help and dev sites are still there, and it has only been 4 1/2 hours since they were first reported.

I also note that it is now many long hours since the first exploits were reported. Yes, I have heard of the many megs of logs to go through, and I have heard of the challenge of reloading the site from backup, and I have heard of the problems caused because so many people are asleep at any one time.

When are the PTB going to pronounce something Official and let us into the secret as to the who, what, why, when, where and how, the sites were hacked?

We have been patient, super patient, but this lack of information is becoming painful, and worrying. Would the Team person currently holding the Speaking Stick please either speak up or pass it on to somebody else who will?

If this is something that we need to be aware of to fix our sites then isn't it only right that we get a chance to do so before the scum run their scripts or turn their attention against us? We do understand and accept the logistics problems and we do honestly understand the problems tracking down the damage that has been caused and making sure it doesn't happen again. That is why we have all been so patient even though we have been bursting with the need to know.

In the middle of all of that could somebody who is in the know please drop us a line and put us in the picture?

[infograf768]

Defensive measures can't be taken if it is not known exactly what happened.

The variations in the type of sites cracked in this last cycle (as stated in a post above) do not give any hint on the culprit and logs have to be analysed thoroughly.

Site admins have a life too and family matters prevented Brad/Tonie to go further in their search last night.
Research will resume this morning.

[romit]

It's been over 24hrs now, I do know it's a week-end (those guys didn't do this on a saturday without reason), but there are tools available to analize log files etc, and I thought Joomla were using a security scanner software on their code anyway, so it's getting a bit long to wait for info..?! There isn't even an announcement in the security forums so all users are at least warned and maybe take some defensive measures to secure their sites further?
I'd have liked to warn the french users about a potential issue, but with what?...

I understand your concern Eyez,

But you are not helping the situation at all, you are increasing the pressure on them more and more..

Its not like that Joomla Core/Admins are sleeping while all this is going on, they are working on it as we speak and will let us know when they have anything to report ..

Its better to report something that is correct than to report wrong info .. causing a mass scare..

Even automated tools take a while to go through 400MB of log files ..

Hang tight .. 

[omponk]

look the google with keyname [mod edit: removed hacker name.  Please do not name these hacker/s again.  - WRobinson]
so many many web .


whereis log... hello somebody with site has been hack.. where is a log?



EDITED:sorry

[ilox]

In both your posts you have used that persons ID. Please edit your posts to delete any reference to that person. We must not give any sort of credit to somebody who does things like that. No Screenshots, No names, no links, nothing that might be identifying the ID. Thank you for your cooperation.

[infograf768]

look the google with keyname [mod edit: removed hacker name.  Please do not name these hacker/s again.  - WRobinson]
so many many web .


whereis log... hello somebody with site has been hack.. where is a log?

The very large majority of cracked sites are not joomla sites. Period.
Nobody knows as of now if Joomla is [also] at stake.
We have had no reports here from any user having the same issue.

If there is one, we would be happy to get the logs, privately, as they would be likely easier to go through.

[JacquesR]

In both your posts you have used that persons ID. Please edit your posts to delete any reference to that person. We must not give any sort of credit to somebody who does things like that. No Screenshots, No names, no links, nothing that might be identifying the ID. Thank you for your cooperation.

I have to respectfully disagree.

As previously posted I agree with the principle with not giving such a person any credit, but with little information to work on (at this stage), it is more important that all information (including the hacker's ID) is made available!

For example, there was someone who posted in the Security section yesterday (or the day before) about their site being hacked, and there the server admin informed them that in their case the vulnerability was trough some Microsoft Frontpage extension on the server.

That person did post the name of the person who hacked their site http://forum.joomla.org/index.php/topic,202943.0.html , but since he was asked to remove that reference, that important bit of information was removed, and therefore one possible cause/solutions became less useful.

The more information is available, the sooner we can get (and find) answers.

regards,
Jacques

edit: spelling and added link

[yaron_elh]

The core team members which I have the highest respect for.
they are professionals, and fluent in every part of this site's code, and the joomla core,
and still this site is being hacked over and over again(seems a bit personal),

I don't want to buy into the script kiddies theory, because it is worse to think any kid could download some script off the Internet with no knowledge and break into my site, and take it down. It's easy, to easy.
I rather be in a conception that this is a professional work, someone who has good knowledge of joomla.

theories aside, the fact is that this site is being on and off for more than 24 hours.
leaving me to think what were my chances of handling these sort of attacks. 

[RobS]

Hello everyone,

It looks like this has caught a lot of people's attention... 6 pages already... wow.

We took one of the Joomla.org servers off-line so that we could conduct a thorough analysis of how the sites were compromised.  I am happy to say that as far as we can tell, after several hours of investigation, it does not appear to be a problem with the Joomla! Core.  We will be posting a forum announcement shortly to give more details and we hope to have the rest of the joomla.org sites back up and running as soon as possible. 

I want to thank you all for your patience and your concerns.

[JacquesR]

Thanks for the update Rob!

The cracker seems to have continued with defacing more sites (mainly .it sites), and he? still seems to have a preference for Joomla! sites.
(it might be purely because he? is familiar with this cms, and not related to a joomla core or extension vulnerability)

Or as someone suggested elsewhere, he could be a disgruntled [EDIT MOD: bad taste.]

regards,
Jacques

[Gianmarco Odorizzi]

thank you ROBS!!!


I hope that the Joomla! Core is safe and without bugs

[infograf768]

Official Announcement here now
http://forum.joomla.org/index.php/topic,203290.0.html

Discussion here
http://forum.joomla.org/index.php/topic,203291.0.html

[Gianmarco Odorizzi]

tahnk you!!! Good work guys!!!!

[ilox]

Thank you Team for clearing up the site, the problems and above all the worry. It is a relief to find that this exploit wasn't due to Joomla itself. Too many outside were looking at us and getting ready to laugh at being caught out like that. Thank that the main site is safe again.

Thanks also to the Mods for the unenviable task of trying to herd cats in keeping all those threads together, then merged, then herding up the stray threads that threatened to break out

Thanks also to the Development team, and this includes the 3PD's, for giving us one of the best CMS tools out there. Sure there are exploits now and then, that is part of the problem about being so good, so many look at Joomla seeing if they can bring it down.  Each crack they find just makes us stronger.

It has been more than a long day, but Joomla has survived, and will continue to not just survive but grow even stronger.

[Kursat]

Thank you Team for clearing up the site, the problems and above all the worry.

Each crack they find just makes us stronger.
It has been more than a long day, but Joomla has survived, and will continue to not just survive but grow even stronger.

Very good words iloxs.

Once more we understand that they can hack files, servers and equipments
but they can never hack the encourage of team and the community behind joomla.

[rsd]

I am trying to understand the weak parts cuz i have some joomla sites and have to take action to keep them.

I need to learn if joomla servers are behind corporate hardware firewalls or not.
Which apache server software official joomla is using.

Because i could not get info about firewalls at Rochen Hosting site.

If behind a well configured firewall these guys are real professionals.

Hacking thru a website on a poorly written script (php, perl , asp, java) has nothing to do with a how good a filewall is.

Port 80 has to pass by it and there is no way for a firewall to differentiate a legitim request from a hacking attempt.

The only way to have this is to have a tool that sits before the webserver and filters the HTTP protocol that can pass or not.  But for this to work, it has to be aware what is allowed and what is not in your scripts (not very doable).

There is a similar tool for IIS that protects IIS from attacks for all known vulnerability (a lot) and it costs several thousands of dolars.

So back toyour statement, this guys can be pros or scriptkids, but it has nothing to do, passing the firewall.


-rsd

[rob27]

Thanks to everyone involved for their hard work in bringing everything up again and for the open communication.
I know from experience how stressful that can be under pressure with so many people "looking over your shoulder" waiting to hear news.

There's a great Dilbert cartoon where the pointy-haired manager shouts "I want FULL status reports, every 5 minutes, until you're done!" 

While it is understandeable that every Joomla webmaster is concerned and anxious to hear news, perhaps next time everyone can remember that people trying to fix things asap should be left alone to work in peace until _after_ the fix. Panic & half flame wars are quite counter productive, always actually, but more so when there is an emergency fix going on.

I envy the moderators for the patience they show many times 
And this is also a good time to thank all Joomla contributors for the great job they are doing every day without much public recognition: THANKS!

One good thing to come out of all this for me is that it made me at least re-check all security related settings on my sites, web server, php and joomla related. Hope everyone else does the same...

And may justice be done on the people responsible for the defacing.

[Kursat]

Hacking thru a website on a poorly written script (php, perl , asp, java) has nothing to do with a how good a filewall is.

Port 80 has to pass by it and there is no way for a firewall to differentiate a legitim request from a hacking attempt.

The only way to have this is to have a tool that sits before the webserver and filters the HTTP protocol that can pass or not.  But for this to work, it has to be aware what is allowed and what is not in your scripts (not very doable).

There is a similar tool for IIS that protects IIS from attacks for all known vulnerability (a lot) and it costs several thousands of dolars.

So back toyour statement, this guys can be pros or scriptkids, but it has nothing to do, passing the firewall.

-rsd

Hi rsd
nice statements.
At the time i wrote that post i did not have exact info on the attack type so i was making investigation on my hypothesis. I was thinking on wrong file permissions and mis configuration of firewall settings to allow files which are unnecessary for web client via 80.

Later i learned more about attack

Here 2 posts on evidences to attackers and a way to catch them.

http://forum.joomla.org/index.php/topic ... #msg954536

http://forum.joomla.org/index.php/topic ... #msg954845

[exrace]

Hacking thru a website on a poorly written script (php, perl , asp, java) has nothing to do with a how good a filewall is.

Port 80 has to pass by it and there is no way for a firewall to differentiate a legitim request from a hacking attempt.

The only way to have this is to have a tool that sits before the webserver and filters the HTTP protocol that can pass or not.  But for this to work, it has to be aware what is allowed and what is not in your scripts (not very doable).

There is a similar tool for IIS that protects IIS from attacks for all known vulnerability (a lot) and it costs several thousands of dolars.
-rsd

Many firewalls have a built-in IDS which can detect these "script attacks".
Snort is one such tool that is used in many of these firewalls.
I personally use Astaro Firewall which runs on a dedicated computer to protect some of the networks I work on and it uses the snort engine.
Works very well and the have a free home/SHO version that works well.

You also have tools like Commercial products like BinarySEC 2.0 for Apache and Opensource http://www.modsecurity.org/ that can stop these types of attacks dead.
It takes effort but solutions are out there.