Discuss: A long day...

A place to discuss recent announcements made by the Joomla! Core Team. Let's hear what you have to say.
User avatar
louis.landry
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 101
Joined: Wed Aug 17, 2005 11:03 pm
Location: New Orleans, Louisiana
Contact:

Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 9:40 am

In reference to: http://forum.joomla.org/index.php/topic,203290.0.html

Discuss here.

Thanks,

Louis
Project Manager :: Developer
http://www.webimagery.net
A hacker does for love what others would not do for money.

User avatar
infograf768
Joomla! Engineer
Joomla! Engineer
Posts: 366
Joined: Fri Aug 12, 2005 3:47 pm
Location: •Translation Matters•

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 9:46 am

A long day indeed... and night... hehe  :laugh:
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.

User avatar
louis.landry
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 101
Joined: Wed Aug 17, 2005 11:03 pm
Location: New Orleans, Louisiana
Contact:

Re: Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 9:47 am

Yes ... it is nearly 5am now ... and I am exhausted .... we will be working to bring back as much as we can in the next few hours.

Louis
Project Manager :: Developer
http://www.webimagery.net
A hacker does for love what others would not do for money.

User avatar
Rochen
Joomla! Intern
Joomla! Intern
Posts: 79
Joined: Wed Aug 17, 2005 3:19 pm
Location: United Kingdom
Contact:

Re: Discuss: A long day...

Post by Rochen » Sun Aug 19, 2007 9:48 am

As Louis says it has been a long day but I am glad the problem has been tracked down and isolated.

I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

You will see the main Joomla site coming up shortly and the others will follow not far behind. We are just sorting out the backups and then a final security sweep will be done before going live again.

- Chris
Chris Adams - CEO - Rochen Ltd. - 5 Years Industry Experience!
- Reseller Hosting & Multiple Domain Hosting
- www.rochen.com [b]| forums.rochen.com[/b]

User avatar
LorenzoG
Member of the Month!
Member of the Month!
Posts: 879
Joined: Fri Aug 19, 2005 8:46 am
Location: Stockholm, Sweden

Re: Discuss: A long day...

Post by LorenzoG » Sun Aug 19, 2007 9:51 am

Thanks Louis and the rest of the team.

Nice to hear that it seems to be a custom component that is the culprit and not the core itself.
I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.
Joomla! Extensions Directory - http://extensions.joomla.org

Håll utkik efter svenska joomlaföreningen som håller på att bildas.

User avatar
RobInk
Joomla! Guru
Joomla! Guru
Posts: 517
Joined: Thu Aug 18, 2005 10:41 am
Location: The Netherlands

Re: Discuss: A long day...

Post by RobInk » Sun Aug 19, 2007 9:54 am

Thanks everyone, for all the hard work!
Regards Robin - Sites & Infrastructure

User avatar
infograf768
Joomla! Engineer
Joomla! Engineer
Posts: 366
Joined: Fri Aug 12, 2005 3:47 pm
Location: •Translation Matters•

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 9:55 am

LorenzoG wrote:I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.

Can't agree more!
When reporting such events, the best way to act is to propose to mods in the forum concerned to send a pm with the details if these are no more available.
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.

JacquesR
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat Aug 18, 2007 11:28 pm

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 9:56 am

Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques

User avatar
RussW
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 173
Joined: Sun Oct 22, 2006 4:42 am
Location: Melbourne, Australia
Contact:

Re: Discuss: A long day...

Post by RussW » Sun Aug 19, 2007 9:56 am

Louis

Thanks for the prompt and detailed announcement, I am sure it will put a lot of peoples minds at rest.

Also, a massive thank you to those "at-the-coal-face" behind the scenes .....


Maybe we can take some good away from this unfortunate occurrence and take this opportunity to remind the Joomla! Community at large to be vigilant in their configurations and mindful of their sites' security.

  - Joomla! Security Announcements
  - Joomla! Security Forum
  - Joomla! Administrators' Security Guide
  - Joomla! Security and Performance FAQ's Index
  - 3rd Party Extensions Security Forum
Checkout the Joomla! Administrators Security Checklist in the Security Forum...
Installation or Configuration Problems? Joomla! Tools Suite? viewtopic.php?t=136328l

Kursat
Joomla! Apprentice
Joomla! Apprentice
Posts: 25
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 9:58 am

Now it is time to see these guys in jail.

I know Turkish Police Department has an efficient impact on hackers.
Most hackers are catch in 24-36 hours and put in to jail at least 2+ years.


Here some evidences to go hackers.


I http://forum.joomla.org/index.php/topic ... #msg954536

I have also contact phone numbers to help to reach these,
i can give them to joomla officials if needed.
Last edited by Kursat on Sun Aug 19, 2007 10:13 am, edited 1 time in total.

User avatar
Wendy
Joomla! Intern
Joomla! Intern
Posts: 78
Joined: Tue Nov 22, 2005 5:20 pm
Location: Canada

Re: Discuss: A long day...

Post by Wendy » Sun Aug 19, 2007 9:59 am

Many thanks to you all for the work and time you are putting in to this.  :)
“The key to everything is patience. You get the chicken by hatching the egg, not by smashing it.”

User avatar
louis.landry
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 101
Joined: Wed Aug 17, 2005 11:03 pm
Location: New Orleans, Louisiana
Contact:

Re: Discuss: A long day...

Post by louis.landry » Sun Aug 19, 2007 10:01 am

JacquesR wrote:Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques



I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.

These site owners have IPs and such in logs, they should contact the ISPs and file complaints.  It is possible that nothing comes of it, probable in fact ... but it is something.

Louis
Project Manager :: Developer
http://www.webimagery.net
A hacker does for love what others would not do for money.

JacquesR
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat Aug 18, 2007 11:28 pm

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 10:10 am

louis.landry wrote:I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.


I appreciate that you cannot possibly know the cause of the other sites's hacking.

There does seem to be a focus by this person on Joomla sites, and even though we now know how access was gained to joomla.org sites, it is still not clear how the other sites was hacked, and therefore the real concern remains that more sites could follow using a possible similar exploit.

In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

I sent a link to RobS (though your site) for your info. (mailboxes are full)

regards,
Jacques
Last edited by JacquesR on Sun Aug 19, 2007 10:16 am, edited 1 time in total.

User avatar
hornos
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Aug 19, 2005 7:08 pm
Location: France
Contact:

Re: Discuss: A long day...

Post by hornos » Sun Aug 19, 2007 10:15 am

JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

the answer:
Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

User avatar
TomT
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 100
Joined: Thu Aug 18, 2005 5:50 am
Location: Amsterdam
Contact:

Re: Discuss: A long day...

Post by TomT » Sun Aug 19, 2007 10:16 am

It's such a waist of time for everyone, this vandalism..... I hope you can all get some much deserved rest soon.

Thanks, Tom

User avatar
masterflafer
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Aug 07, 2007 8:52 pm

Re: Discuss: A long day...

Post by masterflafer » Sun Aug 19, 2007 10:19 am

I hope they will end up in jail.

Googling their names I found couple sites where they show their "success". WTF ???
They have also site and forum.
There must be way to find them and bring them to justice.

JacquesR
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat Aug 18, 2007 11:28 pm

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 10:22 am

hornos wrote:
JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

the answer:
Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.


You may be miss-understanding what I'm saying here.

I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.

Though limited in number (currently), it does seem to suggest that this incident is not confined to joomla.org and needs further attention/investigation.

regards,
Jacques

edit: added clarification
Last edited by JacquesR on Sun Aug 19, 2007 10:28 am, edited 1 time in total.

User avatar
fw116
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Discuss: A long day...

Post by fw116 » Sun Aug 19, 2007 10:33 am

thanx for ur report and nice to hear thats not the joomla core..
Greg: [thinking] Let's see what the tech support E-Mails have to say today.
E-Mail: Hello. I just set up my new PC and it doesn't work correctly. Do you have any ideas? Signed, A Paying Customer.
Greg: [ rappy tap tap jab] Yep, I sure do. Signed, Tech Support.

User avatar
RobS
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 102
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discuss: A long day...

Post by RobS » Sun Aug 19, 2007 10:34 am

Alright, the main sites are up now.  Yes, I know... not all of them.  I am absolutely exhausted, it is 5:30 in the morning and I am going to bed.  We will finish the other sites  in the morning later.
Rob Schley - Joomla! Core Team
WebImagery - http://www.webimagery.net/

User avatar
masterchief
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Fri Aug 12, 2005 2:45 am
Location: Toowoomba, Australia
Contact:

Re: Discuss: A long day...

Post by masterchief » Sun Aug 19, 2007 10:50 am

Thanks everyone involved for working the problem and sacrificing the better parts of you collective weekends for the benefits of all.
Andrew Eddie - Joomla! Lead Developer
<><
http://www.theartofjoomla.com - FREE Joomla! 1.5 MAGAZINE for Developers, Admins, and Users
http://www.newlifeinit.com - J!1.5 GPL Reporting tools, Magazines, Comments, Catalogs - more coming in 2008!

User avatar
hornos
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Aug 19, 2005 7:08 pm
Location: France
Contact:

Re: Discuss: A long day...

Post by hornos » Sun Aug 19, 2007 11:15 am

JacquesR wrote:I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.
Attacks were not directed to joomla based sites exclusively !!

As mentionned in the annoucement:
Of all of our sites, there was one that still had register globals emulation on.  Of all of our sites there was one that had the htaccess file missing and most importantly ... that one site has a remote file inclusion vulnerability
It just means that the guys in charge of http://shop.joomla.org didn't not follow security baselines :P : http://help.joomla.org/component/option ... temid,268/
Last edited by hornos on Sun Aug 19, 2007 11:18 am, edited 1 time in total.

User avatar
brad
Joomla! Hero
Joomla! Hero
Posts: 2212
Joined: Fri Aug 12, 2005 12:38 am
Skype: tested
Location: Sydney - Australia
Contact:

Re: Discuss: A long day...

Post by brad » Sun Aug 19, 2007 11:17 am

Great work guys. Thanks for picking up the slack while I was busy this weekend.
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!

jmc
Joomla! Apprentice
Joomla! Apprentice
Posts: 26
Joined: Thu Aug 18, 2005 9:10 pm

Re: Discuss: A long day...

Post by jmc » Sun Aug 19, 2007 11:29 am

this incident is not confined to joomla.org and needs further attention/investigation.

Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( :-[), Joomla 1.0.4 (upgrade? why would I wanna do that???) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.
There's only one sure-fire method of protecting yourself in these cases - backup - regularly and fully! Be ready to take the hit if you don't. And don't blame anyone but yourself!
And one other thing... what's with all of this "He's not a hacker... he's a cracker" crap that I've seen kicking around in the 6+ pages of posts. WTF??? It's almost like we're giving the scumbags recognised levels of professional qualification!
I've decided that, should I ever be a victim to a defacement of one of my sites, I will take this stance - I have NOT been "hacked" or "cracked" - I've been "SCUMMED". Seems a much more fitting term.  ;)

Kursat
Joomla! Apprentice
Joomla! Apprentice
Posts: 25
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 11:49 am

This morning i spoke with one officer friend at Turkish Police Dep. on joomla case.
He told me that if the attacked server (as a starting point) is staying in Turkey they examine the hacked server with website personel and pick attacker to jail in a few days.

If the server is at EU and USA, these countries police dept.s are in tight connection with Turkish PDs. In this case server (area attacked) is examined by those PDs and evidences
examined by Turkish PDs concurrently. Necessary action is taken to the attacker.

In these cases when website owner claims the police help, the case becomes a public case
in all these countries. So the attacker has no chance to live freely at least a few years of time.

Officer said that police help is a necessary to find attacker because website owners can only investigate their own servers and their ISP's helps, but police depts have power to control all the related routers, equipments, related other ISPs/networks information globally.
Last edited by Kursat on Sun Aug 19, 2007 11:52 am, edited 1 time in total.

JacquesR
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat Aug 18, 2007 11:28 pm

Re: Discuss: A long day...

Post by JacquesR » Sun Aug 19, 2007 12:19 pm

jmc wrote:
this incident is not confined to joomla.org and needs further attention/investigation.

Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( :-[), Joomla 1.0.4 (upgrade? why would I wanna do that???) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.


Not hounding anyone. Only attempting to gain better understanding of the defacement of various sites built on Joomla, yesterday and today (by a spesific individual/group).

The other sites are mostly in Russian or Italian, and I'm unaware if they have forums.

I ask the questions here, since it is a public forum for the Joomla community, and security issues would be of concern to us all.

There is no contradiction in sincerely thanking the Joomla team for all their efforts in restoring the joomla.org sites, and at the same time trying to figure out what commonality there may be between these defacements and those of the other sites.

The knowledge gained could prevent myself and others from falling victim to the same attacks.

I do agree with you that regular backups is a must, since no software or system can ever be 100% secure (mostly due to the human element).

regards,
Jacques

User avatar
cbh
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sun Aug 28, 2005 11:20 pm
Location: Toronto, Ontario, Canada

Re: Discuss: A long day...

Post by cbh » Sun Aug 19, 2007 1:44 pm

Thanks for the detailed information. Just a suggestion - should this announcement not also be posted in the security forum, so that those of use who registered for updates by email can receive it that way as well?

Thanks for all your hard work on this.

Cheers
Chris Hutcheson

User avatar
Tonie
Joomla! Ace
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am
Contact:

Re: Discuss: A long day...

Post by Tonie » Sun Aug 19, 2007 1:59 pm

That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
Antonie de Wilde - Forum admin

Kursat
Joomla! Apprentice
Joomla! Apprentice
Posts: 25
Joined: Thu Nov 09, 2006 5:56 pm

Re: Discuss: A long day...

Post by Kursat » Sun Aug 19, 2007 2:01 pm

Tonie wrote: Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla.


very nice for community
this is the best new of the day,

User avatar
cbh
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sun Aug 28, 2005 11:20 pm
Location: Toronto, Ontario, Canada

Re: Discuss: A long day...

Post by cbh » Sun Aug 19, 2007 2:06 pm

Tonie wrote:That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.


I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris

User avatar
infograf768
Joomla! Engineer
Joomla! Engineer
Posts: 366
Joined: Fri Aug 12, 2005 3:47 pm
Location: •Translation Matters•

Re: Discuss: A long day...

Post by infograf768 » Sun Aug 19, 2007 2:41 pm

cbh wrote:
Tonie wrote:That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.


I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris


I posted this as sooon as we got the News concerning the solution of the problem.
http://forum.joomla.org/index.php/topic,203293.0.html
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.


Post Reply