
Joomla site - Hacked

Started by Storman™, August 18, 2007, 07:11:52 AM


afonic

elfishtroll, I think you need to back off a little and stop your stupid behavior.

It may be the first time I personally attack a forum member in my life, but I've seen all of your posts in this thread and they are just about:

- how much (free open source) Joomla sucks
- why the core team (aka unpaid volunteers) are evil
- all kinds of insane conspiracy theories
- how well the Joomla folks lie and put the blame elsewhere
- praising the script kiddies
- being EXTREMELY happy as in your mind Joomla (software that thousands of people use and enjoy) is insecure

You don't accept anyone who tries to say something against your points, you always blame the "core team" and don't even THINK that yes, a site can be hacked/defaced/destroyed because the admin is not doing his job correctly OR that there CAN actually be an insecure component.

IMHO you are the kind of person who always blames someone and never tries to help. If you don't like Joomla DON'T USE IT. I don't see the reason to constantly blame it and the core team these days.

anna.young

Afonic, I might be wrong, but the way I read it, I don't think that Elfishtroll has issues with the 'free open source Joomla' software project itself. I use it myself and have loved it all this time. The issue is with the human element of that project and the way they seem to be handling problems and their obvious attempts to manipulate both us, the end users, AND the facts.

In all fairness there has been no AmyStaphens's truthiness here since Sunday... so the topic will hopefully go to rest on its own soon...

Anna
Toronto German Shepherd Dog Rescue

"Here's to the crazy ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes... the ones who see things differently -- they're not fond of rules... You can quote them, disagree with them, glorify or vilify them, but the only thing you can't do is ignore them because they change things... they push the human race forward, and while some may see them as the crazy ones, we see genius, because the ones who are crazy enough to think that they can change the world, are the ones who do." (SJ)

elfishtroll

lol.

I never said free open source sucks.

I never praised "script kiddies".

Why the core team (aka unpaid volunteers) are evil?

What does their "payment status" have to do with anything? If anything, they are quite well paid for what they get out of the Joomla cow compared to what they put in!

If anything, they are richly paid with the effeminate fawnings of gushing sycophants @ home and abroad, that strokes the....umm.."long days" :)
As for evil, cooking up a "newfound adherence to the GPL" in order to kick out the 3PD developers previously welcomed and encouraged, so as to occupy the now vacant niche, does seem mighty scummy to me, if not downright evil :)

My "insane conspiracy theories" are all bound by fact (but since you would 'give them credence' by even attempting to rebut them, I guess you are between a rock and a hard place, aren't you? :D)

Quote: "you don't even THINK that yes, a site can be hacked/defaced/destroyed because the admin is not doing his job correctly OR that there CAN actually be an insecure component."

Where do you get THAT from? LOL (must be that extra bran you had this morning, lol)
That's probably the ONLY way a site can be hacked these days, as most hosts have locked down "null code" insertions and the like; the way to BE hacked is via loose extensions (which Joomla/Mambo encourages, i.e. code peer review).

Even something as simple as a "security checklist" which all code submitters must sign and attest to before submission (in lieu of a formal 'approval process') is ignored.


Pah, your logic has been found wanting and your arguments lacking -begone!
(or "attack" away, thy words are but those of a gnat behind my mosquito screen of common sense/crass bravado!)


<insert LOL here>

青山 素子

Quote from: elfishtroll on August 21, 2007, 03:43:47 PM
If anything, they are richly paid with the effeminate fawnings of gushing sycophants @ home and abroad, that strokes the....umm.."long days" :)

Still hitting the Sterno, eh?


Quote from: elfishtroll on August 21, 2007, 03:43:47 PM
Quote: "you don't even THINK that yes, a site can be hacked/defaced/destroyed because the admin is not doing his job correctly OR that there CAN actually be an insecure component."

Where do you get THAT from? LOL (must be that extra bran you had this morning, lol)
That's probably the ONLY way a site can be hacked these days, as most hosts have locked down "null code" insertions and the like; the way to BE hacked is via loose extensions (which Joomla/Mambo encourages, i.e. code peer review).

Not all hosts are secure, however, and the Joomla! project is on their own dedicated boxes, leaving security up to them. Obviously, they messed up on that security issue, but I would hope they actually learned and have better lock-down procedures now.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Storman™

Thank you for stepping in and getting back on-topic Motoko-chan (hint, hint..)

;)

afonic

You are making jokes about the Joomla team and insulting people in your previous posts, are you not? Why? Do you think they lie and that this component that Marko wrote had nothing to do with it? And please show me the area in the original Joomla announcement that says "it was not our fault".

Thing is, this was a security problem caused by poor administration of the server and a problematic component. Bad for those doing the job, nothing to do with Joomla as software.

I'm just tired of watching the whole internet blaming the Joomla team about this whole "we allow GPL extensions only" thing. Yes, I do believe that all your comments in this thread are biased by that fact.

These "GPL Jihad" comments etc are plain bull******, imo always.

青山 素子

Quote from: afonic on August 21, 2007, 05:36:58 PM
Thing is, this was a security problem caused by poor administration of the server and a problematic component. Bad for those doing the job, nothing to do with Joomla as software.

If the same author that wrote this component is also writing for Joomla! itself, I do feel that people have a right to question the security of the product.

However, I do agree that comments instantly painting the software as bad without any evidence to back that up are bad. In the interest of free speech, I haven't been removing anything, but I might just lock this topic if I see more baseless assertions.


elfishtroll

Actually, the thread is more a "chit chat" type topic than actually belonging to "Joomla Bridge support", as it's not as if it (Joomla being "hacked/defaced") really affects the bridge (or lack of a bridge) in a significant way.

So with that said, it's hard to be "on topic" as, by its very nature, the conversation is going to meander a bit (or be infused with speculation: who did it? why? how?)

The interesting thing is (as I pointed out earlier) if the component was vulnerable, it was vulnerable from DAY ONE of its installation. Granted, assuming it was not an inside job :P the exact source code may not have been available - still, the URL architecture of Joomla/Mambo is such that you can probably guess the appropriate vector for a MosConfig injection attack for any component, once you know that it is installed.


The scenario exists that multiple users may have downloaded modified versions of Joomla and may be hacks waiting to happen!*

http://wordpress.org/development/2007/03/upgrade-212/
This actually happened to WordPress some months ago where the WordPress server was hacked and A NEW WORDPRESS DISTRIBUTION PUT IN THE DOWNLOAD SLOT!
* This means that several people downloaded a specially modified ( with a backdoor) installation of wordpress!

That ANY SUGGESTION THAT THAT IS EVEN POSSIBLE IS DELETED FROM THE JOOMLA FORUMS is rather odd, isn't it?*


however, it will all blow over (or under) and all things will pass.

Even the hot 'indispensable' CMS of the day will ebb and flow...when's the last time anyone installed a copy of PostNuke? :D





* if that is even true, AFAIK, Joomla people NEVER delete posts in the forums (or even move them to locked/admin response only areas :P )





For the record I never said that the Joomla software was bad or (excepting the above reference) has any blatant security holes (deficiencies yes, but not holes per se).
However, I stand by my assertion, backed up by the evidence both private and public, that the Joomla core devs HAVE acted less than honorably/competently in the "GPL saga" AND that some of the reasons espoused for recent changes (the password changes for "security" which break all bridges and integrations) have been disingenuous to say the least :P

if you could read my posts ( without having someone send you over here with "talking points") you would have figured it out for yourself !

ps. I am NOT "Hooked On Afonic!"

</lol>


zwaldowski

While I feel your post was intended to be at least partially funny, elfishtroll, this hacking backdoor is more than possible. I know they restored a backup and fixed security, but this could've been an issue for a long time. Since they have had the mosConfig issue for a while, somebody could have uploaded a file on the forums that was a modded core file that alters the database schema, or installed a backdoor. After all, components, like the JH bridge, can alter files in Joomla. Hell... it could've been a conspiracy in every file uploaded! :-P

Good thing the hackers didn't get hold of the Forge... they could've installed a backdoor in SVN!

------------------------
Help me win an iPod, or maybe a Wii!

elfishtroll

ALL my posts are designed to be 'partially funny'.

Though I often fail, I resolve to keep trying until someone laughs or the forum breaks (whichever comes first)

I WAS serious about the 'backdoor' possibility tho....
THAT particular issue was/is being squelched on the Joomla side


if they are SURE there has been no access prior to the ultimate defacement, the question is... how?

eddyyanto

elfishtroll,

you're muddling the GPL issue with this Joomla! custom component vulnerability issue,
and that is somewhat off topic for the purpose of this thread.

Raul Dias

Quote from: elfishtroll on August 21, 2007, 11:17:42 PM
I WAS serious about the 'backdoor' possibility tho....
THAT particular issue was/is being squelched on the Joomla side

if they are SURE there has been no access prior to the ultimate defacement, the question is... how?
The same thing that happened with WordPress happened with Sendmail a few years ago.
The solution that every serious software distribution has to detect this is:
* MD5 sum of all files to download (this only guarantees integrity).
* PGP/GPG signing of the files.

Neither Joomla nor SMF does this, and they should start, especially to give trust to their users.

On the Joomla side I have been doing diffs since 1.0.9 (or 10) to keep up with the changes at source level.

elfishtroll

Quote from: eddyyanto on August 21, 2007, 11:38:51 PM
elfishtroll,

you're muddling the GPL issue with this Joomla! custom component vulnerability issue,
and that is somewhat off topic for the purpose of this thread.

I am flattered that the quoted was your FIRST POST! :D

( if I were you though, I would have saved your "SMF Virginity" for one more worthy :P )

Like hastily discarded virginity, don't you even now feel the pangs of regret? "Oh, if only I had not been so impetuous! If only I had waited, and made MY FIRST POST something to remember!" Alas, in your haste, it seems you are spent, done, before your tangled misspelt words sprayed onto this thread. :(

so what is left for you? to slink off, perhaps to return nine months later with an idea or thought?)


:D


@Raul
Quote: "Neither Joomla nor SMF does this, and they should start, especially to give trust to their users."

Actually, I believe Joomla has been listing SHA1/MD5 hashes for the zip and tarballs for a while, not that it makes much difference since they can be recalculated and the source edited to show the new hash.

there is also an internal script that you can run that scans the files in your install and compares them against the hash (to detect tampering on your site)

青山 素子

Quote from: Raul Dias on August 21, 2007, 11:40:20 PM
The solution that every serious software distribution has to detect this is:
* MD5 sum of all files to download (this only guarantees integrity).
* PGP/GPG signing of the files.

Neither Joomla nor SMF does this, and they should start, especially to give trust to their users.

I don't think every serious project does this, but it isn't a bad idea. I'll talk to the team on it.


elfishtroll

Well, it's a little bit redundant in SMF's case and here's why.


Under GPL, ANYBODY can put a link up on their site and say "HERE'S THE LATEST JOOMLA!! get it here!"

So that kind of checksum authentication allows those who are so inclined to validate their copy using the info from the 'head office'.


Similarly, the individual checksum for EACH FILE that the Joomla/Mambo diagnostic tool uses to check each file for tampering is of limited utility in the SMF context, as here, different from Joomla/Mambo, extensions actually MODIFY THE CODE ON DISK (keeping track of the changes they made so they can be undone), which means a new checksum would have to be recalculated.


I bet the dev team will probably come to the same response.

Still, a program that you upload after you install a mod that scans everything and gives you a diagnostic file with the SHA1/MD5 hash of every file you have (that you can then use as a tool periodically between updates to check for unauthorized changes) would be a GOOD THING (but somewhat different from what we are talking about here).

青山 素子

What Raul is talking about is signing the compressed archive so the paranoid can verify it is the correct file and hasn't been tampered with. If the download was to be tampered with, the intruder couldn't PGP sign the broken copy, so it would be detected faster.


elfishtroll

AH!

(note to self, insert READ before POST)

more useful now that you've explained it more, but still I think maybe a little more work than benefit. Still, I guess if you have enough free time, and it's not as if SMF releases a new version every week anyway (but maybe they could do this for mods and templates tho).

afonic

Back to the security facts: I don't think Joomla people are so unreliable that if such an issue exists they wouldn't send out a notice.

In fact, the Joomla forge is on a different server, making this possibility even more unlikely.

Praedator

Quote from: Motoko-chan on August 21, 2007, 05:52:18 PM
Quote from: afonic on August 21, 2007, 05:36:58 PM
Thing is, this was a security problem caused by poor administration of the server and a problematic component. Bad for those doing the job, nothing to do with Joomla as software.

If the same author that wrote this component is also writing for Joomla! itself, I do feel that people have a right to question the security of the product.

However, I do agree that comments instantly painting the software as bad without any evidence to back that up are bad. In the interest of free speech, I haven't been removing anything, but I might just lock this topic if I see more baseless assertions.

Most parts of this shop component include code from PrintMojo itself, and it also contacts PrintMojo via fopen etc., so the fault I see here is only that the .htaccess was not activated, which would have prevented a hack, if this really was the whole, as on my test server I was not able to hack it ;)

Also there was not really time for testing when the shop was set up.
Predator

- Time is a created thing. To say, "I don't have time" is like saying "I don't want to."
- Lao-Tzu......

elfishtroll

Quote from: Praedator on August 22, 2007, 04:48:44 PM
Quote from: Motoko-chan on August 21, 2007, 05:52:18 PM
Quote from: afonic on August 21, 2007, 05:36:58 PM
Thing is, this was a security problem caused by poor administration of the server and a problematic component. Bad for those doing the job, nothing to do with Joomla as software.

If the same author that wrote this component is also writing for Joomla! itself, I do feel that people have a right to question the security of the product.

However, I do agree that comments instantly painting the software as bad without any evidence to back that up are bad. In the interest of free speech, I haven't been removing anything, but I might just lock this topic if I see more baseless assertions.

Most parts of this shop component include code from PrintMojo itself, and it also contacts PrintMojo via fopen etc., so the fault I see here is only that the .htaccess was not activated, which would have prevented a hack, if this really was the whole, as on my test server I was not able to hack it ;)

Also there was not really time for testing when the shop was set up.

That has to be the LAMEST, DUMBEST "explanation" I've ever heard!

Btw, most of MY DNA (ME) comes from evolutionary monkeys, still I am responsible for the code I write (and the speeding tickets I get come in MY name, and are not shared by my ancestors) :P

Remote file inclusion is so fundamentally simple to guard against that any programmer with an ounce of shame would go out and cut off his fingers in shame for having committed so stupid a mistake!

- To say that there was no time for testing (there is ALWAYS time for testing) or to say that most of the "code came from ...." is the most lameass excuse schlepping I have EVER heard :(

Personally, that kind of code exploit is so well known, and so clear cut, that to have that in your code (in 2007) seems to be arguably criminal or willful negligence.

