  1. #1

    RabbieBurns (Join Date: Apr 2008, Location: Sydney)

    my joomla got hacked

    I'm pretty sure..

    I set up a Joomla on one of my vhosts as a test, and forgot about it.. For well over a year or more..

    Happened to look through my apache logs, and found a whole load of random GETs..

    I immediately shut down apache, moved apache over to another box, and moved the other websites (all non-joomla) over to it.

    I set up password protection on the main site, and only allowed the vhosts

    I panicked, and deleted the folder which had the stuff which I reckon was the hacked stuff, but in the apache logs, the bad stuff was listed as
    Code:
    66.249.66.129 - - [11/Mar/2011:11:25:46 +0000] "GET /components/com_facileforms/startdownload-Lisa-Gerrard-With-Klaus-Schulze-Come-Quietly-CD-2009-JUST.rar.html HTTP/1.1"
    but each GET was for a different filename. I did a search, and none of those files appear to be on the local system, but I cannot be 100% sure?

    I've reset the root password, and killed apache..

    I did a search for the
    Code:
    /components/com_facileforms/
    and that was a path that appeared within the joomla install, albeit it had a newer creation date than the actual joomla install. I had a quick look at the php files in there, and one seemed to be a re-write of google bot IPs, which is probably why all the logs in my access_log for apache resolve to googlebot IPs. I shouldn't have deleted the files so hastily, but I panicked.

    Since moving the sites (same domains and same IPs) over to a new box, I am still getting a load of hits in the logs, although now they are 401 (access denied I hope?), but they still seem to be coming from googlebot IPs?

    Code:
    66.249.66.129 - - [11/Mar/2011:11:20:03 +0000] "GET /components/com_facileforms/startdownload-22.Tech.N9ne.-.Like.Yeah.vob.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:20:17 +0000] "GET /components/com_facileforms/startdownload-Kimberley-Walsh---Sport-Relief---Appeal---19th-March-2010-EDIT-snoop-.mpg.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:20:32 +0000] "GET /components/com_facileforms/startdownload-Petro-The-Soldier.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:20:42 +0000] "GET /components/com_facileforms/startdownload-Gran-Torino.BDRip.part01.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:20:48 +0000] "GET /components/com_facileforms/startdownload-Brussels-Bruges-Antwerp-Ghent-Top-10.rar.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:21:03 +0000] "GET /components/com_facileforms/startdownload-The-Ultimate-Club-Penguin-Hacking-Pack.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:21:19 +0000] "GET /components/com_facileforms/startdownload-Cross-Stitch-Gold-35.zip.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:21:20 +0000] "GET /components/com_facileforms/startdownload-Antarctica-Satellite-Map.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:21:35 +0000] "GET /components/com_facileforms/startdownload-Kyou-Kara-Maou-12.mkv.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:21:50 +0000] "GET /components/com_facileforms/startdownload-COMIC-Penguin-Club-2008-11-EPIDEM.RU.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:21:58 +0000] "GET /components/com_facileforms/startdownload-1927-sugar-daddies.part2.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:22:06 +0000] "GET /components/com_facileforms/startdownload-The-Good-Shepherd---DVDrip.part1.rar.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:22:22 +0000] "GET /components/com_facileforms/startdownload-One-Piece---125---Light-the-Fire-of-Loftra--Wyler-the-Warrior-.rmvb.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:22:37 +0000] "GET /components/com_facileforms/startdownload-Gran-Torino.BDRip.part03.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:22:38 +0000] "GET /components/com_facileforms/startdownload-Optitex-9-6-full---fashion-design-software.7z.rar.html HTTP/1.1" 401 475
    127.0.0.1 - - [11/Mar/2011:11:22:47 +0000] "GET / HTTP/1.0" 401 456
    66.249.66.129 - - [11/Mar/2011:11:22:53 +0000] "GET /components/com_facileforms/startdownload-Avast.Professional.v4.8.1229.Incl.Keymaker.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:23:09 +0000] "GET /components/com_facileforms/startdownload-Chevrolet-Astro-Van--1988------.part2.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:23:15 +0000] "GET /components/com_facileforms/startdownload-02x14---Pod-tlakem.part1.rar.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:23:24 +0000] "GET /components/com_facileforms/startdownload-Cisco.Press.Cisco.Multiservice.Switching.Networks.chm.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:23:40 +0000] "GET /components/com_facileforms/startdownload-Book-04-On-the-Banks-of-Plum-Creek-001.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:23:54 +0000] "GET /components/com_facileforms/startdownload-6-Civil-War-Opening-Shot.cbr.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:23:56 +0000] "GET /components/com_facileforms/startdownload-Kurtlar.Vadisi.Pusu.82.Bolum.Rizeliusak.Dizi.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:24:11 +0000] "GET /components/com_facileforms/startdownload-Instrukcja-obslugi-Nissan-Maxima-2000--ENG--up-by-dunaj2.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:24:27 +0000] "GET /components/com_facileforms/startdownload-Dress-code---Ne-xochy.AVI.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:24:32 +0000] "GET /components/com_facileforms/startdownload-1x18.By.school-bus.part1.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:24:43 +0000] "GET /components/com_facileforms/startdownload-Kurtlar-Vadisi-Pusu-1.Bolum---rip-by-zevkopat.3gp.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:24:59 +0000] "GET /components/com_facileforms/startdownload-Lock.Stock.and.Two.Smoking.Barrels.1998.720p-ESiR.dlc.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:12 +0000] "GET /components/com_facileforms/startdownload-08-04-90--Dodger-Stadium.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:14 +0000] "GET /components/com_facileforms/startdownload-Avast-Professional-Edition-4.8.1351.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:30 +0000] "GET /components/com_facileforms/startdownload-FTP-XviD-PDTV-WS-Worker-Social-Undercover-Dispatches-Sparhawk.r00.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:46 +0000] "GET /components/com_facileforms/startdownload-Lisa-Gerrard-With-Klaus-Schulze-Come-Quietly-CD-2009-JUST.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:50 +0000] "GET /components/com_facileforms/startdownload-WWII-Battle-Tanks.part01.rar.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:26:02 +0000] "GET /components/com_facileforms/startdownload-D-Nox---Sprout-Radio--Proton-Radio--SBD-04-06-2010-TALiON-INT-NewSceneFiles.net.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:26:18 +0000] "GET /components/com_facileforms/startdownload-Land-Rover-Microcat.part01.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:26:29 +0000] "GET /components/com_facileforms/startdownload-06x09---Closet-Cases.avi.001.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:26:34 +0000] "GET /components/com_facileforms/startdownload-Digital-Signal-Processing.pdf.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:26:49 +0000] "GET /components/com_facileforms/startdownload-Apress.Learn.Xcode.Tools.for.Mac.OS.X.and.iPhone.Development.Dec.2009.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:27:05 +0000] "GET /components/com_facileforms/startdownload-Feat.-Ja-Rule-and-Caddilac-Tah-Aint-It-Funny-www.sparthis.blogspot.com.rar.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:27:07 +0000] "GET /components/com_facileforms/startdownload-Avatar-Trailer-new-video.flv.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:27:20 +0000] "GET /components/com_facileforms/startdownload-HDTV-Rodeo-Last-The-Dunn-and-Brooks-Presents-ACM-Sparhawk.rar.html HTTP/1.1" 401 475
    is just a sample.

    I am going to wipe the affected box soon, just wondering if anyone has had anything similar happen, or knows what the com_facileforms exploit might be (I'm sure I didn't have this component installed) or can suggest where all these GET requests are coming from?

    cheers!
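    An added example (not the poster's code, and not part of the thread): a small Python triage script that parses Apache access-log lines like the ones quoted above, counts requests per client IP and status, and, for the `/components/com_facileforms/` path that worried the poster, separates requests that were rejected (4xx/5xx) from any that were actually served (2xx/3xx). The served ones are the lines worth pulling from the old box's logs, because they show what the installed component handed out before the site was password-protected. The sample log embedded in the script reuses lines from the thread; the two lines marked CONSTRUCTED (a served download and a legitimate `/index.php` hit from 10.0.0.5) and the one garbage line are made up to exercise the served and unparsable branches. The status/size fields are optional in the pattern so that a line truncated when pasted, like the first one quoted in the post, still yields host, time and path.

    ```python
    """Triage an Apache access log for requests to a suspicious component path.

    Added example for this thread, not the poster's own code. Log lines in
    SAMPLE_LOG are taken from the thread except where marked CONSTRUCTED.
    """
    import re
    from collections import Counter

    # Apache common log format: host ident user [time] "request" status size.
    # status/size are optional so a truncated paste still parses.
    LOG_RE = re.compile(
        r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?"'
        r'(?: (?P<status>\d{3}) (?P<size>\d+|-))?\s*$'
    )

    # Path the poster found appended to his install with a newer creation date.
    WATCHED_PREFIX = "/components/com_facileforms/"

    SAMPLE_LOG = """\
    66.249.66.129 - - [11/Mar/2011:11:20:03 +0000] "GET /components/com_facileforms/startdownload-22.Tech.N9ne.-.Like.Yeah.vob.html HTTP/1.1" 401 475
    66.249.71.19 - - [11/Mar/2011:11:23:24 +0000] "GET /components/com_facileforms/startdownload-Cisco.Press.Cisco.Multiservice.Switching.Networks.chm.html HTTP/1.1" 401 475
    127.0.0.1 - - [11/Mar/2011:11:22:47 +0000] "GET / HTTP/1.0" 401 456
    66.249.66.129 - - [11/Mar/2011:11:26:34 +0000] "GET /components/com_facileforms/startdownload-Digital-Signal-Processing.pdf.html HTTP/1.1" 401 475
    66.249.66.129 - - [11/Mar/2011:11:25:46 +0000] "GET /components/com_facileforms/startdownload-Lisa-Gerrard-With-Klaus-Schulze-Come-Quietly-CD-2009-JUST.rar.html HTTP/1.1"
    66.249.66.129 - - [10/Mar/2011:09:00:00 +0000] "GET /components/com_facileforms/startdownload-CONSTRUCTED-example.rar.html HTTP/1.1" 200 18342
    10.0.0.5 - - [11/Mar/2011:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120
    not a log line (CONSTRUCTED garbage to exercise the unparsed branch)
    """


    def parse_line(line):
        """Return a dict for one access-log line, or None if it does not match.

        status is an int, or None when the line was truncated before the status.
        """
        m = LOG_RE.match(line)
        if m is None:
            return None
        rec = m.groupdict()
        rec["status"] = int(rec["status"]) if rec["status"] else None
        return rec


    def triage(log_text, prefix=WATCHED_PREFIX):
        """Summarise a log: per (host, status) counts plus a breakdown of the
        requests under `prefix` into rejected, served and unknown-status."""
        summary = {
            "total": 0,
            "unparsed": 0,
            "by_host_status": Counter(),   # (host, status) -> count
            "watched_requests": 0,
            "watched_rejected": 0,         # 4xx / 5xx: the server refused
            "watched_served": [],          # 2xx / 3xx: content actually went out
            "watched_unknown": 0,          # truncated line, no status to judge
            "watched_paths": set(),
        }
        for raw in log_text.splitlines():
            if not raw.strip():
                continue
            summary["total"] += 1
            rec = parse_line(raw)
            if rec is None:
                summary["unparsed"] += 1
                continue
            summary["by_host_status"][(rec["host"], rec["status"])] += 1
            if not rec["path"].startswith(prefix):
                continue
            summary["watched_requests"] += 1
            summary["watched_paths"].add(rec["path"])
            status = rec["status"]
            if status is None:
                summary["watched_unknown"] += 1
            elif 200 <= status < 400:
                summary["watched_served"].append((rec["host"], rec["time"], rec["path"]))
            else:
                summary["watched_rejected"] += 1
        return summary


    if __name__ == "__main__":
        s = triage(SAMPLE_LOG)
        print(f"{s['total']} lines, {s['unparsed']} unparsable")
        for (host, status), n in sorted(s["by_host_status"].items(), key=str):
            print(f"  {host:<16} status={status!s:<5} {n}")
        print(f"{s['watched_requests']} requests under {WATCHED_PREFIX}: "
              f"{s['watched_rejected']} rejected, {s['watched_unknown']} unknown, "
              f"{len(s['watched_served'])} SERVED")
        for host, when, path in s["watched_served"]:
            print(f"  SERVED {when} {host} {path}")
    ```

    Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the "SERVED" lines are the ones to keep as evidence, together with the component files themselves, before wiping the box. The per-host counts are what you would feed into a reverse-DNS check if you wanted to confirm whether the 66.249.x.x clients really are Google's crawler rather than a spoofed user agent.
    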

  2. #2

    powdarrmonkey (Join Date: Feb 2008, Location: Alcester, Warwickshire)
    There have previously been disclosures for SQL injection vulnerabilities and XSS vulnerabilities in that component, so this looks like the SQL attack. All the quoted requests returned HTTP 401, which is "Unauthorized, but specifically when authentication is possible and has failed or not yet been provided", so that's good. Always wipe the box clean before you bring it back up (and next time, preserve the evidence!)
