*nix (Technical) forum thread: my joomla got hacked
11th March 2011, 03:27 PM #1 my joomla got hacked
I'm pretty sure...
I set up a Joomla on one of my vhosts as a test, and forgot about it... for well over a year or more.
Happened to look through my Apache logs, and found a whole load of random GETs.
I immediately shut down Apache, moved Apache over to another box, and moved the other websites (all non-Joomla) over to it.
I set up password protection on the main site, and only allowed the vhosts.
I panicked, and deleted the folder which had the stuff which I reckon was the hacked stuff, but in the Apache logs the bad stuff was listed as:
Code:
66.249.66.129 - - [11/Mar/2011:11:25:46 +0000] "GET /components/com_facileforms/startdownload-Lisa-Gerrard-With-Klaus-Schulze-Come-Quietly-CD-2009-JUST.rar.html HTTP/1.1"
but each GET was for a different filename. I did a search, and none of those files appear to be on the local system, but I cannot be 100% sure.
I've reset the root password, and killed Apache.
I did a search for the
Code:
/components/com_facileforms/
and that was a path that appeared within the Joomla install, albeit it had a newer creation date than the actual Joomla install. I had a quick look at the PHP files in there, and one seemed to be a rewrite of Googlebot IPs, which is probably why all the logs in my access_log for Apache resolve to Googlebot IPs. I shouldn't have deleted the files so hastily, but I panicked.
Since moving the sites (same domains and same IPs) over to a new box, I am still getting a load of hits in the logs, although now they are 401 (access denied, I hope?). But they still seem to be coming from Googlebot IPs:
Code:
66.249.66.129 - - [11/Mar/2011:11:20:03 +0000] "GET /components/com_facileforms/startdownload-22.Tech.N9ne.-.Like.Yeah.vob.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:20:17 +0000] "GET /components/com_facileforms/startdownload-Kimberley-Walsh---Sport-Relief---Appeal---19th-March-2010-EDIT-snoop-.mpg.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:20:32 +0000] "GET /components/com_facileforms/startdownload-Petro-The-Soldier.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:20:42 +0000] "GET /components/com_facileforms/startdownload-Gran-Torino.BDRip.part01.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:20:48 +0000] "GET /components/com_facileforms/startdownload-Brussels-Bruges-Antwerp-Ghent-Top-10.rar.html HTTP/1.1" 401 475
66.249.71.19 - - [11/Mar/2011:11:21:03 +0000] "GET /components/com_facileforms/startdownload-The-Ultimate-Club-Penguin-Hacking-Pack.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:21:19 +0000] "GET /components/com_facileforms/startdownload-Cross-Stitch-Gold-35.zip.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:21:20 +0000] "GET /components/com_facileforms/startdownload-Antarctica-Satellite-Map.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:21:35 +0000] "GET /components/com_facileforms/startdownload-Kyou-Kara-Maou-12.mkv.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:21:50 +0000] "GET /components/com_facileforms/startdownload-COMIC-Penguin-Club-2008-11-EPIDEM.RU.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:21:58 +0000] "GET /components/com_facileforms/startdownload-1927-sugar-daddies.part2.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:22:06 +0000] "GET /components/com_facileforms/startdownload-The-Good-Shepherd---DVDrip.part1.rar.html HTTP/1.1" 401 475
66.249.71.19 - - [11/Mar/2011:11:22:22 +0000] "GET /components/com_facileforms/startdownload-One-Piece---125---Light-the-Fire-of-Loftra--Wyler-the-Warrior-.rmvb.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:22:37 +0000] "GET /components/com_facileforms/startdownload-Gran-Torino.BDRip.part03.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:22:38 +0000] "GET /components/com_facileforms/startdownload-Optitex-9-6-full---fashion-design-software.7z.rar.html HTTP/1.1" 401 475
127.0.0.1 - - [11/Mar/2011:11:22:47 +0000] "GET / HTTP/1.0" 401 456
66.249.66.129 - - [11/Mar/2011:11:22:53 +0000] "GET /components/com_facileforms/startdownload-Avast.Professional.v4.8.1229.Incl.Keymaker.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:23:09 +0000] "GET /components/com_facileforms/startdownload-Chevrolet-Astro-Van--1988------.part2.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:23:15 +0000] "GET /components/com_facileforms/startdownload-02x14---Pod-tlakem.part1.rar.html HTTP/1.1" 401 475
66.249.71.19 - - [11/Mar/2011:11:23:24 +0000] "GET /components/com_facileforms/startdownload-Cisco.Press.Cisco.Multiservice.Switching.Networks.chm.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:23:40 +0000] "GET /components/com_facileforms/startdownload-Book-04-On-the-Banks-of-Plum-Creek-001.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:23:54 +0000] "GET /components/com_facileforms/startdownload-6-Civil-War-Opening-Shot.cbr.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:23:56 +0000] "GET /components/com_facileforms/startdownload-Kurtlar.Vadisi.Pusu.82.Bolum.Rizeliusak.Dizi.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:24:11 +0000] "GET /components/com_facileforms/startdownload-Instrukcja-obslugi-Nissan-Maxima-2000--ENG--up-by-dunaj2.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:24:27 +0000] "GET /components/com_facileforms/startdownload-Dress-code---Ne-xochy.AVI.html HTTP/1.1" 401 475
66.249.71.19 - - [11/Mar/2011:11:24:32 +0000] "GET /components/com_facileforms/startdownload-1x18.By.school-bus.part1.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:24:43 +0000] "GET /components/com_facileforms/startdownload-Kurtlar-Vadisi-Pusu-1.Bolum---rip-by-zevkopat.3gp.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:24:59 +0000] "GET /components/com_facileforms/startdownload-Lock.Stock.and.Two.Smoking.Barrels.1998.720p-ESiR.dlc.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:25:12 +0000] "GET /components/com_facileforms/startdownload-08-04-90--Dodger-Stadium.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:25:14 +0000] "GET /components/com_facileforms/startdownload-Avast-Professional-Edition-4.8.1351.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:25:30 +0000] "GET /components/com_facileforms/startdownload-FTP-XviD-PDTV-WS-Worker-Social-Undercover-Dispatches-Sparhawk.r00.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:25:46 +0000] "GET /components/com_facileforms/startdownload-Lisa-Gerrard-With-Klaus-Schulze-Come-Quietly-CD-2009-JUST.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:25:50 +0000] "GET /components/com_facileforms/startdownload-WWII-Battle-Tanks.part01.rar.html HTTP/1.1" 401 475
66.249.71.19 - - [11/Mar/2011:11:26:02 +0000] "GET /components/com_facileforms/startdownload-D-Nox---Sprout-Radio--Proton-Radio--SBD-04-06-2010-TALiON-INT-NewSceneFiles.net.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:26:18 +0000] "GET /components/com_facileforms/startdownload-Land-Rover-Microcat.part01.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:26:29 +0000] "GET /components/com_facileforms/startdownload-06x09---Closet-Cases.avi.001.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:26:34 +0000] "GET /components/com_facileforms/startdownload-Digital-Signal-Processing.pdf.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:26:49 +0000] "GET /components/com_facileforms/startdownload-Apress.Learn.Xcode.Tools.for.Mac.OS.X.and.iPhone.Development.Dec.2009.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:27:05 +0000] "GET /components/com_facileforms/startdownload-Feat.-Ja-Rule-and-Caddilac-Tah-Aint-It-Funny-www.sparthis.blogspot.com.rar.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:27:07 +0000] "GET /components/com_facileforms/startdownload-Avatar-Trailer-new-video.flv.html HTTP/1.1" 401 475
66.249.66.129 - - [11/Mar/2011:11:27:20 +0000] "GET /components/com_facileforms/startdownload-HDTV-Rodeo-Last-The-Dunn-and-Brooks-Presents-ACM-Sparhawk.rar.html HTTP/1.1" 401 475
That is just a sample.
I am going to wipe the affected box soon; just wondering if anyone has had anything similar happen, or knows what the com_facileforms exploit might be (I'm sure I didn't have this component installed), or can suggest where all these GET requests are coming from?
Cheers!
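The two things worth checking before wiping a box like this are (a) how many distinct fake "download" pages were requested under the suspect component path, which is the signature of an injected doorway/spam script rather than a single exploit request, and (b) whether the client IPs really belong to Googlebot, since a script that cloaks content for Google's crawler will show exactly this pattern of genuine Googlebot hits, while an attacker can also spoof the User-Agent. This is an added example, not code from the thread or from Joomla: it parses Apache access_log lines, summarises hits per IP under the com_facileforms prefix, and applies Google's documented Googlebot check (reverse DNS to a googlebot.com/google.com name, then a forward lookup that must return the same IP). Three sample lines are taken from the thread; the 203.0.113.5 line and the stub DNS answers (PTR names, the forged PTR) are constructed so the block runs offline. Live lookups use socket.gethostbyaddr and socket.gethostbyname when no stub is supplied.

```python
import re
import socket
from collections import Counter, defaultdict

# Matches an Apache common/combined access_log line like the ones quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix of the injected "startdownload-*.html" pages seen in the thread.
SUSPECT_PREFIX = "/components/com_facileforms/startdownload-"


def parse_line(line):
    """Parse one access_log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_real_googlebot(ip, reverse=None, forward=None):
    """Google's documented verification: the PTR name must end in googlebot.com or
    google.com, AND a forward lookup of that name must return the same IP.
    The forward step defeats a forged PTR record that merely claims to be Googlebot.
    reverse/forward are injectable so the check can run offline against stubs."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or socket.gethostbyname
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return False
    if not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    try:
        return forward(host) == ip
    except OSError:
        return False


def triage(lines, reverse=None, forward=None, prefix=SUSPECT_PREFIX):
    """Per client IP hitting the suspect prefix: hit count, number of distinct fake
    filenames, status-code histogram, and whether the IP verifies as Googlebot.
    Many distinct filenames from one crawler IP is the doorway-page signature."""
    per_ip = defaultdict(lambda: {"hits": 0, "names": set(), "statuses": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        e = per_ip[rec["ip"]]
        e["hits"] += 1
        e["names"].add(rec["path"][len(prefix):])
        e["statuses"][rec["status"]] += 1
    return {
        ip: {
            "hits": e["hits"],
            "distinct_names": len(e["names"]),
            "statuses": dict(e["statuses"]),
            "verified_googlebot": is_real_googlebot(ip, reverse, forward),
        }
        for ip, e in per_ip.items()
    }


# Sample input: first four lines are quoted from the thread; the 203.0.113.5 line is constructed.
SAMPLE_LOG = [
    '66.249.66.129 - - [11/Mar/2011:11:20:03 +0000] "GET /components/com_facileforms/startdownload-22.Tech.N9ne.-.Like.Yeah.vob.html HTTP/1.1" 401 475',
    '66.249.66.129 - - [11/Mar/2011:11:20:32 +0000] "GET /components/com_facileforms/startdownload-Petro-The-Soldier.rar.html HTTP/1.1" 401 475',
    '66.249.71.19 - - [11/Mar/2011:11:21:03 +0000] "GET /components/com_facileforms/startdownload-The-Ultimate-Club-Penguin-Hacking-Pack.rar.html HTTP/1.1" 401 475',
    '127.0.0.1 - - [11/Mar/2011:11:22:47 +0000] "GET / HTTP/1.0" 401 456',
    '203.0.113.5 - - [11/Mar/2011:11:23:00 +0000] "GET /components/com_facileforms/startdownload-made-up-name.rar.html HTTP/1.1" 200 1234',
]

# Constructed stub DNS data (assumed, not real lookups). 203.0.113.5 carries a forged PTR
# that names a Googlebot host; the forward lookup exposes it.
STUB_PTR = {
    "66.249.66.129": "crawl-66-249-66-129.googlebot.com",
    "66.249.71.19": "crawl-66-249-71-19.googlebot.com",
    "203.0.113.5": "crawl-66-249-66-129.googlebot.com",
}
STUB_A = {
    "crawl-66-249-66-129.googlebot.com": "66.249.66.129",
    "crawl-66-249-71-19.googlebot.com": "66.249.71.19",
}


def stub_reverse(ip):
    if ip not in STUB_PTR:
        raise OSError("no PTR record")
    return STUB_PTR[ip]


def stub_forward(host):
    if host not in STUB_A:
        raise OSError("no A record")
    return STUB_A[host]


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, stub_reverse, stub_forward).items():
        print(ip, info)
```

Run against a real access_log with `triage(open("access_log"))` and no stubs to do live DNS; 127.0.0.1 and any other path are ignored, and an IP whose PTR claims googlebot.com but does not forward-confirm is reported as unverified.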
11th March 2011, 06:00 PM #2
There have previously been disclosures for SQL injection vulnerabilities and XSS vulnerabilities in that component, so this looks like the SQL attack. All the quoted requests returned HTTP 401, which is "Unauthorized, but specifically when authentication is possible and has failed or not yet been provided", so that's good. Always wipe the box clean before you bring it back up (and next time, preserve the evidence!)