Server Injected via old Joomla install - be warned!

17 replies
When I started working with my bosses (3 months ago) they had a couple of sites that have an old version of Joomla. Not being familiar with Joomla (I do Wordpress sites), I didn't realize the danger.

I recently moved the two sites to new hosting (the old host company was insistent we had to move them off - now I think I understand why). The one site which has version 1.5.22 of Joomla was injected with a perl script just before Christmas and again on the 9th of January 2014. I found 8 files and have deleted all of them and have combed through the folders looking for other suspicious code.

In the end the injection shut down the server with 150 sites (very important sites too).

I have copies of the perl script files and read through them, wondering what they were up to.

My question is this - what would be the purpose of doing this? The code has a line "Open Server Socket" and there are many many urls listed in the code, along with a lot of commenting - like die... killall and rest.... does anyone have any clues?

The other interesting file I found at the cpanel level was gen.roc - a Ruby Script execution. The date of this file was the first day the WHM/cpanel were set up for me....??? thoughts?

I will be re-building the site with WP starting tomorrow... any hints on this are welcome also!

Thank you Susie
#injected #install #joomla #server #warned
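The sweep described in the post (combing the folders for other dropped scripts) can be made repeatable. What follows is an added example, not code from the thread: a POSIX shell triage script that lists recently modified Perl/PHP/CGI files containing socket-opening calls, plus any script file sitting in directories meant for uploads. The web root, the sample files and the search patterns are constructed assumptions, and it goes beyond the Perl-only case in the post by also covering PHP and CGI files.

```shell
#!/bin/sh
# Added example, not from the thread: triage sweep of a web root for recently
# modified Perl/PHP/CGI files that open network sockets (the "Open Server
# Socket" style of dropped script the original post describes). The sample
# web root, file names and patterns below are constructed assumptions.

# Build a constructed sample web root: one ordinary Joomla-style PHP file and
# one dropped Perl script inside an upload directory (images/stories/).
make_sample_root() {
    root="$1"
    mkdir -p "$root/components/com_content" "$root/images/stories"
    printf '%s\n' '<?php defined("_JEXEC") or die; // ordinary component file' \
        > "$root/components/com_content/controller.php"
    printf '%s\n' \
        '#!/usr/bin/perl' \
        'use IO::Socket;' \
        '# Open Server Socket' \
        'my $sock = IO::Socket::INET->new(PeerAddr => "placeholder.invalid");' \
        > "$root/images/stories/.cache.pl"
}

# scan_for_socket_scripts ROOT [DAYS]: list script files under ROOT modified
# within the last DAYS days (default 30) whose contents reference socket
# creation. One path per line.
scan_for_socket_scripts() {
    root="$1"; days="${2:-30}"
    find "$root" -type f \( -name '*.pl' -o -name '*.php' -o -name '*.cgi' \) \
        -mtime "-$days" -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE 'IO::Socket|socket\(|fsockopen\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# scripts_in_upload_dirs ROOT: list script files that sit in directories meant
# for uploads (images/, media/, tmp/, cache/); executable code there is
# suspicious regardless of content or modification time.
scripts_in_upload_dirs() {
    root="$1"
    for d in images media tmp cache; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -name '*.pl' -o -name '*.php' -o -name '*.cgi' \) -print
    done
}

# Demo run against the constructed sample root.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
echo "recent socket-opening scripts:"
scan_for_socket_scripts "$demo_root" 30
echo "scripts in upload directories:"
scripts_in_upload_dirs "$demo_root"
```

The 30-day window and the three patterns are starting points, not a signature: everything listed still needs a manual look, and a script file found under images/ or tmp/ is best compared against a clean copy of the same Joomla release.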
  • kpmedia
    Who was hosting that? Because a properly managed server would NOT harm all the other sites. That doesn't sound like a good host!

    ... unless you had them as add-on domains, of course, not full accounts. That's a security risk waiting to be exploited.

    Joomla is fine as a CMS. But Joomla 1.5.x is old and has exploits.
    Joomla Joomla! version 1.5.2 : Security vulnerabilities

    WordPress isn't any better. Keep this in mind. It gets hacked, too. You need proper security, and this does NOT mean plugins.
  • Weblover50
    Wordpress is actually better, from my experience. In any case keep the script up to date, no matter which open source you are using.

    The injection seems to be doing some kind of spamming, opening a socket connection to somewhere else and probably sending emails etc. Anyway, that doesn't really matter. Stick to what you understand best.
    Signature

    Hosting specials - Hostgator Review and Inmotion Coupon

  • alamest
    What I can advise is to join a hosting company whose support knows a little bit of WordPress or Joomla, because they can help you for FREE. One of the hosting companies, called GVO, I use regularly and forever.
  • Yes indeed, this happened with one of our clients' Joomla sites.
    Signature
    WebDevelopmentGroup NYC & CA- Small Business Web Development, App Development, WordPress Development, Graphic Designs, Online Marketing, Local Marketing & more!. "Call us 1.800.219.1314 or message us!". Visit us today! "Now On Live Chat Mon-Fri.". www.WebDevelopmentGroup.org
    (Whitelable our Services)
    ===================================
    ==> #1 OFFLINE MARKETING FORUM ON THE WEB! <==
    www.OFFLINEMARKETINGFORUM.com
    (Register Now)
    • SusieJones
      Thank you all for your suggestions - yes I am a bit worried about the hosting - as I have usually used Hostgator without any problems, this is a brand new company to me.

      I have many many Wordpress sites and have never had a problem. It definitely is a result of the old install, so I will have to change it over asap.

      I am still not sure I want to stay with this hosting though.

      Thank you for your words Susie
      • shahriyar
        Joomla or WordPress, you should always have your platform & plugins updated. In most cases hackers use a vulnerability in outdated plugins & themes to break in.

        A hacked server can be used for many things: it can become part of a bigger DDoS attack, send 1000s of spam emails using your server, etc. etc.

        Good luck with the wordpress site, be sure to install security plugins to secure the site from hackers.
      • shahriyar
        Originally Posted by SusieJones View Post

        Thank you all for your suggestions - yes I am a bit worried about the hosting - as I have usually used Hostgator without any problems, this is a brand new company to me.
        Hostgator is not a bad host; many of my clients host there without any problem. But I should warn you, even if you choose another host, don't go with Godaddy hosting: both their hosting and hosting support are poor.
        • JenChan
          Originally Posted by shahriyar View Post

          But I should warn you, even if you choose another host, don't go with Godaddy hosting, both their hosting and hosting support is poor.

          AGREE!!!! GoDaddy is the worst hosting provider. For me they have the same quality of hosting as 1&1, all crappy!!!

          Although I don't quite agree with the poor support. I've bought SSL stuff with them and whenever I have questions they are always active on the phone in a very professional way. Although it's mainly pre-sale stuff... I have not tried the technical support though.
          Signature
          Build your next etsy or eBay website today!

          Get 70% discount with your Wordpress and Joomla Web Hosting with SiteGround.
          A complete web hosting and support platform with Cloudacess.
  • JenChan
    I would recommend checking other WordPress-recommended hosts.

    bluehost
    siteground
    dreamhost
    Signature
    Build your next etsy or eBay website today!

    Get 70% discount with your Wordpress and Joomla Web Hosting with SiteGround.
    A complete web hosting and support platform with Cloudacess.
  • kpmedia
    Again:
    Originally Posted by kpmedia

    Don't use
    - Godaddy
    - Yahoo
    - 1&1
    - Dreamhost
    - the 50+ EIG brands, including Hostgator, Bluehost, Justhost, iPage, Fatcow, and a crapload others

    Hostgator is garbage:
    - http://www.warriorforum.com/main-int...-my-sites.html
    - http://www.warriorforum.com/main-int...s-traffic.html
    - http://www.warriorforum.com/main-int...-all-down.html
    - http://www.warriorforum.com/internet...hostgator.html
    - http://www.warriorforum.com/main-int...-want-out.html
    - http://www.warriorforum.com/main-int...-hour-now.html

    I have no idea why people still suggest that in 2014. It's terrible. It's not even the same "Hostgator" anymore, not since summer 2012, and is nothing more than an EIG brand now. There are better hosts.
    Some of the hosts being mentioned here are terrible, and years out of date in terms of being "good" or not. (Not that Hostgator was ever good, mind you.) Some are the same hosts with different names (Bluehost, Hostgator).

    Better hosts include Arvixe, Site5, Stablehost and Veerotech. Use one of those if you need a good host.

    I'd still like to know who the host is used by the OP.

    (Note: Godaddy is making major changes, and I may one day suggest it. But I need to review it for 6 months. It's still a gamble right now.)
    • SusieJones
      kpmedia,

      Thank you very much for this informed reply! I have many sites on Hostgator - maybe I will move them once I get this mess sorted out!

      Cheers Susie
    • SusieJones
      Andrew H - thank you also for your comment - and yes that is my sense of it - it was the outdated version of the Joomla that caused the problem.

      I am currently looking at going straight from the version 1.5 to Wordpress, I found a plugin that can do it and has received great reviews.

      The site is quite big, so to replicate it all by hand will be very time consuming - my bosses are considering going back to the support crowd they have used the last 2.75 years and getting them to do it!

      I will check back to see if you have any suggestions regarding this!

      Cheers Susie

      PS, love the reference to OZ - as I am here!
  • Andrew H
    Well, I don't know how the discussion got to hosting. The problem is 100% related to the insecure Joomla install. I have a very reputable host (Servint), and a Joomla 1.5 website was still hacked on my server (and replaced with a 'Taken over by xxx group, send money to _______@______ to reactivate'). Of course I didn't send the money, but got it all sorted.

    Anyways, yes there are bad hosting companies, and yes most of them listed above are bad. But the moral of the story is Joomla 1.5 is severely out of date. If you have to run it I strongly advise placing an .htaccess in the admin folder to prevent access when you are not in there; this will solve almost all problems.
    Signature
    "You shouldn't come here and set yourself up as the resident wizard of oz."
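One way to act on the ".htaccess in the admin folder" advice above is an IP allow-list on Joomla's administrator/ directory. The script below is an added example, not Andrew H's or the Joomla project's own code: it writes an .htaccess that denies everyone except the listed addresses, emitting both the Apache 2.4 (mod_authz_core) and Apache 2.2 (mod_authz_host) forms so the rule works on either version. The directory path and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not Andrew H's or the Joomla project's own code: write an
# .htaccess into Joomla's administrator/ directory that denies everyone except
# listed IP addresses or ranges. The Apache 2.2 and 2.4 directives are the
# standard ones; the directory path and the demo addresses are placeholders.

# write_admin_htaccess DIR IP [IP...]: create DIR/.htaccess allowing only the
# given addresses or CIDR ranges. Both syntaxes are emitted inside IfModule
# guards so the same file works on Apache 2.4 and 2.2.
write_admin_htaccess() {
    dir="$1"; shift
    [ "$#" -ge 1 ] || { echo "usage: write_admin_htaccess DIR IP [IP...]" >&2; return 1; }
    mkdir -p "$dir"
    {
        echo '# Joomla backend: deny all except listed addresses'
        echo '<IfModule mod_authz_core.c>'
        # Apache 2.4: several Require lines default to RequireAny (any match admits).
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</IfModule>'
        echo '<IfModule !mod_authz_core.c>'
        # Apache 2.2: deny everything, then allow the listed addresses.
        echo '    Order Deny,Allow'
        echo '    Deny from all'
        for ip in "$@"; do echo "    Allow from $ip"; done
        echo '</IfModule>'
    } > "$dir/.htaccess"
}

# count_allowed_ips FILE: number of addresses the file admits (Apache 2.4 lines).
count_allowed_ips() {
    grep -c '^[[:space:]]*Require ip ' "$1" || true
}

# Demo: restrict a throwaway administrator/ directory to one host and one range.
demo=$(mktemp -d)
write_admin_htaccess "$demo/administrator" 203.0.113.10 198.51.100.0/24
cat "$demo/administrator/.htaccess"
```

This only takes effect if the host's AllowOverride setting permits access-control directives in .htaccess files, which is the usual case on cPanel shared hosting, and it must go into administrator/ rather than the site root, or the public site is blocked too. If the admin's address changes often (a dynamic home connection), an allow-list becomes a maintenance burden and HTTP basic authentication on the same directory is the more practical variant of the same idea.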
    • kpmedia
      Originally Posted by Andrew H View Post

      Well, I don't know how the discussion got to hosting. The problem is 100% related to the insecure Joomla install.
      Not necessarily.

      For example, is the host running mod_security? Because that can block many attack vectors.

      Sometimes a certain condition on a server, combined with a certain condition of an app, allows a breach. It can be *just* a site, or *just* a host, yes. But it's not necessarily true. It really depends on exactly what the exploit did. That takes analysis, not a ridiculous knee-jerk "update your site" piece of advice. Because MANY exploits have exactly diddly and squat to do with how updated something is.

      But again, you probably are right. The CMS has a hole in it. Yet having mod_security could have prevented it.

      Going back to original statement, "the injection shut down the server with 150 sites" is piss poor server management. Somebody did something completely stupid with that server. This should NEVER happen on a quality server setup.

      So that's how it got to hosting.
  • nettiapina
    Originally Posted by SusieJones View Post

    My question is this - what would be the purpose of doing this? The code has a line "Open Server Socket" and there are many many urls listed in the code, along with a lot of commenting - like die... killall and rest.... does anyone have any clues?
    Servers are powerful computers connected to very fast internet connections, so criminals are looking to break into them. For example, an average home PC is not very good at sending mail, but servers are configured for that purpose. Email and link spam is one reason, but the servers are also used as an attack platform against more valuable targets and for other nefarious purposes. It's also possible that "it was there" is the only explanation that you can ever find.

    I've also heard that old Joomla sites are vulnerable. Your website just happened to be the weakest link in security.

    Die, killall and rest are probably methods of a programming language or Unix commands.
    Signature
    Links in signature will not help your SEO. Not on this site, and not on any other forum.
    Who told me this? An ex Google web spam engineer.

    What's your excuse?
  • BWHadam
    Never run outdated scripts; hackers are more advanced now. That's what the latest releases and versions are built for. Mostly they inject the code to get other sites hacked or send spam emails.

    As you are switching to WordPress, make sure you have Wordfence installed.
    Avoid downloading every free theme and plugin from low-quality websites. Usually this free stuff is injected with suspicious code that acts like a parasite.

    Though hosts offer backups, for your own safety always have backups downloaded to your PC; I repeat, always have backups of your important websites.
    Signature

    Lowest Possible Price Servers- PawnHost.com

    • SusieJones
      Excellent thoughts and advice regarding the version updates - I agree completely - the company that was supporting them really let them down over the last few years. Hopefully they will come to the party and help us fix it up!

      And yes, thank goodness I do have backups of everything - I installed backup programs on the main sites that have dynamic content updates (like the blog, etc.) and we use mostly straight WP installs with OptimizePress themes running.

      I was burned many years ago with themes I purchased that were full of code that took any traffic away and stole the AdSense $$ !! So I do look at the code and spot any suspicious stuff.

      Thank you everyone that has responded - it is so valuable to be able to come into the WF and get some feedback, instead of people's eyes glazing over !!!

      S