When people contact us about hacked website they often state that there website must have been hacked due to running an outdated version of a CMS (WordPress, Joomla, Drupal, etc.). In most cases this isn’t true; there are a number of other issues that lead to most hackings. Unfortunately there are a lot of people providing security advice – including web hosts and security companies – who don’t know what they are talking about that will tell people that website must have been hacked due to an outdated CMS without actually determining that, which likely leads to the people contacting us believing that. Because we actually determine how a website gets hacked we actually know when it is a vulnerability in an outdated version of a CMS that is at fault and it is worth mentioning.<\/p>\n
Based on a website we just cleaned up we can see that a vulnerability that existed in Joomla 1.6, 1.7, and 2.5.0-2.5.2 is actively being exploited now. The vulnerability<\/a> isn’t new; it was publicly disclosed on March 15, 2012. Exploitation of the vulnerability isn’t new either; we found that the website had also been exploited in July and August of last year. The vulnerability allows a hacker to register a new user with “Administrator” privileges and then they can use the access provided by that user for malicious purposes. The best way to protect your website against the vulnerability is to upgrade<\/a> to the latest version of Joomla 2.5, as number of other security issues have been fixed in subsequent version. If you are unable to do that in a timely manner, disabling user registration<\/a> should protect the website as that will block a hacker from being able to register a new user.<\/p>\n One of the first things we do when trying to determine how a website is hacked is to look over the files. Most hacks are contained in the files and the metadata and location of the files can provide important information. In some cases the ownership of the file will point to a possible source. In other cases the last modified date on the file can be used to narrow where we need to start looking in the log files for indication of the source. In some cases the hacker sets the last modified dates on files to match other files so that cannot be done. If a hacker is using a backdoor script that they placed on the website, which allows them remote access to the website, we can find that access in the logs. In this case the last modified dates had not been tampered with by the hacker and backdoor script had been accessed, so we had a good starting point.<\/p>\n First up we spotted the first access to the backdoor script in the log of requests to the website (we replaced some of the identifying information from the log entries shown):<\/p>\n 78.47.55.70 – – [07\/Jan\/2014:03:53:31 -0700] “GET example.com\/modules\/mod_administrator\/config.php HTTP\/1.1” 200 189 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 9 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/modules\/mod_administrator\/config.php” 11922<\/p>\n The entries right before that shed more light on the situation. They show that the same person had just logged in to the administrator area of Joomla and installed an extension. The extension they installed would have contained the backdoor script that they would access right afterwards.<\/p>\n 78.47.55.70 – – [07\/Jan\/2014:03:53:22 -0700] “GET example.com\/administrator\/index.php HTTP\/1.1” 200 4362 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 0 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 1344521 Those log entries contained the username of the user that had accessed the admin, mainaadmin. With that we could take a look at the details for that user in the database to get some idea of if the user is an account that was comprised or a malicious account. The email address,\u00a0ivan.kachelya@yandex.ru, was from a Russian website, so that made it likely that it was a malicious user as the website is a locally focused US website with a webmaster in the US. Also included in the data is the date the account was registered, which we could then use to see how the account was created in the log file.<\/p>\n The log files showed the user being created through the User Registration page:<\/p>\n 94.244.157.180 – – [04\/Jan\/2014:07:43:34 -0700] “GET example.com\/index.php?option=com_users&view=registration HTTP\/1.1” 200 9676 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 0 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 2302755 Normally a user created that way would not be an “Administrator”, which this user was, so we checked to make sure that the registration settings had not been set to do that and there were not. The question then was how the user became an “Administrator”. A likely source would be a privilege escalation vulnerability that would allow a lower level user to change their account to have “Administrator” privileges. A quick check for Joomla privilege escalation brought the vulnerability<\/a> we mentioned earlier. The Joomla version in use was a vulnerable version and the log of the user registration appears to match with what needs to be done to exploit the vulnerability, so we then had the likely source of the hack.<\/p>\n","protected":false},"excerpt":{"rendered":" When people contact us about hacked website they often state that there website must have been hacked due to running an outdated version of a CMS (WordPress, Joomla, Drupal, etc.). In most cases this isn’t true; there are a number of other issues that lead to most hackings. Unfortunately there are a lot of people … Continue reading “Vulnerability in Joomla 1.6, 1.7, and 2.5.0-2.5.2 Being Exploited Now”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,15],"tags":[],"class_list":["post-1836","post","type-post","status-publish","format-standard","hentry","category-joomla","category-website-security"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=1836"}],"version-history":[{"count":12,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1836\/revisions"}],"predecessor-version":[{"id":1848,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/1836\/revisions\/1848"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=1836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=1836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=1836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Determining How a Website Got Hacked<\/h2>\n
\n78.47.55.70 – – [07\/Jan\/2014:03:53:23 -0700] “POST example.com\/administrator\/index.php HTTP\/1.1” 303 220 “http:\/\/example.com\/administrator\/” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 1 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 536578
\n78.47.55.70 – – [07\/Jan\/2014:03:53:24 -0700] “GET example.com\/administrator\/index.php HTTP\/1.1” 200 31537 “http:\/\/example.com\/administrator\/” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 2 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 1282790
\n78.47.55.70 – – [07\/Jan\/2014:03:53:26 -0700] “GET example.com\/administrator\/index.php HTTP\/1.1” 200 31537 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 3 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 231378
\n78.47.55.70 – – [07\/Jan\/2014:03:53:27 -0700] “GET example.com\/administrator\/index.php?option=com_installer HTTP\/1.1” 200 23546 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 4 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 743778
\n78.47.55.70 – – [07\/Jan\/2014:03:53:28 -0700] “POST example.com\/administrator\/index.php?option=com_installer&view_install HTTP\/1.1” 303 504 “mainaadmin\/administrator\/” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 5 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 1080171
\n78.47.55.70 – – [07\/Jan\/2014:03:53:29 -0700] “GET example.com\/administrator\/index.php?option=com_installer&view=install HTTP\/1.1” 200 23817 “mainaadmin\/administrator\/” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 6 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 199474
\n78.47.55.70 – – [07\/Jan\/2014:03:53:29 -0700] “POST example.com\/administrator\/index.php HTTP\/1.1” 200 23554 “http:\/\/example.com\/administrator\/index.php?option=com_installer” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 7 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 500162
\n78.47.55.70 – – [07\/Jan\/2014:03:53:30 -0700] “GET example.com\/administrator\/index.php?option=com_installer&view_install HTTP\/1.1” 200 23529 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 8 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/administrator\/index.php” 172137<\/p>\n
\n94.244.157.180 – – [04\/Jan\/2014:07:43:36 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 231 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 1 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 409104
\n94.244.157.180 – – [04\/Jan\/2014:07:43:37 -0700] “GET example.com\/component\/users\/?view=registration HTTP\/1.1” 200 9611 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 2 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 279085
\n94.244.157.180 – – [04\/Jan\/2014:07:43:37 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 247 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 3 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 1082792
\n94.244.157.180 – – [04\/Jan\/2014:07:43:38 -0700] “GET example.com\/component\/users\/?view=registration&layout=complete HTTP\/1.1” 200 5977 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 4 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 290820
\n94.244.157.180 – – [04\/Jan\/2014:07:43:39 -0700] “GET example.com\/index.php?option=com_user&view=register HTTP\/1.1” 302 201 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 5 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 125098
\n94.244.157.180 – – [04\/Jan\/2014:07:43:39 -0700] “GET example.com\/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP\/1.1” 200 14916 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 6 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 799530
\n94.244.157.180 – – [04\/Jan\/2014:07:43:40 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 7 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 586594
\n94.244.157.180 – – [04\/Jan\/2014:07:43:41 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 8 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 496821
\n94.244.157.180 – – [04\/Jan\/2014:07:43:44 -0700] “GET example.com\/index.php?option=com_users&view=registration HTTP\/1.1” 200 9539 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 9 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 288962
\n94.244.157.180 – – [04\/Jan\/2014:07:43:44 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 231 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 10 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 306529
\n94.244.157.180 – – [04\/Jan\/2014:07:43:45 -0700] “GET example.com\/component\/users\/?view=registration HTTP\/1.1” 200 9611 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 11 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 294107
\n94.244.157.180 – – [04\/Jan\/2014:07:43:45 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 231 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 12 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 305668
\n94.244.157.180 – – [04\/Jan\/2014:07:43:46 -0700] “GET example.com\/component\/users\/?view=registration HTTP\/1.1” 200 9609 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 13 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 278854
\n94.244.157.180 – – [04\/Jan\/2014:07:43:46 -0700] “GET example.com\/index.php?option=com_user&view=register HTTP\/1.1” 302 201 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 14 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 61939
\n94.244.157.180 – – [04\/Jan\/2014:07:43:47 -0700] “GET example.com\/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP\/1.1” 200 14722 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 15 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 298259
\n94.244.157.180 – – [04\/Jan\/2014:07:43:47 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 16 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 497553
\n94.244.157.180 – – [04\/Jan\/2014:07:43:48 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 17 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 527134
\n94.244.157.180 – – [04\/Jan\/2014:07:43:50 -0700] “GET example.com\/index.php?option=com_users&view=registration HTTP\/1.1” 200 9601 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 18 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 263082
\n94.244.157.180 – – [04\/Jan\/2014:07:43:51 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 231 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 19 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 313744
\n94.244.157.180 – – [04\/Jan\/2014:07:43:51 -0700] “GET example.com\/component\/users\/?view=registration HTTP\/1.1” 200 9611 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 20 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 291806
\n94.244.157.180 – – [04\/Jan\/2014:07:43:52 -0700] “POST example.com\/index.php?option=com_users&task=registration.register HTTP\/1.1” 303 231 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 21 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 335271
\n94.244.157.180 – – [04\/Jan\/2014:07:43:52 -0700] “GET example.com\/component\/users\/?view=registration HTTP\/1.1” 200 9609 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 22 “redirect-handler” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 279791
\n94.244.157.180 – – [04\/Jan\/2014:07:43:53 -0700] “GET example.com\/index.php?option=com_user&view=register HTTP\/1.1” 302 201 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 23 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 78710
\n94.244.157.180 – – [04\/Jan\/2014:07:43:53 -0700] “GET example.com\/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP\/1.1” 200 14722 “-” “Opera\/9.80 (Windows NT 6.0) Presto\/2.12.388 Version\/12.14” 24 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 364741
\n94.244.157.180 – – [04\/Jan\/2014:07:43:54 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 25 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 475204
\n94.244.157.180 – – [04\/Jan\/2014:07:43:54 -0700] “POST example.com\/index.php?option=com_user HTTP\/1.1” 200 7318 “http:\/\/example.com” “Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36” 26 “x-httpd-php” “\/var\/chroot\/home\/content\/59\/2190232\/html\/index.php” 502942<\/p>\n