(This article is in English so that more people can get help getting their websites back up.)

The JusNytt website was recently moved from an old computer in my basement to an external third party provider. Most Internet sites are run off similar providers, and this sometimes results in less control over security and access settings than you can pull off at home. In addition, many Internet sites are built on standard CMS (content management systems). It is now clear that the Joomla CMS suffers from a critical vulnerability, leaving it and the sites hosted by the system open to malicious hacker attacks. This has resulted in an automated mass attack in the last hours, targeting thousands of net sites powered by Joomla. This article briefly describes the issue, and how to defeat the attack. (Note: I am not a techie, I just get motivated by someone messing with my site...)


The problem - Joomla exploit for superadministrator

The Joomla exploit seems to affect all versions in the newly released 1.5 major upgrade of the system. One of the many sites affected was the Joomla site itself, along with JusNytt.no and many others. The hackers have been able to take administrative control over the sites, effectively gaining access as superadministrators with all access and control privileges. The fault seems to lie with the process for handling user initiated password requests. A user can request a password reset, causing a token to be returned to the user by email. When this token is later presented to the issuing system, the validation step can be bypassed, and the user would then be allowed access as the first registered and enabled user in the system. The first such user in a typical Joomla installation would be the Superadministrator.

Due to the sheer scale of the attack on Joomla based Internet sites, it seems that the hackers follow a standard and automated protocol: the typical site will suffer from a splash front page stating that the site has been hacked, with all subpages displaying this same statement throughout the site. Access to your site will be denied, as the hackers will have altered the password required to log on. The changes to the site presentation will have been done by altering the template HTML file which all other pages are built upon.

For any site owner or administrator, this means that you are effectively shut out from your own site.


The Joomla CMS fix - shutting the hackers out

The Joomla team have made a patch, version 1.5.6, which should be installed by all Joomla 1.5 users immediately. The patch effectively closes the exploit. As an alternative to upgrading, the prudent site owner should at least patch the file /components/com_user/models/reset.php with the following code (from the Joomla developers site):

On line 113, after global $mainframe;, insert:

    // A genuine reset token is exactly 32 characters; reject anything else
    // before it reaches the database lookup.
    if (strlen($token) != 32) {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }
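To show why the length check matters, here is the reset lookup modelled in Python (an added example, not code from the article or from Joomla), with an in-memory SQLite table standing in for Joomla's users table and constructed accounts and token: a lookup that does not check the token's form matches the first enabled account whenever the token is empty, while the 1.5.6 guard rejects it before the database is queried.

```python
import sqlite3

# Constructed sample data standing in for Joomla 1.5's users table. An account
# that has finished registration carries an EMPTY activation column; a pending
# password reset stores the issued 32-character token in that same column.
VISITOR_TOKEN = "3f2b9c0d1e4a5b6c7d8e9f0a1b2c3d4e"  # constructed, 32 chars
USERS = [
    # (id, username, block, activation)
    (62, "admin", 0, ""),               # first enabled user: the Super Administrator
    (63, "editor", 0, ""),
    (64, "visitor", 0, VISITOR_TOKEN),  # the only account with a reset in progress
]


def make_db():
    """Build the in-memory table the two lookups below run against."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "block INTEGER, activation TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return db


def confirm_reset_vulnerable(db, token):
    """Pre-1.5.6 logic: look the token up without checking its form.
    Returns the id of the first enabled user whose activation column equals
    the token, so an empty token matches every activated account."""
    row = db.execute(
        "SELECT id FROM users WHERE block = 0 AND activation = ? ORDER BY id",
        (token,),
    ).fetchone()
    return row[0] if row else None


def confirm_reset_fixed(db, token):
    """1.5.6 logic: the strlen($token) != 32 guard from the patch above,
    applied before the database is consulted."""
    if len(token) != 32:
        return None  # Joomla sets the INVALID_TOKEN error here
    return confirm_reset_vulnerable(db, token)


if __name__ == "__main__":
    db = make_db()
    print(confirm_reset_vulnerable(db, ""))        # 62: admin, without ever holding a token
    print(confirm_reset_fixed(db, ""))             # None: rejected by the length check
    print(confirm_reset_fixed(db, VISITOR_TOKEN))  # 64: a genuine token still works
```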

The site fix - how to regain access and privileges

First you need to regain control over your site, meaning that you must be able to log on to your CMS administrative module. Since the password has been changed, you must either access your SQL database and reset the password, or bypass the password check altogether. In my case, accessing MySQL was a bit troublesome with my new ISP. I followed this procedure instead, which worked nicely. Obviously, this is a little risky, in that your site will be vulnerable for the few seconds it takes to log on and regain control:

Locate and transfer the file \plugins\authentication\joomla.php from your site to your local computer. Save a copy of this file as a future backup before modifying it. Open the file in a text editor and locate this line:

if ($crypt == $testcrypt)

...and alter this line to read

if (true /* $crypt == $testcrypt */)

This enables all logins, which is obviously something you do not want as a permanent solution. This is why you now log on as administrator to the administration module and immediately update your password under User Administration; once you are back in, put the backed-up joomla.php back in place so the password check is in force again. I would also recommend that you change the name of your administrator account at the same time, as this would make it more difficult for the hackers to gain access with their automated attack protocols (they will most likely assume that you are using the default administrator user name).

Other recommendations you may consider: alter your secrets in config.php, move the Joomla configuration file to a different location, reset the access permissions (use CHMOD or any FTP program) for all public Joomla folders (at least 755) and files (644), set your .htaccess parameters if you are on an Apache server, upgrade to PHP5, remove templates you do not actively use, and make sure your installation folder and files have actually been deleted.

Good luck.