
Touring a compromised Joomla CMS website

Monday, 04 January 2010
This particular compromise changes the titles and descriptions of your pages in Google search engine results, and it is designed to stay invisible when the site is viewed with Firefox, IE, Chrome or another popular browser.
Google Page Result Example with Viagra

Last week, our staff member discovered an interesting and very serious issue while working on a different project for the same site. The page titles and descriptions produced by the Joomla website were different when the site was visited by a standard web browser (Firefox, IE, etc.) than when it was visited by Googlebot (Google's search engine spider).

Translated into the simplest business terms, two visitors to the same site would see distinctly different content depending on the technology they used to view it. Sometimes this happens legitimately, depending on which browser you use and how old it is, but in this case the difference was caused by a compromise. This blog post provides some basic information about what this malicious hack does.
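The difference described above is search-engine cloaking: the server inspects the User-Agent and serves one head section to browsers and another to the crawler. The simplest way to detect it is to fetch the same page twice, once as a browser and once as Googlebot, and diff the title and meta description. The following is an added example, not code from the original post; the User-Agent strings and the two HTML samples are constructed for the demo, and only `fetch_as()` touches the network.

```python
"""Detect search-engine cloaking by comparing the <title> and meta
description a page returns to a normal browser with what it returns
to Googlebot.

Added example, not code from the original post. The User-Agent strings
and the two HTML samples below are constructed for this demo; the URL
passed to check_url() is whatever page you want to check.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings: one for a desktop browser, one for Googlebot.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20100101 Firefox/3.5"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


class _HeadParser(HTMLParser):
    """Collect <title> text and the content of <meta name="description">."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.description = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = (attrs.get("content") or "").strip()

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_head(html):
    """Return {'title': ..., 'description': ...} with whitespace normalised."""
    parser = _HeadParser()
    parser.feed(html)
    parser.close()
    return {"title": " ".join(parser.title.split()),
            "description": " ".join(parser.description.split())}


def fetch_as(url, user_agent, timeout=10):
    """Fetch url presenting the given User-Agent (network; not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def cloaking_diff(browser_html, bot_html):
    """Return {field: (browser_value, bot_value)} for fields that differ.
    An empty dict means the two views agree on title and description."""
    browser, bot = extract_head(browser_html), extract_head(bot_html)
    return {k: (browser[k], bot[k]) for k in browser if browser[k] != bot[k]}


def check_url(url):
    """Fetch url twice with different User-Agents and diff the results."""
    return cloaking_diff(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


# Constructed samples standing in for the two responses of one page.
SAMPLE_BROWSER = """<html><head>
<title>Example Institute - Home</title>
<meta name="description" content="Official site of the Example Institute.">
</head><body>Welcome</body></html>"""
SAMPLE_BOT = """<html><head>
<title>Cheap pills online - Example Institute</title>
<meta name="description" content="Discount pharmacy, order today.">
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for field, (seen, bot) in cloaking_diff(SAMPLE_BROWSER, SAMPLE_BOT).items():
        print(f"{field}: browser={seen!r} googlebot={bot!r}")
```

Run `check_url()` against every indexed page, not just the home page, since injected titles often appear only on a subset of URLs; Google's cached copy of a page is another view worth comparing against the live browser response.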

Page results in Google for this particular website were shown as below, which confirmed our initial finding.

page-titles-descriptions.png

The website I'm referring to here does not sell Levitra or Viagra. It's a reputable institution with thousands of users. The seriousness of this security threat is enormous.

Because the client hosted on their own server and did not have any type of maintenance agreement with us, we had to wait for the client to decide how they wanted to proceed (decision makers on vacation, unable to reach the appropriate individuals, etc.). We implemented a quick fix that removed the hacked lines of code and had the cached pages removed from Google's search index, but the full investigation of their server and site could not begin until we received approval that the hours spent on this issue would be paid for later.

Since that temporary fix only cleaned the hacked files, the issue has reappeared: the security hole still exists because the full investigation was never launched and the root cause has not been resolved. Our more comprehensive recommendation included:

  • Scan files for more dropped hacker files; compare with a known-good version of the site.
  • Audit Joomla's and the server's security settings and make recommendations where needed; we'll implement easy changes immediately and provide recommendations and an estimate for those that require more time. This analysis is based on the official Joomla security checklist.
  • Check log files for how the issue might have happened (up to 6 hours or more may be needed). Find the root of the issue and how the site was compromised.

While we have still not received approval for this funding (which was really minimal, in my opinion, considering the seriousness of this issue), to satisfy my own curiosity I ordered a couple of support staff members to research what this hack does.

And here is what they have found: 

The file administrator/index_old[DOT]php was found under the administrator/ path on the website. Once examined, it became obvious that it is a backdoor script with very extensive capabilities, which are described here along with screenshots. After downloading the script, installing it on a local web server and pointing a browser at it, it prompted for a password.

password-prompt.png

By looking at the code, we found the line containing the password: $admin['pass'] = '11666611'; After successfully logging in, we found a control panel with the following capabilities.

  • File Manager: enables the script user to create, delete, rename, upload, download or change permissions on files and folders, as shown in the image above.
  • MySQL Manager: enables the script user to connect to the database and execute queries.
  • MySQL Upload & Download: enables the script user to export or import the entire database.
  • Execute Program: executes custom commands on the server and, if PHP privileges are not set correctly, can compromise the entire web server.
  • Server Environment: allows the script user to view various PHP and server-related configuration variables.
  • Eval PHP code: allows the script user to execute custom PHP code directly through the script interface.

Notice the "Get plugins" link marked in red, which leads to a download page where one can download plugins that extend the script's capabilities even further.
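Each capability in the list above leaves a footprint in the PHP source: command execution needs functions like `passthru()` or `system()`, "Eval php code" needs `eval()`, the login needs a hard-coded password, and the database manager needs direct MySQL calls. A file that combines several of these is far more likely to be a backdoor than legitimate Joomla code, which typically trips only one such indicator. The following is an added example, not code from the original post: a weighted indicator scan over PHP sources. The weights, the threshold and both PHP samples are constructed; only the variable name `$admin['pass']` comes from the post.

```python
"""Heuristic scan of PHP sources for web-shell indicators that correspond
to the control-panel capabilities listed above: OS command execution,
eval of supplied code, direct database access, file management and a
hard-coded login password.

Added example, not code from the original post. Indicator weights, the
flag threshold and both PHP samples are constructed; only the variable
name $admin['pass'] is taken from the post.
"""
import re

# (regex, weight, meaning). Weights are illustrative, not calibrated.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 3, "eval of runtime-supplied code"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 3,
     "OS command execution"),
    (re.compile(r"\bbase64_decode\s*\("), 2, "encoded payload"),
    (re.compile(r"\$\w+\s*\[\s*['\"]pass(word)?['\"]\s*\]\s*=\s*['\"]"), 2,
     "hard-coded password"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 1, "reads request parameters"),
    (re.compile(r"\b(move_uploaded_file|chmod|unlink|rename)\s*\("), 1, "file management"),
    (re.compile(r"\bmysql_(connect|query)\s*\("), 1, "direct database access"),
]


def scan_source(source):
    """Return (score, [meanings]) for one PHP source string."""
    score, hits = 0, []
    for pattern, weight, meaning in INDICATORS:
        if pattern.search(source):
            score += weight
            hits.append(meaning)
    return score, hits


def scan_files(files, threshold=5):
    """files: {path: source}. Return [(path, score, hits)] at or above
    threshold, highest score first. Legitimate Joomla code trips single
    indicators (it reads request parameters), which is why one hit is
    not enough to flag a file."""
    flagged = [(path, *scan_source(src)) for path, src in files.items()]
    return sorted((f for f in flagged if f[1] >= threshold), key=lambda f: -f[1])


# Constructed samples. The first mimics ordinary Joomla component code;
# the second carries the indicator fragments a backdoor like the one in
# the post would show (it is not a working script).
SAMPLES = {
    "components/com_example/example.php": (
        "<?php\ndefined('_JEXEC') or die('Restricted access');\n"
        "$id = (int) $_GET['id'];\necho $title;\n"
    ),
    "administrator/index_old.php": (
        "<?php\n$admin['pass'] = 'constructed-placeholder';\n"
        "passthru($cmd);\neval(base64_decode($code));\n$cmd = $_POST['c'];\n"
    ),
}

if __name__ == "__main__":
    for path, score, hits in scan_files(SAMPLES):
        print(f"{path}: score {score}; {', '.join(hits)}")
```

A scan like this is a triage aid, not proof: obfuscated backdoors can hide the function names, and some legitimate extensions do call `exec()`. Use it to rank files for manual review after the baseline comparison has narrowed the list, and treat any match under `administrator/` or in upload directories as a priority.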

Conclusion: In business terms, nothing on this website is safe. In technical terms, since this script allows easy manipulation of and access to any file in the website root folder, it could be used to modify meta tags and insert other potentially malicious code into Joomla scripts and/or the database. This script can easily compromise the site, the database and perhaps (depending on the particular settings) the entire server.
For possible methods of infection and recommended measures in this case, please contact our friendly OGO Sense representative for more info. If you would like to avoid or minimize the chance of similar events, consider our Joomla regular or custom maintenance plans, which you can sign up for after having your website designed by OGO Sense. Alternatively, you can request hourly technical support for your issues until you decide to migrate your website to a newer version, at which point we can take over technical maintenance of the website.

Ogy Nikolic
Joomla CMS Security & Technical Support

Last Updated ( Saturday, 09 January 2010 )

Happy Holidays from OGO Sense!

Friday, 25 December 2009

Wishing you happy holidays & looking forward to successful 2010 together!

happy-holidays.jpg

Last Updated ( Friday, 25 December 2009 )

5 Approaches to Help You Decide What Clients to Serve

Wednesday, 02 December 2009

Our Facebook fan Adam Dawes has asked a question on our wall about "deciding what clients to serve."

In short, I would recommend concentrating on clients that have mission critical needs in your industry that you can meet. Mission critical is something that is essential to the accomplishment of an organization’s core responsibilities.
 
The more critical and complex your clients' essential needs are, the greater the chance they are willing to pay you more for meeting them.

To find out what areas will be mission critical, hot and profitable in the future, I use:
  1. Research Papers: Research companies or consultants could cost a lot of money but you could start with their free sample papers. There are tons of good research companies out there that predict what will be hot in the future. For example, Gartner is a great IT research & consulting company.
  2. Current Clients: If you are in business already, you probably have some current clients and could generate a list of the most profitable ones. See how they benefit the most from your services and concentrate on serving more clients with those needs.
  3. Social Media: It's never been easier to hear what issues people are complaining about on Twitter, Facebook and LinkedIn. People are constantly talking and writing about issues that they have. Which of those issues are mission critical ones that you can meet?
  4. Blogs & Forums: There are many quality blogs and forums out there where people talk about your areas of interest. Do the research, make conclusions for yourself and keep yourself up to speed on hot trends.
  5. Conferences: Find out what top experts in your area of business are discussing. I went to Joomla Day NYC 2009, which refreshed and reinforced my thoughts about what we do.
Finally, you may need to readjust your strategy and decision on what clients to serve over time because their mission critical needs may shift. At OGO Sense I spend about 50% of my time researching new opportunities. If you're serving only a local market and depending on your company size, you may be able to spend more or less time.

If you have any other ideas for what you would like to hear about on our blog related to Business Consulting, Joomla Development and Support, please join our Facebook fan page or leave a comment below. 

Ogy Nikolic
Be my FB Friend

Last Updated ( Wednesday, 02 December 2009 )

5 reasons NOT to use Joomla CMS in 2010

Friday, 27 November 2009

1. Why update your own content when you can pay your traditional graphics designer hundreds of dollars for updating basic content.

2. You don't need any advanced functionalities. It's much better to have a brochure style website that never changes.

3. Automating manual tasks can be dangerous and could lead some staff to have extra free time and they may be in danger of having to do something else.

4. If it was easy to add new content to your website, you would feel a need to do so because search engines like new content. Who needs any extra work at their job?

5. Online technology is moving too fast for you. Why would you want to try to catch up when it is much easier to give up right now?

Do you know any other reasons NOT to use Joomla CMS in 2010?

--
Ogy Nikolic | Managing Director | OGO Sense
tel.+1 (617) 418-4646 | send me an email | skype: ogosense  

Last Updated ( Friday, 27 November 2009 )

Joomla Event Registration Workflow

Tuesday, 08 September 2009

Workflow screenshots 1.jpg through 8.jpg (images not reproduced here)

Last Updated ( Tuesday, 08 September 2009 )