Touring a compromised Joomla CMS website

 E-mail
Monday, 04 January 2010
This specific website compromise changes titles and descriptions of your website in Google search Engine results and is designed not to be visible on your website if you use Firefox, IE, Chrome or other popular browser.
Google Page Result Example with Viagra

Last week, our staff member discovered an interesting and very serious issue while working on a different project for the same site. Page titles and descriptions produced by the Joomla website where different if the site was visited by standard web browsers (Firefox, IE, etc) than by Googlebot (Google's search engine spider).

Translated in the simpliest business terms, it would mean that two site visitors would see distinct differences on the same site depending on what type of technology they used to view it. Sometimes this may happen depending on what and how old browser you are using but in this case, the issue was related to a compromise where I will provide some basic information in this blog post about what this malicious hack does. 

Page results in Google for this particular website were shown as below which confirmed our initial finding.

page-titles-descriptions.png

The website that I'm referring here does not sell Levitra or Viagra. It's a reputable institution with thousands of users. The seriousness of this security threat is enormous. 

Considering that the client was hosting on their own server and did not have any type of maintenance agreement with us, we had to wait for the client to decide what they would like to do (decision makers on vacation, cannot reach appropriate individuals etc). We implemented a quick fix which removed the hacked lines of code and removed cached pages from the Google's Search index but the full investigation on their server and site could not begin until we received necessary approvals that hours spent on this issue would be paid for later.

Now, since we have temporarily fixed the hacked files once, the issue has appeared again because the security hole still existed in the system considering that the full investigation was not launched and issue fully resolved until now. Our more comprehensive recommendation included: 

  • Scan files for more dropped hacker files: - compare w/ good version of the site.
  • Audit Joomla's and server's security settings and make recommendations if any; we'll implement easy changes immediately and provide recommendations/estimate for those that require more time.  This analysis is based on the official Joomla security checklist.
  • Check log files for how the issue might have happened ( up to 6 hours & more may be needed). Find the root of the issue & how the site has been compromised.

While we have still not received an approval for this funding (which was really minimal in my opinion considering the seriousness of this issue), to satisfy my own curiosity I ordered a couple of support staff members to research what this hack does.

And here is what they have found: 

The file: administrator/index_old[DOT]php was found under path administrator/ on the website. Once examined, it became obvious that it is a backdoor script with very high capabilities which will be described here along with screenshots. After downloading tpassword-prompt.pnghe script, installing it on a local web server and pointing a browser to it, it prompted for a password.

By looking at code, we found the line containing the password : $admin['pass'] = '11666611'; After succesfully loging in, we found a control panel with the following capabilities.

  • File Manager: Enables script user to create, delete, rename, upload, download or change permissions on files and folders, as shown on the image above.
  • MySQL Manager: Enables script user to connect to the database and execute queries.
  • MySQL Upload & Download: Enables script user to export or import entire database.
  • Execute Program: This can execute custom commands on server and if the php privileges are not set correctly, can compromise entire web server.
    Server Environment: It alows script user to view various php and server related configuration variables.
  • Eval php code: Alows script user to execute custom php code directly through script interface.

Notice "Get plugins" link marked with red color that leads to download page where one can download plugins that improve script capabilities even further.

Conclusion: In business terms, nothing on this website is safe. In technical terms, since this script allows easy manipulation and access to any file in the website root folder, it could be used to modify meta tags and insert other potentially malicious code in Joomla scripts and/or database. This script can easily compromise site, database, and perhaps (depending on particular settings) entire server.
For possible methods of infection & recommended measures in this case, please contact our friendly OGO Sense representative for more info. If you would like to avoid or minimize a chance of similar events, you should consider our Joomla regular or custom maintenance plans that you could sign up for after having your website designed by OGO Sense. Alternatively, you could request hourly technical support for your issues until you decide to migrate your website to a newever version where we could take over technical maintenance of the website. 

Ogy Nikolic
Joomla CMS Security & Technical Support

Last Updated ( Saturday, 09 January 2010 )
 
NORTH AMERICA:
OGO Sense
PO BOX 10225
Portland, Maine 04104
United States
Email: This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
US Phone: +1 (617) 418-4646
UK Phone: + 44 20 7617 7508
US Fax: +1 (617) 446-1468
Skype: ogosense
EUROPE:
OGO Sense
Brace Mazara. 47
78000 Banja Luka, RS
Bosnia and Herzegovina