Web site with problems (with Linux browsers only)

Hi, a friend of mine is running a Joomla based website http://www.DeutscheInMelbourne.net . The first page renders fine on Windows and Apple devices but has a full page of spam gibberish <a href>'s (to the most wanted items if I believe in spam) before the header menu starts (so I have to scroll down to see any useful content). I tried on two Ubuntu machines running Ubuntu 12.04, and tried Chrome and Firefox, always with the rubbish in it. Stranger, it does not even appear in the page source if I look at it using Windows or Apple machines. I did not look at the server yet (and my friend isn't an IT expert) but I find it that weird that I don't have the slightest idea what the cause might be. Any ideas? Thanks for answers, Peter

Hi,
a friend of mine is running a Joomla based website http://www.DeutscheInMelbourne.net .
The first page renders fine on Windows and Apple devices
but has a full page of spam gibberish <a href>'s (to the most wanted items if I believe in spam) before the header menu starts (so I have to scroll down to see any useful content)
I tried on two Ubuntu machines running Ubuntu 12.04, and tried Chrome and Firefox, always with the rubbish in it.
Stranger, it does not even appear in the page source if I look at it using Windows or Apple machines.
I did not look at the server yet (and my friend isn't an IT expert) but I find it that weird that I don't have the slightest idea what the cause might be.
Peter
The site has been hacked. Your friend may have inadvertently left a file as read/write or the ISP is hacked, quite a number are these days but are in denial. Is he using a shared VPS? Some code may have been placed into a core file somewhere, probably in a .inc file, or maybe in a free text field and inserted into the database. I hope he had backup from say a month ago. The code may have been placed any time while developing so even a month may not be enough. Google "hacking Drupal" or "hacking Joomla", etc, there are quite good tuts and videos on how to hack CMS systems and better still how to reduce the probability. Further, if he (is developing on a windows home pc and) has no intrusion protection, high quality firewalls, etc, he could find that his personal machine is also hacked and that he is inadvertently placing the code while developing. Hope this helps, Roger

On 28/09/2012, at 9:40, Roger <arelem@bigpond.com> wrote:
Further, if he (is developing on a windows home pc and) has no intrusion protection, high quality firewalls, etc, he could find that his personal machine is also hacked and that he is inadvertently placing the code while developing.
The FTP credentials stored on a desktop with malware are the most common cause of inserted malicious code, I've found. Another common one is a vulnerable version of Joomla, which is easy for spiders to find on the web. I'd recursive grep over the whole site's files for eval( and variations of '<scr'+'ipt>' used to inject html. Also, often the bad code will only be served to specific users to e.g. prevent google from detecting the site hosts malicious code
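A recursive scan for the markers Hannah names, added here as an example (not code from the thread or from Joomla): it walks a web root and reports every line matching eval( or a split '<scr'+'ipt' string. base64_decode( is an extra pattern added as an assumption, and demo_tree() builds a constructed sample tree so the script runs offline.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# (label, regex). The split-tag pattern catches '<scr'+'ipt' and "<scr"."ipt";
# other splits (e.g. '<s'+'cript') need their own entry.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("split-script-tag", re.compile(r"['\"]<scr['\"]\s*[+.]\s*['\"]ipt", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),  # assumption: common in PHP webshells
]
SCAN_EXT = {".php", ".phtml", ".inc", ".js", ".html", ".htm"}

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, truncated_line) for every pattern hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((lineno, label, line.strip()[:120]))
    return hits

def scan_tree(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan every file with a code extension under root; return {relative_path: hits}."""
    findings: Dict[str, List[Tuple[int, str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo_tree() -> str:
    """Constructed sample site: one clean file, one injected module, one non-code file."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "modules", "mod_menu"))
    samples = {
        "index.php": "<?php\ndefine('_JEXEC', 1);\necho 'hello';\n",
        "modules/mod_menu/mod_menu.php": "<?php\n$x = 'aGk=';\neval(base64_decode($x));\n"
        "document.write('<scr'+'ipt src=\"http://example.invalid/x.js\"></scr'+'ipt>');\n",
        "README.txt": "eval( here is not scanned\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else demo_tree()
    for path, hits in sorted(scan_tree(target).items()):
        for lineno, label, line in hits:
            print(f"{path}:{lineno}: [{label}] {line}")
```

Run it with the web root as the argument; with no argument it scans the constructed demo tree.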

On 09/28/2012 09:55 AM, hannah commodore wrote:
On 28/09/2012, at 9:40, Roger <arelem@bigpond.com> wrote:
Further, if he (is developing on a windows home pc and) has no intrusion protection, high quality firewalls, etc, he could find that his personal machine is also hacked and that he is inadvertently placing the code while developing. The FTP credentials stored on a desktop with malware are the most common cause of inserted malicious code, I've found.
Another common one is a vulnerable version of Joomla, which is easy for spiders to find on the web.
I'd recursive grep over the whole site's files for eval( and variations of '<scr'+'ipt>' used to inject html.
Also, often the bad code will only be served to specific users to e.g. prevent google from detecting the site hosts malicious code
Thanks Hannah, you have given me something else to consider. I'll run those on our server. If my understanding is correct, Joomla has had, and still has security issues as did/does Typo3. They are being addressed but may be still an issue to be dealt with. Trouble with the above approach is denial. The fellow doesn't know web security, personal computer security and probably is not going to have a clue what the above means let alone trying it. He won't know grep or what else to look for. Add this to "it doesn't happen to me", "my pc is secure", "it's not my fault". Roger

On Fri, 28 Sep 2012, Roger wrote:
If my understanding is correct, Joomla has had, and still has security issues as did/does Typo3.
Nearly all software has security issues. Joomla was chosen because it can be used by "non-techies" to get a website up and running. Personally, PHP stands for "Peter hates PHP (Peter hosting PHP)", because I have seen quite a few hacks on PHP based websites. I try to avoid being admin for public PHP based websites (but I was not always lucky in this regard). I don't know whether it is the language itself, or the fact that it is used by less experienced people. Regards Peter

Peter Ross wrote:
I don't know whether it is the language itself, or the fact that it is used by less experienced people.
Wikipedia's PHP article used to point out that while a quarter to a third of *ALL* vulnerabilities reported on MITRE were PHP-related, "only" about (IIRC) one in fifty of those were vulnerabilities in the PHP core (i.e. fuckups by the people who *write* PHP as opposed to the people who merely write *in* PHP). Sigh. Sadly, I didn't take a screenshot at the time and ICBF learning how to do version control in mediawiki. This still works: http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/

If my understanding is correct, Joomla has had, and still has security issues as did/does Typo3.
Nearly all software has security issues.
Joomla was chosen because it can be used by "non-techies" to get a website up and running.
Drupal: I learned from zilch on Drupal, it has almost no requirement to learn php. I've been developing for a couple of years, lately on Drupal 7, I found it's easier than Joomla. Wouldn't go back to Drupal 6 as there are too many exploits on it. I'd love to move to Ruby but Typo3 is still, to my mind, immature, especially the installation and UI. Regards Roger

On Fri, 28 Sep 2012, Roger wrote:
Hi,
a friend of mine is running a Joomla based website http://www.DeutscheInMelbourne.net .
The first page renders fine on Windows and Apple devices
but has a full page of spam gibberish <a href>'s (to the most wanted items if I believe in spam) before the header menu starts (so I have to scroll down to see any useful content)
I tried on two Ubuntu machines running Ubuntu 12.04, and tried Chrome and Firefox, always with the rubbish in it.
Stranger, it does not even appear in the page source if I look at it using Windows or Apple machines.
I did not look at the server yet (and my friend isn't an IT expert) but I find it that weird that I don't have the slightest idea what the cause might be.
Peter
The site has been hacked.
I am afraid so too.. I just find it very odd that the spam seems to be delivered to Linux machines only.. hmmh, at least I don't see it in the page source under Windows or Apple... Do you have an explanation for that? Regards Peter

On 28/09/2012, at 9:57, Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
I just find it very odd that the spam seems to be delivered to Linux machines only.. hmmh, at least I don't see it in the page source under Windows or Apple...
Do you have an explanation for that?
It could be using JavaScript to inject stuff into the DOM after the page is loaded. If you use the Web Inspector or Firebug you can see the source after it has been manipulated

On Fri, 28 Sep 2012, hannah commodore wrote:
On 28/09/2012, at 9:57, Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
I just find it very odd that the spam seems to be delivered to Linux machines only.. hmmh, at least I don't see it in the page source under Windows or Apple...
Do you have an explanation for that?
It could be using JavaScript to inject stuff into the DOM after the page is loaded. If you use the Web Inspector or Firebug you can see the source after it has been manipulated
I disabled JavaScript in the browser and still see the spam. It took a while until he believed me (I am just this Linux geek who does not use proper computers;-) because he cannot see it at all, and AFAIK no other user notified him. To be hacked is one thing - but that it targets Linux users only?? I tried Windows on a VM (so it has the same IP address) then I don't see it. I also tried it from two different locations and IP addresses (different providers too) under Linux - always see the rubbish when I am using Linux. Regards Peter

Peter Ross wrote:
To be hacked is one thing - but that it targets Linux users only??
It would be clever for a spammer to inject the data only when the U-A is "hi I'm googlebot", because then it would be far less obvious that it was compromised -- as you've seen. A naïve implementation might try to do that by blacklisting known end user UAs (i.e. IE, FF) rather than whitelisting known spider UAs, which would result in you seeing it if your UA happened to not match the blacklist.

Hi, Can you pastebin the output and/or the page source (if it's appropriate to)? Mike. On 28/09/12 10:40, Trent W. Buck wrote:
Peter Ross wrote:
To be hacked is one thing - but that it targets Linux users only??
It would be clever for a spammer to inject the data only when the U-A is "hi I'm googlebot", because then it would be far less obvious that it was compromised -- as you've seen.
A naïve implementation might try to do that by blacklisting known end user UAs (i.e. IE, FF) rather than whitelisting known spider UAs, which would result in you seeing it if your UA happened to not match the blacklist.
luv-main mailing list luv-main@luv.asn.au http://lists.luv.asn.au/listinfo/luv-main

On Fri, 28 Sep 2012, Michael Lindner wrote:
Can you pastebin the output and/or the page source (if it's appropriate to)?
I guess you can download it if you have a Linux box. Simply try "curl http://www.deutschinmelbourne.net" and look for cialis etc. As a friend just pointed out, many links redirect to puma-uk.com, and Google lists this (also Joomla based, btw) website as compromised. Regards Peter

Peter Ross wrote:
Simply try "curl http://www.deutschinmelbourne.net" and look for cialis etc.
It's by user agent.

$ curl -s www.deutscheinmelbourne.net | grep -i cialis | head -3
buy cialis manila
cialis price in dubai
how does fake cialis look
$ curl -sA"W3C standards are important. Stop fucking obsessing over user-agent already." www.deutscheinmelbourne.net | grep -i cialis
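The same user-agent check as a small script, added here as an example (not code from the thread or from Joomla): it fetches one URL with several constructed User-Agent strings, and analyze() flags content that differs by UA, which is what a cloaked injection looks like from outside. The spam terms and UA strings are assumptions.

```python
import re
import sys
import urllib.request
from typing import Dict, List

# Constructed UA strings: two browsers, curl, and Google's crawler.
USER_AGENTS: Dict[str, str] = {
    "windows-firefox": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
    "linux-firefox": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0",
    "curl": "curl/7.22.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
# Terms from the thread; extend with whatever the injected links on your site advertise.
SPAM_TERMS = re.compile(r"\b(cialis|viagra)\b", re.I)

def fetch(url: str, user_agent: str, timeout: float = 15.0) -> str:
    """GET url with an explicit User-Agent header and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def analyze(bodies: Dict[str, str]) -> Dict[str, object]:
    """Count spam terms per response and flag content that varies by User-Agent.

    bodies maps a UA label to the HTML it received. Result keys:
      per_ua       {label: {"bytes": n, "spam_hits": k}}
      spammed_uas  labels whose body contains a spam term (sorted)
      cloaked      True when some but not all UAs got spam, i.e. the server
                   chooses what to serve by User-Agent
    """
    per_ua = {label: {"bytes": len(body), "spam_hits": len(SPAM_TERMS.findall(body))}
              for label, body in bodies.items()}
    spammed: List[str] = sorted(l for l, v in per_ua.items() if v["spam_hits"] > 0)
    return {"per_ua": per_ua, "spammed_uas": spammed,
            "cloaked": 0 < len(spammed) < len(per_ua)}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ua_cloak_check.py URL")
    report = analyze({label: fetch(sys.argv[1], ua) for label, ua in USER_AGENTS.items()})
    for label, stats in report["per_ua"].items():
        print(f"{label:16} {stats['bytes']:7d} bytes  {stats['spam_hits']:3d} spam hits")
    print("cloaked by user agent:", report["cloaked"], "->", report["spammed_uas"])
```

A large byte-count difference between UAs with zero spam hits everywhere still deserves a look: the injected text may simply use terms not in SPAM_TERMS.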

On Fri, 28 Sep 2012, Trent W. Buck wrote:
Peter Ross wrote:
Simply try "curl http://www.deutschinmelbourne.net" and look for cialis etc.
It's by user agent.
Yep. Thanks. The damage there does not make too much sense. Maybe just a test run to figure out whether the site is vulnerable? I have to admit, my criminal imagination isn't that great. So I better stop musing about it, and see what can be done to fix it. Thanks for hints, thoughts and ideas Peter

On 28/09/2012, at 14:40, Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
The damage there does not make too much sense. Maybe just a test run to figure out whether the site is vulnerable?
I have to admit, my criminal imagination isn't that great. So I better stop musing about it, and see what can be done to fix it.
maybe whoever did it put the check in inverse by accident. :) it only takes a single !

On Fri, Sep 28, 2012 at 04:28:43PM +1000, hannah commodore wrote:
maybe whoever did it put the check in inverse by accident. :) it only takes a single !
That was my thought. so google sees that it's a spam site but the potential spam victims (windows users) see the unspammed site. ya just gotta respect competence like that. OTOH, it could be deliberate - maybe the point is to get google to blacklist the site while making it hard for the site owner to figure out WTF is going on. Probably not, though. script-kiddies aren't even that clever, and anyone clever/knowledgeable enough to think of it would be capable of far more subtle and confusing mind-fuckery. craig -- craig sanders <cas@taz.net.au> BOFH excuse #256: You need to install an RTFM interface.

Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
The damage there does not make too much sense. Maybe just a test run to figure out whether the site is vulnerable?
I have to admit, my criminal imagination isn't that great. So I better stop musing about it, and see what can be done to fix it.
I would expect that in the absence of a strong SELinux policy, whoever compromised the Web application could run a shell on the machine, at which stage it's only a local root exploit away from disaster. I would be looking carefully for root kits just in case they've taken that step. It's entirely possible, of course, that the crackers don't have the tools to carry out an exploit and install a root kit, but if it were my machine I wouldn't be making that assumption.

I agree, although I'd just be going further and do a complete rebuild - it is just a Joomla site after all. Unless they are super villains that have infected the database and image files... We used to use Joomla a lot, and Mambo before that, but reluctantly left it - over security concerns. Pity, Joomla has a great look and feel, but don't all the vulnerable ones... On 28/09/12 18:07, Jason White wrote:
Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
The damage there does not make too much sense. Maybe just a test run to figure out whether the site is vulnerable?
I have to admit, my criminal imagination isn't that great. So I better stop musing about it, and see what can be done to fix it.
I would expect that in the absence of a strong SELinux policy, whoever compromised the Web application could run a shell on the machine, at which stage it's only a local root exploit away from disaster.
I would be looking carefully for root kits just in case they've taken that step. It's entirely possible, of course, that the crackers don't have the tools to carry out an exploit and install a root kit, but if it were my machine I wouldn't be making that assumption.

In terms of being hacked, some years ago the home PC of an employee of a client was hacked. The employee used a VPN to access work and had access to a Samba share which contained the company's web server. The attacker used SMB access over the VPN to install a trojan on the company's web site. On Fri, 28 Sep 2012, "Trent W. Buck" <trentbuck@gmail.com> wrote:
Peter Ross wrote:
To be hacked is one thing - but that it targets Linux users only??
It would be clever for a spammer to inject the data only when the U-A is "hi I'm googlebot", because then it would be far less obvious that it was compromised -- as you've seen.
Of course that wouldn't do what they desire in the case of different versions of Google and other search engines. Also there's the issue of general competence. People who are capable of doing good work can usually find legitimate work that pays well. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

On 28/09/12 10:40, Trent W. Buck wrote:
Peter Ross wrote:
To be hacked is one thing - but that it targets Linux users only??
It would be clever for a spammer to inject the data only when the U-A is "hi I'm googlebot", because then it would be far less obvious that it was compromised -- as you've seen.
A naïve implementation might try to do that by blacklisting known end user UAs (i.e. IE, FF) rather than whitelisting known spider UAs, which would result in you seeing it if your UA happened to not match the blacklist.
That's pretty much what I expect is happening. This sounds like the "Pharma hack", one characteristic of which is that there are zillions of versions of it. My impression is that there's a lot of mediocre programmers involved in this, reimplementing much the same thing as part of some larger overall spam campaign.

Basically what pharma hack sets out to do is to steal your google rank. They don't want to be noticed by human users, but want to send modified pages to google that pass your google rank to a bunch of spam pages.

The pharma hack infestation I dealt with a little while back certainly included a bunch of screw-ups, but it also included a whole bunch of techniques for hiding code that I hadn't seen before. That is to say code obfuscation techniques that are hard to search for. There's no simple string that you can search for to find the inserted code, but with some more complex regexes I was eventually able to clear the last of it. There were several hundred modified files involved.

If you're lucky, you've got a good copy of your code in version control, and have good backups. If you're unlucky, you're using something silly like smarty which means you can't make a clean distinction between data areas (which the web server can write) and code areas (which the web server can only read). If you can just flush all the cached smarty stuff, then do so.

Andrew McNaughton

Hi Andrew, thanks for the comment. My friend fixed it with a fresh install. He needed to upgrade Joomla anyway. On Thu, 24 Jan 2013, Andrew McNaughton wrote:
The pharma hack infestation I dealt with a little while back certainly included a bunch of screw-ups, but it also included a whole bunch of techniques for hiding code that I hadn't seen before. That is to say code obfuscation techniques that are hard to search for. There's no simple string that you can search for to find the inserted code, but with some more complex regexes I was eventually able to clear the last of it. There were several hundred modified files involved.
So an MD5 check (comparing with the sums taken after a fresh install) would have helped? Regards Peter
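An integrity check of the kind Peter suggests, added as an example (not code from the thread or from Joomla): build_manifest() hashes every file of a fresh install, and diff_manifests() later lists files added, removed or changed. SHA-256 stands in for MD5, and the skipped directory names and the demo() tree are constructed assumptions.

```python
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, List

# Directories the web server writes to at runtime; their contents change legitimately,
# so they are excluded from the baseline (assumption; adjust to the install).
SKIP_DIRS = {"cache", "tmp", "logs"}

def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to root (with / separators) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = sorted(d for d in dirs if d not in SKIP_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = file_digest(path)
    return manifest

def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files present only now (added), only in the baseline (removed), or with a changed digest."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base),
            "removed": sorted(base - cur),
            "modified": sorted(p for p in base & cur if baseline[p] != current[p])}

def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: baseline a tiny tree, tamper with it, diff."""
    root = tempfile.mkdtemp(prefix="manifest-demo-")
    files = {"index.php": "<?php echo 'ok';", "templates/beez/index.php": "<?php // template",
             "cache/page.tmp": "cached output"}
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    baseline = build_manifest(root)
    # Simulate the compromise: one core file edited, one new file dropped, cache churn.
    with open(os.path.join(root, "templates", "beez", "index.php"), "a") as fh:
        fh.write("\n// injected")
    with open(os.path.join(root, "lib.php"), "w") as fh:
        fh.write("<?php // dropped in")
    with open(os.path.join(root, "cache", "page.tmp"), "w") as fh:
        fh.write("regenerated")
    return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    # usage: baseline.py ROOT > manifest.json   |   baseline.py ROOT manifest.json
    if len(sys.argv) == 2:
        json.dump(build_manifest(sys.argv[1]), sys.stdout, indent=1)
    elif len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            print(json.dumps(diff_manifests(json.load(fh), build_manifest(sys.argv[1])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Keep the baseline manifest off the web server, since an intruder who can edit files can edit it too.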

To be hacked is one thing - but that it targets Linux users only?? I just find it very odd that the spam seems to be delivered to Linux machines only.. hmmh, at least I don't see it in the page source under Windows or Apple..
Thank heavens for Linux. I don't see it as targeting Linux, just that windows has less scrutineering and doesn't see that stuff, which to me, is how they can get away with it for so long before discovery. Roger

Peter Ross wrote:
I did not look at the server yet (and my friend isn't an IT expert) but I find it that weird that I don't have the slightest idea what the cause might be.
Can you reproduce the issue with curl? If you dump the source content from the DB or whatever on the server, does it have the bad junk in it?

On Fri, 28 Sep 2012, Trent W. Buck wrote:
Can you reproduce the issue with curl?
Yes - get the junk with curl under Ubuntu, don't get it with curl using a Windows 7 machine.
If you dump the source content from the DB or whatever on the server, does it have the bad junk in it?
As said, I haven't seen the server side yet (and I don't have access at the moment - I am not the site admin there) Your robot idea may point into the right direction. Anyway, I guess there is some work ahead:-( Thanks Peter

Peter Ross wrote:
On Fri, 28 Sep 2012, Trent W. Buck wrote:
Can you reproduce the issue with curl?
Yes - get the junk with curl under Ubuntu, don't get it with curl using a Windows 7 machine.
tcpdump both conversations; confirm the behaviour is identical and therefore the difference is 100% on the server side. Then go jump up and down on the server until it tells you why.
Participants (9): Andrew McNaughton, Craig Sanders, hannah commodore, Jason White, Michael Lindner, Peter Ross, Roger, Russell Coker, Trent W. Buck