Hi,
I am sorry to interrupt in English, but I simply don't speak Italian.
I have been alerted recently on the sh404SEF support forum that some people were reporting that sh404SEF was not secure. Some others seem to mistake 404SEF and 404SEFx for my component.
I am very sorry to hear these rumours going on, and sorry that some people spread them here.
To make it short :
1 - sh404SEF is NOT the same component as 404SEFx (an insecure component listed on joomla.org as vulnerable). The names are not the same and the components are not the same (though 404SEFx is the common ancestor to both sh404SEF and Joomsef).
2 - My site was hacked a few weeks ago. My FTP password was accessed by hackers. For those of you who know a bit, you will realize Joomla and sh404SEF cannot be involved in discovering the FTP password, as it is not anywhere on the site.
For those who don't know, here is the transcript of my conversation with live chat support when we were trying to clean things up. This is particularly for rollsappletree, who seems to believe that I lied about this to hide a vulnerability in sh404SEF:
Dusty [12:23]: Should work for you now.
[12:25]: Is there anything else I can do for you today?
Yannick gaultier [12:26]: OK, it works now. I'll pick another one. I am currently going through the logs to try to find how they could get in again. There is something strange. This time I have FTP logs as well as http logs. And I can see they could upload some files on Sat 1st:
[12:26]: Sat Sep 01 03:58:07 2007 0 82.128.15.196 389 /home/silianan/public_html/usbank/usbank/submit.php b _ o r silianan ftp 1 * c
Sat Sep 01 03:58:35 2007 1 82.128.15.196 392 /home/silianan/public_html/usbank/usbank/submit.php b _ i r silianan ftp 1 * c
Dusty [12:27]: ok
Yannick gaultier [12:27]: Global password was changed on aug. 30. How could they get access to my ftp password ? it is not available anywhere in my db or on the site itself
[12:30]: Actually, how could they get access to my ftp password at any time ? even before I changed it ?
Dusty [12:31]: The only way someone could get your password is if you gave it to them or you didn't use Secure FTP to upload
[12:31]: If you use plain FTP it does send the password in clear text
[12:31]: If someone used a packet sniffer they may view your password.
Yannick gaultier [12:32]: I am the only person using this account. Password is not written anywhere. So what you are saying is that they could sniff somehow my password because I did not use Secure ftp to upload ? I did not even know I could use secure FTP
Dusty [12:33]: Yes you can; however, you have to enable SSH in order to do this, but it is much more secure than FTP.
Yannick gaultier [12:35]: SSH is already enabled. But where would they have to listen to to be able to "sniff" what I am sending ? I mean where should they hook up to be able to intercept FTP data ?
Dusty [12:36]: They could use a packet sniffer like wireshark
Yannick gaultier [12:38]: So they simply listen to the internet, and when they see a ftp session init packet, they get the domain name, password and so they can connect later on ?
Dusty [12:39]: It is possible to do this. Yes
Yannick gaultier [12:42]: So how do I secure FTP ? is there a doc somewhere ? I am using filezilla
Dusty [12:45]: If you have SSH enabled all you have to do is click on File->Site Manager change the port to 22 and then in the drop down box check SFTP using SSH2
[12:47]: Is there anything else I can do for you today?
Yannick gaultier [12:49]: OK, I'll work on that and try using SFTP from now on. As we were talking, I successfully changed my master password to something else. So do you think the fact that I found FTP access from these people shows this was the initial breach? I really don't know where to look other than that: joomla, its extensions, and mediawiki are up to date
Dusty [12:50]: Yes that probably was the initial breach
Yannick gaultier [12:51]: OK. So now I'll start cleaning up. Thanks a bunch. I'll contact live chat again when I think the site is clean, for re-opening! Thanks again
3 - I have tried to understand Zalexo's other post where there are more details about the intrusion, but again I don't speak Italian. It seems he has the same problem as I had, with some people getting access to his FTP password. For some reason, he thinks this has something to do with sh404SEF. JOOMLA AND sh404SEF cannot be involved in giving the FTP password because the FTP password is not available on the site. If a hacker gets your FTP password, it can only be through your host or through "sniffing" packets while you are connecting.
4 - No vulnerability has been reported for sh404SEF to date. None. Zero.
If anyone has any information on any vulnerability, please report it to me at shumisha at gmail dot com, it will be fixed as soon as possible.
Until this happens, I would like to ask people to please stop spreading false rumors about the component. It is not about money, I am not a commercial developer, but this is very hard to take when you are putting many (hundreds) of hours of work into developing some software and supporting the people using it, to see that happening.
Lastly, I hope someone can translate this message or part of this message into Italian, so that people can read it, and I also would like to thank the people who tried to explain that 404SEFx and sh404SEF are not the same.
Best regards to all
Yannick Gaultier (shumisha)
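
Added example, not part of the original post: a small parser for the xferlog-format FTP log lines quoted in the chat, which lists completed uploads of script files per remote host so a site owner can review FTP access after a credential compromise. In this format the direction field is `o` for outgoing (download) and `i` for incoming (upload). The function names, the `SCRIPT_EXT` list and the third sample line are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# The first two lines are the xferlog entries quoted in the chat above;
# the third is constructed here to show a filename containing a space.
SAMPLE = """\
Sat Sep 01 03:58:07 2007 0 82.128.15.196 389 /home/silianan/public_html/usbank/usbank/submit.php b _ o r silianan ftp 1 * c
Sat Sep 01 03:58:35 2007 1 82.128.15.196 392 /home/silianan/public_html/usbank/usbank/submit.php b _ i r silianan ftp 1 * c
Sat Sep 01 04:10:02 2007 2 192.0.2.10 1024 /home/silianan/public_html/my notes.txt a _ i r silianan ftp 1 * c
"""

# The nine fixed fields that follow the filename in every xferlog line.
TAIL = ("transfer_type", "action_flag", "direction", "access_mode",
        "username", "service", "auth_method", "auth_user", "status")
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")  # assumption: server-executable types

def parse_xferlog(line):
    """Parse one xferlog line; return None if it does not fit the format."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + 3 fields + filename + 9 tail fields
        return None
    try:
        rec = dict(zip(TAIL, tok[-9:]))
        rec.update(
            time=datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y"),
            duration=int(tok[5]), remote_host=tok[6], size=int(tok[7]),
            # Everything between the size and the tail is the filename,
            # so names containing spaces are kept whole.
            filename=" ".join(tok[8:-9]))
    except ValueError:
        return None
    return rec

def suspicious_uploads(log_text):
    """Group completed incoming transfers of script files by remote host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if (rec and rec["direction"] == "i" and rec["status"] == "c"
                and rec["filename"].lower().endswith(SCRIPT_EXT)):
            hits[rec["remote_host"]].append((rec["time"], rec["filename"]))
    return dict(hits)

if __name__ == "__main__":
    for host, items in suspicious_uploads(SAMPLE).items():
        for when, name in items:
            print(host, when.isoformat(), name)
```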