Joomla.it Forum
Not only Joomla... => Security => : pandronic 03 Feb 2016, 13:04:38
-
Hi everyone! It's been a long time since I last wrote, and I'm sorry to be writing about something like this.
Lately one site has kept me very busy. All the software is updated to the latest versions, the passwords are strong and have been changed several times, I've tried to follow the advice, but they still managed to get in once again.
I can't register on the joomla.org forum: it always tells me the e-mail address isn't acceptable; I've tried both with well-known American providers and with my own domain. I don't know why, but I've always had this problem with joomla.org.
I managed to "catch" the culprit in the logs: specifically it was the file "object.php", which I found in the folder /modules/mod_finder/object.php
I created the following post with the forum-post-assistant, but I can't upload it to joomla.org for the reason explained above. Can someone help me please?
:'(
[size=85]Cracker able to upload malicious file via POST request[/size]
[size=85]61.100.180.31 - - [01/Feb/2016:09:45:00 +0100] "GET /modules/sxbscm.php HTTP/1.1" 303 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:01 +0100] "GET /en/modules/sxbscm.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:03 +0100] "POST /modules/mod_weblinks/functions.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:10 +0100] "POST /plugins/finder/weblinks/weblinks.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:17 +0100] "POST /libraries/vendor/joomla/plugin.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:24 +0100] "POST /layouts/plugins/user/proxy.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:26 +0100] "POST /components/com_contact/helpers/association.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:28 +0100] "POST /components/com_phocagallery/views/phocagallerylinkcats/plugin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:30 +0100] "POST /components/com_phocagallery/assets/plupload/css/cache.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:32 +0100] "POST /libraries/joomla/mediawiki/pages.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:33 +0100] "POST /layouts/joomla/form/renderlabel.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:34 +0100] "POST /cli/update_cron.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:35 +0100] "POST /libraries/vendor/phpmailer/phpmailer/xml.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:41 +0100] "POST /libraries/joomla/database/query.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:43 +0100] "POST /libraries/fof/form/field/title.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:44 +0100] "POST /modules/mod_cookiesaccept/press.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:45 +0100] "POST /libraries/legacy/table/menu/db.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:52 +0100] "POST /layouts/joomla/tinymce/togglebutton.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:59 +0100] "POST /components/com_weblinks/language/en-GB/css.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:06 +0100] "POST /libraries/import.legacy.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:07 +0100] "POST /includes/db.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:09 +0100] "POST /press.php HTTP/1.1" 404 1638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:11 +0100] "POST /libraries/cms/html/icons.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:33 +0100] "POST /components/com_config/model/modules.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:34 +0100] "POST /libraries/joomla/microdata/microdata.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:35 +0100] "POST /libraries/joomla/twitter/statuses.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:36 +0100] "POST /libraries/joomla/input/json.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:59 +0100] "POST /libraries/cms/html/tag.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:00 +0100] "POST /libraries/cms/help/help.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:01 +0100] "POST /modules/mod_dn/helper.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:03 +0100] "POST /templates/beez3/error.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:05 +0100] "POST /components/com_finder/session.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:07 +0100] "POST /libraries/joomla/mail/mail.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:19 +0100] "POST /libraries/joomla/facebook/album.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:20 +0100] "POST /libraries/joomla/mail/wrapper/css.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:22 +0100] "POST /libraries/joomla/linkedin/linkedin.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:23 +0100] "POST /components/com_jce/views/popup/view.html.php HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:30 +0100] "POST /plugins/content/emailcloak/search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:37 +0100] "POST /components/com_contact/helpers/gallery.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:43 +0100] "POST /media/editors/codemirror/mode/asciiarmor/include.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:50 +0100] "POST /templates/caedbalos_home/index.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:52 +0100] "POST /components/com_phocagallery/views/info/view.html.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:54 +0100] "POST /plugins/content/flike/flike.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:01 +0100] "POST /templates/protostar/html/layouts/proxy.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:08 +0100] "POST /templates/beez5/html/com_content/featured/functions.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:10 +0100] "POST /templates/caedbalos_2_col/test.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:12 +0100] "POST /modules/mod_dn/language/ru-RU/sql.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:19 +0100] "POST /templates/protostar/header.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:31 +0100] "POST /components/com_content/views/archive/alias.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:33 +0100] "POST /media/editors/codemirror/mode/haxe/include.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:46 +0100] "POST /images/dirs.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:53 +0100] "POST /components/com_finder/controllers/suggestions.json.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:59 +0100] "POST /libraries/vendor/joomla/session/files.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:02 +0100] "POST /modules/mod_tags_popular/tmpl/article.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:08 +0100] "POST /modules/mod_phocagallery_image/models/fields/phocahead.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:10 +0100] "POST /plugins/finder/weblinks/weblinks.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:13 +0100] "POST /libraries/joomla/form/fields/url.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:15 +0100] "POST /libraries/legacy/dispatcher/dispatcher.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:17 +0100] "POST /modules/mod_search/mod_search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:19 +0100] "POST /components/com_phocagallery/models/info.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:20 +0100] "POST /libraries/fof/form/form.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:27 +0100] "POST /templates/beez3/component.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:29 +0100] "POST /components/com_content/models/form.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:36 +0100] "POST /libraries/joomla/linkedin/oauth.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:43 +0100] "POST /libraries/joomla/mediawiki/search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:45 +0100] "POST /modules/mod_tags_popular/helper.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:47 +0100] "POST /object.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:54 +0100] "POST /templates/caedbalos_home/user.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:55 +0100] "POST /components/com_banners/models/inc.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:57 +0100] "POST /layouts/joomla/toolbar/global.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:59 +0100] "POST /layouts/libraries/system.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:17 +0100] "POST /libraries/joomla/filesystem/functions.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:19 +0100] "POST /images/phocagallery/azienda/thumbs/alias.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:20 +0100] "POST /templates/protostar/html/global.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:22 +0100] "POST /modules/mod_random_image/tmpl/press.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:24 +0100] "POST /libraries/cms/form/field/system.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"[/size]
[size=85]I deleted the file, but I think the door is still open[/size]
[size=85]Joomla! Instance :: Joomla! 3.4.8-Stable (Ember) 24-December-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: mymoscat (uid: 1/gid: 1) | Group: mymoscat (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/mymoscat/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.5.31 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 256M
MySQL Configuration :: Version: 5.6.23-cll-lve (Client:5.6.23) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 6.15 MiB | #of Tables: 83[/size]
[size=85]PHP Extensions :: Core (5.5.31) | date (5.5.31) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline (5.5.31) | Reflection ($Id: dc76d2fe0f3e9c327c1d4ca617d94e26c7fae98d $) | session () | standard (5.5.31) | shmop () | SimpleXML (0.1) | mbstring () | tokenizer (0.1) | xml () | cgi-fcgi () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | fileinfo (1.0.5) | intl (1.1.0) | tidy (2.0) | bcmath () | Phar (2.0.2) | gd () | mysql (1.0) | xmlwriter (0.1) | sockets () | pgsql () | json (1.2.1) | exif (1.4 $Id: ff29fdd0fa0b922fd32e2f5704857dcc8543f628 $) | soap () | pdo_pgsql (1.0.2) | zip (1.11.0) | xmlrpc (0.51) | mysqli (0.1) | imap () | dom (20031129) | pdo_sqlite (1.0.1) | xmlreader (0.1) | posix () | mcrypt () | xsl (0.1) | mhash () | ionCube Loader () | Zend OPcache (7.0.4-devFE) | Zend Guard Loader () | Zend Engine (2.5.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No [/size]
[size=85]Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: [/size]
[size=85]Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) | Default (1.0.0) | WF_INLINEPOPUPS_TITLE (2.5.12) | WF_HR_TITLE (2.5.12) | WF_FONTSELECT_TITLE (2.5.12) | WF_FONTCOLOR_TITLE (2.5.12) | WF_SEARCHREPLACE_TITLE (2.5.12) | WF_FULLSCREEN_TITLE (2.5.12) | WF_STYLESELECT_TITLE (2.5.12) | WF_CLIPBOARD_TITLE (2.5.12) | WF_NONBREAKING_TITLE (2.5.12) | WF_LAYER_TITLE (2.5.12) | WF_AUTOSAVE_TITLE (2.5.12) | WF_KITCHENSINK_TITLE (2.5.12) | WF_LINK_TITLE (2.5.12) | WF_PRINT_TITLE (2.5.12) | WF_IMGMANAGER_TITLE (2.5.12) | WF_STYLE_TITLE (2.5.12) | WF_XHTMLXTRAS_TITLE (2.5.12) | WF_CLEANUP_TITLE (2.5.12) | WF_ANCHOR_TITLE (2.5.12) | WF_VISUALBLOCKS_TITLE (2.5.12) | WF_CONTEXTMENU_TITLE (2.5.12) | WF_DIRECTIONALITY_TITLE (2.5.12) | WF_TABLE_TITLE (2.5.12) | WF_MEDIA_TITLE (2.5.12) | WF_CHARMAP_TITLE (2.5.12) | WF_BROWSER_TITLE (2.5.12) | WF_LISTS_TITLE (2.5.12) | WF_ARTICLE_TITLE (2.5.12) | WF_SPELLCHECKER_TITLE (2.5.12) | WF_PREVIEW_TITLE (2.5.12) | WF_SOURCE_TITLE (2.5.12) | WF_TEXTCASE_TITLE (2.5.12) | WF_FONTSIZESELECT_TITLE (2.5.12) | WF_VISUALCHARS_TITLE (2.5.12) | WF_FORMATSELECT_TITLE (2.5.12) | WF_AGGREGATOR_VIMEO_TITLE (2.5.12) | WF_AGGREGATOR_YOUTUBE_TITLE (2.5.12) | WF_AGGREGATOR_VINE_TITLE (2.5.12) | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.12) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.12) | WF_LINK_SEARCH_TITLE (2.5.12) | WF_FILESYSTEM_JOOMLA_TITLE (2.5.12) | WF_POPUPS_WINDOW_TITLE (2.5.12) | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.12) | WF_LINKS_JOOMLALINKS_TITLE (2.5.12) |
Components :: ADMIN :: com_postinstall (3.2.0) | com_templates (3.0.0) | com_search (3.0.0) | com_config (3.0.0) | com_languages (3.0.0) | com_banners (3.0.0) | com_modules (3.0.0) | com_categories (3.0.0) | com_menus (3.0.0) | com_weblinks (3.4.1) | com_cache (3.0.0) | com_admin (3.0.0) | com_contenthistory (3.2.0) | com_content (3.0.0) | com_phocagallery (4.1.2) | com_redirect (3.0.0) | com_users (3.0.0) | com_cpanel (3.0.0) | com_ajax (3.2.0) | com_login (3.0.0) | com_newsfeeds (3.0.0) | com_plugins (3.0.0) | com_installer (3.0.0) | com_tags (3.1.0) | com_finder (3.0.0) | Unknown (-) | JCE (2.5.12) | com_media (3.0.0) | com_joomlaupdate (3.0.0) | com_messages (3.0.0) | com_checkin (3.0.0) |
Modules :: SITE :: mod_articles_archive (3.0.0) | mod_articles_news (3.0.0) | mod_phocagallery_image (4.0.0) | mod_whosonline (3.0.0) | mod_breadcrumbs (3.0.0) | mod_articles_categories (3.0.0) | mod_syndicate (3.0.0) | mod_articles_popular (3.0.0) | mod_footer (3.0.0) | mod_banners (3.0.0) | mod_login (3.0.0) | mod_users_latest (3.0.0) | mod_tags_popular (3.1.0) | Facebook Like (1.4.5) | mod_custom (3.0.0) | mod_menu (3.0.0) | mod_random_image (3.0.0) | mod_stats (3.0.0) | mod_finder (3.0.0) | mod_feed (3.0.0) | mod_related_items (3.0.0) | mod_search (3.0.0) | mod_weblinks (3.4.1) | mod_tags_similar (3.1.0) | mod_articles_latest (3.0.0) | mod_languages (3.0.0) | mod_articles_category (3.0.0) | DisplayNews (2.7) | mod_wrapper (3.0.0) | CookiesAccept (1.3) |
Modules :: ADMIN :: mod_submenu (3.0.0) | mod_multilangstatus (3.0.0) | mod_version (3.0.0) | mod_login (3.0.0) | mod_logged (3.0.0) | mod_status (3.0.0) | mod_custom (3.0.0) | mod_quickicon (3.0.0) | mod_menu (3.0.0) | mod_feed (3.0.0) | mod_popular (3.0.0) | mod_title (3.0.0) | mod_toolbar (3.0.0) | mod_stats_admin (3.0.0) | mod_latest (3.0.0) |
Plugins :: SITE :: plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_user_contactcreator (3.0.0) | plg_editors_tinymce (4.1.7) | plg_editors_codemirror (5.6) | plg_editors_jce (2.5.12) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_phocagallery (4.1.2) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.5.12) | plg_quickicon_joomlaupdate (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_weblinks (3.4.1) | plg_search_categories (3.0.0) | plg_search_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.4.1) | plg_finder_categories (3.0.0) | plg_finder_content (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_log (3.0.0) | plg_system_redirect (3.0.0) | plg_system_remember (3.0.0) | System - FunCaptcha (3.0) | plg_system_sef (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_debug (3.0.0) | plg_system_cache (3.0.0) | plg_sytem_marcosinterceptor (1.6) | plg_system_jce (2.5.12) | plg_system_logout (3.0.0) | plg_system_highlight (3.0.0) | plg_system_p3p (3.0.0) | plg_extension_joomla (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | plg_captcha_nocaptcharecaptcha (1.0.0) | plg_captcha_recaptcha (3.4.0) | plg_content_phocagalleryslides (4.1.2) | plg_content_joomla (3.0.0) | plg_content_phocagallery (4.1.2) | plg_content_pagebreak (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_geshi (2.5.0) | plg_content_vote (3.0.0) | plg_content_finder (3.0.0) | plg_content_emailcloak (3.0.0) | Content - Facebook Like Button (3.0.23) | plg_content_phoca_open_graph (3.0.1) | plg_content_loadmodule (3.0.0) | [/size]
[size=85]Templates :: SITE :: protostar (1.0) | beez_20 (2.5.0) | caedbalos_home (1.0.0) | atomic (2.5.0) | beez3 (3.1.0) | beez5 (2.5.0) | caedbalos_2_col (1.0.0) | caedbalos_default (1.0.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) | bluestork (2.5.0) | [/size]
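To triage a log like the one in the post above, here is an added Python example (it is not from the post, from joomla.org or from the forum-post-assistant). It parses Apache combined-format lines and lists the PHP files, outside Joomla's two front controllers, that answered a POST with HTTP 200: those are the paths to pull from disk first, while the 404s are probes for files that are not (or no longer) there. The sample lines are constructed in the same format as the post's log; the set of legitimate POST targets is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" log format, which is what the post's log uses.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Joomla 3 front controllers that legitimately receive POST requests
# (assumption: the site has no other POST endpoints).
LEGIT_POST_TARGETS = {"/index.php", "/administrator/index.php"}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def suspicious_posts(lines):
    """(ip, path, status, size) for every POST to a PHP file that is not a
    front controller. Direct POSTs to files deep inside modules/, libraries/
    or templates/ have no legitimate use in a Joomla site."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith(".php") or rec["path"] in LEGIT_POST_TARGETS:
            continue
        hits.append((rec["ip"], rec["path"], rec["status"], rec["size"]))
    return hits


def shell_candidates(lines):
    """Paths that answered a POST with 200: files still present on disk that
    accepted the request. A tiny constant body (32 bytes in the post's log)
    is consistent with a script replying to a probe rather than a real page."""
    return sorted({p for _, p, status, _ in suspicious_posts(lines) if status == 200})


def per_ip_summary(lines):
    """Per source IP: how many probed paths were live (200) and how many dead (404)."""
    summary = defaultdict(lambda: {"live": 0, "dead": 0})
    for ip, _, status, _ in suspicious_posts(lines):
        summary[ip]["live" if status == 200 else "dead"] += 1
    return dict(summary)


# Constructed sample in the format of the post's log (203.0.113.7 and
# 198.51.100.9 are documentation addresses, not real sources).
SAMPLE_LOG = [
    '61.100.180.31 - - [01/Feb/2016:09:45:03 +0100] "POST /modules/mod_weblinks/functions.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0"',
    '61.100.180.31 - - [01/Feb/2016:09:49:47 +0100] "POST /object.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Feb/2016:10:02:11 +0100] "POST /index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Feb/2016:10:05:00 +0100] "GET /images/dirs.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path in shell_candidates(SAMPLE_LOG):
        print("inspect on disk:", path)
    print(per_ip_summary(SAMPLE_LOG))
```

Run it as `python3 triage.py < /dev/null` after replacing SAMPLE_LOG with the lines of the real access log; GET probes (like the last sample line) are deliberately left out so the list stays short, and can be added by dropping the method check.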
-
I went and deleted/replaced all the files where the POST entry appears in the log; in some cases I replaced entire folders with the ones from the original packages of the core or of the installed extensions.
Bear in mind that the site wasn't built by me: I found myself having to manage it about a year ago. There was an extension called "weblink" and I have no idea what it is or what it was for. I couldn't find any information on Google either, and I don't think it's in the official Joomla directory; in fact I think it was the entry point of the attack.
It seems this extension is somehow tied to the finder, or at least it was included in the folder plugins/finder/weblinks
it was also installed as the module mod_weblinks and the component com_weblinks
Does anyone have any information about this extension?
thanks
-
I've figured out what it is: weblinks is an application that was part of the Joomla core up to version 2.5.
I found the site at version 2.5, and so I brought it to 3.0 (and later versions) by running the guided installation.
The problem with these updates is that they may have installed the new files, but evidently they did not remove outdated modules (from a copy of the site I can see that the weblinks plugin dates all the way back to 2005, while the module/component/plugin package dates to 2012).
so it's no surprise that I, like many other users, ended up with a cracked site (I won't list all the topics opened recently on similar subjects)
The method from user mariaelenaboschi http://forum.joomla.it/index.php/topic,256371.msg1190958.html#msg1190958 works because the vulnerability is in the finder's weblinks, which is located in the libraries folder.
Simply updating Joomla from an old version to 3.4.8 will not be enough. You have to remove com_weblinks and mod_weblinks and replace the libraries folder entirely, and finally remove the "prefix_weblinks" table from the database as a precaution.
Once this is done you must NOT spread the news, nor investigate further, nor warn the community in any way, because out there there are lots of evil hackers and the client can swallow anything, and to convince himself he just needs to watch an episode of Mr. Robot
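An added Python example (not from the posts or from the Joomla project) that mechanises the approach in the second and third posts, replacing core and extension folders from the original packages and the libraries folder entirely: it compares the site's code directories against an unpacked pristine package of the same version and reports files the package never shipped, files whose hash differs, and files that are missing, without deleting anything. The pristine tree, the directory list and the sample files are assumptions; third-party extensions (JCE, Phoca and so on) show up as foreign here and have to be checked against their own install packages.

```python
import hashlib
import os
import tempfile

# Folders that should hold only shipped code, never user uploads (assumption;
# images/ and cache/ are left out on purpose because they legitimately differ).
CODE_DIRS = ("libraries", "modules", "plugins", "components", "templates",
             "layouts", "includes", "cli", "administrator")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree(root, subdirs):
    """Map relative path -> sha256 for every file below the given subdirs of root."""
    files = {}
    for sub in subdirs:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _, names in os.walk(base):
            for name in names:
                full = os.path.join(dirpath, name)
                files[os.path.relpath(full, root)] = _sha256(full)
    return files


def compare_trees(site, pristine, subdirs=CODE_DIRS):
    """Report 'foreign' (only in site), 'modified' (same path, different hash)
    and 'missing' (only in pristine) relative paths, sorted. Nothing is changed."""
    site_files = _tree(site, subdirs)
    ref_files = _tree(pristine, subdirs)
    return {
        "foreign": sorted(p for p in site_files if p not in ref_files),
        "modified": sorted(p for p in site_files
                           if p in ref_files and site_files[p] != ref_files[p]),
        "missing": sorted(p for p in ref_files if p not in site_files),
    }


def foreign_php(report):
    """Foreign PHP files are the first thing to read: a dropped file such as
    modules/mod_finder/object.php lands here. Legitimate third-party
    extensions land here too, so diff those against their own packages."""
    return [p for p in report["foreign"] if p.endswith(".php")]


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed sample trees: a pristine copy and a site with one dropped
    file, one tampered core file and one core file that was removed."""
    with tempfile.TemporaryDirectory() as tmp:
        site, ref = os.path.join(tmp, "site"), os.path.join(tmp, "pristine")
        for root in (site, ref):
            _write(root, "modules/mod_finder/mod_finder.php", "<?php // core module\n")
            _write(root, "libraries/cms/html/tag.php", "<?php // core helper\n")
        _write(ref, "libraries/joomla/input/json.php", "<?php // core file\n")
        _write(site, "modules/mod_finder/object.php", "<?php // never shipped\n")
        _write(site, "libraries/cms/html/tag.php", "<?php // core helper\n// tampered\n")
        _write(site, "images/photo.jpg", "not code")  # outside CODE_DIRS, ignored
        return compare_trees(site, ref)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against a real site, call `compare_trees("/home/.../public_html", "/tmp/Joomla_3.4.8")` with the pristine package unpacked from the official download, and treat every "modified" core file as a file to replace, not to patch by hand.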