Solved

My postfix/Joomla Ubuntu machine hacked

Posted on 2014-09-06
7
301 Views
Last Modified: 2014-09-19
Hi,
I'm running an old version of Joomla (1.5) on Ubuntu. The machine has postfix running on it.
Joomla got hacked, I'm not sure how, but I see various .php files appearing in my web site home directory from time to time. I'm removing the files of course, but they keep coming back.
I know the 'right' way to do this, but I don't have time to take care of that now.

The hacker is using my machine to send out spam. I see in /var/spool there are lots of spam messages and I see a lot of smtp processes running. For now, I've stopped Postfix, though I actually need it to run to send out results of a form I have on my website.
So, I'm asking this:
If I remove all of the hacker uploaded php files, but mail is still being sent out, how else can they be getting in to send the mail out?
I need a quick fix for this and some places to look for things. I can't upgrade Joomla right now and I can't move to another machine. Need to keep this one up as long as possible.

Thanks!
Nacht

postfix   4065  3977  0 13:21 ?        00:00:00 bounce -z -t unix -u -c
postfix   4066  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4067  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4068  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4069  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4070  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4073  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4080  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4082  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4083  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
0
Question by:nachtmsk
7 Comments
LVL 58

Expert Comment

by:Gary
ID: 40308143
Check all your joomla files for inserted code (usually base64)
Change all your passwords.

Of course if you are not going to upgrade they will likely just break in again an hour later.
0
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 40308156
And check your database for Cross Site Scripting / SQL Injection attacks (See section 5. The Code).  If you allow comments in your CMS, I'd be checking there first.
0
LVL 50

Expert Comment

by:Steve Bink
ID: 40308331
Seconding Gary's comment - you need to upgrade this installation.  No one ever has time to upgrade - you need to make that time, especially when you are two major versions behind current.  This will reoccur, guaranteed.

My experience is limited to J2.5 and J3, but I've generally seen file upload vulnerabilities, and intrusions on the admin panel through brute force, or maybe an information leak.  The usual method is the attacker uploads and installs a new module into Joomla, which acts as a remote server admin panel.  In many cases, this panel is equipped to do nasty things like gather information, send spam, etc.  

Start with going through /components, /modules, and /plugins.  You can also query the database to see all installed items:
SELECT name,type,element,enabled,protected FROM #__extensions;
-- #__ is Joomla's table-prefix placeholder; substitute your real prefix (the default is jos_).
-- Note: the extensions table exists from Joomla 1.6 onward; Joomla 1.5 keeps components,
-- modules and plugins in separate tables (jos_components, jos_modules, jos_plugins).


Pay close attention to the names.  Many of the bogus installs I've seen use tricky naming conventions, like webllinks and systym.  If you don't know what an item is, take a quick look at some of the code.  IME, the panel code is always heavily obfuscated (e.g., minified, uses base64 encoding with calls to eval(), etc.), and they use short, generic variable names.  If you find any, delete them, and try to remove the extension from Joomla.  Where there is one, there are probably others.  Keep looking until you've covered everything.

There are also file upload vulnerabilities in older Joomla versions.  I have forgotten many of the details, but IIRC, some can overwrite existing files, like Joomla's core files.  If you've been hit with this, good luck.  Their code could be sitting anywhere inside the site's document root.  

Again ... can't stress this enough ... upgrade the installation.  Yup, it's a pain, but is it more pain than dealing with this over and over?  Recovering from this one (hopefully) intrusion will not solve the problem of how the intruder got in.  As long as you leave the door open, they will come right in and make themselves at home.
0
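The checks Gary and Steve describe above (code inserted into Joomla files, usually base64 wrapped in eval(), plus droppers anywhere under the document root) as an added shell example; this is not code from the thread. It assumes GNU find/grep/xargs as shipped on Ubuntu, and /var/www/joomla is a placeholder path.

```shell
#!/bin/sh
# Added example, not code from the thread: read-only checks a defender can run
# over a Joomla document root. Pass 1 greps PHP files for the obfuscation
# markers described above (eval() wrapped around base64_decode, gzinflate,
# gzuncompress or str_rot13) and prints each hit with its modification time,
# so files dropped in one batch stand out. Pass 2 lists PHP files sitting in
# Joomla's media upload directories, which should contain none.
# Assumes GNU find/grep/xargs (Ubuntu); /var/www/joomla is a placeholder path.

# Usage: scan_obfuscated_php /path/to/docroot
# Output: "YYYY-MM-DD HH:MM<TAB>/path/to/file.php", oldest first.
# Only grep runs against the files; nothing found is executed.
scan_obfuscated_php() {
    find "$1" -type f -name '*.php' -print0 2>/dev/null |
        xargs -0 -r grep -lEi \
            'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
            2>/dev/null |
        while IFS= read -r hit; do
            find "$hit" -printf '%TY-%Tm-%Td %TH:%TM\t%p\n'
        done | sort
}

# Usage: php_in_upload_dirs /path/to/docroot
# Joomla's images/ and media/ trees hold uploaded media only; any .php there
# deserves a manual look regardless of its contents.
php_in_upload_dirs() {
    for d in images media; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -iname '*.php'
    done | sort
}

# Stand-alone use: sh scan.sh /var/www/joomla (placeholder path)
if [ -n "${1:-}" ]; then
    echo "== obfuscated PHP (mtime, path) =="
    scan_obfuscated_php "$1"
    echo "== PHP in upload directories =="
    php_in_upload_dirs "$1"
fi
```

Review every hit by hand before deleting: legitimate extensions occasionally ship minified code, and the mtime column is what tells you which files arrived together.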

Author Comment

by:nachtmsk
ID: 40308438
Thanks everyone. I really appreciate the comments.
I know an upgrade is necessary but it's not something I can do now, so I needed some band-aids.

Nacht
0
LVL 24

Accepted Solution

by:lenamtl (earned 500 total points)
ID: 40312031
Most of the time the hacker will edit the Joomla template file (index file) and add a php file in the template directory.
Remove the code from the template and delete the php file, which usually has a name made of random letters and numbers (the file name doesn't make sense), like this: xrtt756jaue.php

When I find this I check the date and time of these files and I look for other files that have the same date and time to find out if other files were modified too.

You could check AWStats or other stats apps to find the IP address related to that date and time and block it using htaccess.
Also you can block some countries' IPs (you can find a list of countries to block) till you update or change the site CMS.

It's not perfect but it can help you for now.

I personally stopped using Joomla because of too many security bugs and updates.
0
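The accepted answer's two checks, scripted as an added example (not code from the thread): find other files modified around the same time as a known-bad file, then pull the client IPs that requested that file from the Apache access log and turn them into an .htaccess deny block. The log lines are constructed sample data using RFC 5737 documentation addresses; GNU find, stat and awk are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks lenamtl describes,
# scripted. files_modified_near lists files whose mtime falls within a window
# around a known-bad file, to catch others dropped in the same visit;
# ips_hitting_path pulls the client IPs that requested that file out of an
# Apache combined-format access log; htaccess_deny turns them into an
# Apache 2.2-style deny block (mod_access_compat on 2.4). The log lines below
# are constructed sample data using RFC 5737 documentation addresses.
# Assumes GNU find (for -printf), GNU stat and awk.

# Usage: files_modified_near /docroot /docroot/templates/x/bad.php [seconds]
files_modified_near() {
    ref=$(stat -c %Y "$2")
    find "$1" -type f -printf '%T@\t%p\n' 2>/dev/null |
        awk -F'\t' -v ref="$ref" -v w="${3:-600}" \
            '{ t = int($1); if (t >= ref - w && t <= ref + w) print $2 }' | sort
}

# Usage: ips_hitting_path NAME < access.log  ->  "count<TAB>ip", busiest first
ips_hitting_path() {
    awk -v needle="$1" '
        # combined log format: $1 is the client IP, $7 the request path (query included)
        index($7, needle) { hits[$1]++ }
        END { for (ip in hits) print hits[ip] "\t" ip }' | sort -rn
}

# Usage: printf '%s\n' ip1 ip2 | htaccess_deny  ->  lines to paste into .htaccess
htaccess_deny() {
    printf 'Order Allow,Deny\nAllow from all\n'
    while IFS= read -r ip; do
        printf 'Deny from %s\n' "$ip"
    done
}

# Constructed sample log (not from the thread): two IPs hit the dropped file,
# one visitor browsed normally and must not end up in the deny list.
SAMPLE_LOG='203.0.113.7 - - [06/Sep/2014:13:20:41 +0000] "POST /templates/rhuk_milkyway/xrtt756jaue.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2014:13:21:02 +0000] "POST /templates/rhuk_milkyway/xrtt756jaue.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Sep/2014:13:21:15 +0000] "GET /templates/rhuk_milkyway/xrtt756jaue.php?x=1 HTTP/1.1" 200 120 "-" "curl/7.35.0"
192.0.2.44 - - [06/Sep/2014:13:22:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"'

# Stand-alone demo on the sample log. On a real box:
#   ips_hitting_path xrtt756jaue.php < /var/log/apache2/access.log | cut -f2 | htaccess_deny
printf '%s\n' "$SAMPLE_LOG" | ips_hitting_path xrtt756jaue.php | cut -f2 | htaccess_deny
```

Treat the deny list as a stopgap only: the IPs rotate, and the dropped file is reachable as long as the underlying Joomla hole stays open.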

Author Comment

by:nachtmsk
ID: 40312634
Thanks. Yeah, I would stop using Joomla too if I could. This site was inherited and I just keep it together as best I can.
0
LVL 24

Expert Comment

by:lenamtl
ID: 40312790
I understand. I was in a similar situation, and it requires a lot of time to convert to something new if there is a lot of content.
0