Solved

My postfix/Joomla Ubuntu machine hacked

Posted on 2014-09-06
7
331 Views
Last Modified: 2014-09-19
Hi,
I'm running an old version of Joomla (1.5) on Ubuntu. The machine has Postfix running on it.
Joomla got hacked, I'm not sure how, but I see various .php files appearing in my web site home directory from time to time. I'm removing the files of course, but they keep coming back.
I know the 'right' way to do this, but I don't have time to take care of that now.

The hacker is using my machine to send out spam. I see in /var/spool there are lots of spam messages and I see a lot of smtp processes running. For now, I've stopped Postfix, though I actually need it to run to send out results of a form I have on my website.
So, I'm asking this:
If I remove all of the hacker-uploaded php files, but mail is still being sent out, how else can they be getting in to send the mail out?
I need a quick fix for this and some places to look for things. I can't upgrade Joomla right now and I can't move to another machine. Need to keep this one up as long as possible.

Thanks!
Nacht

postfix   4065  3977  0 13:21 ?        00:00:00 bounce -z -t unix -u -c
postfix   4066  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4067  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4068  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4069  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4070  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4073  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4080  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4082  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4083  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
0
Question by:nachtmsk
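The question "how else can they be getting mail out" is answered by the Postfix log, not by the process list: every queued message is logged either by postfix/pickup (handed in locally through the sendmail binary, with the uid of the process that did it, which is what PHP mail() from a dropped script looks like) or by postfix/smtpd (accepted over the network, with or without a SASL login). The script below is an added example, not code from the question or the answers; the log lines are constructed, and it assumes uid 33 is the web server account as on a default Ubuntu install (check with `id www-data`):

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/mail.log lines (not from the asker's machine).
SAMPLE_MAIL_LOG = """\
Sep  6 13:21:02 web1 postfix/pickup[3975]: 5A1B2C3D4E: uid=33 from=<www-data>
Sep  6 13:21:02 web1 postfix/cleanup[4010]: 5A1B2C3D4E: message-id=<20140906132102.5A1B2C3D4E@web1>
Sep  6 13:21:03 web1 postfix/pickup[3975]: 6B2C3D4E5F: uid=33 from=<www-data>
Sep  6 13:21:05 web1 postfix/smtpd[4050]: 7C3D4E5F60: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=forms
Sep  6 13:21:09 web1 postfix/smtpd[4051]: 8D4E5F6071: client=unknown[198.51.100.9]
Sep  6 13:21:30 web1 postfix/pickup[3975]: 9E5F607182: uid=1000 from=<nacht>
"""

# pickup logs the uid of the local process that ran /usr/sbin/sendmail
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# smtpd logs the connecting client, and the SASL user when the session authenticated
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")

def classify_submissions(log_text, web_uids=(33,)):
    """Group queue IDs by how the message entered Postfix.

    local_web   - pickup path, submitted by a web-server uid (a PHP script calling mail())
    local_other - pickup path, some other local uid (cron, a shell user, ...)
    smtp_auth   - accepted by smtpd after a SASL login (stolen/weak mail credentials)
    smtp_noauth - accepted by smtpd with no login (relay misconfiguration or inbound mail)
    Returns {category: [(queue_id, detail), ...]}.
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            cat = "local_web" if int(m["uid"]) in web_uids else "local_other"
            out[cat].append((m["qid"], f"uid={m['uid']} from=<{m['sender']}>"))
            continue
        m = SMTPD_RE.search(line)
        if m:
            s = SASL_RE.search(line)
            if s:
                out["smtp_auth"].append((m["qid"], f"{m['client']} as {s['user']}"))
            else:
                out["smtp_noauth"].append((m["qid"], m["client"]))
    return dict(out)

if __name__ == "__main__":
    for cat, entries in classify_submissions(SAMPLE_MAIL_LOG).items():
        print(f"{cat}: {len(entries)}")
        for qid, detail in entries:
            print(f"  {qid}  {detail}")
```

A pile of local_web entries means the spam is injected by a script on the box, so removing the dropped files (and fixing the entry point) stops it; smtp_auth entries mean a mail account's password is being used and must be changed regardless of what is in the web root. With PHP's `mail.add_x_header = On` the queued message itself carries an `X-PHP-Originating-Script` header naming the script, visible with `postcat -q <queue id>`.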
7 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40308143
Check all your Joomla files for inserted code (usually base64).
Change all your passwords.

Of course if you are not going to upgrade they will likely just break in again an hour later.
0
 
LVL 43

Expert Comment

by:Rob
ID: 40308156
And check your database for Cross Site Scripting / SQL Injection attacks (See section 5. The Code).  If you allow comments in your CMS, I'd be checking there first.
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 40308331
Seconding Gary's comment - you need to upgrade this installation.  No one ever has time to upgrade - you need to make that time, especially when you are two major versions behind current.  This will reoccur, guaranteed.

My experience is limited to J2.5 and J3, but I've generally seen file upload vulnerabilities, and intrusions on the admin panel through brute force, or maybe an information leak.  The usual method is the attacker uploads and installs a new module into Joomla, which acts as a remote server admin panel.  In many cases, this panel is equipped to do nasty things like gather information, send spam, etc.  

Start with going through /components, /modules, and /plugins.  You can also query the database to see all installed items:
-- #__ is Joomla's table-prefix placeholder; substitute the site's real prefix (e.g. jos_) when running this by hand
SELECT name,type,element,enabled,protected FROM #__extensions;

Pay close attention to the names.  Many of the bogus installs I've seen use tricky naming conventions, like webllinks and systym.  If you don't know what an item is, take a quick look at some of the code.  IME, the panel code is always heavily obfuscated (e.g., minified, uses base64 encoding with calls to eval(), etc.), and they use short, generic variable names.  If you find any, delete them, and try to remove the extension from Joomla.  Where there is one, there are probably others.  Keep looking until you've covered everything.

There are also file upload vulnerabilities in older Joomla versions.  I have forgotten many of the details, but IIRC, some can overwrite existing files, like Joomla's core files.  If you've been hit with this, good luck.  Their code could be sitting anywhere inside the site's document root.  

Again ... can't stress this enough ... upgrade the installation.  Yup, it's a pain, but is it more pain than dealing with this over and over?  Recovering from this one (hopefully) intrusion will not solve the problem of how the intruder got in.  As long as you leave the door open, they will come right in and make themselves at home.
0
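Gary's "check all your Joomla files for inserted code (usually base64)" and Steve's description of heavily obfuscated panel code (base64 plus eval(), short generic names, look-alike extension names) can be turned into a first-pass scanner. This is an added example, not code from the thread or from Joomla; the fake web root it writes to a temp directory is constructed, its "payloads" are base64 of a harmless placeholder, and the signature list is a heuristic, not a complete malware definition:

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Heuristic signatures for obfuscated PHP: the eval()/base64 pattern the comments describe plus
# its usual companions. One hit is a lead for triage, not proof: core code and extensions use
# base64_decode() legitimately in places, so files are ranked by how many signatures they match.
SIGNATURES = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "inflate_or_rot13": re.compile(r"\b(?:gzinflate|gzuncompress|gzdecode|str_rot13)\s*\("),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

def scan_file(path):
    """Return the names of the signatures that match this file's contents."""
    text = Path(path).read_text(errors="replace")
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_webroot(root, exts=(".php", ".phtml", ".php5", ".inc")):
    """Walk root; return sorted (relative path, [signature names]) for every PHP-like file with hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), found))
    return sorted(hits)

def triage(root, min_hits=2):
    """Split hits into files matching at least min_hits signatures and single-hit files for manual review."""
    hits = scan_webroot(root)
    strong = [(p, s) for p, s in hits if len(s) >= min_hits]
    weak = [(p, s) for p, s in hits if len(s) < min_hits]
    return strong, weak

def build_sample_webroot():
    """Constructed fixture: a tiny fake Joomla tree in a temp dir (not the asker's site).
    The encoded strings are base64 of a placeholder sentence, so the files do nothing if run."""
    blob = base64.b64encode(b"constructed placeholder, not a real payload").decode()
    files = {
        "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once dirname(__FILE__) . '/includes/framework.php';\n",
        # one legitimate-looking base64_decode(): reported, but low confidence on its own
        "libraries/legit/helper.php": "<?php\n$png = base64_decode($encoded_png);\n",
        # the random-letters file name lenamtl describes, with the eval(base64_decode()) pattern
        "templates/beez/xrtt756jaue.php": f"<?php eval(base64_decode('{blob}'));\n",
        # the misspelled extension name Steve Bink describes, with layered obfuscation
        "modules/mod_systym/helper.php": f"<?php $s='{blob}';eval(gzinflate(base64_decode($s)));\n",
        "images/banner.png": "not php",
    }
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root

if __name__ == "__main__":
    strong, weak = triage(build_sample_webroot())
    for p, s in strong:
        print("LIKELY MALICIOUS", p, ",".join(s))
    for p, s in weak:
        print("review         ", p, ",".join(s))
```

Run it against the real document root and read the strong hits first; the weak list is where a base64_decode() inside a genuine library sits, and a diff against a clean copy of the same Joomla release is the fastest way to clear it. It complements, rather than replaces, the extensions query above: a bogus module can have a perfectly clean-looking loader file that pulls its code from elsewhere.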
 
LVL 1

Author Comment

by:nachtmsk
ID: 40308438
Thanks everyone. I really appreciate the comments.
I know an upgrade is necessary but it's not something I can do now, so I needed some band-aids.

Nacht
0
 
LVL 25

Accepted Solution

by:
lenamtl earned 500 total points
ID: 40312031
Most of the time hackers will edit the Joomla template file (index file) and add a PHP file in the template directory.
Remove the code from the template and delete the PHP file, which usually has a name made of random letters & numbers (the file name doesn't make sense), like this: xrtt756jaue.php

When I find this I check the date and time of these files and look for other files that have the same date and time to find out if other files were modified too.

You could check AWStats or other stats apps to find the IP address related to that date and time and block it using .htaccess.
Also you can block some countries' IPs (you can find a list of countries to block) till you update or change the site CMS.

It's not perfect but it can help you for now.

I personally stopped using Joomla because of too many security bugs and updates.
0
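The two steps in the accepted answer, pivot from the dropped file's timestamp to other files modified at the same time and then to the client IP in the web server log, are a small script when the raw Apache access log is available rather than only AWStats. This is an added example, not code from the answer; the web root (with modification times set explicitly) and the access-log lines are constructed, and the generated block uses Apache 2.2 `Deny from` syntax, which is an assumption about the host (Apache 2.4 uses `Require not ip` instead):

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache combined/common log line: client IP, timestamp, request line, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_apache_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def files_modified_near(root, reference, window_seconds=120):
    """Relative paths under root whose mtime lies within window_seconds of reference's mtime."""
    ref_mtime = os.stat(reference).st_mtime
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.samefile(full, reference):
                continue
            if abs(os.stat(full).st_mtime - ref_mtime) <= window_seconds:
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)

def requests_near(log_text, when, window_seconds=120, paths=()):
    """Map client IP -> requests made within the window, or that touched one of `paths` at any time."""
    ips = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = parse_apache_ts(m["ts"])
        in_window = abs((t - when).total_seconds()) <= window_seconds
        touched = m["path"].split("?")[0] in paths
        if in_window or touched:
            ips.setdefault(m["ip"], []).append(f"{m['method']} {m['path']} {m['status']}")
    return ips

def htaccess_deny(ips):
    """Apache 2.2 mod_authz_host block: allow everyone, then deny the listed addresses."""
    lines = ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"

def investigate(root, bad_file, log_text, window_seconds=120):
    when = datetime.fromtimestamp(os.stat(bad_file).st_mtime, tz=timezone.utc)
    bad_url = "/" + os.path.relpath(bad_file, root).replace(os.sep, "/")
    ips = requests_near(log_text, when, window_seconds, paths=(bad_url,))
    return {"siblings": files_modified_near(root, bad_file, window_seconds),
            "ips": ips, "htaccess": htaccess_deny(ips)}

def build_sample_incident():
    """Constructed fixture: fake web root with chosen mtimes, plus fake access-log lines."""
    root = tempfile.mkdtemp(prefix="incident-")
    drop = datetime(2014, 9, 6, 13, 20, 0, tzinfo=timezone.utc)
    mtimes = {
        "templates/beez/xrtt756jaue.php": drop,                      # the dropped file
        "templates/beez/index.php": drop + timedelta(seconds=3),     # template edited at the same time
        "configuration.php": drop - timedelta(days=400),             # untouched since install
        "images/logo.png": drop - timedelta(days=30),
    }
    for rel, when in mtimes.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
        os.utime(p, (when.timestamp(), when.timestamp()))
    log = "\n".join([
        '203.0.113.7 - - [06/Sep/2014:13:19:58 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/7.35"',
        '203.0.113.7 - - [06/Sep/2014:13:20:01 +0000] "GET /templates/beez/xrtt756jaue.php HTTP/1.1" 200 88 "-" "curl/7.35"',
        '198.51.100.20 - - [06/Sep/2014:11:02:10 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
        '192.0.2.44 - - [06/Sep/2014:17:45:09 +0000] "POST /templates/beez/xrtt756jaue.php HTTP/1.1" 200 12 "-" "python-requests/2.2"',
    ])
    return root, os.path.join(root, "templates/beez/xrtt756jaue.php"), log

if __name__ == "__main__":
    root, bad, log = build_sample_incident()
    r = investigate(root, bad, log)
    print("modified in the same window:", r["siblings"])
    for ip, reqs in r["ips"].items():
        print(ip, reqs)
    print(r["htaccess"])
```

The window catches the template edit; matching on the dropped file's URL catches clients that come back hours later to use it from other addresses, which is why blocking only the first IP tends to look like it worked for a day. Note that mtime can be reset by an attacker, so an empty sibling list is not proof that nothing else changed; the content scan and a diff against a clean Joomla copy still apply.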
 
LVL 1

Author Comment

by:nachtmsk
ID: 40312634
Thanks. Yeah, I would stop using Joomla too if I could. This site was inherited and I just keep it together as best I can.
0
 
LVL 25

Expert Comment

by:lenamtl
ID: 40312790
I understand, I was in a similar situation and it requires a lot of time to convert to something new if there is a lot of content.
0

Question has a verified solution.