My postfix/Joomla Ubuntu machine hacked

Posted on 2014-09-06
Last Modified: 2014-09-19
Hi,
I'm running an old version of Joomla (1.5) on Ubuntu. The machine has postfix running on it.
Joomla got hacked, I'm not sure how, but I see various .php files appearing in my web site home directory from time to time. I'm removing the files of course, but they keep coming back.
I know the 'right' way to do this, but I don't have time to take care of that now.

The hacker is using my machine to send out spam. I see in /var/spool there are lots of spam messages and I see a lot of smtp processes running. For now, I've stopped Postfix, though I actually need it to run to send out results of a form I have on my website.
So, I'm asking this:
If I remove all of the hacker-uploaded php files, but mail is still being sent out, how else can they be getting in to send the mail out?
I need a quick fix for this and some places to look for things. I can't upgrade Joomla right now and I can't move to another machine. Need to keep this one up as long as possible.

Thanks!
Nacht
postfix   4065  3977  0 13:21 ?        00:00:00 bounce -z -t unix -u -c
postfix   4066  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4067  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4068  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4069  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4070  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4073  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4080  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4082  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4083  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
Question by:nachtmsk
LVL 58

Expert Comment

by:Gary
ID: 40308143
Check all your Joomla files for inserted code (usually base64).
Change all your passwords.

Of course if you are not going to upgrade they will likely just break in again an hour later.
LVL 43

Expert Comment

by:Rob
ID: 40308156
And check your database for Cross Site Scripting / SQL Injection attacks (See section 5. The Code).  If you allow comments in your CMS, I'd be checking there first.
LVL 51

Expert Comment

by:Steve Bink
ID: 40308331
Seconding Gary's comment - you need to upgrade this installation.  No one ever has time to upgrade - you need to make that time, especially when you are two major versions behind current.  This will reoccur, guaranteed.

My experience is limited to J2.5 and J3, but I've generally seen file upload vulnerabilities, and intrusions on the admin panel through brute force, or maybe an information leak.  The usual method is the attacker uploads and installs a new module into Joomla, which acts as a remote server admin panel.  In many cases, this panel is equipped to do nasty things like gather information, send spam, etc.  

Start with going through /components, /modules, and /plugins.  You can also query the database to see all installed items:
SELECT name,type,element,enabled,protected FROM #__extensions;

Pay close attention to the names.  Many of the bogus installs I've seen use tricky naming conventions, like webllinks and systym.  If you don't know what an item is, take a quick look at some of the code.  IME, the panel code is always heavily obfuscated (e.g., minified, uses base64 encoding with calls to eval(), etc.), and they use short, generic variable names.  If you find any, delete them, and try to remove the extension from Joomla.  Where there is one, there are probably others.  Keep looking until you've covered everything.

There are also file upload vulnerabilities in older Joomla versions.  I have forgotten many of the details, but IIRC, some can overwrite existing files, like Joomla's core files.  If you've been hit with this, good luck.  Their code could be sitting anywhere inside the site's document root.  

Again ... can't stress this enough ... upgrade the installation.  Yup, it's a pain, but is it more pain than dealing with this over and over?  Recovering from this one (hopefully) intrusion will not solve the problem of how the intruder got in.  As long as you leave the door open, they will come right in and make themselves at home.
LVL 1

Author Comment

by:nachtmsk
ID: 40308438
Thanks everyone. I really appreciate the comments.
I know an upgrade is necessary but it's not something I can do now, so I needed some band-aids.

Nacht
LVL 26

Accepted Solution

by:lenamtl (earned 2000 total points)
ID: 40312031
Most of the time the hacker will edit the Joomla template file (index file) and add a php file in the template directory.
Remove the code from the template and delete the php file, which is usually named with random letters & numbers (the file name doesn't make sense), like this: xrtt756jaue.php

When I find this I check the date and time of these files and I look for other files that have the same date and time to find out if other files were modified too.

You could check AWStats or other stats apps to find the IP address related to that date and time and block it using htaccess.
Also you can block some countries' IPs (you can find a list of countries to block) till you update or change the site CMS.

It's not perfect but it can help you for now.

I personally stopped using Joomla because of too many security bugs and updates.
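The two triage steps discussed above (Steve's hunt for obfuscated extension code, lenamtl's pivot from one dropped file's timestamp to everything else touched in the same session, then to the client IP in the web logs) as an added shell example; this is not code from the thread. It assumes an Ubuntu host with GNU find/grep/stat/awk and an Apache-style access log; every path, file name and IP in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added triage helpers for a compromised Joomla document root (not from the
# thread). Assumes GNU find/grep/stat/awk as shipped on Ubuntu.

# Steve's check: PHP files carrying the usual obfuscation markers (eval fed by
# base64_decode/gzinflate/str_rot13). Review hits by hand: a few legitimate
# extensions also call base64_decode, so this is a shortlist, not a verdict.
find_obfuscated_php() {
    docroot="$1"
    find "$docroot" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
        {} + 2>/dev/null | sort
}

# lenamtl's pivot: given one known-bad file, list every file under docroot whose
# mtime lies within +/- window minutes (default 5) of it, so an edited template
# index.php dropped in the same session shows up next to the random-named shell.
files_modified_near() {
    docroot="$1"; pivot="$2"; window_s=$(( ${3:-5} * 60 ))
    ref=$(stat -c %Y "$pivot")
    find "$docroot" -type f -exec stat -c '%Y %n' {} + |
        awk -v ref="$ref" -v w="$window_s" \
            '$1 >= ref - w && $1 <= ref + w { print substr($0, index($0, " ") + 1) }' |
        sort
}

# Client IPs seen in an Apache access log during one minute, given as the log's
# own timestamp prefix (e.g. "06/Sep/2014:13:20"), most active first. These are
# the candidates for an .htaccess deny rule once you have looked at their requests.
ips_active_at() {
    logfile="$1"; minute="$2"
    grep -F "[$minute" "$logfile" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Stand-alone use (placeholder paths):
#   sh triage.sh /var/www/joomla /var/www/joomla/templates/x/xrtt756jaue.php
if [ -n "${2:-}" ]; then
    echo "== obfuscated PHP under $1 =="; find_obfuscated_php "$1"
    echo "== files modified within 5 min of $2 =="; files_modified_near "$1" "$2"
fi
```

Run `files_modified_near` against the whole document root rather than just the template directory, since the thread notes the dropped files can land anywhere below it.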
LVL 1

Author Comment

by:nachtmsk
ID: 40312634
Thanks. Yeah, I would stop using Joomla too if I could. This site was inherited and I just keep it together as best I can.
LVL 26

Expert Comment

by:lenamtl
ID: 40312790
I understand, I was in a similar situation and it requires a lot of time to convert to something new if there is a lot of content.