Automated Joomla hack in the wild

One of my coworkers runs a Joomla based site for his Milsim shop, and today he was faced with the following when opening his site:

Apparently it had been replaced with a defacement, like many others.

It seems to me that this is an automated attack exploiting vulnerable Joomla installs: it abuses a security issue that allows remote administrator password changes.

The issue was reported and fixed on the 12th of August 2008, when the new 1.5.6 release was made available. Joomla themselves have also been bitten by this, when a non-public development site was used to deface joomla.org itself.

So far it seems like all the attacker did was change the administrator password and replace the template index.php file. I recovered the admin password by putting a raw md5sum of a known string manually into the MySQL database Joomla uses.
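As an added example (not code from this post), here is the hash handling behind that recovery step, written for Joomla 1.5's password storage: the database column holds either a bare MD5 hex digest or the form md5(password + salt) followed by ":" and the salt, and the login check accepts both, so a raw md5sum written into the table works. The table prefix jos_, the username admin and the passwords are assumptions or constructed sample values, not details from the post.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Default table prefix of a Joomla 1.5 install (assumption; sites may use another prefix).
DEFAULT_PREFIX = "jos_"


def legacy_md5_hash(password: str) -> str:
    """Plain, unsalted MD5 hex digest: the 'raw md5sum of a known string' the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5_hash(password: str, salt: Optional[str] = None) -> str:
    """Joomla 1.5's native storage format: md5(password + salt) + ':' + salt."""
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex characters, the length Joomla 1.5 generated
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(password: str, stored: str) -> bool:
    """Mirror of the login check: with 'hash:salt' the salt is appended before hashing;
    a bare hash has an empty salt and is therefore compared as plain MD5."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return secrets.compare_digest(digest, candidate)


def reset_statement(username: str, new_password: str,
                    prefix: str = DEFAULT_PREFIX) -> Tuple[str, Tuple[str, str]]:
    """Parameterised UPDATE for the users table, ready for a DB-API cursor.
    The new value is stored in the salted form even though a bare MD5 would be accepted."""
    if not prefix.isidentifier():  # the prefix is interpolated into SQL, so keep it to an identifier
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    sql = f"UPDATE {prefix}users SET password = %s WHERE username = %s"
    return sql, (salted_md5_hash(new_password), username)


if __name__ == "__main__":
    # Constructed sample values: a reset for the 'admin' account of a default-prefix install.
    statement, params = reset_statement("admin", "n3w-pass")
    print(statement, params)
    print("login check after reset:", verify("n3w-pass", params[0]))
```

Run the returned statement through a parameterised cursor rather than pasting the hash into an ad-hoc query, and once the account is back, apply the 1.5.6 update the post mentions; resetting the password alone leaves the remote password-change issue in place.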

August 27, 2008 at 1:10pm | 2 Comments

2 Comments so far

  1. Tom Raef, on October 10, 2008 at 1:01pm, said:

    Don't feel too bad. Many other CMS, forum and blogging software has been hit too.

    Since June '08 thousands of sites have just discovered they've been hacked.

    Your coworker is lucky it was defaced and not hacked in other ways. A defacement is very obvious. Other hacks use the traffic from sites to either boost their PR or to do a silent redirect to attempt infection of all visitors.

    There are so many automated SQL Injection, XSS and other exploit tools that it's just a matter of finding one tool that works and let it loose on the Internet.

    BTW, defacing is considered lame in the world of hackers. The serious ones think that if you're going to hack into a website, you may as well get something in return.

    Just an FYI...


  2. Christian Mohn, on October 10, 2008 at 2:34pm, said:

    I'm well aware of this, Tom, and I agree that he was indeed lucky that nothing else was changed. The attackers could have done basically whatever they wanted. The way this attack was conducted, and the attack vector it used, it would have been noticed though. They changed the administrator password remotely, and you can't not notice that.

