Flexi Component entry removed

More
14 years 5 months ago #7043 by gnomeontherun
I have possibly survived a hacking attempt, assessing the situation. The only thing that alerted me to attempt was that the site was borked, but that was because the row for Flexi in the components table was removed. I didn't do it, but somehow it happened. It *appears* to be the only issue I've uncovered.

Any ideas? I see a lot of post requests to the admin (blind password attempts) and a few carefully molded uris related to Flexi, but all returned 404.

Please Log in or Create an account to join the conversation.

More
14 years 5 months ago #7048 by kenmcd
.
Quite odd. Worth investigating further.

The only way someone could delete that row in the database is to:
- have access to the database, or
- run the FLEXIcontent un-install script, or
- ??

What are the "molded URIs" you are seeing in the logs?


.

Please Log in or Create an account to join the conversation.

More
14 years 5 months ago #7071 by gnomeontherun
The strange urls I saw were trying to call the base password apache file like

index.php?option=com_flexicontent&controler=../../../../../#passfile

I know, its very bizzare. How does the db row get removed, but all files and the rest of the flexi tables not? So far, no luck figuring out what the issue was, not with my host either. Just very...odd.

Please Log in or Create an account to join the conversation.

More
14 years 5 months ago #7088 by kenmcd
.

Hmmmm. . . there is a hack going around which has not yet been fully explained.
At first it was thought to be only WordPress sites, then added Joomla sites, and now it appears it is not related to the specific application but the hosting service.

They gain access to the website and add some code to every file, and then delete their tracks.
Have you found any odd files or modified files?
The files have base64 encoded code so a search for "base64_decode" finds the code.
Some users have downloaded all their website files and run a search locally within those files.

Since it is actually a server hack, your example URL would seem to fit.
Appears they are actually trying to get access to the server.

This is being discussed in the Joomla security forum, and on the WordPress website, and on some security websites ( blog.sucuri.net/ ).
It may be related to a hosting configuration.
GoDaddy and a couple others have been particularly hard hit.

But this still does not explain the one row deleted from the database. :?

.

Please Log in or Create an account to join the conversation.

Moderators: vistamediajoomlacornerggppdk
Time to create page: 0.281 seconds
Save
Cookies user preferences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Essential
These cookies are needed to make the website work correctly. You can not disable them.
Display
Accept
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline