When people contact us about hacked website they often state that there website must have been hacked due to running an outdated version of a CMS (WordPress, Joomla, Drupal, etc.). In most cases this isn’t true; there are a number of other issues that lead to most hackings. Unfortunately there are a lot of people providing security advice – including web hosts and security companies – who don’t know what they are talking about that will tell people that website must have been hacked due to an outdated CMS without actually determining that, which likely leads to the people contacting us believing that. Because we actually determine how a website gets hacked we actually know when it is a vulnerability in an outdated version of a CMS that is at fault and it is worth mentioning.
Based on a website we just cleaned up we can see that a vulnerability that existed in Joomla 1.6, 1.7, and 2.5.0-2.5.2 is actively being exploited now. The vulnerability isn’t new; it was publicly disclosed on March 15, 2012. Exploitation of the vulnerability isn’t new either; we found that the website had also been exploited in July and August of last year. The vulnerability allows a hacker to register a new user with “Administrator” privileges and then they can use the access provided by that user for malicious purposes. The best way to protect your website against the vulnerability is to upgrade to the latest version of Joomla 2.5, as number of other security issues have been fixed in subsequent version. If you are unable to do that in a timely manner, disabling user registration should protect the website as that will block a hacker from being able to register a new user.
Determining How a Website Got Hacked
One of the first things we do when trying to determine how a website is hacked is to look over the files. Most hacks are contained in the files and the metadata and location of the files can provide important information. In some cases the ownership of the file will point to a possible source. In other cases the last modified date on the file can be used to narrow where we need to start looking in the log files for indication of the source. In some cases the hacker sets the last modified dates on files to match other files so that cannot be done. If a hacker is using a backdoor script that they placed on the website, which allows them remote access to the website, we can find that access in the logs. In this case the last modified dates had not been tampered with by the hacker and backdoor script had been accessed, so we had a good starting point.
First up we spotted the first access to the backdoor script in the log of requests to the website (we replaced some of the identifying information from the log entries shown):
78.47.55.70 – - [07/Jan/2014:03:53:31 -0700] “GET example.com/modules/mod_administrator/config.php HTTP/1.1″ 200 189 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 9 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/modules/mod_administrator/config.php” 11922
The entries right before that shed more light on the situation. They show that the same person had just logged in to the administrator area of Joomla and installed an extension. The extension they installed would have contained the backdoor script that they would access right afterwards.
78.47.55.70 – - [07/Jan/2014:03:53:22 -0700] “GET example.com/administrator/index.php HTTP/1.1″ 200 4362 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 0 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 1344521
78.47.55.70 – - [07/Jan/2014:03:53:23 -0700] “POST example.com/administrator/index.php HTTP/1.1″ 303 220 “http://example.com/administrator/” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 1 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 536578
78.47.55.70 – - [07/Jan/2014:03:53:24 -0700] “GET example.com/administrator/index.php HTTP/1.1″ 200 31537 “http://example.com/administrator/” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 2 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 1282790
78.47.55.70 – - [07/Jan/2014:03:53:26 -0700] “GET example.com/administrator/index.php HTTP/1.1″ 200 31537 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 3 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 231378
78.47.55.70 – - [07/Jan/2014:03:53:27 -0700] “GET example.com/administrator/index.php?option=com_installer HTTP/1.1″ 200 23546 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 4 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 743778
78.47.55.70 – - [07/Jan/2014:03:53:28 -0700] “POST example.com/administrator/index.php?option=com_installer&view_install HTTP/1.1″ 303 504 “mainaadmin/administrator/” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 5 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 1080171
78.47.55.70 – - [07/Jan/2014:03:53:29 -0700] “GET example.com/administrator/index.php?option=com_installer&view=install HTTP/1.1″ 200 23817 “mainaadmin/administrator/” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 6 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 199474
78.47.55.70 – - [07/Jan/2014:03:53:29 -0700] “POST example.com/administrator/index.php HTTP/1.1″ 200 23554 “http://example.com/administrator/index.php?option=com_installer” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 7 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 500162
78.47.55.70 – - [07/Jan/2014:03:53:30 -0700] “GET example.com/administrator/index.php?option=com_installer&view_install HTTP/1.1″ 200 23529 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 8 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/administrator/index.php” 172137
Those log entries contained the username of the user that had accessed the admin, mainaadmin. With that we could take a look at the details for that user in the database to get some idea of if the user is an account that was comprised or a malicious account. The email address, [email protected], was from a Russian website, so that made it likely that it was a malicious user as the website is a locally focused US website with a webmaster in the US. Also included in the data is the date the account was registered, which we could then use to see how the account was created in the log file.
The log files showed the user being created through the User Registration page:
94.244.157.180 – - [04/Jan/2014:07:43:34 -0700] “GET example.com/index.php?option=com_users&view=registration HTTP/1.1″ 200 9676 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 0 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 2302755
94.244.157.180 – - [04/Jan/2014:07:43:36 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 231 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 1 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 409104
94.244.157.180 – - [04/Jan/2014:07:43:37 -0700] “GET example.com/component/users/?view=registration HTTP/1.1″ 200 9611 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 2 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 279085
94.244.157.180 – - [04/Jan/2014:07:43:37 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 247 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 3 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 1082792
94.244.157.180 – - [04/Jan/2014:07:43:38 -0700] “GET example.com/component/users/?view=registration&layout=complete HTTP/1.1″ 200 5977 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 4 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 290820
94.244.157.180 – - [04/Jan/2014:07:43:39 -0700] “GET example.com/index.php?option=com_user&view=register HTTP/1.1″ 302 201 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 5 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 125098
94.244.157.180 – - [04/Jan/2014:07:43:39 -0700] “GET example.com/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP/1.1″ 200 14916 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 6 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 799530
94.244.157.180 – - [04/Jan/2014:07:43:40 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 7 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 586594
94.244.157.180 – - [04/Jan/2014:07:43:41 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 8 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 496821
94.244.157.180 – - [04/Jan/2014:07:43:44 -0700] “GET example.com/index.php?option=com_users&view=registration HTTP/1.1″ 200 9539 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 9 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 288962
94.244.157.180 – - [04/Jan/2014:07:43:44 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 231 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 10 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 306529
94.244.157.180 – - [04/Jan/2014:07:43:45 -0700] “GET example.com/component/users/?view=registration HTTP/1.1″ 200 9611 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 11 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 294107
94.244.157.180 – - [04/Jan/2014:07:43:45 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 231 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 12 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 305668
94.244.157.180 – - [04/Jan/2014:07:43:46 -0700] “GET example.com/component/users/?view=registration HTTP/1.1″ 200 9609 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 13 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 278854
94.244.157.180 – - [04/Jan/2014:07:43:46 -0700] “GET example.com/index.php?option=com_user&view=register HTTP/1.1″ 302 201 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 14 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 61939
94.244.157.180 – - [04/Jan/2014:07:43:47 -0700] “GET example.com/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP/1.1″ 200 14722 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 15 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 298259
94.244.157.180 – - [04/Jan/2014:07:43:47 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 16 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 497553
94.244.157.180 – - [04/Jan/2014:07:43:48 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 17 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 527134
94.244.157.180 – - [04/Jan/2014:07:43:50 -0700] “GET example.com/index.php?option=com_users&view=registration HTTP/1.1″ 200 9601 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 18 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 263082
94.244.157.180 – - [04/Jan/2014:07:43:51 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 231 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 19 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 313744
94.244.157.180 – - [04/Jan/2014:07:43:51 -0700] “GET example.com/component/users/?view=registration HTTP/1.1″ 200 9611 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 20 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 291806
94.244.157.180 – - [04/Jan/2014:07:43:52 -0700] “POST example.com/index.php?option=com_users&task=registration.register HTTP/1.1″ 303 231 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 21 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 335271
94.244.157.180 – - [04/Jan/2014:07:43:52 -0700] “GET example.com/component/users/?view=registration HTTP/1.1″ 200 9609 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 22 “redirect-handler” “/var/chroot/home/content/59/2190232/html/index.php” 279791
94.244.157.180 – - [04/Jan/2014:07:43:53 -0700] “GET example.com/index.php?option=com_user&view=register HTTP/1.1″ 302 201 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 23 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 78710
94.244.157.180 – - [04/Jan/2014:07:43:53 -0700] “GET example.com/index.php?option=com_content&view=article&id=26&Itemid=162 HTTP/1.1″ 200 14722 “-” “Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14″ 24 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 364741
94.244.157.180 – - [04/Jan/2014:07:43:54 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 25 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 475204
94.244.157.180 – - [04/Jan/2014:07:43:54 -0700] “POST example.com/index.php?option=com_user HTTP/1.1″ 200 7318 “http://example.com” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36″ 26 “x-httpd-php” “/var/chroot/home/content/59/2190232/html/index.php” 502942
Normally a user created that way would not be an “Administrator”, which this user was, so we checked to make sure that the registration settings had not been set to do that and there were not. The question then was how the user became an “Administrator”. A likely source would be a privilege escalation vulnerability that would allow a lower level user to change their account to have “Administrator” privileges. A quick check for Joomla privilege escalation brought the vulnerability we mentioned earlier. The Joomla version in use was a vulnerable version and the log of the user registration appears to match with what needs to be done to exploit the vulnerability, so we then had the likely source of the hack.