Site hacked after update applied

10 years 3 months ago
DeeEmm (Topic Author)

After applying the security patch my site was hacked.

I found x.php files within the images and root folders.

The vulnerability appears to originate within the images folder and is similar to the JCE exploit already documented; however, without any specific information on the JomSocial exploit I was not able to search for specifics.

Prior to updating I searched my site for infected files, and also performed a search for rootkits, all came back clean.

Unfortunately due to site traffic the access logs do not stretch back to time of hacking.

I have removed the offending files that I can easily locate but am concerned that there is still a backdoor present.

Please advise.

10 years 3 months ago
Chris (Visitor)

Hi there.

Hm, this is strange; the patch should fix all security holes within JomSocial. Are you completely sure that the leak is within our component?

10 years 3 months ago
DeeEmm (Topic Author)

Hi Chris,

Thanks for the prompt reply.

Without any further details on what your exploit is and how it is effected I have no way of knowing if this exploit is related or not, so at this stage it is an assumption on my part. The assumption is based on my previous checks showing clean at the time of the update and that my site and server security are up to date.

Of course it could just be a coincidence but as I have said, without any further information I am unable to determine the origin of the exploit.

Are you able to indicate any information relating to exploit signature? eg targeted files / directories?

I can understand if you do not want to publish such information in public, in which case are you able to check these yourself? My login details were provided in the original post.

TIA

10 years 3 months ago
DeeEmm (Topic Author)

Hi Chris, any update on this?

10 years 3 months ago
Chris (Visitor)

Our developers are already looking into the problem; I'll let you know as soon as I get a reply from them.

10 years 3 months ago
DeeEmm (Topic Author)

Thanks Chris,

Much appreciated.

10 years 3 months ago
Chris (Visitor)

Hi there.

Could you make sure that there are no files named indonesian.txt and x.php in your root folder? If they are there, then I suggest deleting them.

10 years 3 months ago
DeeEmm (Topic Author)

I have deleted x.php from the root and images folders, scanned for rootkits and updated the server software, but the site still keeps getting compromised.

I have also searched for files added within the timeframe of the timestamp of x.php and found additional exploit files in other folders, which I have also deleted.

Since then I have been compromised again, and this time discovered folders with various phishing scams in the root of the site.

Cleaned these out again and checked system again for rootkits and recent file system changes along with a grep check for files containing common exploit code.

Each time I have checked I have been pretty happy that the system is clean however I still keep getting compromised.

(I have since been compromised again.)

One point to note is that I am pretty sure that the subsequent hacks have been carried out by different parties, as in each case the calling card is different. To me this says that there is still an exploit in play on the site.

No issue with any of my sites prior to this exploit - now I have issues on three sites. Two of which most definitely have been compromised after your update was applied.

Really hoping for a more proactive solution or some more specific information.

Feel free to get your devs to email me direct to discuss further. Would really like to get this issue resolved before my host decides that they have had enough.

10 years 3 months ago
DeeEmm (Topic Author)

Screen shot from one of my sites - note dates of items in blue - this is when update was applied - items in red are when site was hacked - note two different files on two different dates - each file contains different calling card.

Site was hacked after update, on two occasions by two different parties.

I checked this site prior to the update and these files were not present.

As you will not disclose the nature of the exploit all I can say is that the exploits to my sites seem to follow the same pattern as a well known exploit for the JCE image plugin that allows a file upload to the images folder. The file contains an upload function that can then be accessed by the hacker to upload further exploits.

I do not have the JCE extension installed on any of my sites - in fact on the site that this screen shot was taken from I only have a fresh install of Joomla and JomSocial. This installation is only a few weeks old and is up to date.

All evidence seems to point at this being a JomSocial issue.

Please advise.

Attachments: [screenshot not reproduced here]

10 years 3 months ago

Hi there,
About your problem, would you mind trying to find out / work through these:
# Do back up your current website.
# Make sure all of the shell files / backdoors are deleted, because even if you have fixed your security hole, if a backdoor is still there then you will still be hacked :)
# You must find out which thing was exploited. If you have full access to your server then you can check your system log, or you can ask your sysadmin.
One way to do this is to track down the access log: who accessed the backdoor file -> IP -> trace all -> find out the root cause

Thank you,
Viet Vu
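One way to carry out the access-log tracing described above, as an added example that is not part of the original post: it parses constructed Apache combined-format lines (the IPs, paths and the `x.php` hits are made-up sample data), groups requests for a known backdoor file name by client IP, and lists what each of those IPs requested just before its first hit, which is where the upload that planted the file usually shows up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined format; IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:03:14:07 +0000] "POST /index.php?option=com_community&task=upload HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2014:03:14:09 +0000] "GET /images/x.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2014:09:20:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2014:22:01:44 +0000] "POST /images/x.php HTTP/1.1" 200 128 "-" "curl/7.35"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Parse combined-format lines into dicts with a parsed datetime; lines that
    do not match (truncated, garbage) are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records

def backdoor_hits(records, suspect_names=("x.php",)):
    """Group every request for a suspect file name (query string ignored) by client IP."""
    hits = defaultdict(list)
    for rec in records:
        fname = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if fname in suspect_names:
            hits[rec["ip"]].append(rec)
    return dict(hits)

def planting_candidates(records, hits, window_s=600):
    """For each IP that touched a backdoor, list the paths it requested in the
    window_s seconds before its first hit: the upload that planted the file
    usually sits there, which is the "root cause" step of the trace."""
    out = {}
    for ip, recs in hits.items():
        first = min(r["when"] for r in recs)
        out[ip] = [r["path"] for r in records
                   if r["ip"] == ip and 0 < (first - r["when"]).total_seconds() <= window_s]
    return out
```

On a real server, feed it the rotated logs as well as the live one, since the first hit is often older than the current file.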

10 years 3 months ago
DeeEmm (Topic Author)

Hi Viet.

Thanks for your reply.

Have already done as suggested, hence the reason for my post.

I managed to find some more info on the exploit. If you are interested you should read the following post which gives a full rundown. average-coder.blogspot.in/2014/01/exploi...on-in-jomsocial.html

After failing to find any specific files and after some research I have replaced all of the files in my site with those from a vanilla installation. It appears that the more discerning hackers will modify existing files to hide backdoor scripts / shells and make them harder to detect. I believe that this may be the case on my site. I am open to the possibility that on the site in question the hacker may have simply covered their tracks.

So far there has been no reappearance of any of the initial exploit files - although it has only been less than 24 hours.

For the information of others, here is a rundown of the exploit. What seems to happen is that the hacker sets an automated script to trawl the web looking for vulnerable sites; when the script finds a site that it can exploit, it uses the exploit to upload a small script hidden within an image file. Basically the exploit is possible due to the lack of sanitization checking on the avatar / image upload function. This is the same for the recent JomSocial exploit as it was for the previous JCE exploit. The uploaded script is a simple PHP uploader that allows the hacker to more easily upload files to your server. The successful exploit is logged on the hacker's machine, allowing the hacker to later visit your site. At this point the site has become compromised but nothing malicious has taken place.

Later on the hacker will visit your site and upload a shell script / backdoor to allow further easier access. The shell script will allow the hacker pretty much full access to your server as the www-data user. It also contains further tools for various activities including trying to hack the root account. What the hacker chooses to do will really depend on who they are and what their intentions are. If they are a script kiddy chances are they will want to leave their mark and deface your site by putting their own homepage or leaving a calling card (they are a vain lot). If they are a little more savvy they might want to hide their presence and if they intend to use your site for various scams / botnet attacks then chances are they will try to hide their presence completely. For the more organized hacker the last part may even be automated. I believe that the hacker that accessed my site was of the last type - simply because I found various phishing scams present. This indicates someone a bit more organised.

If you have been compromised I would advise not updating your site until you have found and removed any files left by the hacker. The easiest way to do this is to search for files added within the last x days. As soon as you update you will overwrite a lot of files, making this search a lot harder. Your search should also include a search for rootkits using something like rkhunter, and an analysis of your access and error logs. A search of recent server logins may also show if your SSH has been compromised. If you don't have access to your server you will need to get your host to do this, although shared hosting is usually run within a chroot jail that limits access in case of attack. Of course you do not want to leave your site unpatched, so disabling JomSocial whilst you investigate may be a good idea.

I think that most of the recent attacks are the result of script kiddies getting hold of the published exploit information, you can find this yourself if you search. I have seen exploits from at least four different sources across my sites. Only one of those exploits appeared to be from blackhat / criminal hackers.

Will keep you posted.

The following user(s) said Thank You: Richard
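An added example (not from the original post or from JomSocial) of the two checks described above: a search for recently changed files and a scan of the image upload directory for PHP hidden inside image files or stray scripts. The fixture tree it builds is constructed sample data, and the `x.php` it writes is a harmless placeholder, not the file from the thread.

```python
import tempfile
import time
from pathlib import Path

# Byte signatures a genuine image of each type must start with.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}
PHP_MARKERS = (b"<?php", b"<?=")

def inspect_file(path):
    """Return a list of findings for one file under an upload directory (empty = looks clean)."""
    findings = []
    ext = path.suffix.lower()
    data = path.read_bytes()
    if ext in (".php", ".phtml", ".php5"):
        findings.append("script-in-upload-dir")   # nothing executable belongs under images/
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("bad-magic")              # extension says image, the bytes do not
    if any(m in data for m in PHP_MARKERS):
        findings.append("php-tag-in-body")        # PHP code hidden inside an "image"
    return findings

def scan_uploads(root, changed_within_days=None):
    """Walk root and return {relative_path: findings} for files that look wrong.
    With changed_within_days set, only files whose inode change time (ctime, which
    unlike mtime cannot be reset with touch) falls inside the window are reported."""
    root = Path(root)
    cutoff = None if changed_within_days is None else time.time() - changed_within_days * 86400
    report = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if cutoff is not None and p.stat().st_ctime < cutoff:
            continue
        findings = inspect_file(p)
        if findings:
            report[p.relative_to(root).as_posix()] = findings
    return report

def build_fixture(base=None):
    """Constructed sample upload tree so the scanner runs offline: a clean JPEG, a JPEG
    with a PHP tag appended, a PNG that is really text, and a placeholder x.php."""
    d = Path(base or tempfile.mkdtemp()) / "images"
    (d / "avatars").mkdir(parents=True, exist_ok=True)
    (d / "avatars" / "ok.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (d / "avatars" / "polyglot.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* marker */ ?>")
    (d / "notimage.png").write_bytes(b"just some text, no PNG header")
    (d / "x.php").write_bytes(b"<?php /* constructed placeholder, not a real backdoor */ ?>")
    return d
```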
10 years 2 months ago
Paul (Visitor)

Hi DeeEmm,

Thanks for taking the time to reply with such a great explanation of how and what was happening. Quite often with this kind of situation we don't get a reply once the site is cleaned up. I am very happy that the hacks have stopped and as all people with web sites will understand occasionally it happens and it is unfortunate and time consuming to find it and clean it up.

You have also created a good article in the process, and I wonder if you would mind us using your detailed explanation to publish this, so other users can benefit from your experience. Please let me know if that's ok with you, and of course please keep us updated with how things go.

Moderators: Piotr Garasiński