
I am supposed to manage the content of a site and it got defaced.
The site is hosted on a Linux server running Apache. Apache version: 2.2.13
Linux version is Debian 4.0 (I think; I don't really have access to anything more than an FTP account and phpMyAdmin).
The index.php page was replaced with a blank page with the attacker's internet moniker.
I installed a Backtrack 5 virtual machine.
I ran Armitage on the site with a "Hail Mary" and it found no exploitable services.
I ran joomla scan and got the following output (I'm only pasting the vulnerable bits for the sake of being concise):

# 1 Info -> Generic: htaccess.txt has not been renamed. Versions Affected: Any Check: /htaccess.txt Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed. Vulnerable? Yes

# 2 Info -> Generic: Unprotected Administrator directory Versions Affected: Any Check: /administrator/ Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf Vulnerable? Yes


# 19 Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities Versions effected: Joomla! 1.5.12 Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296 Vulnerable? Yes

The conclusion that I drew from these 2 scans is that the attacker didn't compromise the system but only the web application.
I tried to reproduce the supposed TinyMCE attack but that got me nowhere.
I found the instructions here:
http://bl0g.yehg.net/2009/07/tinybrowser-tinymce-editor-plugin-1416.html

But they don't work for me; I get "Restricted Access" when I try to navigate to those supposedly vulnerable URLs, and no folders or files are created as described in the document.
So I am stuck.
How did they do it?
How can I stop them from doing it in the future?
I cannot update the Joomla version; this is a very old website and the theme stops working in newer versions of Joomla. I could modify it, but that will eat up a lot of my time, especially as I haven't worked much with Joomla since about 2008 (other than simple content management and a few tweaks here and there).
I'd like a simple solution to keep attackers from defacing my site without modifying too much.
Thank you.

Update 1: w3af says: The URL: **/index.php/component/k2/itemlist/search is vulnerable to cross-site request forgery.
Could they have defaced my site with xssf? Isn't that just for compromising the machines of people that visit a particular website?

schroeder

Para

1 Answer

I'd bet the TinyMCE addon is how they got in.

Here's how I'd clean it up without trashing the whole box:

  • Make a full database backup. Check the users table and delete any you don't recognise.
  • Back up all media files (uploaded directory) and check through them for any shells / PHP files.
  • Download version 1.5.14 and install it.
  • Restore the old database.
  • Download the newest version of the 1.5.x branch and upgrade your installation.
  • Install the latest versions of your plugins.

You might want to take a look at some of the Joomla Security documentation too.

Polynomial
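A defensive check for the "check through them for any shells / PHP files" step in the answer above, as an added example (not Polynomial's code and not part of Joomla): a small Python scanner for a Joomla upload tree that flags PHP-family extensions, double extensions, stray .htaccess files and image-named files that contain a PHP open tag. The helper names and the sample files are constructed for the demo.

```python
import os
import re
import tempfile

# Hypothetical helper (not from the answer): things that should never live
# under a Joomla media/upload directory.
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.I)  # <?php ... or <?= ...

def suspicious_reasons(path):
    """Return the reasons a file under an upload directory looks like a shell."""
    reasons = []
    name = os.path.basename(path).lower()
    exts = ["." + p for p in name.split(".")[1:]]
    if exts and exts[-1] in PHP_EXTS:
        reasons.append("php extension")
    if len(exts) > 1 and any(e in PHP_EXTS for e in exts[:-1]):
        reasons.append("double extension")        # e.g. pic.php.jpg
    if name == ".htaccess":
        reasons.append("htaccess in upload dir")  # review any handler changes
    with open(path, "rb") as fh:
        head = fh.read(65536)                     # first 64 KiB is enough
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")
    return reasons

def scan_uploads(root):
    """Walk root; return {relative_path: [reasons]} for every suspicious file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reasons = suspicious_reasons(full)
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits

def demo():
    """Build a constructed sample upload tree (not real site data) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "stories"))
    samples = {
        "images/stories/logo.jpg": b"\xff\xd8\xff\xe0JFIF constructed image",
        "images/stories/photo.jpg": b"GIF89a<?php echo 'constructed sample'; ?>",
        "images/stories/c99.php": b"<?php echo 'constructed sample'; ?>",
        "images/stories/pic.php.jpg": b"\xff\xd8\xff\xe0 harmless bytes",
        "images/.htaccess": b"# constructed sample",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return scan_uploads(root)
```

Run `scan_uploads("/path/to/joomla/images")` against the backed-up media tree and review every hit by hand before deleting anything.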