#41507 Image file replaced by hacker without any sign of intrusion

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.2.2
PHP version: 8.2
Admin Tools version: 7.6.2 (Pro)

Latest post by davidascher on Tuesday, 21 January 2025 06:26 CST

davidascher

Some hacker managed to replace an image file on the site with an "inappropriate" image file. I don't see any evidence of any other files getting overwritten and I don't see any evidence of the original file being accessed in any of the log files I have examined. I don't see any evidence that anybody used the credentials of any of the few users that the site has.

I have Admin Tools configured to either prevent or report any activity that might be suspicious or harmful and I don't see any report of any of that.

Do you have any ideas about how I might further investigate how this hack was accomplished? Until I find out how it was done and plug that hole, the site is vulnerable to further serious attacks.

I can provide you with credentials to allow you to access the site as a Super User if you would prefer to investigate yourself. Thanks.

System Task
system
The ticket information has been edited by david ascher (davidascher).

nicholas
Akeeba Staff
Manager

If, as you say, there is nothing in the web server's access log then the problem is with the FTP or SFTP access. Change the passwords on all FTP accounts, change the password of your hosting account (used for SFTP), and review all of the allowed login certificates (can also be used for SFTP access).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
Akeeba Staff
Manager

Hold on. Caffeine just kicked in.

So far I assumed that you were right in your assessment that a. you were hacked and b. there is no log trace. However, something doesn't add up. A real attacker with the ability to upload arbitrary files to your site (even just into images) would NOT be defacing your site. They would've uploaded a web shell script at the low end of skill level, or a custom script to thoroughly hack you if they are good. Defacing is something 15-year-olds do to boast to their friends that they're l33t h4x0rz or something. It's also what disgruntled ex-employees/-interns/-volunteers do, at least when their IQ would be room temperature or lower. But I digress.

The lowest hanging fruit is stolen / leaked / easily guessable credentials on user accounts with access to the media manager. Find 'em, round 'em up, force 'em to reset their password, and enforce MFA. I contributed the MFA code to Joomla, including the option to force specific groups to use MFA to continue using the site.

Another thing to check is whether legitimate access goes too far. For example, it's pretty easy to mess up JCE's media manager configuration, allowing everyone with access to an editor box on a public page (e.g. a Guest or Registered user accessing a contact page) to upload images anywhere, essentially allowing everyone and their dog to overwrite images. In your logs it looks like any other legitimate image upload. There's an option in JCE to limit each user to their own subdirectory which needs to be explicitly enabled in this use case.


davidascher

The attacker took advantage of a file they'd uploaded six months ago. At that time I had found one file that had been used as an attack route, but I had missed a second file, the one they used this time. For some reason their new attack appears to have been limited to replacing a single image file relating to Martin Luther King Day. I don't think it is a coincidence that they did this on Martin Luther King Day. I suspect that they limited their attack hoping to make it less likely that we'd find evidence of the attack. In any case, the file enabling the attack has been removed and a scan of the site for malicious code hasn't found any other suspicious files.

Sorry about freaking out.
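A triage scan of the kind this thread ends with, as an added example that is not part of the ticket or of Admin Tools: it walks an upload directory and flags files whose content does not match their image extension, files carrying a PHP open tag anywhere (image/script polyglots), and scripts or .htaccess-style files that should never sit under an images tree. The directory layout, file names and file contents in demo() are constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

MAGIC = {  # leading bytes of the image types a media manager normally allows
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".inc"}  # never belong in uploads
DOTFILES = {".htaccess", ".user.ini"}  # can re-enable script execution for a directory
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def classify(path: Path) -> list[str]:
    """Return the reasons one file looks suspicious (empty list means clean)."""
    reasons = []
    ext = path.suffix.lower()
    if ext in SCRIPT_EXT or path.name.lower() in DOTFILES:
        reasons.append("script or config file under upload directory")
    with path.open("rb") as fh:
        data = fh.read(8 * 1024 * 1024)  # inspect at most 8 MiB per file
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("content does not match %s signature" % ext)
    if PHP_TAG.search(data):
        reasons.append("contains PHP open tag")
    return reasons

def scan_dir(root) -> dict[str, list[str]]:
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    root = Path(root)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits

def demo() -> dict[str, list[str]]:
    """Scan a constructed sample tree: one clean image plus three disguised uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "images" / "mlk"
        d.mkdir(parents=True)
        (d / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # genuine header
        (d / "photo.jpg").write_bytes(b"<?php echo 'sample'; ?>")  # script renamed to .jpg
        (d / "loader.gif").write_bytes(b"GIF89a" + b"\x00" * 16 + b"<?php echo 1; ?>")  # polyglot
        (d / "helper.php").write_bytes(b"<?php echo 'sample';")  # stray script
        return scan_dir(tmp)
```

Call demo() to see the constructed sample scanned, or scan_dir() on a real images directory; a hit only means "look at this file", so review each one rather than deleting blindly.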
