#15663 – table _user hacked, administrator name changed to "admin"

Posted in ‘Akeeba Admin Tools for Joomla!’
Monday, 08 April 2013 05:19 CDT
amorim
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? YES
Have I searched the tickets before posting? YES
Have I read the documentation before posting (which pages?)? Couldn't find anything
Joomla! version: 2.5.9
PHP version: 5.2.17
MySQL version: 5.0.96-community-log - MySQL Community Edition (GPL)
Host: nativespace UK
Admin Tools version: 2.4.4

Description of my issue:
After being blocked by the firewall for failed logins, I checked the MySQL database and to my surprise both administrator names (ID 42 and the other one) had been changed to "admin" (I use another name).

It seems that despite this the hacker didn't log in (probably blocked by the password protection on the administrator folder). At least I couldn't find anything suspicious:
• No change in content
• I checked for links in the database (you know, to other sites selling Viagra and stuff) but nothing was added.
• I did a line-by-line comparison of the database with a backup and no line was added, no line was deleted, no new table, etc.
• I have GoogleWebmasterTools and it says the site is free from malware.
• I checked log file for email traffic and no email was sent from site.
• I asked my provider to check the logs for injections and was told that they could not find anything for the common types of MySQL injection which can cause an admin username change, such as:
base64_decode
preg_replace
gzinflate
viagra
str_rot13
charcodeat
0xdc8d

I have a backup that I can use to restore the site and be 100% sure that nothing has been added.

BUT the vulnerability that the guy used to get in will still be there, so I must find out first what went wrong.

Joomla is up to date. Besides Admin Tools I use only 3 extensions and none is listed as vulnerable by Joomla:
Xmap 2.0
Qlue 404 1.6.2
ITP GoogleSearch 2.1

Any insights?

Thanks
 
Monday, 08 April 2013 05:48 CDT
nicholas
I am a little reluctant to believe that a hacker had access to your site's database and all he did was change your username... and stop there! Did you by any chance use the administrator ID change feature? This would explain why you have two accounts, especially since the usernames look very much alike. However, this feature will not rename your username to admin.

Another possibility is that you, another administrator, or your host restored a backup of your site which had the administrator username set to admin.

I hope that helps!


Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native
🇬🇧English: excellent
🇫🇷French: basic
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 08 April 2013 07:33 CDT
amorim
Hi Nicholas,

I did use the ID change feature, that's why I have two accounts. The ID 42 remains on the database but I changed the name to something like xxxxccxcccxcxc that can't be guessed and downgraded it to "registered user". My new ID has a completely different name than "admin".

I am the only site admin, no one else has access. I don't have any registered user or manager.

I don't keep any backup files online so it's not possible that my provider restored anything on my site.

On top of this, I made this admin change already on my Mamp server. The site uploaded to the live server had no user named "admin", so even if there is some hidden backup/restore feature it would never be able to go back that far, I suppose.

This change wasn't made by me nor by my provider.

 
Monday, 08 April 2013 08:33 CDT
nicholas
The only reason I'm reluctant to believe that this is the work of a hacker is that a hacker would never stop at changing your username. When someone has access to your database it is rather trivial to create a new super administrator account with an inconspicuous username, email address and password only known to the hacker. Such user accounts are very hard to discover, unless you stumble upon them by accident. When I say that creating such an account is trivial I really mean it. I have a small script (about 50 lines long) which can create such an account and which I am using when I have to provide support to a site whose rightful owner can no longer log in.

I am more inclined to believe that what you describe is the work of another extension running on your site instead of a hacker. For good measure, I would strongly recommend having a security audit of your site. Nowadays, this is easier than it sounds. You can very easily perform a site audit using the myJoomla.com service. The first site audit you perform with them is free.

If the audits reports no suspicious files I would recommend examining all of your extensions and see which of them could have made this change. I can only tell you that my extensions cannot perform such a change. The closest thing to that is the administrator ID change. As you said, this is not the case.

I hope that this will allow you to find out what happened on your site.



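Nicholas's point about a quietly added super administrator is easy to verify from the database side. The following is an added example, not code from the ticket, from Akeeba or from Joomla!. It builds the three Joomla! 2.5 ACL tables (#__users, #__usergroups, #__user_usergroup_map) in an in-memory SQLite database with constructed rows, assuming the common jos_ prefix and the fixed Super Users group id 8, and lists every account that holds Super User rights either directly or through a group nested below Super Users. The query is plain enough to run unchanged against MySQL once the real prefix is substituted; the "Deploy" group and all users other than the renamed id 42 are invented for the demonstration.

```python
"""Audit a Joomla! 2.5-style users table for Super User accounts.

Added example (not from the ticket or from Akeeba). Builds the three
tables involved in Joomla! 2.5's ACL in an in-memory SQLite database with
constructed rows, then lists every account that is a member of the
Super Users group (id 8) or of any group nested beneath it.
"""
import sqlite3

SUPER_USERS_GROUP_ID = 8  # fixed id of the Super Users group in Joomla! 2.5


def build_sample_db(prefix="jos_"):
    """Create the minimal schema with constructed sample data.

    Group tree (nested-set lft/rgt values are constructed to be consistent):
      Public(1) > Registered(2) > Author(3) > Editor(4) > Publisher(5)
      Public(1) > Manager(6) > Administrator(7)
      Public(1) > Super Users(8) > Deploy(9)   # Deploy is a hypothetical custom group
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(f"""
        CREATE TABLE {prefix}users (
            id INTEGER PRIMARY KEY, name TEXT, username TEXT, email TEXT,
            block INTEGER, registerDate TEXT, lastvisitDate TEXT);
        CREATE TABLE {prefix}usergroups (
            id INTEGER PRIMARY KEY, parent_id INTEGER, lft INTEGER, rgt INTEGER, title TEXT);
        CREATE TABLE {prefix}user_usergroup_map (user_id INTEGER, group_id INTEGER);
    """)
    conn.executemany(f"INSERT INTO {prefix}usergroups VALUES (?,?,?,?,?)", [
        (1, 0, 1, 18, "Public"), (2, 1, 2, 9, "Registered"), (3, 2, 3, 8, "Author"),
        (4, 3, 4, 7, "Editor"), (5, 4, 5, 6, "Publisher"), (6, 1, 10, 13, "Manager"),
        (7, 6, 11, 12, "Administrator"), (8, 1, 14, 17, "Super Users"),
        (9, 8, 15, 16, "Deploy"),
    ])
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?,?,?,?,?,?,?)", [
        # the old id 42 account, renamed and demoted to Registered as in the ticket
        (42, "Old Admin", "xxxxccxcccxcxc", "owner@example.invalid", 0,
         "2012-01-10 09:00:00", "2013-04-01 08:12:00"),
        (850, "Site Owner", "siteowner", "owner@example.invalid", 0,
         "2012-01-10 09:05:00", "2013-04-08 07:00:00"),
        # constructed planted account: a Super User that has never logged in
        (851, "admin", "admin", "noreply@example.invalid", 0,
         "2013-04-06 23:41:00", "0000-00-00 00:00:00"),
        (852, "Build Bot", "build-bot", "ci@example.invalid", 0,
         "2013-03-01 12:00:00", "2013-04-07 03:00:00"),
        (853, "Editor", "editor", "editor@example.invalid", 0,
         "2012-06-01 12:00:00", "2013-04-05 10:00:00"),
    ])
    conn.executemany(f"INSERT INTO {prefix}user_usergroup_map VALUES (?,?)", [
        (42, 2), (850, 8), (851, 8), (852, 9), (853, 4),
    ])
    return conn


def find_super_users(conn, prefix="jos_"):
    """Return every user holding Super User rights, directly or via a nested group.

    Joomla! stores groups as a nested set: a group is a descendant of Super
    Users when its lft/rgt interval lies inside the Super Users interval.
    """
    rows = conn.execute(f"""
        SELECT u.id, u.username, u.email, u.block, u.registerDate, u.lastvisitDate,
               g.title AS via_group
        FROM {prefix}users u
        JOIN {prefix}user_usergroup_map m ON m.user_id = u.id
        JOIN {prefix}usergroups g        ON g.id = m.group_id
        JOIN {prefix}usergroups su       ON su.id = ?
        WHERE g.lft >= su.lft AND g.rgt <= su.rgt
        ORDER BY u.id
    """, (SUPER_USERS_GROUP_ID,)).fetchall()
    return [dict(r) for r in rows]


def unexpected_super_users(conn, known_usernames, prefix="jos_"):
    """Flag Super User accounts that the site owner does not recognise."""
    known = set(known_usernames)
    return [r for r in find_super_users(conn, prefix) if r["username"] not in known]


if __name__ == "__main__":
    db = build_sample_db()
    for r in unexpected_super_users(db, ["siteowner"]):
        print(f"UNEXPECTED super user id={r['id']} username={r['username']} "
              f"via={r['via_group']} lastvisit={r['lastvisitDate']}")
```

A lastvisitDate of 0000-00-00 on a Super User account, or a registerDate close to the firewall's blocked-login burst, is the kind of detail worth pulling into the allow-list comparison; the nested-set test matters because a custom group placed under Super Users inherits the privilege without ever showing group id 8 in the map table.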
Monday, 08 April 2013 09:03 CDT
amorim
Hi Nicholas,

Thanks for the information. I did have two security audits done on the site. Problem is, they flag only Joomla code as "suspicious" and never any of the extensions. I get results like:

Manage.myjoomla.com:
components/com_content/controllers/article.php
components/com_content/models/form.php
libraries/joomla/document/html/html.php
libraries/simplepie/simplepie.php
media/editors/codemirror/js/tokenizephp.js
plugins/system/highlight/highlight.php


JAMSS - Joomla! Anti-Malware Scan Script - v.1.0.3
libraries/phpmailer/phpmailer.php
libraries/joomla/user/user.php
libraries/fof/encrypt/aes.php
etc.
(This one even flags some of the Admintools code, but never code of the other extensions)

On the server side, I get 3 warnings:
PHP Display Errors Configuration Should Be Off
PHP Magic Quotes Should Be Off
Use Of PHP Disabled Functions Should Be Minimised

Could this be a problem?


It seems that my provider has a daily backup of the database. If they check the table _users will it have kept the date when the change was made? Having the date I could go further in my search.

"examining all of your extensions and see which of them could have made this change."
You mean the extension could have code to change the _user table – either intentionally or not? Or that they could be used by third parties to make this change? Is there a site to have this kind of code audited?



 
Monday, 08 April 2013 09:21 CDT
nicholas
Beware of automated scanners, for false positives are more than likely ;) The only way to be sure is to check each flagged file against a clean copy, preferably just-extracted from the official package of the software in question.

If they check the table _users will it have kept the date when the change was made?

No. Databases are not like files; they don't store the last modification date.

You mean the extension could have code to change the _user table – either intentionally or not?

Yes, exactly that. To the best of my knowledge there is no automated way to do that.



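Checking each flagged file against a just-extracted clean copy, as Nicholas suggests, is a tree diff by content hash. The following is an added example, not code from the ticket, from Akeeba or from Joomla!: two constructed directory trees stand in for the live site and the pristine package, and the functions hash every file with SHA-256 and report what is modified, added or missing. The file names echo the scanner output quoted in the ticket but their contents are invented; configuration.php and .htaccess are ignored because they legitimately differ from the package.

```python
"""Compare a live Joomla! tree against a freshly extracted clean copy.

Added example (not from the ticket, not Akeeba or Joomla! code). Two
constructed directory trees stand in for the live site and the pristine
package; the functions hash every file and report what differs, which is
the check that separates a scanner's false positive from a real change.
"""
import hashlib
import os
import tempfile

# Files that legitimately differ between a package and a deployed site.
IGNORE = {"configuration.php", ".htaccess"}


def hash_tree(root):
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root, live_root, ignore=IGNORE):
    """Return files that are modified, added or missing on the live site."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)

    def keep(path):
        return os.path.basename(path) not in ignore

    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p] and keep(p)),
        "added": sorted(p for p in live if p not in clean and keep(p)),
        "missing": sorted(p for p in clean if p not in live and keep(p)),
    }


def write_tree(root, files):
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# Constructed sample trees; names echo the scanner output in the ticket, contents are invented.
CLEAN_FILES = {
    "libraries/joomla/user/user.php": "<?php\n// core user class\n",
    "libraries/phpmailer/phpmailer.php": "<?php\n// core mailer\n",
    "plugins/system/highlight/highlight.php": "<?php\n// core highlight plugin\n",
}
LIVE_FILES = {
    "libraries/joomla/user/user.php": "<?php\n// core user class\n",                     # identical
    "libraries/phpmailer/phpmailer.php": "<?php\n// core mailer\n@eval($_POST['c']);\n",  # changed
    "images/stories/cache.php": "<?php\n// file that is not in the package\n",           # added
    "configuration.php": "<?php\nclass JConfig {}\n",                                     # ignored
}


def demo():
    """Build both trees in a temp directory and diff them."""
    base = tempfile.mkdtemp()
    clean = write_tree(os.path.join(base, "clean"), CLEAN_FILES)
    live = write_tree(os.path.join(base, "live"), LIVE_FILES)
    return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run against a real site, point clean_root at the extracted Joomla! package of the exact same version and live_root at a copy of the web root; a scanner hit on a file that appears in neither "modified" nor "added" is a false positive, while anything in "added" under images/, media/ or tmp/ deserves a look regardless of what the scanners said.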
Monday, 08 April 2013 10:01 CDT
amorim
Well, as I said, no extension was flagged, only Joomla code. By the way, I had Joomla reinstalled and JAMSS had the same files flagged again and no extension. I must assume that original Joomla code is safe, so will consider them as false positives.

If you mean it's the extensions, I assume that I can scan them for "_user"? The command to change the table must include the word "_user" – or is it encrypted? Or does it get the command from another site? But I would be able to find this "call-home" code, right?

 
Monday, 08 April 2013 10:39 CDT
nicholas
I would search all files (not just .php files) for the following:
#__users
In case you're wondering, #__ is always replaced by Joomla!'s database driver with the current database's prefix. If someone has written anything which modified the users' table that string should be there. You'll definitely get a few false (or, should I say, false in the requested context) positives like Joomla!'s core code, Admin Tools, even a plugin of ours called oneclickaction.php. Please note that just because you find this string it doesn't mean that the extension is at fault. You'll have to review its code to be sure.



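The search Nicholas describes, across every file and not only *.php, is shown below as an added example; it is not code from the ticket or from Akeeba. Besides the #__users string it also matches the table written with a literal prefix (for instance jos_users), which code that talks to MySQL directly rather than through Joomla!'s driver would use, and it flags the obfuscation helpers the hosting provider searched for (base64_decode, gzinflate, str_rot13, eval, and preg_replace with the /e modifier, which executes its replacement as PHP). The sample tree is constructed: the Qlue file mirrors the read-only join quoted later in the ticket, the other files are invented. A hit is a lead to review, not a verdict.

```python
"""Search a site tree for code that touches the users table or looks obfuscated.

Added example (not from the ticket, not Akeeba code). Walks every file,
not only *.php, and reports which of a small set of patterns each file
matches. A plain read of the users table is what many legitimate
extensions do; a write, or any obfuscation helper, is what to review.
"""
import os
import re
import tempfile

# (rule name, regex). Compiled case-insensitively; the users-write rule needs
# a literal SQL statement, so it also catches hard-coded prefixes such as jos_.
RULES = [(name, re.compile(pat, re.IGNORECASE | re.DOTALL)) for name, pat in [
    ("users-table", r"#__users\b|\b[a-z0-9]+_users\b"),
    ("users-write", r"\b(UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+`?(#__|[a-z0-9]+_)users\b"),
    ("eval", r"\beval\s*\("),
    ("base64_decode", r"\bbase64_decode\s*\("),
    ("inflate", r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    # preg_replace with the /e modifier executes the replacement string as PHP
    ("preg_replace_e", r"preg_replace\s*\(\s*(['\"])(?:(?!\1).)*/[a-z]*e\1"),
]]
# Rules that on their own only mean "reads the table".
READ_ONLY_RULES = {"users-table"}


def scan_file(path):
    """Return the sorted names of the rules that match the file's content."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return sorted(name for name, rx in RULES if rx.search(text))


def scan_tree(root):
    """Map every file with at least one hit to its rule names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def suspicious(findings):
    """Paths whose hits go beyond a plain read of the users table."""
    return sorted(p for p, hits in findings.items() if set(hits) - READ_ONLY_RULES)


# Constructed sample tree: the Qlue file mirrors the join quoted in the ticket, the rest is invented.
SAMPLE_FILES = {
    "components/com_qlue404/models/errors.php":
        "<?php\n$query->from('#__qlue404 AS a');\n"
        "$query->leftjoin('#__users AS u ON u.id = a.checked_out');\n",
    "templates/beez_20/index.php":
        "<?php defined('_JEXEC') or die;\necho $this->title;\n",
    "images/sampledata/cache.php":
        "<?php\n@eval(gzinflate(base64_decode($_POST['c'])));\n"
        "$db->setQuery(\"UPDATE jos_users SET username='admin' WHERE id IN (42,850)\");\n",
    "media/notes.txt":
        "preg_replace('/(.*)/e', 'handle($1)', $_GET['q']);\n",
}


def write_sample_tree(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed tree; returns (all findings, paths needing review)."""
    findings = scan_tree(write_sample_tree(tempfile.mkdtemp()))
    return findings, suspicious(findings)


if __name__ == "__main__":
    findings, bad = demo()
    for path, hits in sorted(findings.items()):
        flag = "CHECK " if path in bad else "read  "
        print(f"{flag}{path}: {', '.join(hits)}")
```

The users-table rule by itself will light up Joomla!'s core, Admin Tools and any extension that joins against #__users, exactly the false positives Nicholas warns about; what narrows the list is a write to the table, or an obfuscation helper, in a file that also sits outside the clean package.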
Tuesday, 09 April 2013 05:12 CDT
amorim
Hi Nicholas,

I could find this only twice:

#1 Extension Qlue (error pages)

    protected function getListQuery()
    {
        // Get instance of JDatabase (the original used the deprecated =& reference assignment)
        $db = JFactory::getDBO();

        // Get a clean query object
        $query = $db->getQuery(true);

        // Create the query: read-only join against the users table for the "checked out by" name
        $query->select('a.*, u.name AS editor');
        $query->from('#__qlue404 AS a');
        $query->leftjoin('#__users AS u ON u.id = a.checked_out');

        // Return our query object
        return $query;
    }


#2 Extension awologin (login with email instead of username) (not used on this site but I use this elsewhere)

    // Get a database object
    $db = JFactory::getDbo();
    $sql = $db->getQuery(true);

    // Look the account up by e-mail address instead of by username
    $sql->select('id, password');
    $sql->from('#__users');
    $sql->where('email=' . $db->Quote($credentials['username']));
    $db->setQuery($sql);
    $result = $db->loadObject();

    if ($result) {
        // Joomla! 2.5 stores passwords as "md5(password . salt):salt"
        $parts = explode(':', $result->password);
        $crypt = $parts[0];
        $salt = @$parts[1];
        $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

        // Note: a loose == comparison of the two hashes; === would be the stricter choice
        if ($crypt == $testcrypt) {
            $user = JUser::getInstance($result->id);
            $response->username = $user->username;
            $response->email = $user->email;
            $response->fullname = $user->name;
            $response->language = JFactory::getApplication()->isAdmin() ? $user->getParam('admin_language') : $user->getParam('language');
            $response->status = JAUTHENTICATE_STATUS_SUCCESS;
            $response->error_message = '';
        } else {
            $response->status = JAUTHENTICATE_STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_PASS');
        }
    } else {
        $response->status = JAUTHENTICATE_STATUS_FAILURE;
        $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
    }
} // end of the plugin's authentication method (its header was not included in the post)
} // end of the plugin class

I'm not a code expert but this seems clean to me. All other matches were either Joomla code (which I assume is clean) or your code (same here).

While I am still looking for the backdoor, I have to start planning the rebuild. I don't want to use the backup pre-hack, I will use a clean Joomla installation and add the content.

>>> My question, is it safe to import a few tables from the last (supposedly clean) MySQL database (categories, content, menus etc)? Could there be hidden code inside the database or is code only in the installation?

Thanks
 
Tuesday, 09 April 2013 05:17 CDT
nicholas
All of that is clean code. They are simply reading data from the database. None of these is responsible for the issue you're reporting. I would suggest doing a security audit as I told you in my first reply. This seems to be the only way to find out if there is malicious code hidden somewhere in your site. Please note that malicious code is rarely provided unencrypted. Usually it is obfuscated. Only a proper auditing tool, like myJoomla, will be able to detect it. Besides that, and what I have already told you as plausible sources of this issue, I honestly have no other ideas.



Tuesday, 09 April 2013 05:30 CDT
amorim
I understand the peculiarity of my situation and have resigned myself to a clean start. So again my last question before I go:

Is it safe to import a few tables containing the content of the site from the last (supposedly clean) MySQL database (categories, content, menus etc)? Could there be malicious hidden code inside the database or is code hidden only in the installation?

Thanks
 
Tuesday, 09 April 2013 08:08 CDT
nicholas
I have not seen a hack which only affects the database. What I've seen always alters the files on the site. That said, it's conceivable that a database-only hack is possible, but not likely.



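The question of whether exported content rows can carry anything harmful is narrower than "is the site hacked": what an attacker can put into #__content or a Custom HTML module is HTML and script, not PHP, so before importing those tables it is worth grepping the editor-supplied columns for script tags, hidden iframes and javascript: URLs. The following is an added example, not code from the ticket or from Akeeba; a constructed SQLite database with the relevant columns of #__content and #__modules stands in for MySQL (jos_ prefix assumed), and every row other than the clean ones is invented to trigger a rule.

```python
"""Look for injected HTML/JS inside Joomla! content and module rows.

Added example (not from the ticket, not Akeeba code). It does not detect a
compromise by itself; it answers whether the rows about to be imported
carry script tags, hidden iframes or javascript: URLs. A constructed
SQLite database stands in for MySQL; the query shape is unchanged.
"""
import re
import sqlite3

# Columns of the two tables that hold editor-supplied HTML.
HTML_COLUMNS = {
    "content": ["introtext", "fulltext"],
    "modules": ["content"],
}

PATTERNS = [(name, re.compile(pat, re.IGNORECASE | re.DOTALL)) for name, pat in [
    ("script-tag", r"<script\b"),
    ("iframe-tag", r"<iframe\b"),
    ("hidden-element", r"style\s*=\s*['\"][^'\"]*(display\s*:\s*none|visibility\s*:\s*hidden)"),
    ("js-url", r"(href|src)\s*=\s*['\"]?\s*javascript:"),
    ("js-decoder", r"\b(eval|unescape|fromCharCode|atob)\s*\("),
    ("event-handler", r"\son[a-z]+\s*=\s*['\"]"),
]]


def build_sample_db(prefix="jos_"):
    """Constructed rows: ids 1 and 10 are clean, the rest are planted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}content (id INTEGER PRIMARY KEY, title TEXT,
                                      introtext TEXT, "fulltext" TEXT);
        CREATE TABLE {prefix}modules (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
    """)
    conn.executemany(f"INSERT INTO {prefix}content VALUES (?,?,?,?)", [
        (1, "About us", "<p>We build sites.</p>", "<p>Since 2009.</p>"),
        (2, "News", "<p>Spring update.</p>",
         "<p>Read on.</p><iframe style=\"display:none;width:1px\" "
         "src=\"http://example.invalid/x\"></iframe>"),
        (3, "Contact", "<p>Mail us.</p>",
         "<a href='javascript:void(0)' onclick='go()'>here</a>"),
    ])
    conn.executemany(f"INSERT INTO {prefix}modules VALUES (?,?,?)", [
        (10, "Footer", "<p>&copy; Example</p>"),
        (11, "Custom HTML", "<div><script>eval(unescape('%61%6c'))</script></div>"),
    ])
    return conn


def scan_html_columns(conn, prefix="jos_"):
    """Return (table, row id, column, rule) for every pattern that matches."""
    hits = []
    for table, cols in HTML_COLUMNS.items():
        col_list = ", ".join(f'"{c}"' for c in cols)  # "fulltext" needs quoting on MySQL too
        rows = conn.execute(f"SELECT id, {col_list} FROM {prefix}{table} ORDER BY id").fetchall()
        for row in rows:
            for col, value in zip(cols, row[1:]):
                for name, rx in PATTERNS:
                    if value and rx.search(value):
                        hits.append((table, row[0], col, name))
    return hits


def flagged_rows(hits):
    """Collapse hits to the (table, id) pairs that need a human look."""
    return sorted({(table, row_id) for table, row_id, _col, _rule in hits})


if __name__ == "__main__":
    db = build_sample_db()
    for table, row_id, col, rule in scan_html_columns(db):
        print(f"{table}#{row_id}.{col}: {rule}")
```

Rows that come back clean are safe to carry over as data; rows that match should be opened in the editor and inspected rather than deleted blind, since a legitimate embed (a video iframe, a mailto link) will also trip these rules. Template parameters and extension params columns are not covered here and should be re-created on the fresh installation rather than imported.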
Tuesday, 09 April 2013 08:33 CDT
amorim
Thank you.
 