CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Seem to have gotten hacked via Civi OpenFlashChart!!  (Read 973 times)

chaseweb

  • CiviCRM version: 4.3.1
  • CMS version: Joomla 2.5.11
  • MySQL version: 5.1.65-cll
  • PHP version: 5.3.17
Seem to have gotten hacked via Civi OpenFlashChart!!
April 29, 2013, 08:37:32 am
Hi,

I am posting to see if anyone knows or has any info about this? My admin backend site was not accessible this morning, and after getting my site audited, reviewed, etc., these were the findings (see below):

Is there anything I should do to prevent this in the future - I was running the latest Civi for Joomla when this happened.

QUOTE from Auditor/Security Expert:
(I'm just running a mop-up audit on the site, but here are my main findings:)

I have now completed the automated and manual parts of the audit of your site with the following results. I have audited the complete folders and files in your webspace; however, we have only checked the version of the Joomla install that powers the domain. It is clear your site was hacked; I have reverted/deleted the files that were found still to be hacked.

You were hacked through com_civicrm OpenFlashChart which has allowed hackers to upload files to
/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/

and then to use those files to spread more into your website

I have removed the whole OpenFlashChart folder to give you time to upgrade com_civicrm to patch this. I assume the latest version of CiviCRM fixes this, although I cannot see definitive changes in the change log for this.
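
Added example (not part of the original posts, the auditor's report or CiviCRM's code): a triage pass a site owner could run over an image-upload directory such as the `tmp-upload-images` folder the auditor names, flagging every file that is not a genuine image. The allowed extensions, the 1 MiB read limit and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}  # assumed contents of an image-only folder
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")  # PNG, JPEG, GIF
OVERRIDE_NAMES = {"php.ini", ".user.ini", ".htaccess"}  # per-directory server/PHP settings
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # does not match bare "<?" short tags

def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that do not belong."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # first 1 MiB is enough for a triage pass
            if name.lower() in OVERRIDE_NAMES:
                findings.append((rel, "config-override"))
            elif PHP_TAG.search(data):  # script code, whatever the extension claims
                findings.append((rel, "php-code"))
            elif ext not in IMAGE_EXTS:
                findings.append((rel, "unexpected-type"))
            elif not data.startswith(IMAGE_MAGIC):
                findings.append((rel, "bad-image-header"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: harmless stand-ins, not files from the incident."""
    samples = {
        "chart.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "images/notes.txt": b"<?php /* placeholder */ ?>",
        "photo.jpg": b"<?php /* placeholder */ ?>",
        "fake.gif": b"not really a gif",
        "php.ini": b"; placeholder\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_upload_dir(tmp):
            print(f"{reason:18} {rel}")
```

A clean result only means nothing matched these checks. Files elsewhere in the web root need the same review, and the upload directory should also be configured so the server never executes scripts from it.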

Donald Lobo

  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Seem to have gotten hacked via Civi OpenFlashChart!!
April 29, 2013, 08:49:53 am

check:

http://civicrm.org/blogs/totten/advisory-openflashchart-attacks

lobo

chaseweb

Re: Seem to have gotten hacked via Civi OpenFlashChart!!
April 29, 2013, 09:02:13 am
Thanks Lobo....


This forum was archived on 2017-11-26.