Latest Joomla vulnerabilities and security issues

5 years 11 months ago #120292 by johnniek2
Hello everybody,
since the recent user agent vulnerability announcement:
joomla news
I have updated mostly all my Joomla! installations to 3.4.6.
I am using RS firewall latest build as well, but still, after a while I have started getting alerts
(I have put to trigger at medium high and critical) like these:
Website: http://www.domain/
Page: http://www.domain/
Referer: No referer
Description: Dangerous user agent detected.
Alert level: medium
Date of event: 2015-12-17 13:00:18
IP address: 62.109.19.34
User ID: 0
Username:
This email was sent because the RSFirewall! component is monitoring your Joomla! website. Notifications can be changed in the Firewall Configuration area, under the Logging Utility tab.

or like these mostly if not user agent:
Website: http://www.domain/
Page: http://www.domain/
Referer: No referer
Description: Session injection attempted and blocked.
Alert level: medium
Date of event: 2015-12-17 19:40:56
IP address: 208.43.103.162
User ID: 0
Username:
This email was sent because the RSFirewall! component is monitoring your Joomla! website. Notifications can be changed in the Firewall Configuration area, under the Logging Utility tab.

I have asked RS Firewall support if I just have to ignore them, or set alerts to high and critical?
because I have tested the site and set all security settings to match a 100% score of RS Firewall protection.
tmp folder outside basedirective etc etc. everything recommended...

all components are up to date, so I was wondering why those attacks are being continued? it doesn't seem they will stop?

Support told me:

If the notifications are sent by the component, then the attempt was already blocked, you should not have to do anything. Since you are repeatedly being attacked it would be best to perform a security audit of your site (through a 3rd company that offers such services) in order to detect and correct your site vulnerabilities, this way you will be better protected against attacks against your site.


so I should hire someone for all my sites??? Just to mention that I use 3 different hosting providers with over a dozen websites, and mostly all that are being affected have the latest updates of Joomla and security components?

Can you give me some recommendations? what to do, how to stop these attacks? it looks like the site is protected, but why do they keep coming?

5 years 11 months ago - 5 years 11 months ago #120298 by Valentin
Hi Johnnie,

Agree with the RS Firewall support. Try myjoomla.com/ or other audit provider to check your site.

Kind regards,
Valentín

Follow us on Twitter - twitter.com/OSTraining
Like us on Facebook - facebook.com/ostraining

5 years 11 months ago #120302 by johnniek2
will give it a try thx

5 years 11 months ago #120304 by Valentin
You're welcome, Johnnie!

Kind regards,
Valentín

5 years 11 months ago #120306 by johnniek2
Huuh just tried the trial, and they want me to do the opposite what RS firewall setting requires you to do :-)
little bit contradictory?
I have tried sucuri and it gives me this alert:
malware
still nobody can locate that malware? not the hosting not RS firewall not myjoomla...

do you have any idea?

5 years 11 months ago #120308 by johnniek2
I think I found the problem but still need some help:

I have noticed in search engines that this URL is being indexed:
http://www.angelina.hr/yacht-charter.htm
which was created during transition of the website to another hosting probably.
it gives this error:
Fatal error: Uncaught exception 'RuntimeException' with message 'Unable to load renderer class' in /home/lanex01/public_html/libraries/joomla/document/document.php:1018 Stack trace: #0 /home/lanex01/public_html/templates/rt_alerion/features/dropdownmenu.php(44): JDocument->loadRenderer('module') #1 /home/lanex01/public_html/libraries/gantry/core/renderers/gantrymodulesrenderer.class.php(65): GantryFeatureDropdownMenu->render('header-b') #2 /home/lanex01/public_html/libraries/gantry/core/gantry.class.php(867): GantryModulesRenderer::display('header', 'standard', 'standard', '12', NULL) #3 /home/lanex01/public_html/templates/rt_alerion/error.php(44): Gantry->displayModules('header', 'standard', 'standard') #4 /home/lanex01/public_html/libraries/joomla/document/error/error.php(142): require_once('/home/lanex01/p...') #5 /home/lanex01/public_html/libraries/joomla/document/error/error.php(113): JDocumentError->_loadTemplate('/home/lanex01/p...', 'error.php') #6 /home/lanex01/public_html/libraries/legacy/error/error.php(798): J in /home/lanex01/public_html/libraries/joomla/document/document.php on line 1018
and I want to get rid of this page (it triggers security alerts as well), the correct page is .html
so the correct one would be: http://www.angelina.hr/yacht-charter.html
I don't want to redirect, I only want to delete that URL from Joomla or the database?
is that possible?

5 years 11 months ago #120309 by Valentin
The audit pretend to find any suspicious activity in your site. What about Watchful.li ?

When I use that link I get:

Access denied. Contact support@sucuri.net if you think it was a mistake.

Do you get a different result?

Kind regards,
Valentín

5 years 11 months ago #120310 by johnniek2
this is what I get, what about my second post about URL removal? I think that's the problem?

This message has an attachment image.

5 years 11 months ago #120311 by Valentin
Via FTP look for the file 404javascript.js and delete it.

Kind regards,
Valentín

5 years 11 months ago #120313 by johnniek2
as said, there is no such file, both me and the hosting searched :-)

what about URL removal?
I found when I disabled SEO friendly urls the malware alert was gone?
see image...

when I turned back it came back

This message has an attachment image.

5 years 11 months ago #120322 by Valentin
Interesting. That tells me the issue can be inside the .htaccess file, since SEF URLs require it.

Open your .htaccess with a code editor and look for any suspicious code.
Also check tmp/ folder and delete any suspicious file.

Kind regards,
Valentín
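
A first pass over .htaccess along the lines suggested above can be scripted. This is an added example, not part of the original posts or of any Joomla tooling; the rule list and the sample file are constructed assumptions, and a match is a line to review by hand, not proof of compromise.

```python
import re

# Heuristic rules (assumptions of this example, not an official list).
RULES = [
    ("php-auto-include",
     re.compile(r"^php_(?:value|flag)\s+auto_(?:prepend|append)_file\b", re.I)),
    ("referer-or-agent-condition",
     re.compile(r"^RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", re.I)),
    ("external-rewrite",
     re.compile(r"^RewriteRule\s+\S+\s+https?://", re.I)),
    ("external-errordocument",
     re.compile(r"^ErrorDocument\s+\d{3}\s+https?://", re.I)),
]
# A PHP handler mapped onto extensions other than .php
HANDLER = re.compile(r"^(?:AddHandler|AddType)\s+\S*php\S*\s+(.+)$", re.I)

def scan_htaccess(text):
    """Return (line number, rule name, line) for every directive to review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not directives
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line))
        handler = HANDLER.match(line)
        if handler and any(e.lstrip(".").lower() != "php"
                           for e in handler.group(1).split()):
            findings.append((lineno, "php-handler-on-non-php", line))
    return findings

# Constructed sample: a plain SEF rewrite block followed by four planted lines.
SAMPLE = """\
# constructed sample, not taken from the thread
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
AddHandler application/x-httpd-php .jpg
php_value auto_prepend_file /tmp/hidden.inc
"""

if __name__ == "__main__":
    for lineno, name, line in scan_htaccess(SAMPLE):
        print(f"{lineno}: [{name}] {line}")
```

A legitimate canonical redirect to an absolute URL also trips the external-rewrite rule, so compare each hit against what the site owner knowingly configured.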

5 years 11 months ago #120325 by johnniek2
it is completely free of suspicious code I have even uploaded another one and renamed...
tmp is empty as well

5 years 11 months ago #120326 by Valentin
Upload an empty file named 404javascript.js
Clear Joomla and browser cache

Kind regards,
Valentín

5 years 11 months ago #120328 by johnniek2
after that it states:
No Malware Detected by External Scan
it didn't prompt me to overwrite the file?
what you think happened?

the htm url is still there now it states:
"Error displaying the error page: Unable to load renderer class: View not found [name, type, prefix]: itemlist, htm, k2View"
before that error message I have cleaned all urls from the redirect component and disabled the redirect plugin?

5 years 11 months ago - 5 years 11 months ago #120329 by Valentin

> after that it states:
> No Malware Detected by External Scan
> it didn't prompt me to overwrite the file?
> what you think happened?

That was the idea. Something odd is happening here, a security audit hopefully will clarify what's really going on about the malware detection.

> the htm url is still there now it states:
> "Error displaying the error page: Unable to load renderer class: View not found [name, type, prefix]: itemlist, htm, k2View"
> before that error message I have cleaned all urls from the redirect component and disabled the redirect plugin?

It seems to be a different issue. Could you explain step by step how to reach this issue?

Kind regards,
Valentín

5 years 11 months ago #120333 by johnniek2
well the first I don't know what to say...

the second I thought is related... I saw my site indexed an:
Fatal error: Uncaught exception 'RuntimeException' with ...
www.angelina.hr/yacht-charter.htm
Fatal error: Uncaught exception 'RuntimeException' with message 'Unable to load renderer class' in ...

when I checked the link it is htm instead of html
so when you type it in the address button you will get that link?

5 years 11 months ago - 5 years 11 months ago #120368 by Valentin
Hi Johnnie,

When I visit your site, and click on "Yacht Charter" in the menu, the link goes to www.angelina.hr/yacht-charter.html (with .html) - no problem here, however it's true that typing the link with .htm displays the error you pointed out before.

The error details point to Gantry. Apply any missing update if required.

Note: if I switch to Protostar with the .htm link ( www.angelina.hr/yacht-charter.htm?template=protostar ) the error is gone and it displays a regular 404 page. That confirms the issue really comes from Gantry and your template.

Kind regards,
Valentín

5 years 11 months ago #120410 by johnniek2
that's what I thought from the beginning, but they convinced me it's hacked and joomla core files :-)
THX

5 years 11 months ago #120419 by Valentin
I see. When the core is hacked, completely reinstalling the Joomla core through Extensions > Manage > Upload package may help to reset the files. However, if new files were added, it would require a deeper security check.

Let us know if you need something else

Kind regards,
Valentín
