Elgg 1.8 infected with Black Hole exploit

All the .php and .js files were injected with the exploit code. My hosting says that this is because of the Elgg version (1.8.10). I've restored a backup, but I need help with preventing this problem.

Thanks. 

  • Hi,

    You should always use the latest version of Elgg 1.8; this will prevent any security issues. The latest is 1.8.15.

    Rodolfo Hernandez

    Arvixe Elgg Community Liaison

  • One issue I notice here is that where the latest updates include fixes for security, these are often explicitly stated in the release notes for the new release. This means that hackers only need to locate the fixes that went into Elgg for these issues, then hunt Elgg installations that have versions prior to the version that includes the fix, and they then know how to hack that site - just from exploring the fixes!

    Not so smart decision-making there! lol

  • It is unlikely that the site is infected remotely by a hacker; at least I cannot find any reference on how to do this, unless you give write access to your PHP and JS files. Is it possible that someone installed the Black Hole kit on your server, maybe you, with an infected system? Do you run Windows or Linux?

  • The attack seems to be done through FTP and with the FTP domain user. I don't know how the hacker obtained the credentials, or whether there is a security problem in Elgg, hosting, my PC (Windows)... I'm lost and worried because the problem happens again.

  • Start by shutting down FTP, or limit it using your firewall to your IP range only. It is not needed for Elgg.

  • If they got access via FTP, this has nothing to do with Elgg as such. If they can access your server directly, there's no way Elgg or any other installed software could prevent them from changing files. So, there's no point here in saying there's a security hole in Elgg.

    You should re-install everything from scratch. If they even got root access, you should ask your hoster to set up a whole new system for you, as you never know if they might have installed a backdoor to still have access even after you changed the FTP user password.

    They might have simply guessed your password or might have gained access via a brute force attack on your server. The only advice is to use a long password with many special characters and numbers that is not based on any dictionary words. It can also help to increase the waiting time between failed login attempts to slow down a brute force attack as much as possible.

    @ura: do you really think anyone who wants to do something bad would be depending on security fixes being listed in the changelog? If they want to find any fixed security holes to use, they simply need to do a diff on the code after a new version has been released. They need to do that anyway, even when the changelog mentions that some security fixes are included, to analyse the code. Including the info about security fixes is a good service. It tells the users of Elgg: hey, an update is really necessary!
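The file-tampering scenario the thread keeps returning to (every .php and .js file changed through a stolen FTP login, and the question of whether a restored backup is still clean) can be caught early with a baseline-and-verify integrity check. This is an added example, not code from the thread or from Elgg; the web root path, the watched extensions and the sample files are constructed assumptions so it runs stand-alone.

```python
"""Baseline-and-verify integrity check for a web root (added example, not
Elgg's code; root path, extensions and sample files are constructed)."""
import hashlib
import os
import tempfile

WATCHED_EXT = (".php", ".js")  # the file types the thread reports as injected

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_EXT):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline

def verify(root, baseline):
    """Compare the live tree with a saved baseline; return sorted lists of
    modified, added and removed relative paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: snapshot a clean tree, then simulate edits made
    over FTP (index.php appended to, a new .js file dropped) and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "js"))
    _write(os.path.join(root, "index.php"), "<?php echo 'clean';\n")
    _write(os.path.join(root, "js", "app.js"), "var a = 1;\n")
    baseline = build_baseline(root)
    _write(os.path.join(root, "index.php"), "// tampered\n", mode="a")
    _write(os.path.join(root, "js", "extra.js"), "var b = 2;\n")
    return verify(root, baseline)
```

In practice the baseline is taken right after a clean install or upgrade and stored off the web server, and the verify step is run from cron; any non-empty result is the signal to stop and re-check FTP access before restoring again.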

  • All that is needed is to say 'security release - recommended upgrade', rather than explicitly listing the types of exploits discovered and who fixed them, which provides an easy way to locate the changes in GitHub.

  • @Javier Also, do you have another CMS installed on your server?

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • Thanks to all, I'm going to work with your suggestions.

    @rjcalifornia I have Joomla 2.5.9.

  • So the attack vector here is still unknown, but chances are it's not an Elgg-specific vulnerability. If you or your server admins do find the attack vector and it does turn out to be Elgg, please notify the core team at security@elgg.org

    In the meantime, no need to create a panic, and nothing to panic about.

    RJ's suggestion to upgrade is still highly recommended though. I'm not a Joomla user, so I don't know what version they're on offhand, but the same thing applies there - security issues are being fixed all the time, so if that is out of date you may want to upgrade to the latest stable release.