Jamit Software Forum

Jamit Job Board Customers => Security => Topic started by: Banenpak on August 11, 2010, 03:15:44 pm



Title: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 11, 2010, 03:15:44 pm
Hello Everyone,

I need your help. :-[

My Job Board website is hacked and redirects ( sometimes, not always ) to a Russian search engine: http://ya.ru/
The hacker from Russia ( Kiev ) logged in through the Employers account. After that the site was taken over.

( On Google they say that it's a JavaScript redirect?? )

Does someone have the same experience?
Does it mean that there is a leak in our software?
What can we do about this? How can I fix this?

I hope to hear from you.

Thanks!

Greetings,
John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: fujipadam on August 11, 2010, 05:54:22 pm
That's not good - I am not sure how this happened, but have a look at your index.php file - usually JavaScript redirects are based on JavaScript code in the index file. If you remove that, the redirect will be removed. But that doesn't prevent it from happening again.

Also check with your hosting provider to see if the server was hacked instead of the script. What version of jamit are you using?

Anyone else know where the security hole is?

Best of luck to you!

Fuji


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 12, 2010, 06:30:39 am
Hi Fujipadam,

Thanks for the reply, for your help and for your advice!

I followed your advice and looked at the index.php file, but I can't find any JavaScript code to remove.
What I saw in the source code of the website was some strange large code after </body></html> ( a large code ( with numbers and letters and so on ) that doesn't belong there ). I don't know how to remove that!

Another thing that concerns me is that they ( hackers ) could have installed backdoors etc. to allow them through again! ( When I fix it, I run the risk that in the blink of an eye the problems start over again. )

I also looked at my login at my hosting provider. It seems normal.

For your information:

- I use v3.5.6 ( I am testing v3.6.4 at this moment in a separate file )
- I am testing v3.6.4 because the template of Vince is not ready for v3.6.4. Vince is working on it, so I have to wait for it.
- I blocked every IP address from Russia. ( I don't know how they get access to my website?? )

I also sent Adam an email about this issue, so that he can look at this problem too.
I guess there is a leak in the software.

We mustn't forget: what happened to me can happen to every one of us.
So we must help each other to "kill" this problem once and for all.

Anyone else with ideas to fix this problem?

Thanks!

Greetings,

John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: lee on August 12, 2010, 10:47:27 am
Hi John, export your database from php admin, then do a fresh install of Jamit and reinstall your database. It should only take 30 mins. See if that sorts the problem. Also run Traffic Cop, because it will block the yandex.ru search engine robots ( 95.108.217.252 yandex.ru ) from crawling your site; there's no need to let these in unless you have a Russian market. Get back to us with the results.

Best regards, lee


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 12, 2010, 12:40:15 pm
Hi Guys,

Everybody, thanks for your help and for your advice so far!

Half an hour ago I put a ( clean ) copy of the index.php back on the server. And guess what? The threat is gone. :)
There is no more redirecting to ya.ru!  :)

But it still concerns me that they ( hackers ) could have installed backdoors etc. to allow them through to our websites again,
in the way I described above ( through the Employers panel ---> they get into the site, and it starts over again ).
Traffic Cop etc. can't stop this. ( I blocked all the IP addresses from Russia )
Perhaps they use another computer for it. A computer outside Russia.

There must be a solution for this.

John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 12, 2010, 01:04:14 pm
Hi Guys,

This is what Adam says about the threat:

If your index.php file was modified, then it means that the hacker either has your FTP details or has privileged access to the machine which your site is hosted on. Please also check your computer for malware (e.g. key logger or Trojan) and make sure to always access your site only from a trusted network and a secure connection.

Usually these hacks are not made by humans - they are 'worms' which are made to spread automatically. What happens is you first visit an infected website, then the infected website exploits your software, e.g. a security flaw in your web browser, Flash, Acrobat, etc. Once installed on your system, the worm can capture your FTP details and then upload itself to your site. Once on your site, it can spread to other users by exploiting the same flaw.
All known security vulnerabilities in Jamit have been patched. Please also try the Security Tools plugin http://market.jamit.com/ - the latest version updates the scan engine. I use the Security Tools plugin on my sites and scan daily.


After reading Adam's reply:
I'll restore all the PHP files, change my FTP login code, scan my computer ( again ), and I shall use the Security Tool ( again ).

I hope it will help.

Thanks Guys for helping me!

Cheers,

John de Vries


 


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: fujipadam on August 12, 2010, 08:32:24 pm
Hope this works out for you! Cheers!


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: lee on August 12, 2010, 09:04:21 pm
3 good free security programs to use together; using all 3 won't conflict with each other either:

http://www.trades4all.com/forum/phpBB3/viewtopic.php?f=35&t=30


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Imran on August 13, 2010, 09:26:45 am
Sorry for the late reply, I was not in the forum.

Your site is infected. It is done via open writable files. Check your file and directory permissions, and also each and every index.html/.php file, and remove any of the code that is infected. Remember, if you open the file directly it might infect your system as well, hence make sure you delete these files and replace them with original uninfected files, and also tighten your file and directory permissions.
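
The two checks raised in the thread so far (data sitting after the closing </html> tag of index files, and loose file and directory permissions) can be run over a whole web root in one pass. The Python script below is an added example, not code from the forum or from Jamit; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

WEB_EXTENSIONS = (".php", ".html", ".htm")
CLOSING_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)


def trailing_after_html(data: bytes) -> bytes:
    """Return the non-whitespace bytes that follow the last </html> tag."""
    matches = list(CLOSING_HTML.finditer(data))
    if not matches:
        return b""
    return data[matches[-1].end():].strip()


def scan_webroot(root: str) -> list:
    """Flag world-writable entries and web files with data after </html>."""
    # A hit is a lead for manual review, not proof: some templates
    # legitimately run PHP after the closing tag.
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # link modes say nothing about the target
            issues = []
            if os.stat(path).st_mode & stat.S_IWOTH:
                issues.append("world-writable")
            if name in files and name.lower().endswith(WEB_EXTENSIONS):
                with open(path, "rb") as fh:
                    tail = trailing_after_html(fh.read())
                if tail:
                    issues.append(f"{len(tail)} bytes after </html>")
            if issues:
                rel = os.path.relpath(path, root)
                findings.append({"path": rel, "issues": issues})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: str) -> None:
    """Constructed sample site, for demonstration only."""
    page = b"<html><body>Job board</body></html>\n"
    blob = b"<!-- constructed placeholder standing in for appended code -->"
    samples = {
        "clean.php": (page, 0o644),
        "index.php": (page + blob, 0o644),   # data appended after </html>
        "config.php": (page, 0o666),         # writable by every local user
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "upload"))
    os.chmod(os.path.join(root, "upload"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_tree(webroot)
        for finding in scan_webroot(webroot):
            print(finding["path"], "->", ", ".join(finding["issues"]))
```

Comparing flagged files against a known-clean copy of the same release shows whether the trailing data belongs there.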


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 13, 2010, 02:30:08 pm
Hi Guys,

Thanks for all your replies! Thanks, guys!

I followed what Adam says about the threat.

So what did I do?

1. Changed my FTP codes.
2. I restored all of my PHP files from a backup. ( the redirect to a Russian search engine: http://ya.ru/ is gone )
3. I scanned my complete computer ( Kaspersky Anti-Virus 2010 )
4. I used the Security Tool in the admin menu ( saw nothing strange )
5. I checked all the blocked IP addresses from Russia, Ukraine etc.

So I thought that it was over.

But guess what ???!
The hacker ( worm ) is back! >:(
15 minutes ago he struck again.

Look at the picture I made of it : http://www.banenpakhuis.nl/worm.jpg
( and look at the IP address )
Guys, the worm ( hacker or whatever it is ) used the Employers Panel to strike again.

No virus defender can stop this. This is something else.

I reported this to Adam as well.

We have to wait for a solution.

Greetings,

John de Vries



Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Amjad on August 13, 2010, 06:08:25 pm
Hi John ,
Sorry to hear that your site is infected; surely it's very painful for you.

I advise you to do the following steps:

1- Back up your DB on your local computer
2- Reset your hosting account ( ask your hosting company to do that )
3- Install fresh JJB ( use 3.5.7 version )

Regards,
Amjad


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: steve on August 13, 2010, 07:16:40 pm
I had something similar happen to me that affected/infected all my websites. Here is a tip that will help you. When you change your passwords to your websites, including FTP etc., always do it from a different computer. Then, clean up your computer and make sure it is clean before you log in to your websites from your usual computer.


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: lee on August 13, 2010, 11:45:28 pm
Quote from: steve
I had something similar happen to me that affected/infected all my websites. Here is a tip that will help you. When you change your passwords to your websites, including FTP etc., always do it from a different computer. Then, clean up your computer and make sure it is clean before you log in to your websites from your usual computer.

That's good advice, Steve. If possible, format your PC and reload your operating system from scratch; then you know your PC is clean, because it still sounds as if you still have a virus somewhere.

Good luck John


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 14, 2010, 10:07:05 am
Hi Guys,
Lee, Steve and Amjad, thanks for your replies on this issue!

I followed your instructions. My computer is clean ( Kaspersky made a deep scan, found nothing ), and I changed the FTP login codes. My hosting company gave me, through a protected connection, new FTP codes. I have activated them through that protected connection.

It’s logical to think that it is a normal computer virus. But I think that we must look in another direction.

The hacker ( worm ) registers itself through the Employer Panel.
After the registration, the hacker ( worm ) is a legal “Employer”, with a legal Member ID and a legal password
( sent automatically by e-mail from my e-mail account : affirmative email )

Once inside, he changes his conformation from a “legal Employer” to something that puts shit on my server.
( the question is: How does he do that?? That’s something for Adam, I guess )

You can’t stop this through a virus scan or something like that, because he registers himself as a legal Employer.
( at the moment of registering, he is not a threat. But after registering, he becomes a threat. )

The only thing to stop this is to locate the IP address. I located it; it’s in the Ukraine.
I blocked IP addresses from different countries. For example: the IPs from Russia, Ukraine etc.
I blocked them through the htaccess ( file ).

I figured out that there was a hole in the list of the blocked IP addresses.
If there is a hole in the list, then the IP addresses are no longer blocked.
And ( I guess ) that’s the way he ( the hacker, worm ) could register himself.
So, the htaccess ( file ) does not work safely enough.

So, I would like to use the Traffic Filter Plugin.

Question:
Can someone send me a photo of the configured Traffic Filter Plugin, so that I can see ( as a start to configuring the plugin )
what the best way is to configure this plugin? ( blocking IP addresses, redirect URLs etc. etc. )

Will someone help me with this, so that I can block those guys from Russia, Ukraine etc.?
Thanks! I would appreciate that very much!

Jamit – on!

Greetings,
John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: fujipadam on August 14, 2010, 04:36:40 pm
John - it's disturbing that after all this cleaning, you are still facing the threat. I agree IP address blocking might be a short-term solution, but how long will that last? He can use a proxy the next time and make it look like he is coming from another country. Based on your experience it does look like a legitimate script vulnerability, especially since he is logging in as an employer ( if all he had was the passwords, he doesn't need to create an account ).

Is Adam looking into this? What is his opinion after repeated attacks?

Fuji


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 15, 2010, 10:10:16 am
Hi Guys,

Fujipadam, thanks for the reply!

I agree with what you are saying. But I must do something to stop this... So, IP blocking is for me the only option at this moment.
We've got a plugin: the Traffic Filter plugin. I asked for a photo, so that I can see how I can configure the plugin.
Please send me such a photo of a configured Traffic Filter Plugin.
I'll look at it, then I can configure the Traffic Filter Plugin. After that I'll throw the picture away!

If somebody will help with this, please send me a photo.
You can upload the photo to your server with a link, so that I can see it.  :) Thanks!

I am in contact with Adam about this issue. Adam is still working on it to figure out what is happening.
I help him by giving him relevant information.

When I've got news, you'll hear from me, guys!

Greetings,

John de Vries



Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Adam on August 16, 2010, 05:52:10 am
After investigating one of these reports, I find that the FTP details to the hosting account were compromised and that FTP was used to upload the malicious files.

Please keep your FTP details secure, here is how:

- Use SFTP instead of FTP. FTP passwords are sent in plaintext and are easy for an adversary to capture.
- Make sure that your password is hard to guess.
- Change your password often!
- It may be better to memorize the password rather than writing it down or having it remembered by a program.
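
Because the malicious files arrived over FTP, the server's transfer log is the place to look for uploads of web-served files from unfamiliar addresses. The following is an added example, not Adam's or Jamit's code: it assumes the host's FTP daemon writes the standard xferlog format, and the sample lines, addresses and function names are constructed.

```python
from collections import defaultdict

WEB_EXTENSIONS = (".php", ".html", ".htm", ".js", ".htaccess")

# Constructed xferlog lines using documentation IP ranges; not from the thread.
SAMPLE_XFERLOG = """\
Mon Aug  9 09:14:02 2010 1 198.51.100.20 18234 /public_html/images/logo.png b _ i r siteuser ftp 0 * c
Fri Aug 13 14:11:37 2010 1 203.0.113.77 9120 /public_html/index.php b _ o r siteuser ftp 0 * c
Fri Aug 13 14:11:39 2010 1 203.0.113.77 11873 /public_html/index.php b _ i r siteuser ftp 0 * c
Fri Aug 13 14:11:41 2010 1 203.0.113.77 6120 /public_html/employers/index.php b _ i r siteuser ftp 0 * c
Sat Aug 14 08:02:10 2010 2 198.51.100.20 9120 /public_html/index.php b _ i r siteuser ftp 0 * c
"""


def parse_xferlog_line(line):
    """Parse one xferlog record; return None if the line is malformed.

    Layout: 5 timestamp tokens, transfer-time, remote-host, file-size,
    filename (may contain spaces), then 9 fixed trailing fields.
    """
    parts = line.split()
    if len(parts) < 18:
        return None
    trailer = parts[-9:]
    try:
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "time": " ".join(parts[:5]),
        "remote_host": parts[6],
        "size": size,
        "filename": " ".join(parts[8:-9]),
        "direction": trailer[2],   # i = upload, o = download, d = delete
        "username": trailer[4],
        "status": trailer[8],      # c = complete, i = incomplete
    }


def suspicious_uploads(log_text, trusted_hosts):
    """Group completed uploads of web-served files by untrusted source host."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        is_upload = rec["direction"] == "i" and rec["status"] == "c"
        is_web = rec["filename"].lower().endswith(WEB_EXTENSIONS)
        if is_upload and is_web and rec["remote_host"] not in trusted_hosts:
            by_host[rec["remote_host"]].append((rec["time"], rec["filename"]))
    return dict(by_host)


if __name__ == "__main__":
    # 198.51.100.20 stands in for the administrator's own address.
    hits = suspicious_uploads(SAMPLE_XFERLOG, {"198.51.100.20"})
    for host, uploads in hits.items():
        for when, name in uploads:
            print(host, when, name)
```

An upload of index.php from an address the administrator never used, under the real account name, points at stolen credentials rather than at a flaw in the application.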


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Adam on August 16, 2010, 06:23:59 am
More background information:
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
http://www.spamhaus.org/news.lasso?article=634
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201270
http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/

+ add this Wikipedia article http://en.wikipedia.org/wiki/Gumblar


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on August 16, 2010, 06:35:54 am
Useful information. :)

Thanks Adam!

John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: dipolo on September 03, 2010, 07:35:51 pm

Quote from: Banenpak
I agree with what you are saying. But I must do something to stop this... So, IP blocking is for me the only option at this moment.
We've got a plugin: the Traffic Filter plugin. I asked for a photo, so that I can see how I can configure the plugin.
Please send me such a photo of a configured Traffic Filter Plugin.
I'll look at it, then I can configure the Traffic Filter Plugin. After that I'll throw the picture away!

1. The Traffic Filter plugin will never protect you or anybody from hackers, and actually you cannot block entry to your site from any place in the world. If somebody would like to enter your site, he will do it without any problem in seconds. I’m from Ukraine and I can show you how to do it. So, do not complicate things too much with the traffic plugin…
2. For work with your web sites use ONLY a separate, other computer – a computer not used for other purposes: internet surfing, forums, blogs, ICQ, Skype… etc. It’s VERY IMPORTANT! If you do not understand why, I can explain it to you (and others), maybe in a special separate topic…. The only thing: my English is not so good…
3. Kyiv is the capital of Ukraine – not Russian. Ya.ru (yandex.ru) is a Russian search engine.
4. Redirection to ya.ru is probably only a joke and not a special hacker’s target.
5. Do not trust Kaspersky too much! You should check your PC with other software, and it is important to check your system for Trojans! There is a lot of software, also free, like Comodo, Avast, Avira…. You can install it, test your PC and then uninstall it. Until your PC is really protected, your sites are not safe, as your passwords for sites, FTP… are stored on your PC.
6. And again – USE A SPECIAL, SEPARATE PC for work with your sites!
Hope some of my suggestions will help you to avoid problems with hacking in future…
Dipolo from Ukraine (Russia, if you like :)
Best regards!


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on September 03, 2010, 09:49:35 pm
Hi Dipolo,

Thanks for this useful information.
I appreciate that. Thank you!  :)

I know where Ukraine lies and that your country is a different country than Russia.
I live in The Hague ( Holland ) and there are a lot of expats here, also from the Ukraine.

I agree, Dipolo, that you must also check your systems for Trojan horses etc.
For that I use Registry Mechanic, Spybot ( Search and Destroy ) and last but not least: Adware Spyware.

But the real hacker, you can't stop them. But I ask myself: what is so funny about hacking somebody's website?
I don't understand that. I think: put your energy into something else. I know of a guy here in Holland who hacked an important website in the USA.
That guy is at this moment in a prison in the USA for many years.

I don't know, Dipolo ( think about the marketing aspect ), if it is useful to use separate computers.
Hackers, if they want, will always find you.

But thanks for your information!  It keeps me sharp.

Cheers,

John de Vries
 


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Peter on September 19, 2010, 10:29:10 am
Quote from: dipolo
....The Traffic Filter plugin will never protect you or anybody from hackers, and actually you cannot block entry to your site from any place in the world....

This is not completely accurate. The TRAFFIC FILTER plugin does quite a bit of protection and most importantly it records malicious and suspicious visits. If the DENY RULES are properly and sufficiently configured, your site will appear non-existent (or broken) to all undesirable visitors (while fully functional to desirable visitors). The hackers may stop paying attention to your site.

The benefit of the logged events and the new INSTANT NOTIFICATION is that you can take immediate further action to protect your site, such as entering a blocking rule (rewrite rule) into your .htaccess file.


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Banenpak on September 22, 2010, 06:52:15 am
Hello Peter,

Thanks for this information.

So when you configure everything in the right way ( Traffic Cop, htaccess etc. ) then the wrong stuff ( worms etc. ) will stay out.
That's great. I thought that they ( worms etc. ) could come into your site through another way ( by using another computer ), and that you can't stop them.

Each day my site gets visited by those stupid worms. I hate them.

I will use the Traffic Cop soon.

Thanks Peter!

Greetings,

John de Vries


Title: Re: Help my website is hacked and redirecting to ya.ru
Post by: Peter on September 22, 2010, 10:30:58 am
John,

Traffic Cop is only one of the several tools and ways to keep your site safe.

Starting with your PC, you need to keep it free of viruses. Use a good anti-virus, such as Kaspersky or F-secure. F-Secure is probably the best. You can use the FREE online scanner from this link:
http://www.f-secure.com/en_EMEA/security/tools/online-scanner/
Scan your PC for viruses regularly.

You also need to "behave safely", which means that you:
  • shouldn't share USB sticks with anybody
  • should be wary of anything you download from a torrent
  • should never open an email attachment that you have not asked for, even if it is from your friends

As Adam has suggested, use SFTP instead of FTP for uploading files to your server.

Use Adam's security scanner "SECURITY TOOLS" often. This is an excellent plugin which scans all of your files on the server for potential threats. The scanner will find some false positives, but that's OK.

And ultimately, you need to set permissions on all your files and directories (on server) as suggested by Adam and/or by his SECURITY TOOLS plugin.

Now we talk about TRAFFIC COP. Well, Traffic Cop has some limitations. It can only protect PHP files. However, it can block some attacks and record them in the log, and even send you an instant alert by email. Once you have this information, you can take further action to protect your server, such as entering rewrite rules into your .htaccess file (if you have an Apache server). Traffic Cop is "your eyes" on the server. It allows you to see what is going on. Sorry, but you cannot rely on Google Analytics when it comes to security.

I need to write some more explanation about how to use Traffic Cop. I will do that soon.

If you follow the above suggestions, you should be safe.

Best wishes,
Peter

P.S.
If your server is Apache, you should add this to your .htaccess file:

Code:
<Files config.php>
order allow,deny
deny from all
</Files>