Thursday, November 15, 2018

Migrating Joomla 1.5 site with jEvents to 2.5 and an upgraded jEvents

I started with a Joomla 1.5.23 site and upgraded it with a joomla 1.5.x – 1.5.26 package from the Joomla website. I went to jEvents to get an updated version. I decided to google jEvents joomla 1.5 upgrade and found this link from jEvents.

http://www.jevents.net/downloads/category/70-j15-j25-migration

Starts with a jUpgrade or simular migration to 2.5. Start by going into plug-ins and enable Moo Tools Upgrade. Then install and run jUpgrade. I have had a lot of difficulty getting jUpgrade to run smoothly in WAMP. I have finally figured out a good install method after a couple of Win 7 reloads and multiple attempts to get WAMP set up with CURL correctly. Here is link to how I did it.

http://blog.grimeymedia.com/migrating-joomla-1-5-to-2-5/

Follow this lesson and got it all up and running in 45 minutes. Basically did jUpgrade, ran their migration php script, and then installed jEvents 3.0 and all the old info was in the new database.

“#!/bin/sh id cat zot echo ok” in a test_me file in a Joomla 1.5 site.

I found a file called “zot”. Inside was text “abcdefghi”. There was also a file called “test_me”. Inside this file was “#!/bin/sh
id
cat zot
echo ok”

This is a linux bash script used to cat or create a file called zot. Must be connected to an attack.

There was another file called “open_test” with another linux bash script.

#!/bin/sh
set -x
DIR=”/home/my_website/public_html”
cd $DIR
SUSTR=”
if [[ “$UID” -eq “0” || `id -un` != ‘audio’ ]];
then
SUSTR=”sudo -u audio ”
fi
$SUSTR $DIR/test_me

“iolanipalace.org” and “Pay Day Loans” text showed up in my Joomla 1.5 template

I am starting another Joomla 1.5.23 upgrade to 2.5 for security reasons. Before I started I noticed “payday loans” hyperlink going to “iolanipalace.org”.

payday_loan

This was not a module area it was in the index.php file in the template. I went to to the template to see added text. I highlighted the text in blue.

payday_loan_code

I googled “iolanipalace.org” and came up with a link I didn’ want to click on.

516Cash: UK Payday Loans


www.516cash.com/

UK Payday Loans from 516cash. Up to £1000 in 15 minutes! Instant Approval! No Transfer Fees, Apply Now!


Seems like a scam lead through Cross-Site Scripting. I am hoping the damage isn’t severe.

Upgrade your Joomla 1.5 sites before it is too late.