Enforce Password Complexity in Joomla

Well, you can learn something new every day. I was looking at a proposal that I thought Joomla would be a good fit for. The proposal asked about enforcing password complexity. I wasn’t sure that Joomla 3.6 did this natively, but it does. I found the following article that quickly demonstrates how to set it up.

http://officialjoomlabook.com/elin-waring-official-joomla-book-blog/joomla-3-1-4-password-strength-options

Here is how it looks in Joomla 3.6.

[Screenshot: joomla_password_complexity]

I hope this helps someone else out there…


Joomla 3.5 site attack – PayPal.zip, pl, php, vu.txt files found in Images directory.

I had to upload a file to a customer’s GoDaddy hosted account and discovered a bunch of unusual files.

Below is an example of a directory in the images folder. On the right there was a folder called “login”. In that folder was a complete site for accepting credit cards. I haven’t spent any time figuring out exactly what is going on.

[Screenshot: joomla_3_5_attack]

The files were also right in the root directory of the site.

When I navigate to the login folder within WAMP it is a fake PayPal login page.

[Screenshot: joomla_attack_paypal]

Inside the “vu.txt” file was the following.

178.153.89.221  –  2016-4-01 @ 23:20:04
178.153.89.221  –  2016-4-01 @ 23:25:50

I hope this helps someone else out there….


False Positive – Vipre threat ID 5230363

We have a fair amount of clients running Vipre anti-virus and we received a bunch of warnings this morning that over 6 of our clients were infected with a “Trojan Downloader”. Vipre found it and quarantined it, but we wanted to make sure.

It shows up as “Trojan-Downloader.JS.Nemucod.dc (v)”. We contacted Vipre and they confirmed it was a false positive. They said a new definition will be out later today (3.22.2016).

[Screenshot: vipre_threat_5230363]

Microsoft says their software can handle this attack. Here is their write-up on this issue.

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Nemucod.J

I hope this helps someone else out there….


Locky Virus – Blew Past Vipre – Malwarebytes Ransomware Detected it.

One of our clients got hit with the Locky trojan. It came in an email with a .zip file attached. A couple of employees opened the zip and within an hour their systems were unresponsive. Below is what the email looked like.

[Screenshots: locky_virus_screenshot (the attachment was a .zip) and suspicious_email_2 (the attachment was a .rtf)]

There is Vipre Premium antivirus on all the machines, but it didn’t detect anything. We submitted the .zip file to Vipre to improve their definitions. Vipre’s website to submit missed viruses:

http://www.vipreantivirus.com/support/submissions/missed-threat.aspx

The virus encrypted the files and left a ransom text file with instructions on who to pay to unlock the files. The following page has good info on what to look for.

http://howtoremove.guide/locky-virus-file-encryption-removal/

We found Malwarebytes Ransomware was able to detect it, but not stop it. Here are some things we learned.

  1. When a user opened the .zip file and the virus started, any file or directory that user had permission to got its contents encrypted.
  2. They had an intranet and the root directory’s permissions were set to “Everyone” so the applications worked, and that root directory got all of its contents infected/encrypted.
  3. OneDrive for Business – The infection hit the shared local folder, jumped to the cloud storage and encrypted those files. It then reached the person’s home machine, which also synced with that OneDrive, and infected it as well.
  4. Malwarebytes Ransomware detected but did not stop it.

What saved them was a few things:

  1. In Active Directory, put users into groups and give those groups permissions to the directory.
  2. Backups that ran twice a day. When the virus hit at 12:05pm we were able to recover the files from 7:00am.

I hope this helps someone else out there…


ICEcoder – Reset password – Could be the reason for attack and blacklisting.

We had a static HTML site get attacked and blacklisted. I never thought a static HTML site could get attacked.

[Screenshot: Capture_blurred]

Upon further investigation I found a file called “kmhtwefn.php”. A Google search returned nothing … something must be wrong.

There was also a file called “ingenuity-insulator.php”. I Googled it and came back with nothing related to this file. Again this made me question things.

I opened a “.htaccess” file and found the following:

[Screenshot: htaccess_attack]

Bingo!

It appears all visitors referred by the major search engines were sent to the ingenuity-insulator.php file. This is why the site got listed as hacked.
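As an added defender-side example (not from the original post), this Python check flags the kind of rewrite described above: a RewriteRule that fires only when HTTP_REFERER names a search engine. The .htaccess content below is constructed for the example; the post only shows the real one as a screenshot.

```python
import re

# Constructed sample modelled on the pattern the post describes: a rewrite that fires
# only for visitors referred by a search engine. Not the real .htaccess from the site.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|aol|ask)\\. [NC]
RewriteRule ^(.*)$ ingenuity-insulator.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

# Search-engine names commonly seen in referrer-conditioned redirects
SEARCH_ENGINES = re.compile(r"\b(?:google|bing|yahoo|aol|ask|yandex|duckduckgo)\b", re.I)


def find_referrer_cloaking(htaccess_text):
    """Return [(line_no, target)] for every RewriteRule whose preceding RewriteCond
    block tests HTTP_REFERER positively against a search-engine name."""
    findings = []
    pending = []  # (variable, pattern) of RewriteCond lines since the last RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1].upper(), parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            for variable, pattern in pending:
                # A leading "!" negates the condition (e.g. hotlink protection), so skip those
                if variable == "%{HTTP_REFERER}" and not pattern.startswith("!") \
                        and SEARCH_ENGINES.search(pattern):
                    findings.append((lineno, parts[2]))
                    break
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings


if __name__ == "__main__":
    for lineno, target in find_referrer_cloaking(SAMPLE_HTACCESS):
        print(f"line {lineno}: search-engine referrals rewritten to {target}")
```

Legitimate configurations rarely branch on a search-engine referrer, so any hit is worth reading by hand alongside the file it points at.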

How did it get hacked?

Turns out this site had ICEcoder in it. I needed to reset the password and the following article helped me figure it out.

https://groups.google.com/forum/#!topic/icecoder/0KPKZZLcB58

Due to the lack of time I reached out to Sucuri to help get this site cleaned up and remove the blacklisting.

Sucuri’s Website

I hope this helps someone else out there…


Vipre Warning – [#183197] [POSSIBLE FP FILE]Exploit.SWF.Agent.bb (v)

Tech Chris called Vipre Business technical support today. They confirmed this was a false positive. The resolution for this is to update the virus definitions.

To update virus definitions:

  1. Log into server
  2. Open Vipre Business Premium
  3. Click on protected computers tab
  4. On the left, you will see site navigator
  5. Under windows policies, select the policy that has the protected computers (will be either “desktops” or “default for workstations” for workstations, and either “laptops” or “default for laptops” for laptops)
  6. Right click policy name > agent updates > check for threat definition updates
  7. This will update the agents to the latest threat definitions

Thanks to our buddy Chris.

Hope this helps someone else out there.


Hively Customer Feedback – tried it, liked it.

I recently used Sucuri to clean a WordPress site. If you have never used them, I would highly recommend them. They were fast and thorough.

When the job was complete they had a “how did we do” box at the bottom of the screen. This link took me to a quick survey made by Hively and integrated into Sucuri’s site.

I really liked the way it worked. I don’t know a ton about the service, but the experience was very pleasant. I suggest checking them out.

http://teamhively.com/

I hope this helps….

Acrobat won’t open “Attempt to access invalid address”

We had a user that suddenly couldn’t open any local or networked PDF files. I uninstalled, ran CCleaner and Adobe’s Acrobat cleaner tool, restarted the machine, and finally re-installed Acrobat. The same error came up.

This issue was solved by uninstalling EMET 5.1. Not really what I wanted to do but the user had to get work done.

Going to follow up with Adobe for a better solution.

The following link pointed me in the EMET direction.

https://forums.adobe.com/message/6830531

Hope this helps someone else out there….

What is SEO poisoning?

I found the following article that introduced me to the term “SEO poisoning.”

http://www.scmagazine.com/attackers-use-seo-spam-to-improve-the-rankings-of-their-websites-on-google-and-other-search-engines/article/375339/

I was considering this Cross-Site Scripting, but the code wasn’t malicious; it was just leading back to another site selling their services. The term SEO poisoning makes more sense. The goal of this poisoning is to increase the rankings of the company performing the action by embedding links into a legitimate site that point back to their site. Backlinks are part of the metrics Google uses to rank your site.

The links are often displayed off screen, so webmasters are usually unaware the poisoning is even happening. Fortunately some plugin authors are aware of this technique and are incorporating tools to catch it into their plugins.
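As an added example, not from the original post, here is a small Python check for the off-screen links the article describes: it walks a page and reports any link that is itself hidden, or sits inside an element hidden with common inline-CSS tricks. The sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one normal link, one link inside an off-screen container
# and one link hidden with display:none. Not taken from any real compromised site.
SAMPLE_HTML = """
<p>Welcome to <a href="/about">our site</a>.<br></p>
<div style="position:absolute; left:-9999px;">
  <a href="http://spam.example/cheap-pills">cheap pills</a>
</div>
<a href="http://spam.example/casino" style="display:none">casino</a>
<a href="/contact" style="color:red">Contact</a>
"""

# Inline CSS that keeps an element out of the visible page
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)


class HiddenLinkFinder(HTMLParser):
    """Record every <a href> that is hidden itself or sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, started_hidden_region) for each open element
        self.hidden_depth = 0  # number of enclosing hidden elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_CSS.search(a.get("style") or ""))
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a" and a.get("href") and self.hidden_depth > 0:
            self.findings.append(a["href"])

    def handle_endtag(self, tag):
        # Unwind to the matching open tag; void elements like <br> never get an end tag
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Links hidden through an external stylesheet or by script will not show up here, so treat a clean result as a first pass rather than proof the page is untouched.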