JoomDonation Compromised

We are receiving reports from many users of the popular JoomDonation platform that they received a very scary email from someone that supposedly hacked into JoomDonation. The emails went to the registered accounts and contained the full names, so it looks like JoomDonation did in fact get breached.

This is the full email:

How the hell are you? No need to ask, Iโ€™m fine!

Iโ€™m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea ๐Ÿ™‚

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into JoomDonation.com components. As per result, Iโ€™ve a list of 300000+ Joomla users+emails and youโ€™re just one of them, lucky thing ๐Ÿ™‚

..

Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. Theyโ€™re just noob tools. Think about, Iโ€™ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon ๐Ÿ™‚

Want an advice from a hacker? Donโ€™t use any script from Thailand/Vietnam developers, their code is so crappy ๐Ÿ™‚ Try Indian quality.

This email was sent to all JoomDonation.com users. Weโ€™ll meet again if you have accounts registered to other Joomla developers ๐Ÿ™‚

Our research team is trying to confirm if any of the downloads from JoomDonation contain a backdoor, and we will post more details soon on what we find.

The JoomDonation developer has confirmed their environment has been compromised, but believes the issues to be specific to their server:

Hi All

I believe this is not security issues in our components/extensions. Someone hacked our server (we are using bluehost VPS server for hosting our website) somehow and uses the email systems to send this spam emails to all of you.

They want to destroy our business (and they mentioned India somehow in the email). Just the quick update from us, we will provide more information when we found something!

We are really sorry for this trouble.

The concern here is two fold:

  1. How did the attackers penetrate JoomDonation? If they leveraged a Zero-Day, then it’s likely the attacker can in fact penetrate other environments configured the same way.
  2. How is the attacker contacting JoomDonation users? This leads you to believe that there has been some level of data breach and user PII information has been compromised.

Currently, the attacker appears to be contacting those that have purchased any of the JoomDonation extensions, which include:

  1. Events Booking
  2. OS Property
  3. EShop
  4. Membership Pro
  5. EDocman
  6. CSV Advanced
  7. OS Services Booking
  8. Joom Donation
  9. Documents Seller

In the meantime, we highly recommend disabling this extension from your website. I would also highly recommend putting it behind a Website Firewall (WAF) with all hardening options enabled to minimize the chances of a compromise in case the extension has a 0-day vulnerability or backdoor.

:::::Update: 20141126 :::::

Tuan provides more details on the compromise, he states:

Dear all,

As you know, today, our hosting account was hacked. The hacker got a small part of our users information (only name and email) and emailed to these users that their sites were hacked. Infact, these sites are not hacked at all.
We have been working hard on this issue. Here are something we found and would like to inform you about them:

1. The security issue is not related to our extensions at all. So all the sites which are using our extensions at the moment will still be safe.

2. The issue came from a security hole in the hosting server which we have used. We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software, so the hacker could get into the system and stole these information. We are working to move our website to a more secure server with a better hosting provider. However, it will take us one or two days for doing that.

3. The hacker just got a small part of our users information (contain name, email) and publish some of them. Few hours after the information was published (just name and a part of the email – the domain of the email is hidden), it was deleted and could not be viewable from public. So the information would be secure from now as well

4. We can assure that your sites are still safe. However, we advice that you change super admin account (and FTP account) of your site.

5. We will continue analyzing the server logs and will inform more information about this issue ASAP.

We are really sorry about this issue and hope you will stay with us and do more business with us in the future. Our extensions are good and secure, it is just the hosting server insecure and causes us all these trouble.

Sincerely, JoomDonation

19 comments
  1. Disabling the extension and putting it behind a firewall is unlikely to help anything if it does indeed have a backdoor.

    If the extension does have a backdoor, then it could have added files to any folder in your site. Your site must be thoroughly cleaned to ensure no malicious code is left behind.

    1. Not accurate, our Firewall was built for situations like these and places emphasis on things like Backdoors that attempt to evade established access controls.

      In short, the backdoor would be nullified regardless of it’s location, making it inaccessible remotely.

      Thanks

      1. thats an amazing firewall doing the job of a virus/anit-maleware and UAC software… i call BS ๐Ÿ™‚

      2. and just so i havent left a random comment dissing you. consider an example where you webserver has access to execute a particular PHP file which has the backdoor. the backdoor simple acts as a database access layer (ur firewall certainly wont stop this) or it could attempt to write or read files on the disk. your firewall, just could not do this.. unless you provide the whitepaper to prove its technique, its made up facts.

        1. I don’t really understand what you’re suggesting. Can you explain?

          Any requests to use the malicious backdoor would be blocked by the Firewall. Are you suggesting it can’t protect against SQLi? Maybe I am missing something. ๐Ÿ™‚

          1. but it wouldnt though.

            if wordpress asked joomdonation for an update of the plugin, it will receive the update no worries. the file would look like it came from the right authority. then when the file is run, it ran as the webserver, therfore it has as much access as the webserver does. allowing all sorts of access.

  2. Emails were sent from joomdonation Mandrill (Mailchimp) account. Is it possible that is the actual breach is on their email list rather than their website? I know they are conceding that their site was compromised but is that an assumption based on access to the mailing list?

  3. Hi All
    When I got the message I wrote an urgent support request to Nicholas at Joomla Admin Tools
    In his reply he sent me this thread
    http://forum.joomla.org/viewtopic.php?f=714&t=866985#p3243888
    Nicholas said that the email was a ‘bluff’.
    However Joom Donation took their site down immediately (it is now back up) so something definitely happened at their end!
    For our own large website we just made sure all the security we had in place is tight.
    We don’t have credit card information stored on Joom Donation – so it might be just a matter of changing passwords again – like happens every time Apple gets hacked!

    Andrew

  4. Hi All,

    Preventing alledged issues like with joomdonation is better then cleaning up after the fact, however, I’m curious. How many or what tools should one have in place to make the availability of forensic evidence guaranteed big enough for some traces of penatration.

    Kind regards,

    Gerard.

    1. The first thing you need is proper logging and log management. We recommend OSSEC to extract all logs to a external server for analysis.

      After that, you need to be monitoring these logs, along with the state of the server to try to identify indicators that the server might be hacked. Some ideas here:

      http://dcid.me/notes/2014-oct-09

      Even our Website firewal (WAF), does that automatically. We audit all requests and store the logs so they can be inspected in case of a possible compromise:

      http://sucuri.net/website-firewall/

      thanks,

      1. Dear Daniel,

        Thanx a lot for you feedback. I recently migrated from Chef to Saltstack and therewith running an automated deploy for Ossec. Now that I have a better view of the data your notes will come in handy. Appreciated!

        I looked at your WAF earlier and read that you guys also can withstand DDOS. Isn’t the network (layer) the only place to do something about this? … Lowering (well throttling) the load on you app or server via a firewall only moves to problem to the next component, the firewall. And as far as the throttling allows it, the bandwidth is still fully absorbed and therewith your service still unavailable. Is it true that your WAF can protect me against this? … If so, curious how ๐Ÿ™‚

        Thanx again for you input!

        Kind regards,

        Gerard.

  5. ” … We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software … ” <– WHY?!

    Having any kind of server online without a firewall is foolhardy; a VPS handling customer data?! That beggars belief!

    I honestly wouldn't trust any company who would be so ignorant – or worse, wilfully careless – about how customer data is stored and handled. I'd have expected that from a bunch of noob amateurs, but these people are supposed professionals, making real money from providing software solutions! Alarm bells much?!

    The mind boggles. Running a VPS without a firewall — unbelievable. At least make these crooked hacker scumbags WORK for a living.

    1. lol i got as far as the firewall statement and lack of good english and just gave up reading any more!

  6. I can list a dozen reasons not to host with BlueHost… but seeing JoomDonation pass the buck and blame BlueHost for this is beyond asinine. Most VPS offerings are UNMANAGED, which means it’s on the user to install and monitor their own firewall and security measures. JoomDonation should have asked what sort of security – if any – was included in their plan. My guess is they chose the $14.99/month special. You get what you pay for.

    Without knowing the specifics of the plan JoomDonation signed up for, it can’t be assumed that BlueHost dropped the ball. I think the responsibility for this lies squarely on JoomDonation’s shoulders.

Comments are closed.

You May Also Like