Jul 22, 2009

Latest Security Threats and Joomla! Defense Strategies

Posted by Georg in Untagged

It happened sometime around mid June on a Dreamhost user account more than three years old and bloated with antiquated, long-forgotten web applications. All of a sudden, every site under that Unix user was displaying this:
undefined_hacker

in the top left of an otherwise blank page. D'oh...

We'll skip the hassle of the urgent chores that followed: moving the live sites to newly created, separate Unix users, naturally after restoring them from the backups. Because, like any respectable host, Dreamhost provides a nice automated backup utility. Beyond the limitless wisdom of its no-guarantee statement, it will sometimes tell you to "come back later" in a sorry message, but that's a seldom occurrence.

A few features of this mild hacking attack worth noting:
  1. It wrote into every index.php or index.html file located in the /home/username/domain.com directory.
  2. It did not act on the next level of sub-directories, which made our restoring life easier, considering the rich directory tree inside the Joomla structure.
  3. It did not insert any malicious external code. It just erased the contents of the index.* files and replaced them with the line "undefined_hacker".
What may we dare conclude from this? That it was only a proof of concept for a yet-to-come attack script. And that the exploit is not necessarily Joomla! related.

***


Yesterday came a distress signal from one of our other clients, still sitting on Rochen (another exceptional host out there). This time the victim site was giving syntax error messages. Thank goodness there was only one site under this FTP user!

A quick analysis of the event tells us that every index.* file (including those in the sub-directories down the dir tree) had been written into: the code was cut in the middle and, from there on, replaced with a ghost iframe calling some cgi script on a server in a far away, undisclosed country.

Aha! This time the "proof-of-concept" errr... concept advanced to a malicious performance: alien code insertion, probably with the purpose of stealing user data remotely via that cgi script.

It appears that the June event on Dreamhost evolved, this end of July, into something evil on Rochen. Yet not that effective, for the time being at least. Why so? Because the genuine PHP files were code-crippled in the middle, so they won't parse and render as HTML in the browser; hence the bad iframe could not be loaded, preventing the attacker from collecting, infecting, spoofing, XSS-ing, cracking, etc. any potential visitor landing on the compromised page.

Still, the danger remains at large. There's an exploit capable of writing into all index.* files, even down the directory tree, throughout an entire Unix user account.
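An added example (not from the original post) of how a site owner could catch both variants described above: take a hash baseline of every index.* file down the tree while the site is clean, then flag files that changed, contain the "undefined_hacker" marker, or carry an iframe pointing at a host that is not your own. The directory layout and the far-away.invalid hostname are constructed sample data; the hash baseline is this example's own addition, not something the post describes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Marker left by the June wipe; matcher for an iframe whose src points at another host (July variant).
DEFACEMENT_MARKER = "undefined_hacker"
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def index_files(root):
    """Yield every index.* file under root, all the way down the directory tree."""
    return (p for p in sorted(Path(root).rglob("index.*")) if p.is_file())

def build_baseline(root):
    """Record a SHA-256 per index.* file while the site is known to be clean."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in index_files(root)}

def scan(root, baseline, own_hosts=()):
    """Return (relative path, reason) for each index.* file that looks tampered with."""
    findings = []
    for p in index_files(root):
        rel, data = str(p.relative_to(root)), p.read_bytes()
        text = data.decode("utf-8", "replace")
        if baseline.get(rel) != hashlib.sha256(data).hexdigest():
            findings.append((rel, "new or changed since baseline"))
        if DEFACEMENT_MARKER in text:
            findings.append((rel, "defacement marker"))
        for host in IFRAME_RE.findall(text):
            if host.lower() not in own_hosts:
                findings.append((rel, f"iframe to foreign host {host}"))
    return findings

def demo():
    """Constructed sample tree: baseline a clean site, then tamper with it as in both incidents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "sub" / "index.php").write_text("<?php echo 'sub'; ?>")
        baseline = build_baseline(root)
        (root / "index.php").write_text(DEFACEMENT_MARKER)          # June-style wipe
        (root / "sub" / "index.php").write_text(                    # July-style cut + iframe
            '<?php echo \'su<iframe src="http://far-away.invalid/cgi-bin/x.cgi"></iframe>')
        return scan(root, baseline, own_hosts={"example.com"})

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Run build_baseline once after a clean restore and store the result off the server; then scan on a schedule and treat any finding as a signal to restore and rotate credentials.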

Measures to consider in order to defend your Joomla! website:
  1. Dump FTP! Stop using FTP connections and go SFTP and/or SSH, where S stands for SECURE, aka encrypted (plain FTP sends your login and password over the wire in clear text). Yes, you're right, NO encryption is unbreakable. But ANY encryption gives an attacker script LESS chance to break in than a non-encrypted connection like FTP. So make sure to dump FTP altogether. It may be sooner rather than later that this exploit grows into some sort of epidemic, and they'll call it the FTP-flu. Believe me, bird-swine-flu would be regarded as a walk in the park by then.
  2. Mercilessly delete old versions of scripts and various apps just sitting there on the server. It's not a disk space issue, not since all hosts went virtual to [over]sell anything from a few hundred GB to infinite disk space. The issue is that those unused, forgotten apps act like gates for the security exploits roaming the net.
  3. And yes! Make certain your live sites run the latest and greatest versions of everything, be it the Joomla core or third-party extensions. And before installing an extension, make sure to have read up and googled for possible exploits related to it.
  4. It's good to adhere to a password updating policy on a monthly basis. And let the host's password generator produce scrambled passwords as it sees fit. You're better off than with Jim18LucY-type ones...
Happy Joomla-ing!
Oh, and don't forget to report, one way or another, similar hacking attacks against your sites.
Copyright © 2010 Joomla Problem Solvers. All Rights Reserved.