Any known vulnerabilities?

8 years 3 months ago #56665 by microtribe
I just installed JFBConnect on j3.4.8 and used it in a k2 item and the following hacked code was injected into the one page I had a JFBConnect tag on - injected into my Rockettheme roknavmenu. Are you aware of this vulnerability? Does it have to do with my particular combination of extensions - K2 and Rockettheme with JFBConnect?
<p id="qbhura"><a class="orphan item bullet" href="/">I am receiving CBT experience with my 3and people, office workers and daughter.. Rash was observed in ‘Causes’ posted are personal more than one occasion.. Results show my right are indicated for the 6weeks i now walk in the guidelines are. A registrar who talked modifications due to adverse median baseline CD4+cell count replaced and a new in order to eliminate batch to batch variation. These events usually, but ABILIFY MAINTENA is required not </a><a href="http://insight-vision-care.com/eye-care/treat-73/" title="Xalatan">Xalatan</a> be painful, but of oral corticosteroid therapy.. Altered glucose metabolism or ambitious or encouraging, they eye, teeth, kidney, and a boost which hasn't the incidence and severity of fluid retention [see Dosage and Administration (2.</p>
<script language="JavaScript">mxurlhs=document.getElementById(zqoppsx); mxurlhs.style.display=rbayb;</script>

This is the JFBConnect tag I was using:
{SCOpenGraph image=http://www.astroraven.com/images/concussion250.jpg}

Thanks.

PS This code only shows up in Firefox with the noscript extension installed and running. I can't figure out how to clean up this hack - if anyone has any ideas let me know. I removed the JFBConnect tag and cleared the cache, but the hack is still showing on that page. I'm taking it down or I'd include the link. There was no injected code in the item itself. If I created a new item but gave it the same link as the old item, the hacked code showed up. But if I gave the original item a new ID and published it, there was no hacked code. So somehow, the hacked code is specific to the original item number and link.
The topic has been locked.
Support Specialist
8 years 3 months ago #56671 by alzander
Replied by alzander on topic Any known vulnerabilities?
JFBConnect has never had a known, published security vulnerability. We are always looking for ways to improve and secure our code, but there haven't been any issues we've uncovered within the last year (and likely even longer) that we've needed to address.

I don't think the issue you're running into is with JFBConnect at all. If the tag is only showing up with the no-script extension, that means the hacked code is specifically looking for search engines which don't run JavaScript normally. That's a standard way to evade detection as only the search engine will see the malicious code whereas everyone else with a real browser sees the normal page.

Unfortunately, I don't have many good answers on where to go next. If your site already has malicious code, just updating extensions won't fix things, even if you happen to close the original hole that was used to access your file-system. You'll need to narrow down when the hack occurred, restore a backup to before that point, then update everything to close the hole. The other option is to re-build your site from the ground up from a clear filesystem, though you can usually keep the database from the live site so contents aren't lost.

I'd highly recommend contacting your hosting provider as most can run security scans to detect holes, out of date/insecure products and find where some malicious code may be hiding.

I hope that helps,
Alex
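
The pattern discussed in this reply, markup that sits in the page source and is hidden by an inline script so that only clients without JavaScript see it, can be triaged offline from saved page source. This is an added example, not code from JFBConnect or from either poster: `CloakScanner`, `scan`, the sample markup and its `.example` hosts are constructed for illustration, and the heuristic (an element with an id that holds off-site links and is hidden by a later inline script) is an assumption about the injected shape, not a complete detector.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline script that looks an element up by id and then sets its display style.
HIDE_RE = re.compile(r"""getElementById\s*\(\s*(?:["']([^"']*)["']|[^)]*?)\s*\)[\s\S]*?\.style\.display\s*=""")

class CloakScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.text, self.findings = site_host, "", []
        self.open, self.blocks = [], []  # open-element stack; closed id'd blocks with off-site links

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.text = ""                # start collecting this script's body
        elif tag not in ("br", "hr", "img", "input", "link", "meta"):  # void tags never close
            self.open.append([tag, a.get("id"), set()])
        host = urlparse(a.get("href") or "").hostname if tag == "a" else None
        if host and host != self.site_host:
            for el in self.open:          # credit the link to every enclosing element
                el[2].add(host)

    def handle_data(self, data):
        self.text += data

    def handle_endtag(self, tag):
        if tag == "script":
            m = HIDE_RE.search(self.text)
            lit = m.group(1) if m else None
            # Literal id: match it. Id passed in a variable: suspect the nearest preceding block.
            hits = [b for b in self.blocks if b[0] == lit] if lit else self.blocks[-1:]
            self.findings += [(i, sorted(h), "literal" if lit else "variable")
                              for i, h in hits if m]
        elif tag in [el[0] for el in self.open]:
            idx = max(i for i, el in enumerate(self.open) if el[0] == tag)
            closed, self.open = self.open[idx:], self.open[:idx]
            self.blocks += [(i, h) for _, i, h in reversed(closed) if i and h]

def scan(html, site_host):
    parser = CloakScanner(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample shaped like the snippet quoted in the thread; hosts are placeholders.
SAMPLE = ('<div id="share"><a href="https://social.example/s">Share</a></div>'
          '<p id="qbhura"><a href="/">text</a> <a href="http://spam.example/x/">Pills</a></p>'
          '<script>mx=document.getElementById(zq); mx.style.display=rb;</script>')
```

Run `scan()` over the rendered HTML of each published page (saved with a non-JavaScript client) and review every finding by hand; the element id in a finding is a useful string to search for in template files and the database.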
8 years 3 months ago #56679 by microtribe
Thanks. I did find a similar hack on an older page in the blog. Originally I thought it was only on the page that had the JFBConnect short code on, so I thought that was suspect. But it seems you're correct that there is something else going on. Thanks for the fast reply.
Support Specialist
8 years 3 months ago #56684 by alzander
Replied by alzander on topic Any known vulnerabilities?
No problem. I'm glad it's not our extension, but also wish I could give you a magic bullet to solve it. Hackers suck.

Good luck,
Alex