Skip to main content

Salted password hack

Hinweis auf eine TYPO3 Kompromittierung, die BE/FE Passwörter ausspioniert

Evidence found that compromised TYPO3 installations send user data via email

We have found a manipulated version of the TYPO3 core extension saltedpasswords in several compromised installations. The altered extension sends out plain text emails containing user login data. Every time a back end or front end user creates, alters or uses their login information, an email is sent. Several web-hosting providers have already updated their monitoring solutions based on this information, and we would like to let the community know about this, as well.

The method of entry, the acquisition of back end administrator passwords and the insertion of malware have all been seen before. However, this particular use of a manipulated version of saltedpasswords is – as far as we know – new.

In a compromised installation, the extension saltedpasswords is installed in typo3conf/ext.

Here is what we know about the attack:
        • time of the attack: 2014/15
        • IP-addresses used by the attackers: 178.122.0.0 – 178.122.255.255
        • purpose of the attack: presumably the acquisition of sensitive user data from database and installation
        • installation of additional back doors and/or malware
        • affected version: TYPO3 4.5 and later
        • email addresses used to receive login information: dezmo0d.89(at)mail.ru and/or winux777(at)gmail.com
This is what you should do if your TYPO3 has been compromised:
        • Remove or clean up all affected files
        • Find point of entry and close the security gap
        • alter all login information (MySQL, installtool, encryption key)
        • block all back end users and change their passwords
        • ask all front end users to urgently change their passwords
        • inform all users that their login data has been compromised and may be used elsewhere, too
        • reconsider all other security measures

Further information on how to repair a hacked site: https://docs.typo3.org/typo3cms/SecurityGuide/HackedSite/Index.html