
Joomla and FBI - a philosophical post

You'll probably say that Joomla can't have any connection to the FBI. We thought so too, and decided to share an experience which looks funny now, but wasn't so funny when the story began...

We won't share any names, of course, and just hope that this story will show you the importance of website updates, of working with skilled people, and of being able to admit your own mistakes. A couple of days have already passed, but our team still remembers this incident as one of the worst experiences, the kind which usually makes us think about leaving the business.

A customer contacted us and claimed that one of our extensions was compromised, because once it was installed on his corporate website, the website was hacked.

We of course requested additional details and asked to help the hosting company, because access logs can identify the issue when only a short time has passed.

But the customer refused and said that the "hosting company has no desire to communicate directly with you" and "we intend to dispute the credit card payment for this software", and that they are using "extensions that have been running reliably for years".

OK, great! No facts, no information, no proof, no desire to find the reason - just nothing! But the money comes first, as always :)

We decided to take a look at the customer's website without any login details, just to explore what was possible. It's an NPO from Florida (no names), so we didn't expect a super site, but it should at least be carefully built.

The first thing we wanted to test on the website was the Joomla version. Trying to load the malicious URL that was recently fixed in Joomla 3.4.5 brought us "success" in the form of the database table prefix: the website definitely ran an earlier version, and the known security hole worked fine.

So, given that our extension has been sold for years to hundreds of customers with no known security issues, while the Joomla < 3.4.5 issue is well known and loved by all hackers, what's the real reason the website was compromised?

FYI: within a few hours of the Joomla 3.4.5 release, hosting and security companies started to see high activity from bots that were already using the vulnerability, which became known through the patch in the Joomla release.

We immediately informed our customer about the outdated Joomla version and underlined that the website was open to attacks right now and that any hacker could easily hack it: create new super users, upload WordPress and start selling Viagra/Cialis (that's what happened to the customer's website).

The mistake from our support was that an ironic phrase was added: "Next I can proceed further and hack your site right now. Should I?" Irony is irony, but unfortunately not in this situation!

Once the details were posted in the support desk, we decided to call the customer directly, because the situation was critical and we had to react fast.

Do you know what we were told? "I don't believe in coincidences, I don't know anything about Joomla 3.4.5 or my website is already updated (something like that), and I will call the FBI if our website is hacked again because you said that you can hack it".

FBI, Carl, FBI! He will call the FBI because I found a security issue on his website and was not too lazy to call him directly, while he is too lazy to click the 'Update' button in the backend.

Of course we issued a refund, because we don't need such money from such people.

We also wrote a letter to the CEO of the NPO with all the details. The CEO replied and said that she believes in her staff more. When we checked later, we saw that the website had been updated to Joomla 3.4.5 a few hours after our call, so all our facts were actually lost.

The CEO's position of trusting your own staff more than other people is certainly good and appreciated. But not if your IT guy (the so-called Chief Information Officer) either has no experience with websites or can't admit his own fault of not keeping the website's software updated. Sure, it's better to say that it's the f...g Joomla extension from AlterBrains which broke the website.

We asked a well-known person in the Joomla community what to do in such a situation; he said that "the world is full of idiots - we can't fix that". Actually, thanks to these words we now look at this incident as a "funny case". Thanks, man!

So, what's the conclusion and why did we write this article? What do we want to say? Here it is:

  • Trust your team, but always listen to others.
  • Be professional once you get a job and always learn or listen to people who know more.
  • Admit your mistakes: you can try to cheat others, but not yourself.
  • Understand humor and irony because the most foolish things in this world are done with the most serious faces.

 PS. Upgrade to Joomla 3.4.5 asap!
