Original page: http://brian.teeman.net/tips-and-tricks/help-my-joomla-web-site-has-been-hacked.html
"Just because you keep your server secure and your software up to date you may have been exploited yesterday, ready to be hacked tomorrow."
I remember this happened to me when I was on shared hosting and got a lot of outdated extensions when I was using J1.0!
I decided to move to a managed VPS and upgrade J! to 1.5. Started from scratch (except for the database) and it kept the crackers away till now!
We recently started the Security group on the "Unofficial Joomla Developers" site, and one of the prime areas I want to take positive steps in is end-user awareness of vulnerabilities and issues just like this. We also just released the first version of our Joomla Version Verification Tool, which tells you if any of your core files have been modified (using the MD5 hashing routine you mention). We want to extend the tool to all extensions and also search for new files, like you mention, and would love more community involvement.
http://www.alltogetherasawhole.org/group/security
Joomla has a bad rap in the CMS world compared to Drupal and WordPress (IMO), but it's mostly due to end-user error and lack of automated security tools, not inherent flaws in the core itself. Hopefully we can fix that going forward.
These new viruses and trojans steal FTP login credentials then just have their automated programs use valid FTP credentials to hack as many websites as possible. They do it all the time.
After reading your post, I will have to start considering what plugins people have installed on their websites.
Thank you for the insight, your thought processes and your investigative work.
And one thing I cannot understand yet is: There are so many "so called" webmasters out there that do not know of the backgrounds just for two cents. They should not wonder!
As of my function as Security Consultant, in 89% of the cases I am involved at that stage after the horse has already bolted. And when the three letters FTP come to my ears, my first note is, not to worry about software and security holes as long as the website resides on an FTP account, but immediately to change the service provider.
The File Transfer Protocol now has an age that I can bet, most of your readers are younger Brian. Any web hosting provider that doesn't at least offer FTPS is not worth to host a client's site. I'm pretty sure, on their servers I can find at least one more security related issue.
Nicely done Brian!
I owe you a beer! ;)
gr. Bas
http://www.ravenswoodit.co.uk/index.php?option=...
Maybe it's time to start using it again!
How about running a tool like Solidcore on the server?
After watching your video "Hidden Secrets of Joomla", I did read all your blogs and made notes of your advice. I did change passwords, changed administrators and installed the extension Eyesite.
Also this item learns more how important it is to do the utmost to protect your websites.
The use of a diff tool is new for me. I see a lot of them on the internet. Can you suggest one?
Thanks again for all the serious stuff you share with us.
"Remember just because you keep your server secure and your software up to date there is still the possibility that you were exploited yesterday, ready to be hacked tomorrow."
I agree with this point. The fact is Joomla is open to everyone, and there are many different developers with different programming skills / security knowledge. Then the extensions are of different standards. In order to make sure that, even if the website has some vulnerabilities, we need to have a central security management tool here.
Currently most Joomla security extensions will start their injection analysis on the event of "OnAfterRender" or "OnAfterInitialise". Here comes one problem. If some extensions have the vulnerabilities and also start running on the event of "OnAfterRender" or "OnAfterInitialise", then the security software runs after this extension, isn't this a big security hole?
The solution is to implement a central security tool before the Joomla script is running. Currently only the one provided by Open Source Excellence can do this job. It runs the scanner before all Joomla scripts (or more accurately, any PHP scripts) start running. Then even if there are any vulnerabilities, it will block it.
The difference is when the anti-hacker things start to run, before or after Joomla initializes; however, this is an important issue. Am I right?
For example in the case I refer to above you could install a scanner, such as the one you refer to, and it would not protect you as the site has already been hacked and the c99 placed on the server.
The script would only prevent, possibly, a new exploit; it would not protect you from the exploit that has already happened.
Thanks for sharing this. It is very helpful. I come from a telecomm background including IT security. Though I would eventually have gotten around to what you found (though I'm sure not as quickly as you did), this is one of those things I plan to store in my things to know for future reference and will bookmark it.
I like the idea of running a script file with the md5sum of each file, saving the list, then comparing it with a new list.
Also, excellent feedback from everyone!
Thanks,
Bill
All sorts of problems tracking that one down.
If shell access is available, there is a small but reasonably useful script available through the forums that can be configured under a CRONTAB task to check for some of these "underlying" issues. Search the Joomla! Forums for SploitChecker, it's not fool-proof, but certainly saved my "rear-end" a few in these and similar scenarios.
Take easy mate,
Russ
http://forum.joomla.org/viewtopic.php?p=468037#...