[joomla] several 1.0 sites hacked this week!

Atir Javid atirjavid at gmail.com
Thu Mar 26 19:29:00 EDT 2009


Hello Barrie,

May I inquire as to how you verified the attack?  I know that FTP
bruteforcing is extremely difficult, and that is very improbable.
What you may have faced was a dictionary attack, which may have worked
with some luck if you had a weak password.  A password including a mix
of

1) UPPERCASE
2) lowercase
3) punctuation/!#$.,
4) numbers

and that is also strong/long, and you would never fall victim to a dictionary attack.

As for bruteforce, an ftpd simply denies access after 3 or 5
(configurable, usually defaults to 3) failed login attempts for some
time.  Some hosts go as far as restricting ftp access until you call
them and verify the problem.  Also, brute forcing a slow protocol such
as FTP over a TCP pipe is virtually impossible.  At this rate it
would take YEARS to bruteforce the password if not DECADES.

@ Other users
Also make sure to go into joomla user configuration and change the
username of 'admin' to something else.
To protect your joomla administration section, if you have a static IP,
you can add

order allow,deny
deny from all
allow from your.static.ip.here

to a file called .htaccess in your administration folder.  If for some
reason your ip changes and you get locked out, simply login via FTP
and update the .htaccess file.  There are some other advanced methods
for protecting your administration folder.

Also, FTP was a protocol developed 30+ years ago.  It is not secure,
clear text authentication, etc.  FTP must go.  If you can help it, do
not use ftp, instead SFTP, or SSH.  Just.. anything but FTP.  Sadly,
that's all that is easy to use and highly available across all hosts,
and not everyone on shared hosting provides SSH access.  If you can do
without it, do without it. http://wooledge.org/mywiki/FtpMustDie

I have seen more sites hacked due to unpatched php or bad php
code (mostly from 3rd party addons) than due to FTP, though.

Still with good security practices you can reduce the risk considerably.

Peace.
2009/3/26 Barrie North <barrie at compassdesigns.net>:
> We got hacked last month by a brute force attack on our FTP password. Once
> they had that, they got into the Joomla files.
>
> Any site can be hacked. The other half of the equation is vigilance and
> backups :)
>
> Barrie North
> ~Fully Managed Joomla Sites~
> www.simplweb.com/joomla
> ~Join the Community at compassdesigns.net~
> www.compassdesigns.net/join-the-community.html
>
>
> On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masimko at verizon.net> wrote:
>>
>> Several of my clients' 1.0.15 sites have been hacked this week!  Is
>> there a problem with 1.0?
>>
>> I don't see an announcement on joomla.org
>>
>> I just saw that my site was hacked the other day. Fortunately they
>> bunged it up a bit, so the code didn't run, but instead gave an error
>> message.
>>
>> What they had done is append javascript to the index.php file. It was
>> disguised as ascii codes, and there were several var defined and
>> substituted in, but the result was that it attempted to open a hidden
>> iframe directed to siplank.com. When I tried to open siplank.com in a
>> web browser (yes, I did that! I do lots of crazy things out of
>> curiosity) Firefox stopped it with a warning about the site being known
>> for malware.
>>
>> I'm running 1.5.9 on a shared host. I will be calling my host and asking
>> them what they can find out from their logs as to what happened.
>>
>> _______________________________________________
>> New York PHP SIG: Joomla! Mailing List
>> http://lists.nyphp.org/mailman/listinfo/joomla
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>
>
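As an added example (not code from this thread, from Joomla, or from any of the posters): a small Python scanner for the kind of appended, String.fromCharCode-obfuscated hidden-iframe script Mark describes in index.php. The file contents and the iframe target are constructed placeholders; it flags the pattern, it does not clean the file.

```python
import os
import re

# Constructed sample: a normal Joomla index.php head followed by an appended
# script whose HTML is hidden behind String.fromCharCode(). The iframe
# target is a placeholder domain, not a real site.
HIDDEN_IFRAME_HTML = '<iframe src="http://malware.example" width="0" height="0"></iframe>'
CODES = ",".join(str(ord(c)) for c in HIDDEN_IFRAME_HTML)
INFECTED_INDEX_PHP = (
    "<?php\ndefine('_JEXEC', 1);\n// ... normal Joomla bootstrap ...\n?>\n"
    "<script>var a=String.fromCharCode(" + CODES + ");document.write(a);</script>"
)
CLEAN_INDEX_PHP = "<?php\ndefine('_JEXEC', 1);\n?>\n"

# String.fromCharCode(60,105,...) literals and zero-sized iframes.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
HIDDEN_IFRAME_RE = re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I)


def decode_fromcharcode(source):
    """Decode every String.fromCharCode(...) literal in source to plain text."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(source):
        nums = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        decoded.append("".join(chr(n) for n in nums))
    return decoded


def scan_php_source(source):
    """Return a list of findings for one file's text (empty means nothing flagged)."""
    findings = []
    if "<?php" in source and FROMCHARCODE_RE.search(source):
        findings.append("String.fromCharCode() inside a PHP file")
    for text in decode_fromcharcode(source):
        if HIDDEN_IFRAME_RE.search(text):
            findings.append("decoded payload contains a zero-size iframe")
    if HIDDEN_IFRAME_RE.search(source):
        findings.append("zero-size iframe in plain text")
    return findings


def scan_tree(root):
    """Walk an install directory and map each flagged .php path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php_source(fh.read())
                if findings:
                    report[path] = findings
    return report
```

Run scan_tree() against a copy of the site's document root and compare the flagged files with a known-good backup before restoring them.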