Joomla! Discussion Forums
 Post subject: why do sites get hacked?
Posted: Wed Dec 26, 2007 2:19 am 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
My site was hacked at some time in the last 48 hours. My question here is not how to solve that; it seems that these forums provide quite a bit of guidance for that.

I am wondering why my site got hacked.

1. Ok, the first why is that I evidently had not secured it well. I had seen no need since the site was still in development and not known to the world - or so I thought.

2. A second why however is that a standard Joomla installation with Fantastico clearly is not secure. I am writing this before I am going to research in detail how to make my site secure, but at the moment I am wondering if more can be done by the combination of Joomla, Fantastico and hosting providers to deliver a setup that is secure out of the box. If there are things that need to be done manually, would it not make sense to alert new users to that, or build in wizards to do the job at first start?

3. But the third and most important why is: what do hackers achieve by hacking a site? Is it for the fun of it? Is it to cover their tracks in distributing illegal information?
In the latter case, are there consequences? Would my domain get blacklisted somewhere, for example by safe internet monitors or by Google? Should I now expect my domain to be on the radar of security agencies?

_________________
www.joomlaloft.com - my joomla stuff attic


Posted: Wed Dec 26, 2007 2:22 am 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
My 1.1 site in development has just been hacked and now that there is a new 1.5RC I am wondering if that is a safer version and whether I should switch?

_________________
www.joomlaloft.com - my joomla stuff attic


Posted: Wed Dec 26, 2007 3:35 am 
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
1. Ok, the first why is that I evidently had not secured it well. I had seen no need since the site was still in development and not known to the world - or so I thought.


Oh, that's bad luck. Sorry! The best way to get around that is to develop your site on your local machine first, and then copy it to the live site when ready. That has other benefits as well, such as a handy backup system.

Quote:
2. A second why however is that a standard Joomla installation with Fantastico clearly is not secure. I am writing this before I am going to research in detail how to make my site secure, but at the moment I am wondering if more can be done by the combination of Joomla, Fantastico and hosting providers to deliver a setup that is secure out of the box. If there are things that need to be done manually, would it not make sense to alert new users to that, or build in wizards to do the job at first start?


Fantastico provides one-button installation convenience, but it is not possible to combine such ease of use with real security. There are too many server and application-level variables that need to be considered to secure a site. They must be adjusted manually. If a single script could make all these security decisions and adjustments on a server then the server would by definition be very insecure.

Quote:
3. But the third and most important why is: what do hackers achieve by hacking a site? Is it for the fun of it? Is it to cover their tracks in distributing illegal information?
In the latter case, are there consequences? Would my domain get blacklisted somewhere, for example by safe internet monitors or by Google? Should I now expect my domain to be on the radar of security agencies?


Hope for the best. Plan for the worst.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Wed Dec 26, 2007 8:01 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11676
Location: **Translation Matters**
Looking at your other post http://forum.joomla.org/index.php?topic=246668.new#new
it looks like the Joomla version is not at stake.

Merging this with the thread above.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Wed Dec 26, 2007 9:20 am 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
Thanks to you both for responding during Christmas, and I hope you had a good time!

rliskey, I was afraid of your answer ad 3 and I will look into your suggestion ad 1 to develop on my local machine. At least I have learned something from all this: I had not thought of what you said in your answer ad 2. Still it would be nice to have a wizard-like thing that takes beginning idiots like myself through the motions of making manual adjustments to settings where sensible.

So Jean Marie it is indeed not the Joomla version which is at stake in terms of blame for what happened. The first why is simply what I listed first: my failure to secure the site - and everything else is a secondary matter of interest.
But that is looking to the past. My question about the old and new Joomla version was looking to the future - and assuming that this time I will make efforts to secure the site.
In theory I can imagine that one should expect one version of Joomla to be safer than the other for several reasons. One reason why the new Release Candidate could be less safe is the experience with computer software showing that older products have the benefit of experience, and as time goes by there is less chance that a new security problem is discovered. On the other hand, another reason could be that a newer version could be built in a different and more secure way.
So basically I was wondering out loud if any reason like that applies with regard to the old and new Joomla versions.

_________________
www.joomlaloft.com - my joomla stuff attic


Posted: Wed Dec 26, 2007 9:40 am 
Joomla! Virtuoso

Joined: Mon Mar 20, 2006 1:56 am
Posts: 3704
Location: The Girly Side of Joomla in Sussex
Quoting the thread http://forum.joomla.org/index.php/topic ... msg1097002, I think it should be made very clear that Fantastico leaves the Joomla installation directories open for attack.

_________________
HU2HY - GIGO - Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Avez-vous lu les instructions ? Avez-vous recherché ?


Posted: Wed Dec 26, 2007 9:51 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11676
Location: **Translation Matters**
ewel wrote:

In theory I can imagine that one should expect one version of Joomla to be safer than the other for several reasons. One reason why the new Release Candidate could be less safe is the experience with computer software showing that older products have the benefit of experience, and as time goes by there is less chance that a new security problem is discovered. On the other hand, another reason could be that a newer version could be built in a different and more secure way.
So basically I was wondering out loud if any reason like that applies with regard to the old and new Joomla versions.

I think we can safely apply here the theory of "There is always a security issue lying somewhere, even if crackers have not yet discovered it."

This is the reason why even MacOSX has 4 or 5 security updates every year, and new PHP versions are released. {Let's NOT talk about the various Windows OS avatars...}
There have been important security issues solved during the 1.0.x evolution, and some have been solved after 1.5 beta1 and in the last RC4.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Wed Dec 26, 2007 9:24 pm 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
mandville wrote:
Quoting the thread http://forum.joomla.org/index.php/topic ... msg1097002, I think it should be made very clear that Fantastico leaves the Joomla installation directories open for attack.
Keeping to that thought, and the original intention of the thread to discuss the future, maybe one of the dummy stories that comes up in the initial installation home page might reflect on security and the responsibility of the site owner to take steps to protect the site?
I was thinking through the process, especially with Fantastico in mind, and that is about the only means of getting the attention of the site owner. Yes, there should also be a page with information showing up during the install, but a well written newsy item coming up when the site first opens could save many of these 'virgin' sites from being compromised. It doesn't need to be frightening, just factual. Perhaps along the lines of, "Now that you have got this far there are more steps to take", or a How-To of links back to this Forum?

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Posted: Wed Dec 26, 2007 10:04 pm 
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 189
Location: Latham, NY
ilox wrote:
mandville wrote:
Keeping to that thought, and the original intention of the thread to discuss the future, maybe one of the dummy stories that comes up in the initial installation home page might reflect on security and the responsibility of the site owner to take steps to protect the site?


I think this is a great idea and merits some serious thought. The one thing that has really concerned me since I started using Joomla is the way it is often portrayed as a complete CMS solution that does not require any prior knowledge in HTML, PHP or any programming background. These kinds of portrayals, taken strictly in the spirit for which they were intended, are true, but that's all just the tip of the iceberg. Joomla itself is secure, but the things surrounding it -- the server, the host, the 3rd party extensions -- are pretty much an open book many times. Putting some serious security 'teaser' information right up front as suggested above is a way to draw people's attention to security before they even start modifying their Joomla install.

You can't MAKE people be security conscious, but by that same token I don't think anybody has ever created a site with the intention of being insecure either. If some small step like this could be made to broaden people's awareness of security issues, then maybe at least a few of the common security emergencies we see in this forum day in and day out can be avoided!


Posted: Wed Dec 26, 2007 10:21 pm 
Joomla! Virtuoso

Joined: Mon Mar 20, 2006 1:56 am
Posts: 3704
Location: The Girly Side of Joomla in Sussex
Agreed, the point of view that I tell many of my hostees and potential hostees is that "Joomla when installed from the original source at Joomla.org is fine. BUT like most things, read the instructions!"

_________________
HU2HY - GIGO - Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Avez-vous lu les instructions ? Avez-vous recherché ?


Posted: Wed Dec 26, 2007 10:40 pm 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
I gratefully agree with all this input, and to my mind the interests of Joomla coincide with those who want a CMS but have no skills beyond clicking and typing.
- Joomla wants to become more popular and does seem to target the unskilled amongst others, but popular opinion is always volatile, and even where there is no justification a reputation can very easily go bad but is difficult to build up. So Joomla has an interest in proactively helping people with things like security, even if it is not responsible for the security implications of the variety of things people do after initial installation.
- Unskilled administrators are not necessarily lazy, but they are not skilled in (X)HTML, JavaScript (in extensions), PHP and MySQL, so they may not know how to ask the right questions, let alone find the answers, and answers often presuppose some level of skill in modifying HTML and PHP.

To show a 'user beware' message after installation (or even before download!) would make much sense, but it would also scare some people away when there is no need for fear, only for caution. My preference would be to guide people along the path of caution rather than to make them fearful of starting that path.

My thought is that there could be a menu item Security in the backend powered by a component which runs a security check (I think there is an extension already which does that) and suggests improvements, where necessary asking for user input (I think this would be new). Users could be alerted to this by a first start message as suggested above, and possibly again upon installing a third party extension. The component could do things like suggesting to change installation usernames and passwords, which can immediately be filled in, suggesting improvements to the .htaccess file, and other things which a component could do in terms of access rights. Absent sufficient access rights such a component could ask for permission and an email address to send an email to the hosting provider, for example to request changes to certain PHP settings, or provide the administrator with links to relevant DIY help files.

If at all possible this administrator security component would know at least the most popular and most unsafe extensions. Alternatively (or in addition) Joomla could set up a security certification for extensions based on simple but effective rules which do not aim for full security yet have a preventive effect on the more obvious security risks. For example, extensions could be checked for not needing the absolute path that I have read should be switched off in the .htaccess file.

Making Joomla idiot-proof would be a bridge too far and probably would clash with what sort of development the other target group, professional webmasters, are looking for. Still, it can only be positive for Joomla if a strong helping hand is extended to those who need it. Just to be clear: I do not mean to imply that I myself should have been warned and helped more; what I mean is that people like me could possibly be warned and helped better.

On a related note, the suggested 'user beware' message could also stress the importance of (automatic) backup solutions - both of files and of the database.

_________________
www.joomlaloft.com - my joomla stuff attic


Posted: Thu Dec 27, 2007 6:52 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 728
Location: Wisconsin USA
musiczineguy wrote:
ilox wrote:
mandville wrote:
Keeping to that thought, and the original intention of the thread to discuss the future, maybe one of the dummy stories that comes up in the initial installation home page might reflect on security and the responsibility of the site owner to take steps to protect the site?


I think this is a great idea and merits some serious thought. The one thing that has really concerned me since I started using Joomla is the way it is often portrayed as a complete CMS solution that does not require any prior knowledge in HTML, PHP or any programming background. These kinds of portrayals, taken strictly in the spirit for which they were intended, are true, but that's all just the tip of the iceberg. Joomla itself is secure, but the things surrounding it -- the server, the host, the 3rd party extensions -- are pretty much an open book many times. Putting some serious security 'teaser' information right up front as suggested above is a way to draw people's attention to security before they even start modifying their Joomla install.

You can't MAKE people be security conscious, but by that same token I don't think anybody has ever created a site with the intention of being insecure either. If some small step like this could be made to broaden people's awareness of security issues, then maybe at least a few of the common security emergencies we see in this forum day in and day out can be avoided!


I think that is a great idea: to welcome the new Joomla user and have some default news articles that explain what the recommended server settings, directory settings, and file settings should be, what to do if they are not set ideally, with links to where to go for more detailed information (security FAQs). Maybe even a short newsflash on how to activate and what to add to the .htaccess file, or how to make and what to add to php.ini files if running PHP as CGI.

When I first installed Joomla, I just kinda let it install from Fantastico, then went right into figuring out how to add articles, templates, and components. Security never crossed my mind. I just assumed that if I installed the latest version, my site was secure and safe. In fact I ran my first site for well over a year with register_globals on, global emulation on, no .htaccess and many directories and files set to 777. Why I never had a problem I don't know. It was only after frequenting this board that I learned what a security nightmare my site was and took steps to fix it.

I think that many people who install something on a website do not think one bit about security. They assume (like I first did) that their host and whatever software will keep them from harm. When that doesn't happen they run to a board, yell help, and are surprised that their site wasn't secure after all. While Joomla is secure, and many websites can be made secure, you have to teach a new person what security means, how to balance security and site usability, and what to look for. A good first step is to place some of this information directly in front of them in the form of Joomla news articles, newsflashes, and links to more detailed information on something that they are learning to use. I got pretty good at remembering the text of the memory/strike newsflash. Useful information can pique the interest of a new person also if seen enough times.

_________________
Phil


Posted: Thu Dec 27, 2007 7:44 pm 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
Today I tried Joomla! Tools Suite, a brilliant component that is about 75% of the way to what I proposed above, and as it is I already think it should be part of the standard Joomla installation package. See http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1734/Itemid,35/. This would be perfect with some trigger to draw new users' attention to it and if, besides alerts, it also had form boxes, edit fields and buttons to do what is recommended.

_________________
www.joomlaloft.com - my joomla stuff attic


Posted: Thu Dec 27, 2007 9:22 pm 
Joomla! Virtuoso

Joined: Mon Mar 20, 2006 1:56 am
Posts: 3704
Location: The Girly Side of Joomla in Sussex
OK,
I was looking to put these suggestions into a proper 'wishlist' forum but couldn't find one.
MODS - please look into this.
Thanks

_________________
HU2HY - GIGO - Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Avez-vous lu les instructions ? Avez-vous recherché ?


Posted: Thu Dec 27, 2007 11:14 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 728
Location: Wisconsin USA
One problem I see with trying to give people the easy ability to change directory/file permissions from Joomla is that I believe only the owner can make these changes. If Apache is the owner then no problem, but if the user used FTP to upload the files, or used cPanel to upload the files (I think), or used Fantastico to install, then Apache (and thus Joomla) does not own the files and changes can't be made, as the webserver does not own the files. Only the owner can make changes. Many webservers are still set up to run PHP as an Apache module, which is what causes this problem.

If the server is running PHP as CGI then Joomla normally can make the changes necessary, as the webserver runs as the account owner when necessary.

I also think that if the user is given an option to make changes and errors pop up about not being able to make the changes with no direction on how to remedy the situation, or worse there is no error at all and the changes are not made, then a new user will become more confused and frustrated. Just look at all the posts about permission problems and being unable to install a component due to ownership of files posted on this forum as an example. So while the idea of setting directories and files with a Joomla component certainly has merit, very careful handling of errors and careful direction about what is wrong/how to fix it, if it is determined that the changes cannot be made because of the server settings or an error occurs, will be necessary.

_________________
Phil
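
The pre-flight check that ewel's proposed security component and Phil's ownership point between them call for, as an added example (it is not code from this thread, from Joomla, or from any extension): it reports whether the PHP process owns the site files (so chmod() from a component would work at all) and which entries are world-writable, and gives direction instead of failing silently. Function names and the CLI usage are this example's own assumptions.

```php
<?php
// Added example (not from this thread or any Joomla extension): a pre-flight
// check a PHP security component could run before offering to "fix" permissions.
// It answers Phil's question up front: does the PHP process own the files
// (so chmod() will work), and which entries are world-writable ("777")?
declare(strict_types=1);

/**
 * Scan $root and return a report. Paths are only collected, never modified.
 *
 * @return array{php_uid:int, owned:bool, foreign:string[], world_writable:string[]}
 */
function checkPermissions(string $root): array
{
    // Effective uid of the PHP process: the web server user when PHP runs as an
    // Apache module, the hosting account owner when it runs as CGI/suPHP.
    $phpUid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
    $report = ['php_uid' => $phpUid, 'owned' => true, 'foreign' => [], 'world_writable' => []];

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        /** @var SplFileInfo $info */
        if ($info->getPerms() & 0002) {       // world-writable bit set (the 777 case)
            $report['world_writable'][] = $path;
        }
        if ($info->getOwner() !== $phpUid) {  // chmod() from this process would fail
            $report['owned'] = false;
            $report['foreign'][] = $path;
        }
    }
    return $report;
}

/**
 * Turn the report into the direction Phil asks for: say what is wrong and
 * whether this process can fix it, rather than erroring out or staying silent.
 */
function explainReport(array $report): string
{
    $out = [];
    $n = count($report['world_writable']);
    $out[] = $n === 0
        ? 'No world-writable files or directories found.'
        : "$n world-writable entries found (e.g. {$report['world_writable'][0]}). "
          . 'Recommended: 755 for directories, 644 for files.';

    if ($report['owned']) {
        $out[] = "PHP runs as the file owner (uid {$report['php_uid']}); "
               . 'permission changes can be applied from this component.';
    } else {
        $m = count($report['foreign']);
        $out[] = "PHP (uid {$report['php_uid']}) does not own $m entries "
               . "(e.g. {$report['foreign'][0]}); chmod() from PHP will fail. "
               . 'Change them via FTP/cPanel, or ask the host to run PHP as CGI/suPHP.';
    }
    return implode(PHP_EOL, $out);
}

if (PHP_SAPI === 'cli') {
    // Constructed usage: php check.php /path/to/joomla
    $root = $argv[1] ?? '.';
    echo explainReport(checkPermissions($root)), PHP_EOL;
}
```

Run from the web server (not the CLI) to see the uid the component would actually have, since that is the case Phil describes.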


Posted: Fri Dec 28, 2007 12:07 am 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
Agree Phil, which is why I was thinking only of a simple factual dummy message on the lines of, "Welcome to your new Joomla site, where to go from here". That site would pull them to a page or a thread on here that would give them ideas on security and ways to do some setting up. I don't see that it would be doable/feasible to build too much more into the core of a default installation, but instead of talking flimflam like the dummy articles do at present, there could be a sensible article that starts the new Joomla owner on the road to learning what it means to own and care for a fresh Joomla installation.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Posted: Fri Dec 28, 2007 1:33 am 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 728
Location: Wisconsin USA
Ilox,

I agree with what you propose as probably the best way to welcome new users and introduce them to what else should be done to have a safe, secure site that is usable.

_________________
Phil


Posted: Fri Dec 28, 2007 8:21 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11676
Location: **Translation Matters**
mandville wrote:
OK,
I was looking to put these suggestions into a proper 'wishlist' forum but couldn't find one.
MODS - please look into this.
Thanks


http://forum.joomla.org/index.php/board,38.0.html

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sun Dec 30, 2007 1:25 am 
Joomla! Virtuoso

Joined: Mon Mar 20, 2006 1:56 am
Posts: 3704
Location: The Girly Side of Joomla in Sussex
Thanks for that link to the forum. I did post into it but my post was deleted/erased/moved. ???

Now re-added as http://forum.joomla.org/index.php/topic,247700.0.html

_________________
HU2HY - GIGO - Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Avez-vous lu les instructions ? Avez-vous recherché ?


Posted: Mon Dec 31, 2007 12:47 am 
Joomla! Explorer

Joined: Mon Oct 01, 2007 11:35 am
Posts: 477
As an add-on to the idea, which I can only agree with considering what was said about permissions etc., my fairly commercial mind would not hesitate to make developers/providers bid for the pleasure of advertising their security products/secure hosting in the Joomla installation process. Provided their security products are sound, this would help Joomla users with security and Joomla with funding - and in principle does not seem to run counter to the open source principles.

_________________
www.joomlaloft.com - my joomla stuff attic

