Joomla! Discussion Forums



Posted: Fri Nov 06, 2009 4:40 am 
Joomla! Apprentice

Joined: Thu Aug 10, 2006 3:34 pm
Posts: 26
Had my sites defaced today via dropping a 404.php file into my /tmp folder of a site. Granted, this was running on an older version of Joomla, 1.5.0 or 1.5.1 ... I actually thank Red-D3v1L for reminding me of security. Could have been worse.
Can anyone explain how this was done, and is it capable of happening on 1.5.14 or .15?

regards


Posted: Fri Nov 06, 2009 7:39 am 
Joomla! Hero

Joined: Thu Jul 24, 2008 12:48 pm
Posts: 2067
Location: Austin, TX
In case you haven't updated and need help, I wrote a quick page to help:
http://www.cmsmarket.com/resources/dev-corner/101-how-to-update-joomla

If this was a known exploit in the version of Joomla! you are using, it should be fixed by upgrading. It's possible that it was an exploit with the version of Apache you are running, or a 3rd party Joomla! component you have installed, or a number of other things.

There are also some extensions out there that may help you avoid this kind of thing happening in the future:
http://extensions.joomla.org/extensions/access-a-security/site-security

Eyesite seems like a really cool one that I eventually need to look into:
http://extensions.joomla.org/extensions/access-a-security/site-security/9149


If you find anything you like, post back here because I'd love to know as well.

_________________
Will Mavis - Joomla Extension Developer
http://www.cmsmarket.com/
http://www.sourcecoast.com/
If you think I can help you, feel free to PM me a link to your post and I will respond. Please don't hijack another user's thread. :D


Posted: Mon Nov 09, 2009 8:57 am 
Joomla! Fledgling

Joined: Mon Nov 09, 2009 7:37 am
Posts: 3
Thanks wlrdq for posting such useful links. I had the same problem and was looking for a solution. You really did a great job for people like me.

_________________
Please read forum rules regarding signatures: viewtopic.php?t=65


Posted: Mon Nov 09, 2009 4:07 pm 
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1262
Location: WV
You should be very concerned. How did they manage to write that file, THAT's what you need to find out. Was it in your site's tmp/ or the server's root /tmp/ ?

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


Posted: Mon Nov 09, 2009 4:14 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 730
Location: Wisconsin USA
Any directory that, because of server setup, needs 777 permissions to enable Joomla to function properly* can be hacked very easily by basic site hacking scripts. Also, any file that has permissions of 777 so you can edit it* on improperly configured servers will be subject to hacking by basic hacking scripts.

* Joomla only needs a max of 755/644 to function properly on a properly configured server

This is one way (there are many others) they can install PHP scripts in directories such as /tmp, /images, and so on, so they can execute them. You can place an .htaccess file in these directories that can prevent execution of PHP code (at least by script-kiddies) from these "unprotected" directories.

I looked at Eyesite a while back, and in my opinion Eyesite basically just makes a list of the file dates, and if any dates change then it flags the file as being altered. There are ways of not changing the date/time stamp of a file, and if Eyesite is run on an infected site it does no good.

There are many exploits out there, and the versions of Joomla you had, I think (without looking it up again), had some SQL injection holes. Regardless, there are many ways someone can get into your site, including getting the credentials necessary from your computer without your knowledge.

Upgrading your site if not thoroughly cleaned of any compromises (the code hides in amazing places once you are hacked) just means your site is not showing signs of the hack, but could still be infected by a backdoor. This is a mistake many posters here make. The time to upgrade is before you're hacked, not after.

I suggest that you read the Security Checklist http://docs.joomla.org/Category:Security_Checklist

Check your extensions against http://docs.joomla.org/Vulnerable_Extensions_List_oct and remove any that match the version numbers or are of an earlier version.

There are a huge number of forum topics in the security forum dealing with iframe and other common attacks, including attacks from one's own computer. These also contain some good security information, including a few that describe a basic attack. I suggest you search and check them out.

_________________
Phil
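
The checks described in the post above (777 permissions, PHP files sitting in /tmp or /images, and a missing .htaccess in those directories) can be scripted as a quick audit. This is an added example, not code from any poster in the thread; the function names, the `DATA_DIRS` list and the sample tree are assumptions, and the script only checks that an .htaccess exists, not what it contains.

```bash
#!/usr/bin/env bash
# Added example: audit a Joomla docroot for the conditions described in the post.
# DATA_DIRS, the function names and the sample tree are assumptions made here.
DATA_DIRS="${DATA_DIRS:-tmp images}"   # data-only directories named in the thread

# Files and directories that any local user can write to (777, 666, 757, ...).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Script files inside data-only directories, e.g. a dropped tmp/404.php.
scripts_in_data_dirs() {
    local d
    for d in $DATA_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' \) -print
    done | sort
}

# Data-only directories that have no .htaccess to restrict PHP execution.
dirs_without_htaccess() {
    local d
    for d in $DATA_DIRS; do
        if [ -d "$1/$d" ] && [ ! -f "$1/$d/.htaccess" ]; then echo "$1/$d"; fi
    done
}

# Print all three reports for the docroot given as $1.
audit() {
    echo "== world-writable paths (expect 755/644 at most) =="; world_writable "$1"
    echo "== scripts in data directories ==";  scripts_in_data_dirs "$1"
    echo "== data directories without .htaccess =="; dirs_without_htaccess "$1"
}

# Constructed sample tree standing in for a site; prints its path.
make_sample_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/images/stories" "$root/administrator"
    echo '<?php /* core file */' > "$root/index.php"
    echo '<?php /* dropped file */' > "$root/tmp/404.php"
    touch "$root/images/.htaccess" "$root/images/stories/logo.png"
    chmod 755 "$root" "$root/images" "$root/images/stories" "$root/administrator"
    chmod 644 "$root/index.php" "$root/tmp/404.php" "$root/images/.htaccess" "$root/images/stories/logo.png"
    chmod 777 "$root/tmp"
    echo "$root"
}

# Audit the path given as the first argument, or the constructed sample tree.
audit "${1:-$(make_sample_tree)}"
```

Any hit from the second report is worth reading by hand, since a clean permission report says nothing about files that were written before permissions were tightened.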

