Are my site monitoring efforts nonessential drudgery?

Discussion regarding Joomla! 3.x security issues.

webvirtuoso
Joomla! Apprentice
Posts: 38
Joined: Mon Oct 06, 2014 11:26 pm

Are my site monitoring efforts nonessential drudgery?

Post by webvirtuoso » Thu Jul 23, 2015 11:01 pm

Hi! I have been manually monitoring file changes and raw Apache server logs for a website that was supposedly hacked some time ago. Every day I check the Apache server logs for the following strings: "update", "replace", "insert", "administrator" and "POST", then I block IPs that look suspicious. So far I've been finding only some "POST" logs and some "site/administrator" logs, and most of them look like SEO bots or something similar.
The 2nd routine is checking all the hourly file changes from the server's cron setup, which sends me an email every hour with the file changes.

Anyways, I need to know if this is just a waste of time, because I guess there are more strings to search for in logs and more stuff to look out for in file changes than I can think of as a Joomla security newbie.

This procedure that I go through every 24 hours takes a lot of time, since I am manually going through a lot of text, and sometimes I am not able to finish auditing a whole 24 hours of server logs and file changes, especially at times when the site has a lot of traffic.

Can you advise me if there's a better way to monitor a Joomla website after a hack, as I am just a beginner? I have already read the Joomla security checklist and this forum's security threads, but there are no resources listed there such as automated PHP Joomla monitoring scripts or anything of that sort.
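As an added example (not code from the poster or from Joomla), here is the daily log routine above done with a parser instead of plain string searches: it reads Apache combined-format lines, counts POSTs to /administrator per client IP, and checks decoded query strings for the patterns the .htaccess rules quoted later in this thread look for. The log lines are constructed, and the threshold of three admin POSTs is an assumption.

```python
import re
from urllib.parse import unquote
from collections import Counter

# Constructed Apache "combined" log lines (not real traffic), using documentation-range IPs.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2015:22:01:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2015:22:01:14 +0000] "GET /administrator/ HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2015:22:01:20 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2015:22:01:25 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2015:22:01:31 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jul/2015:22:05:02 +0000] "GET /index.php?option=com_x&id=1%20union%20select%201 HTTP/1.1" 403 0 "-" "curl/7.40"
192.0.2.77 - - [23/Jul/2015:22:07:40 +0000] "POST /index.php/contact HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# The query-string patterns from the .htaccess rules quoted later in this thread; only GET
# parameters are visible in an access log, a POST body never is.
SQLI_RE = re.compile(r"concat[^(]*\(|union([^s]*s)+elect", re.IGNORECASE)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, admin_post_threshold=3):
    """Flag IPs with repeated POSTs to /administrator and lines whose query string matches SQLI_RE."""
    admin_posts = Counter()
    sqli_hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # rotated-log headers, truncated lines, other formats
        if rec["method"] == "POST" and rec["path"].startswith("/administrator/"):
            admin_posts[rec["ip"]] += 1
        query = unquote(rec["path"].partition("?")[2])
        if query and SQLI_RE.search(query):
            sqli_hits.append((rec["ip"], rec["status"], rec["path"]))
    flagged = {ip: n for ip, n in admin_posts.items() if n >= admin_post_threshold}
    return flagged, sqli_hits

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Point it at a real access log with `analyze(open(path).read())`; the per-IP counts are what to review before blocking anything, since legitimate admins also POST to /administrator.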

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Are my site monitoring efforts nonessential drudgery?

Post by itoctopus » Fri Jul 24, 2015 1:36 am

We do monitor the Apache logs for our major clients and it's not a waste of time. We also check for any file changes in the last 2 days using the following shell command:

find /home/[user]/public_html  -path '/home/[user]/public_html/cache/*' -prune -o -mtime -2 -ls > changed.txt
The above command excludes the cache directory and saves a list of the changed files in the changed.txt file.

We also run a maldet scan on each website (using the following shell command when in the website's main directory):

maldet -a .
Now, returning to searching the logs: we don't (and can't) examine every line, but we prune out all the non-questionable lines and IPs. We also check if there are any administrator logins from unknown IPs (also using the logs). This helps tremendously - in fact, we discovered last week that one of our major clients had one of their passwords compromised, 6 hours after the fact, and we changed all the passwords on the account and reverted what was done on the website.

Security work is not straightforward: you can't use a single tool to do it, and it does require manual work, lots of it, but you will always need to prune out non-essential data.

Note: We also allow only the index.php file to be executed on any website that we manage - this really helps protect against many attacks.

Hope this helps.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Are my site monitoring efforts nonessential drudgery?

Post by Slackervaara » Fri Jul 24, 2015 4:59 pm

I use the extension Eyesite to detect file changes in Joomla. Works well.
http://www.lesarbresdesign.info/extensions/eyesite

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Are my site monitoring efforts nonessential drudgery?

Post by Bernard T » Fri Jul 24, 2015 5:31 pm

Are you able to implement mod_security? With a proper rule set it can tremendously lower the risk of SQL injection and similar attacks that can be detected by WAF.

itoctopus wrote:
> We do monitor the Apache logs for our major clients and it's not a waste of time. We also check for any file changes in the last 2 days using the following shell command:
>
> find /home/[user]/public_html  -path '/home/[user]/public_html/cache/*' -prune -o -mtime -2 -ls > changed.txt
>
> The above command excludes the cache directory and saves a list of the changed files in the changed.txt file.

File change monitoring is a good idea, but don't rely solely on "last modified" time. The touch command (PHP, shell) can be used to set the timestamp to any time an attacker wants.
A better approach is to track calculated hashes for files, at least SHA1.

> We also run a maldet scan on each website (using the following shell command when in the website's main directory):
>
> maldet -a .

Maldet is an OK tool, we use it too, but it's very limited in detection coverage since it's designed to check file hashes, some hex fingerprints and statistical checks for obfuscated code.
So use it, but don't 100% rely on it, as it can have false negatives.

What's nice with Maldet, you can use it as an "inotify" monitor, so it will scan any changed file.
Also, you can integrate it with mod_security, so every uploaded file passes through a Maldet check.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
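Bernard's hash-based suggestion above, as an added example that is not the poster's code nor an Eyesite or Maldet feature: a SHA-256 manifest of the web root (SHA-256 rather than the SHA1 minimum mentioned), diffed against a saved baseline, so a file whose timestamp was reset still shows up. The excluded directories and the demo scenario are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories Joomla rewrites constantly; skipping them mirrors the find -prune above (assumed list).
EXCLUDE_DIRS = ("cache", "administrator/cache", "tmp", "logs")
def file_hash(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its digest, skipping EXCLUDE_DIRS."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in EXCLUDE_DIRS):
            continue
        manifest[rel] = file_hash(p)
    return manifest

def diff_manifests(old, new):
    """What changed between a saved baseline and a fresh scan, timestamps ignored."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def demo():
    """Constructed scenario: a file is rewritten, then its mtime is put back (what touch would do)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cache").mkdir()
        (root / "cache" / "page.tmp").write_text("volatile")  # must not appear in the manifest
        target = root / "index.php"
        target.write_text("<?php echo 'original';")
        baseline = build_manifest(root)
        before = target.stat()
        target.write_text("<?php echo 'tampered';")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_moved = target.stat().st_mtime_ns != before.st_mtime_ns  # what find -mtime would see
        return mtime_moved, "cache/page.tmp" in baseline, diff_manifests(baseline, build_manifest(root))
```

In practice, store the baseline manifest (for example as JSON) outside the web root, since an attacker who can write to public_html could otherwise update it too.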

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Are my site monitoring efforts nonessential drudgery?

Post by Slackervaara » Fri Jul 24, 2015 6:15 pm

Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

https://docs.joomla.org/Htaccess_exampl ... ecurity%29

webvirtuoso
Joomla! Apprentice
Posts: 38
Joined: Mon Oct 06, 2014 11:26 pm

Re: Are my site monitoring efforts nonessential drudgery?

Post by webvirtuoso » Sun Aug 02, 2015 5:18 am

Great info friends, thanks

webvirtuoso
Joomla! Apprentice
Posts: 38
Joined: Mon Oct 06, 2014 11:26 pm

Re: Are my site monitoring efforts nonessential drudgery?

Post by webvirtuoso » Sun Aug 02, 2015 5:19 am

Slackervaara wrote:
> Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.
>
> ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
> ## http://www.sigsiu.net/presentations/for ... bsite.html
> ## May cause problems on legitimate requests
> RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
> RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
> RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
> RewriteRule .* - [F]
>
> https://docs.joomla.org/Htaccess_exampl ... ecurity%29

Good one dude

webvirtuoso
Joomla! Apprentice
Posts: 38
Joined: Mon Oct 06, 2014 11:26 pm

Re: Are my site monitoring efforts nonessential drudgery?

Post by webvirtuoso » Sun Aug 02, 2015 5:24 am

Does anyone know of a script for doing the Apache logs monitoring for Joomla? So far I've found only a desktop utility, a great text editor called Geany, that can use regexps in the find-and-replace commands and also has some cool features.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Are my site monitoring efforts nonessential drudgery?

Post by Bernard T » Sun Aug 02, 2015 9:52 am

webvirtuoso wrote:
> Slackervaara wrote:
> > Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.
> >
> > ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
> > ## http://www.sigsiu.net/presentations/for ... bsite.html
> > ## May cause problems on legitimate requests
> > RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
> > RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
> > RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
> > RewriteRule .* - [F]
> >
> > https://docs.joomla.org/Htaccess_exampl ... ecurity%29
>
> Good one dude

Just don't get too confident that this is a universal SQL injection protection...
This is a 5 year old, non-optimized condition set which was used for Joomla 1.5 username/password grabbing attacks. Those lines can only detect usage of the word "concat" followed by an opening bracket, or the words "union select" or "union all", and only if they are present as GET variables. SQL injection attacks don't have to consist of those words at all.
Also, most of the Joomla forms that get attacked are POST method based, not GET, so this protection most probably won't do much good other than slowing down every one of your requests. So, if you don't see such query string patterns in your logs, I'd advise against using it today.

webvirtuoso wrote:
> Does anyone know of a script for doing the Apache logs monitoring for Joomla? So far I've found only a desktop utility, a great text editor called Geany, that can use regexps in the find-and-replace commands and also has some cool features.

If you have control over your hosting server, use Fail2Ban.
I am developing a brute force protection extension right now, which will track logs too. But it will take some time until it's tested and ready for production. Beta testers are welcome ;)
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
