The Joomla! Forum ™



 Post subject: If I patch my Joomla...
PostPosted: Thu Jan 29, 2009 4:13 am 
Joomla! Apprentice

Joined: Fri Nov 10, 2006 2:52 am
Posts: 20
Location: Colombia
Hi.
I know the key is in keeping my Joomla updated. But now I have a serious problem. I have a lot of exploits on my site like this:
84.158.161.7 - - [27/Jan/2009:08:53:37 -0500] "GET /media/secure/www.halifax-online.co.uk/_mem_/formslogin.asp HTTP/1.1" 404 524 "-" "Mozilla/666.6 libwww-perl/5.814"

I am patching my sites but I want to know if this will remove the exploits. If not, how can I remove them?

Thank you!

_________________
God Bless whom created the forum!


PostPosted: Thu Jan 29, 2009 8:21 am
Joomla! Apprentice

Joined: Fri Jan 09, 2009 9:21 am
Posts: 8
Note, these are attempted exploits on your site, (the 404 status shows they were not successful) :)

Make sure you have gone through the Security Checklist (http://docs.joomla.org/Joomla!_Administrators_Security_Checklist)

The default htaccess included with Joomla has some rules to block this; otherwise search this forum for 'libwww-perl' and you'll get a pile of information.

Regards
Patrick


PostPosted: Thu Jan 29, 2009 11:05 pm
Joomla! Apprentice

Joined: Fri Nov 10, 2006 2:52 am
Posts: 20
Location: Colombia
PatSch001 wrote:
...The default htaccess included with Joomla has some rules to block this otherwise search this forum for 'libwww-perl' and you'll get a pile of information.

Regards
Patrick


Thank you for your information Patrick.

We have solved the problem by looking for the IP address associated with the exploit. Finally we found their position and proceeded to remove them.
Here is one of them:
/var/www/vhosts/mycustomerdomain.com/statistics/logs/access_log:(the-fuc#%_ip-address)128.232.110.18 - - [28/Jan/2009:06:06:38 -0500] "GET /components/secure/www.halifax-online.co.uk/_mem_/formslogin.asp/ HTTP/1.1" 200 27058 "-" "Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

We removed all the files in the /tmp folder too and disabled the Perl Service. We don't use them.

The warning from the hosting provider about suspending my service because of "being dangerous for other hosts" has been removed.

Lesson:
1. Keep our Joomla installations updated... http://www.joomla.org/download.html
2. Keep the extensions updated too.
3. Check frequently the access_log.processed file of my sites for suspicious access.
4. Backup my sites frequently.
Code:
zgrep "?*=http://" /var/www/vhosts/*/statistics/logs/access_log*| awk '/Jan/ && /libww/ && $9 !~/^4/'

_________________
God Bless whom created the forum!


Last edited by juanpablo321 on Fri Jan 30, 2009 1:40 pm, edited 1 time in total.
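
The distinction drawn in this thread between requests the server refused (404) and requests it answered (200), as an added example that is not part of any post. It assumes Apache combined log format; the function names `sample_log` and `triage_log` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: split suspicious access-log hits into "rejected" and "review".
# Assumes Apache combined log format; function names are illustrative.

# Constructed sample lines (documentation IPs and hosts, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Jan/2009:08:53:37 -0500] "GET /index.php?mosConfig_absolute_path=http://example.invalid/x.txt? HTTP/1.1" 404 524 "-" "libwww-perl/5.814"
192.0.2.11 - - [28/Jan/2009:06:06:38 -0500] "GET /index.php?option=com_x&mosConfig_absolute_path=http://example.invalid/x.txt? HTTP/1.1" 200 27058 "-" "libwww-perl/5.814"
198.51.100.7 - - [28/Jan/2009:06:07:01 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.8 - - [28/Jan/2009:06:09:12 -0500] "GET /components/secure/login.asp HTTP/1.1" 200 27058 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
EOF
}

# Reads log lines on stdin. A line is suspicious when a query-string value is a
# remote URL (the "=http://" the zgrep in the thread looks for) or when the
# User-Agent contains libwww-perl anywhere. A 4xx status means the server
# refused the request; any other status needs a look at what was served.
triage_log() {
    awk -F'"' '
    {
        request = $2
        agent   = tolower($6)
        split($1, pre, " ");  ip = pre[1]
        split($3, post, " "); status = post[1]

        remote_url = (request ~ /[?&][^ =&]*=(https?|ftp):\/\//)
        perl_agent = (agent ~ /libwww-perl/)
        if (!remote_url && !perl_agent) next

        verdict = (status ~ /^4/) ? "REJECTED" : "REVIEW"
        print verdict, ip, status, request
    }'
}

sample_log | triage_log
```

Lines marked REVIEW are the ones to follow up on the file system, since the server returned content for them.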

PostPosted: Fri Jan 30, 2009 1:01 am
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 13388
Location: Sydney - Australia
What version of Joomla are you running?

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials


PostPosted: Fri Jan 30, 2009 1:31 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
apart from running the joomla forum assistant

and this was blatantly stolen from a google search
http://www.askapache.com/htaccess/block ... ccess.html

add to your htaccess file, make sure your folders have the correct permissions

Quote:
ErrorDocument 403 /403.html

RewriteEngine On
RewriteBase /

# IF THE UA STARTS WITH THESE
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]

# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]

# ANYWHERE IN UA -- GREEDY REGEX
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]

# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . - [F,L]


and perhaps inform the sourcing IP that put the POST command

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Jan 30, 2009 1:36 pm
Joomla! Apprentice

Joined: Fri Nov 10, 2006 2:52 am
Posts: 20
Location: Colombia
brad wrote:
What version of Joomla are you running?

I have a (dv) server and I have hosted around 80 sites there, most of them with Joomla.
The sites that were attacked were using different Joomla versions; all of them with something in common: out of date. I know what you are thinking. I'll keep them updated now.
Thanks for your usable posts.

_________________
God Bless whom created the forum!


PostPosted: Fri Jan 30, 2009 2:00 pm
Joomla! Apprentice

Joined: Fri Nov 10, 2006 2:52 am
Posts: 20
Location: Colombia
mandville wrote:
apart from running the joomla forum assistant

and this was blatantly stolen from a google search
http://www.askapache.com/htaccess/block ... ccess.html

add to your htaccess file , make sure your folders have the correct permissions

Quote:
ErrorDocument 403 /403.html....

---
...and perhaps inform the sourcing IP that put the POST command


Do I have to add this code in my .htaccess file? Is it safe? Could I add it in all my sites although they use different Joomla Versions?
:pop

_________________
God Bless whom created the forum!


PostPosted: Fri Jan 30, 2009 6:32 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
Yes, it is safe (its effectiveness depends on your server configuration though!)

Here is a sample to show how it's used on several j1.5.9 installs I have
Quote:
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section

RewriteEngine On

SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot
SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
SetEnvIfNoCase User-Agent "^Zeus" bad_bot
SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "^DataCha0s/2.0" bad_bot
SetEnvIfNoCase User-Agent "^Wget/1.1" bad_bot
SetEnvIfNoCase User-Agent "^StackRambler/2.0" bad_bot
SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>



_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Mon Feb 02, 2009 6:58 am
Joomla! Apprentice

Joined: Fri Nov 10, 2006 2:52 am
Posts: 20
Location: Colombia
Thank you mandville

_________________
God Bless whom created the forum!


PostPosted: Fri May 28, 2010 3:35 am
Joomla! Intern

Joined: Fri Mar 09, 2007 3:29 pm
Posts: 63
In joomla 1.5.17 there's also the following in the .htaccess file:

## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files

Can I use these with the above example from mandville?


PostPosted: Sat May 29, 2010 12:37 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
I would use the newest version of the htaccess file with any modifications you wish for your server settings but mainly the bad_bot list

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Tue Jun 08, 2010 10:15 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
caution - found that the line
Code:
SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

MAY block most versions of IE!

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
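
A way to check a User-Agent block list before deploying it, added here as an example that is not part of any post. It tests three of the patterns quoted in this thread against User-Agent strings taken from the log lines quoted earlier; `grep -Ei` is assumed to behave like Apache's case-insensitive match for these simple patterns, and the function names and the unanchored comparison pattern are hypothetical.

```shell
#!/bin/sh
# Added example: check User-Agent block patterns for false positives and misses.
# grep -Ei stands in for Apache's case-insensitive regex match (an assumption
# that holds for these simple anchored patterns).

# Three of the SetEnvIfNoCase patterns quoted in the thread, one per line.
THREAD_PATTERNS='^Libwww-perl
^Wget/1.1
^Mozilla/4.0'

# Hypothetical alternative for comparison: the bot pattern without the anchor.
UNANCHORED_PATTERNS='libwww-perl'

# blocking_pattern UA [PATTERNS]
# Prints the first pattern that matches UA, or nothing if the UA gets through.
blocking_pattern() {
    candidate=$1
    patterns=${2:-$THREAD_PATTERNS}
    printf '%s\n' "$patterns" | while IFS= read -r pat; do
        if printf '%s\n' "$candidate" | grep -Eiq -e "$pat"; then
            printf '%s\n' "$pat"
            break
        fi
    done
}

# audit_blocklist [PATTERNS]
# Reads User-Agent strings on stdin and prints one verdict line for each.
audit_blocklist() {
    while IFS= read -r ua; do
        hit=$(blocking_pattern "$ua" "$1")
        if [ -n "$hit" ]; then
            printf 'BLOCKED by %s: %s\n' "$hit" "$ua"
        else
            printf 'ALLOWED: %s\n' "$ua"
        fi
    done
}

# The first two strings appear in log lines quoted in the thread; the third is
# a constructed sample of a bare libwww-perl agent.
sample_agents() {
cat <<'EOF'
Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/666.6 libwww-perl/5.814
libwww-perl/5.814
EOF
}

sample_agents | audit_blocklist
```

The Internet Explorer string is blocked by `^Mozilla/4.0`, while the `Mozilla/666.6 libwww-perl/5.814` agent from the first post passes every anchored pattern and is only caught by the unanchored one.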


PostPosted: Tue Jun 08, 2010 3:48 pm
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
mandville wrote:
caution - found that the line
Code:
SetEnvIfNoCase User-Agent "^Mozilla/4.0" bad_bot

MAY block most versions of IE!


yeah heaven :D :p

_________________
http://www.schrammen.net


PostPosted: Mon Feb 21, 2011 5:23 pm
Joomla! Apprentice

Joined: Thu Jun 03, 2010 5:00 pm
Posts: 6
Thanks for this 1. :D


PostPosted: Tue Feb 22, 2011 2:52 am
Joomla! Enthusiast

Joined: Fri Feb 11, 2011 4:59 am
Posts: 123
Location: Melbourne Australia
Hi all,

I have a joomla site about a year or so old, but have just created one from the latest version from crazy domains in Aust. The reason that I chose joomla again was that the templates are a great idea, mostly it's free and I thought it was fairly safe.

Security is never really mentioned a great deal when you first select joomla. Are the attacks targeted, is it a pretty easy app to penetrate and what damage can be done? Originally I thought that my virus protection would stop issues for me, but of course that's for programs on my PC, not the host where my site is held.

Like many people who use joomla I am not a coder and hacking code is always fraught with risk when you are completely reliant on forum advice. Does anyone really know how vulnerable joomla is, are there any quick fixes (for a novice) and do you suggest an easy to use backup program in case things go wrong - plus WILL the backup restore the whole site including links and articles or what?

_________________
I am a dog walker and have two dog information sites: http://www.dogwalkersmelbourne.com.au & http://www.healthydogtreats.com.au Thank you.


PostPosted: Tue Feb 22, 2011 2:07 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
@bruce99
While nothing exposed to the web is 100% safe, you don't have to hack anything to be safe with Joomla. The current version of Joomla 1.5.22 is secure with no known security issues. Joomla is no more vulnerable to attack than any other CMS program. In fact it may be more secure as a main focus of the developers is security while maintaining ease of use. Not an easy task I might say.

I would not attempt applying the code from the above posts. This is especially true since you're not comfortable with attempting any of it. In fact I would not recommend applying any code, core hack, or modification you're not comfortable with. This is especially true with code examples found in the forums.

There are some modifications you can do to increase security that can be found in the official documentation. These modifications have been tested on many servers and generally work as advertised. Again, if you're not comfortable performing modifications at this point, then don't do them. Joomla is secure enough in the default install to not need any modification (except for enabling the htaccess file - see below)

Some tips

Do use a modern quality hosting service. Preferably one that uses mod_security, php 5, suexec. You mostly get what you pay for. (What do you expect for free or nearly free? Fort Knox from someone who cares about security?) Be aware of some really popular heavily advertised hosting services also. They seem to have a larger than average share of issues with their servers being hacked.

Don't use an offer by the hosting company (your domain's control panel one click install). Many of these services are not on the latest version, are slow to offer security updates, and can make it rather hard sometimes to know just where Joomla was installed. The install scripts used by these services may also force insecure file/directory permissions which you won't know about until it's too late.

Do always keep files at 644 (or tighter) permissions and directories at 755 (or tighter) permissions. 644/755 are normal server defaults and are reasonably safe.

Do install the latest Joomla version. By controlling your own installation directly, you can easily apply updates or security patches to the Joomla core files.

Do enable the htaccess.txt file by renaming the file to .htaccess. You can do this using an ftp program. This file contains some code to stop some exploits and should always be enabled.

do keep all 3rd party extensions updated. This is most important as most issues with hacked websites arise from the use of outdated or insecure 3rd party extensions.

do use good strong passwords. 12 characters long for a super admin is normally long enough.

do consider changing the super admin password on a regular basis.

do use a password manager such as KeePass for all your passwords.

do create a new super admin account and change using the new super admin account after successful admin login then delete the old one

Do keep your computer's anti-virus updated and also run additional checks such as malwarebytes on a regular basis. Reason for this is that even good trusted sites may become infected with malware that will silently download malware to your computer for the only purpose of finding and stealing passwords. Ftp programs are frequently targeted. Once the user name and password are stolen it is easy to log in to your site and cause problems.

Make backups of both the database and the files found in your public_html directory on a regular basis. The database is where your data is stored and the public_html directory is where the files and templates that use this data to assemble the pages reside.

do read and learn more about security from our extensive doc files. Even if you ultimately decide not to use Joomla, most of the information applies to your domain in general.

http://docs.joomla.org/Category:Security_Checklist

http://docs.joomla.org/Security_Checklist_7

http://docs.joomla.org/Vulnerable_Extensions_List

If you do these things, there is no need to hack, program, sort through htaccess rules.

Articles, links, categories, sections etc are all stored in the database. photos, images, files for download are normally stored in public_html in the appropriate directory

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Tue Feb 22, 2011 11:34 pm
Joomla! Enthusiast

Joined: Fri Feb 11, 2011 4:59 am
Posts: 123
Location: Melbourne Australia
Hi Phil D,

An excellent answer. I did use the one click install, but my host seems good. I have the latest version joomla. I already renamed the htaccess for enabling seo in the urls.

I guess most development will now be pushed to joomla 1.6, but I went with 1.5 for an established stability and number of extensions available.

Do you have a recommendation for a good backup in the extensions library? As long as it does the job simply and there is some documentation I will be there.

I really appreciate the active experienced users answering questions in this forum ... as while working on my site without tech skills has been daunting, I have mostly resolved the major issues. Mostly it's about how to display the data such as trying to get a good article display page, like latest news ... but sometimes you have to let the little questions go just to get sites up. Will keep plugging away. Thanks again! B

_________________
I am a dog walker and have two dog information sites: http://www.dogwalkersmelbourne.com.au & http://www.healthydogtreats.com.au Thank you.


PostPosted: Tue Feb 22, 2011 11:51 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
I suggest that you check the permissions on the files and folders; using akeeba admin tools is a good easy way of doing it
http://extensions.joomla.org/extensions ... tion/14087

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

