I am noticing more and more bad information when it comes to security and Joomla. A lot of it seems to come from inexperience; the rest appears to be due to confusion. Firstly, to address a comment made by Tonie:
Tonie wrote:
A small tip for the cache directory. I have deleted the cache directory and index.html from my install. I created the directory again with JoomlaXplorer (if you have shell access that is even easier). This will give your Apache user ownership of that directory. Copy the index.html file to it, and change the rights to 755. This will make sure that all Joomla components can read/write in this directory, without the 777 rights needed for your cache directory.
You are not achieving any security advantage with this procedure. All you are doing is basically changing the ownership of the directory from your login to the Apache process, most likely the 'nobody' user. If the attack is coming from an issue with Joomla or PHPBB or any other script on your website (which almost all of the attacks launched against Joomla seem to come from), it is running as 'nobody' and therefore has the same permissions as Apache. The only thing that this would prevent is another user on the web server writing to this directory, which in my opinion is a moot point. You are achieving no practical security benefit from this configuration.
Additionally, this always seems to need clarification. For the most secure out-of-the-box configuration, files and directories should be owned by a user that is NOT the same as the Apache process user (usually the 'nobody' user). Files should have permissions 644 and directories should have permissions 755.
Security is like an onion: it works best with many layers of protection. And as I often regret having to say, it is very difficult to achieve a good level of security in a shared hosting environment. The tools just are not there.
@pmarfell
pmarfell wrote:
Does the tampering always show in modified dates? If it does then the process I have tried will catch things reasonably quickly. I connect via FTP and "dir -R c:\dirlist.txt". Some time later I do the same again but with a different file name and then put the files on a Linux box and "diff file1 file2" to see any differences.
What I would like to do is get the listing into a database. Do the comparison, Send an email if there are differences. Accept the differences. Run it again the next day. All by Cron.
A good attacker can modify a file without changing the modified timestamps. However, given the nature of probably all Joomla attacks, this is not something to worry about. Based on the comments of what you would like to do with this approach of comparing timestamps, you should look at an application called Tripwire. There is an enterprise edition (read expensive) and an open-source free version available at http://sourceforge.net/projects/tripwire/
You can configure it to monitor many aspects of file or directory stats such as ownership, permissions, timestamp, checksum, etc. It is very comprehensive and would make a great tool for monitoring Joomla directory structures. You can also tell it to ignore the modification of certain stats, which is very useful for something like a log file where it will monitor to make sure the permissions and ownership haven't changed but it will ignore changes in the size of the file. These principles can probably be applied very successfully to monitoring Joomla directory structures if you have the access to the server to install and configure it, which, going back to the problem with shared hosting, many people unfortunately do not. However, you indicated having access to cron, so perhaps you have this type of access.
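The baseline-and-compare idea discussed in this post, as an added example that is not part of the original post and is not Tripwire itself: it records mode, owner and a SHA-256 per path, skips content hashing for log paths, and reports differences between two snapshots. The function names, the `logs/` prefix and the files in `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root, skip_content=("logs/",)):
    """Map relative path -> (mode, uid, gid, sha256); skip_content prefixes are not hashed."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st, digest = os.lstat(path), None
            # Logs are still checked for mode/owner changes, just not content.
            if stat.S_ISREG(st.st_mode) and not rel.startswith(skip_content):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return snap

def compare(old, new):
    report = []
    for rel in sorted(old.keys() | new.keys()):
        if rel not in new:
            report.append(("removed", rel))
        elif rel not in old:
            report.append(("added", rel))
        elif old[rel] != new[rel]:
            names = ("mode", "uid", "gid", "content")
            diff = [n for n, a, b in zip(names, old[rel], new[rel]) if a != b]
            report.append(("changed:" + ",".join(diff), rel))
    return report

def write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed tree and changes; none of these files come from the post."""
    with tempfile.TemporaryDirectory() as root:
        index, cache = os.path.join(root, "index.php"), os.path.join(root, "cache")
        log = os.path.join(root, "logs", "error.log")
        os.mkdir(cache); os.mkdir(os.path.dirname(log)); os.chmod(cache, 0o755)
        write(index, "<?php echo 'site'; ?>"); write(log, "start\n")
        before, st = snapshot(root), os.stat(index)
        write(index, "<?php echo 'SITE'; ?>")                 # same size
        os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))   # old mtime restored
        write(log, "more\n", "a")                              # log growth, ignored
        os.chmod(cache, 0o777); write(os.path.join(cache, "x.php"), "<?php ?>")
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The edit to `index.php` keeps the same size and modification time, so a directory-listing diff would miss it; the checksum comparison reports it.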