8 Most Common Joomla! Hacks and How to Avoid Them
2 likes3,255 views
The document outlines eight common Joomla! security vulnerabilities and offers preventive measures to avoid being hacked. Key recommendations include regularly updating Joomla! and its extensions, using strong passwords, and correctly configuring server permissions. The author emphasizes that security is an ongoing process, not a one-time fix.
8 Most Common Joomla! Hacks and How to Avoid Them
- 1. Daniel Kanchev @dvkanchev 8 Most Popular Joomla! Hacks & How To Avoid Them
- 2. Daniel Kanchev 7+ Years of Joomla! experience 5 Years with SiteGround Security Freak Performance Guru @SG VIP Customer Management Server Migration Specialist Love FOSS Addicted to extreme sports Before we begin … @dvkanchev
- 3. of over 130,000 Joomla! sites SiteGround is the home
- 4. We face hundreds if not thousands security attacks per day …
- 5. Why should YOU care?
- 6. “Why would somebody hack me?”
- 7. Hackers don’t really care about your site. All they care is to send some spam.
- 8. If anybody tells you your site is unhackable, that guy is a liar! “Security is a not a product, but a process”
- 9. 1. Outdated Joomla! Core
- 10. …of Joomla! file upload security bug Quick demo…
- 11. More info on the hack • All versions before 3.1.5 and 2.5.14 are vulnerable • Can be executed by anybody, no admin rights needed • The attacker can obtain full access to Joomla! and its surrounding userspace
- 12. More info on the hack Joomla!! http://goo.gl/8YwZIk! ! Sucuri! http://goo.gl/WjLKGm! ! SiteGround! http://goo.gl/NWkZTz
- 14. Use software to get notified and update Joomla! Core
- 16. SiteGround offers Joomla! Auto Update
- 17. Read security bulletins ! Joomla! Security News:! http://feeds.joomla.org/JoomlaSecurityNews ! Sucuri:! http://blog.sucuri.net/?s=joomla
- 18. 2. Extensions
- 19. • Your site is up to date • Your extensions are up to date • But you still get hacked… • Wonder why? Here’s a Scenario:
- 20. Extension vulnerabilities • Sometimes when vulnerability in an extension is found, it takes the extension developers too much time to fix it. • Therefore it’s always good to use a WAF! • WAF = Web Application Firewall
- 21. Popular WAFs
- 22. SiteGround adds more than 200 mod_sec rules every week.
- 23. Example mod_sec rule # 30.Sep.2013 # joomla com_seminar Cross site scripting Vulnerability # http://cxsecurity.com/issue/WLB-2013090184 SecFilterSelective REQUEST_FILENAME "index.php" "chain,id:00680" SecFilterSelective ARG_option "com_seminar" chain SecFilterSelective ARG_search "onmouseover"
- 24. CloudFlare and Incapsula are advanced mod_security alike FREE services which add a CDN functionality.
- 26. More Security Bulletins Joomla! Extensions Security News:! ! http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
- 27. 3. Themes
- 28. -Nicholas Dionysopoulos “Templates are software, not just a bunch of graphics. Template developers do release security upgrades all the time. Make sure you install them. I've seen many sites getting hacked because of a dated template with a SQL injection or XSS vulnerability.”
- 29. Example RocketTheme SQL injection in their modules! ! http://www.rockettheme.com/blog/extensions/1300-important-security- vulnerability-fixed !
- 30. WAF is good for themes too!
- 33. Let me tell you a story…
- 34. On April 9th we got hit by a huge brute force attack towards many Joomla!s
- 35. … and we blocked more than 92,000 IPs in total across our network in just Bots used more than a thousand different IPs per server to scan for passes…
- 36. In 12 hours we blocked more than 15 million login requests But still, we thought many passwords were guessed
- 37. And we were shocked how many passwords we found. We then tried to brute force our clients ourselves.
- 38. Over 40% of our customers used Really Weak passwords.
- 39. Username is admin Let me show you how easy it is to guess a dumb password, say: “pass123”
- 40. So in less than 10 seconds I’ve got your password
- 41. Tip: Change your password to a full sentence (from a favourite book) - it’s easy to remember and hard to guess like: ! “I love to watch the sunset.”
- 42. admin2 is not acceptable too ;) Try with: ! yourname_@dm1n Tip 2: Change your username!
- 43. Tip 3: Additionally secure your administrator login page • Allow access only from certain IP addresses • Add Captcha • Password protect the administrator folder • Use secret URL parameters
- 44. 5. Outdated Server Software
- 45. http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ Old PHP 5.3 running as CGI remote execution exploit
- 46. Quick demo…
- 47. Make sure your server side software is current at all times.
- 48. 6. Incorrectly configured server software
- 49. http://seclists.org/fulldisclosure/2013/Aug/81 Apache Symlinks bug public_html/fred.txt —> /home/otheracct/public_html/configuration.php Add to httpd.conf or .htaccess file: SymLinksIfOwnerMatch The Problem: The Solution:
- 51. Correct Joomla! Permissions set • Folders: 755 • Files: 644 • configuration.php: 444
- 52. Incorrect Joomla! Permissions set • All: 777 • Anything more than: 755
- 53. It’s a must to have account isolation, when hosted on shared.
- 54. 8. Malware
- 55. Viruses and Trojans steal your login details.
- 56. Stay up to date on anti-virus software.
- 57. So let’s recap… • Update your Joomla! • Update your extensions. Read security bulletins ones in a while. • Update your themes. Don’t forget that! • Use strong passwords and non default admin usernames. • Make sure your server side software is current (PHP, Apache, MySQL) • Make sure your server side software is correctly setup • Use correct file permissions for Joomla! • Watch up for that sneaky malware
- 58. Questions?
- 59. THANK YOU!