2. Hello, I am Nicholas Dionysopoulos, known as the developer of Akeeba Backup, Admin Tools and many other extensions for Joomla!
http://akeeba.info/me
31. The Blind Elephant
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
http://akeeba.info/ninja
How the big boys deal with security
Some tips are over the top
You can never be too paranoid with security

Next: Visual fingerprinting

Appending parameters can reveal too much
Used to identify your site as a Joomla! site = potential target
Security through obscurity; not THE solution, but it helps

Next: solution

These rules are in my master .htaccess

Next: PHP has a big mouth

Appending parameters can reveal too much
Used to identify your PHP version
Can deliver non-Joomla!-specific exploits

Next: demonstration

This is what it looks like
Each version has a different image!

Next: solution

These rules are in my master .htaccess

Next: Blind Elephant

No, you’re not going to the circus; or a safari.
A blind elephant is after you and will stomp you.
See for yourself! (next slide)

Next: BlindElephant run

Typical blind elephant run
It’s not the only fingerprinting script
They’re moderately to very accurate

Next: solution
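As an added defender-side example (not from the original slides or from Admin Tools): a small Python script that scans Apache combined-format access log lines for the trace a BlindElephant-style run leaves behind, many distinct static .js/.css files fetched directly (no Referer header) by one client within a short window. The log lines are constructed sample data using the paths seen in the run above; thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): 203.0.113.5 sweeps the static files a
# fingerprinter uses as differentiating paths; 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:01 +0000] "GET /media/system/js/validate.js HTTP/1.1" 200 4312 "-" "Python-urllib/2.6"
203.0.113.5 - - [10/Oct/2010:13:55:01 +0000] "GET /includes/js/joomla.javascript.js HTTP/1.1" 200 5120 "-" "Python-urllib/2.6"
203.0.113.5 - - [10/Oct/2010:13:55:02 +0000] "GET /media/system/js/caption.js HTTP/1.1" 200 1033 "-" "Python-urllib/2.6"
203.0.113.5 - - [10/Oct/2010:13:55:02 +0000] "GET /media/system/js/openid.js HTTP/1.1" 200 980 "-" "Python-urllib/2.6"
203.0.113.5 - - [10/Oct/2010:13:55:03 +0000] "GET /templates/rhuk_milkyway/css/template.css HTTP/1.1" 200 7788 "-" "Python-urllib/2.6"
198.51.100.7 - - [10/Oct/2010:13:56:10 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:11 +0000] "GET /media/system/js/caption.js HTTP/1.1" 200 1033 "http://joomla.ubuntu.web/" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
STATIC_RE = re.compile(r'\.(?:js|css)(?:\?.*)?$')  # direct asset fetches only


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_fingerprint_sweeps(log_text, min_paths=4, window=timedelta(seconds=30)):
    """Return {ip: sorted distinct static paths} for every client that fetched at
    least min_paths distinct .js/.css files without a Referer inside one window.
    Browsers load these files via a page (Referer set); a fingerprinter does not."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["referer"] in ("-", "") and STATIC_RE.search(rec["path"]):
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                hits[ip] = sorted(paths)
                break
    return hits
```

Feed it a real access log (`find_fingerprint_sweeps(open("access.log").read())`) and alert on any returned client; pair the alert with the .htaccess rules the slides describe, which deny the direct fetches a scanner relies on.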
These rules are in my master .htaccess

Next: More threats

XSS, RFI, LFI, SQLi, CSRF, brute force, phishing/spamming

Next: more protection

My master .htaccess is free, requires expert knowledge, no support
ATPro is easier for site builders, has docs, support

Next: security is a process

It’s not fire and forget. You have to work on it continuously as your site evolves.

Next: questions

Ask your questions!

Next: the end

Thank you for listening
Visit the URL for the slides in PDF format (next slide)

Thank you for listening
Visit the URL for the slides in PDF format

THE END