On 23.03.2013 I visited The Netherlands to give the keynote speak about Joomla! web security. I talked about the most common 8 ways a Joomla! website can get hacked. So you should check the presentation if you are a Joomla! hacker that knows less than 8 ways :) It will be useful for you. However, if you are a Joomla user that doesn’t know anything about how to hack a Joomla!, or even worse, how to protect your Joomla! from being hacked, you should definitely check the slides! Because there is a way to protect yourself from each of the common Joomla hacks that I revealed them in the presentation. I went through the following scenarios and what should be done to prevent each of them: - Hacked through outdated Joomla!/extensions/themes. - Hacked through a vulnerable extensions/themes, that is not outdated - Hacked with the help of stolen/weak login details - Hacked through outdated/vulnerable server software - Apache, PHP, MySQL. - Hacked through incorrectly configured web server - A completely healthy site hacked through another vulnerable Joomla that is hosted on the same server - Hacked because of incorrect Joomla permissions - Hacked through malware on local PC which allows attackers to access a healthy site

1. Daniel Kanchev
@dvkanchev
8 Most Popular Joomla! Hacks
&
How To Avoid Them

2. Daniel Kanchev
7+ Years of Joomla! experience
5 Years with SiteGround
Security Freak
Performance Guru @SG
VIP Customer Management
Server Migration Specialist
Love FOSS
Addicted to extreme sports
Before we begin …
@dvkanchev

3. of over 130,000 Joomla! sites
SiteGround is the home

4. We face hundreds if not thousands
security attacks per day …

5. Why should YOU care?

6. “Why would somebody hack me?”

7. Hackers don’t really care about your site. All they care is
to send some spam.

8. If anybody tells you your site is unhackable, that guy is a liar!
“Security is a not a product, but a
process”

9. 1. Outdated Joomla! Core

10. …of Joomla! file upload security bug
Quick demo…

11. More info on the hack
• All versions before 3.1.5 and 2.5.14
are vulnerable
• Can be executed by anybody, no
admin rights needed
• The attacker can obtain full access to
Joomla! and its surrounding
userspace

12. More info on the hack
Joomla!!
http://goo.gl/8YwZIk!
!
Sucuri!
http://goo.gl/WjLKGm!
!
SiteGround!
http://goo.gl/NWkZTz

13. UPDATE! UPDATE! UPDATE!

14. Use software to get notified and
update Joomla! Core

15. Admin Tools
https://www.akeebabackup.com/products/admin-
tools.html
!
!
!
Watchful.li
https://watchful.li/features/

16. SiteGround offers Joomla! Auto
Update

17. Read security bulletins
!
Joomla! Security News:!
http://feeds.joomla.org/JoomlaSecurityNews
!
Sucuri:!
http://blog.sucuri.net/?s=joomla

18. 2. Extensions

19. • Your site is up to date
• Your extensions are up to date
• But you still get hacked…
• Wonder why?
Here’s a Scenario:

20. Extension vulnerabilities
• Sometimes when vulnerability in an extension is
found, it takes the extension developers too
much time to fix it.
• Therefore it’s always good to use a WAF!
• WAF = Web Application Firewall

21. Popular WAFs

22. SiteGround adds more than 200 mod_sec
rules every week.

23. Example mod_sec rule
# 30.Sep.2013
# joomla com_seminar Cross site scripting Vulnerability
# http://cxsecurity.com/issue/WLB-2013090184
SecFilterSelective REQUEST_FILENAME "index.php" "chain,id:00680"
SecFilterSelective ARG_option "com_seminar" chain
SecFilterSelective ARG_search "onmouseover"

24. CloudFlare and Incapsula are advanced
mod_security alike FREE services
which add a CDN functionality.

26. More Security Bulletins
Joomla! Extensions Security News:!
!
http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

27. 3. Themes

28. -Nicholas Dionysopoulos
“Templates are software, not just a bunch of graphics.
Template developers do release security upgrades all the
time. Make sure you install them. I've seen many sites getting
hacked because of a dated template with a SQL injection or
XSS vulnerability.”

29. Example
RocketTheme SQL injection in their modules!
!
http://www.rockettheme.com/blog/extensions/1300-important-security-
vulnerability-fixed
!

30. WAF is good for themes too!

31. 4. Weak passwords

33. Let me tell you a story…

34. On April 9th we got hit by a huge brute
force attack towards many Joomla!s

35. … and we blocked more than 92,000 IPs in total across our
network in just
Bots used more than a thousand
different IPs per server to scan for
passes…

36. In 12 hours we blocked more than 15
million login requests
But still, we thought many passwords were guessed

37. And we were shocked how many passwords we found.
We then tried to brute force our clients
ourselves.

38. Over 40% of our customers used
Really Weak passwords.

39. Username is admin
Let me show you how easy it is to
guess a dumb password, say:
“pass123”

40. So in less than 10 seconds I’ve got
your password

41. Tip: Change your password to a full
sentence (from a favourite book) - it’s easy
to remember and hard to guess like:
!
“I love to watch the sunset.”

42. admin2 is not acceptable too ;) Try with:
!
yourname_@dm1n
Tip 2: Change your
username!

43. Tip 3: Additionally secure your
administrator login page
• Allow access only from certain IP addresses
• Add Captcha
• Password protect the administrator folder
• Use secret URL parameters

44. 5. Outdated Server Software

45. http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Old PHP 5.3 running as CGI
remote execution exploit

46. Quick demo…

47. Make sure your server side software is
current at all times.

48. 6. Incorrectly configured server
software

49. http://seclists.org/fulldisclosure/2013/Aug/81
Apache Symlinks bug
public_html/fred.txt —> /home/otheracct/public_html/configuration.php
Add to httpd.conf or .htaccess file: SymLinksIfOwnerMatch
The Problem:
The Solution:

50. 7. Joomla! Permissions

51. Correct Joomla! Permissions set
• Folders: 755
• Files: 644
• configuration.php: 444

52. Incorrect Joomla! Permissions set
• All: 777
• Anything more than: 755

53. It’s a must to have account
isolation, when hosted on shared.

54. 8. Malware

55. Viruses and Trojans steal your
login details.

56. Stay up to date on anti-virus
software.

57. So let’s recap…
• Update your Joomla!
• Update your extensions. Read security bulletins ones in a while.
• Update your themes. Don’t forget that!
• Use strong passwords and non default admin usernames.
• Make sure your server side software is current (PHP, Apache, MySQL)
• Make sure your server side software is correctly setup
• Use correct file permissions for Joomla!
• Watch up for that sneaky malware

58. Questions?

59. THANK YOU!