The document discusses the 8 most popular Joomla! hacks and how to avoid them. It summarizes that having an outdated Joomla! core, extensions, or themes are vulnerabilities that can be exploited. It also notes that using weak passwords, outdated server software, incorrectly configured server software, incorrect Joomla! file permissions, and malware can allow hackers access. The document provides tips to avoid these vulnerabilities such as always updating software, using strong unique passwords, properly configuring servers, setting correct file permissions, and using antivirus software.

1. 8 Most Popular Joomla! Hacks
&
How To Avoid Them
Daniel Kanchev
@dvkanchev

2. Daniel Kanchev
@dvkanchev
Before we begin …
7+ Years of Joomla! experience
5 Years with SiteGround
Love FOSS
Addicted to extreme sports

3. SiteGround is the home
of 100,000 Joomla! sites

4. We face hundreds if not thousands
security attacks per day …

5. “Why would somebody hack me?”

6. Hackers don’t really care about your site. All they care is
to send some spam.

7. “Security is a not a product, but a
process”
If anybody tells you your site is unhackable, that guy is a liar!

8. 1. Outdated Joomla! Core

9. Quick demo…
…of Joomla! file upload security bug

10. More info on the hack
•
All versions before 3.1.5 and 2.5.14
are vulnerable
•
Can be executed by anybody, no
admin rights needed
•
The attacker can obtain full access to
Joomla! and its surrounding
userspace

11. More info on the hack
Joomla!!
http://goo.gl/8YwZIk!
!
Sucuri!
http://goo.gl/WjLKGm!
!
SiteGround!
http://goo.gl/NWkZTz

12. UPDATE! UPDATE! UPDATE!

13. Use software to get notified and
update Joomla! Core

14. Admin Tools
https://www.akeebabackup.com/products/admintools.html
!
!
!
Watchful.li
https://watchful.li/features/

15. SiteGround offers Joomla! Auto
Update

16. Read security bulletins
!
Joomla! Security News:!
http://feeds.joomla.org/JoomlaSecurityNews
!
Sucuri:!
http://blog.sucuri.net/?s=joomla

17. 2. Extensions

18. Here’s a Scenario:
•
Your site is up to date
•
Your extensions are up to date
•
But you still get hacked…
•
Wonder why?

19. Extension vulnerabilities
•
Sometimes when vulnerability in an extension is
found, it takes the extension developers too
much time to fix it.
•
Therefore it’s always good to use a WAF!
•
WAF = Web Application Firewall

20. Popular WAFs

21. SiteGround adds more than 200 mod_sec
rules every week.

22. Example mod_sec rule
# 30.Sep.2013
# joomla com_seminar Cross site scripting Vulnerability
# http://cxsecurity.com/issue/WLB-2013090184
SecFilterSelective REQUEST_FILENAME "index.php" "chain,id:00680"
SecFilterSelective ARG_option "com_seminar" chain
SecFilterSelective ARG_search "onmouseover"

23. CloudFlare and Incapsula are advanced
mod_security alike FREE services
which add a CDN functionality.

25. More Security Bulletins
Joomla! Extensions Security News:!
!
http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

26. 3. Themes

27. “Templates are software, not just a bunch of graphics.
Template developers do release security upgrades all the
time. Make sure you install them. I've seen many sites getting
hacked because of a dated template with a SQL injection or
XSS vulnerability.”
-Nicholas Dionysopoulos

28. Example
RocketTheme SQL injection in their modules!
!
http://www.rockettheme.com/blog/extensions/1300-important-securityvulnerability-fixed
!

29. WAF is good for themes too!

30. 4. Weak passwords

31. Let me tell you a story…

32. On April 9th we got hit by a huge brute
force attack towards many Joomla!s

33. Bots used more than a thousand
different IPs per server to scan for
passes…
… and we blocked more than 92,000 IPs in total across our
network in just

34. In 12 hours we blocked more than 15
million login requests
But still, we thought many passwords were guessed

35. We then tried to brute force our clients
ourselves.
And we were shocked how many passwords we found.

36. Over 40% of our customers used
Really Weak passwords.

37. Let me show you how easy it is to
guess a dumb password, say:
“pass123”
Username is admin

38. So in less than 10 seconds I’ve got
your password

39. Tip: Change your password to a full
sentence - it’s easy to remember and hard
to guess like:
!
“I love to watch the sunset.”

40. Tip 2: Change your
username!
admin2 is not acceptable too ;) Try with:
!
yourname_@dm1n

41. Tip 3: Additionally secure your
administrator login page
•
Allow access only from certain IP addresses
•
Add Captcha
•
Password protect the administrator folder
•
Use secret URL parameters

42. 5. Outdated Server Software

43. Old PHP 5.3 running as CGI
remote execution exploit
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

44. Quick demo…

45. Make sure your server side software is
current at all times.

46. 6. Incorrectly configured server
software

47. Apache Symlinks bug
http://seclists.org/fulldisclosure/2013/Aug/81
The Problem:
public_html/fred.txt —> /home/otheracct/public_html/configuration.php
The Solution:
Add to httpd.conf or .htaccess file: SymLinksIfOwnerMatch

48. 7. Joomla! Permissions

49. Correct Joomla! Permissions set
•
Folders: 755
•
Files: 644
•
configuration.php: 444

50. Incorrect Joomla! Permissions set
•
All: 777
•
Anything more than: 755

51. It’s a must to have account
isolation, when hosted on shared.

52. 8. Malware

53. Viruses and Trojans steal your
login details.

54. Stay up to date on anti-virus
software.

55. So let’s recap…
•
Update your Joomla!
•
Update your extensions. Read security bulletins ones in a while.
•
Update your themes. Don’t forget that!
•
Use strong passwords and non default admin usernames.
•
Make sure your server side software is current (PHP, Apache, MySQL)
•
Make sure your server side software is correctly setup
•
Use correct file permissions for Joomla!
•
Watch up for that sneaky malware

56. Questions?

57. Thank you!
!
70% OFF HOSTING DISCOUNT
!
http://www.siteground.com/webinar