The document discusses the 8 most popular Joomla! hacks and how to avoid them. It summarizes that an outdated Joomla! core, outdated extensions, or outdated themes are vulnerabilities that can be exploited. It also notes that weak passwords, outdated server software, incorrectly configured server software, incorrect Joomla! file permissions, and malware can give hackers access. The document provides tips to avoid these vulnerabilities: always update software, use strong unique passwords, configure servers properly, set correct file permissions, and use antivirus software.
10. More info on the hack
• All versions before 3.1.5 and 2.5.14 are vulnerable
• Can be executed by anybody, no admin rights needed
• The attacker can obtain full access to Joomla! and its surrounding userspace
11. More info on the hack
Joomla!: http://goo.gl/8YwZIk
Sucuri: http://goo.gl/WjLKGm
SiteGround: http://goo.gl/NWkZTz
18. Here’s a Scenario:
• Your site is up to date
• Your extensions are up to date
• But you still get hacked…
• Wonder why?
19. Extension vulnerabilities
• Sometimes when a vulnerability in an extension is found, it takes the extension developers too much time to fix it.
• Therefore it’s always good to use a WAF!
• WAF = Web Application Firewall
27. “Templates are software, not just a bunch of graphics. Template developers do release security upgrades all the time. Make sure you install them. I've seen many sites getting hacked because of a dated template with a SQL injection or XSS vulnerability.”
- Nicholas Dionysopoulos
28. Example
RocketTheme SQL injection in their modules:
http://www.rockettheme.com/blog/extensions/1300-important-securityvulnerability-fixed
32. On April 9th we got hit by a huge brute force attack towards many Joomla!s
33. Bots used more than a thousand different IPs per server to scan for passes…
… and we blocked more than 92,000 IPs in total across our network in just
34. In 12 hours we blocked more than 15 million login requests
But still, we thought many passwords were guessed
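Slides 32 to 34 describe the attack purely by its volume (thousands of IPs, millions of login requests). As an added example that is not part of the original deck, the script below shows the detection logic a host would run over its access logs to surface that pattern: it counts POSTs to the Joomla! administrator login path per source IP in a sliding time window and returns the IPs that exceed a threshold. The log lines are constructed samples in Apache combined-log format, and the threshold and window are assumed values, not figures from the deck.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Joomla! 2.5/3.x administrator logins are POSTs to /administrator/index.php.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2013:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "curl/7.29"
203.0.113.7 - - [09/Apr/2013:10:00:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "curl/7.29"
203.0.113.7 - - [09/Apr/2013:10:00:04 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "curl/7.29"
203.0.113.7 - - [09/Apr/2013:10:00:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "curl/7.29"
203.0.113.7 - - [09/Apr/2013:10:00:07 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "curl/7.29"
198.51.100.9 - - [09/Apr/2013:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2013:10:01:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.44 - - [09/Apr/2013:10:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/1.2"
192.0.2.44 - - [09/Apr/2013:10:09:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/1.2"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
LOGIN_PATH = "/administrator/index.php"


def parse_login_posts(log_text):
    """Yield (ip, timestamp) for every POST to the administrator login path.
    Status codes are deliberately ignored: a login POST is redirected whether
    it succeeded or failed, so the rate of attempts is the signal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("path") != LOGIN_PATH:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts


def find_bruteforce_ips(log_text, max_attempts=5, window_seconds=60):
    """Return the set of IPs that made max_attempts or more login POSTs
    inside any sliding window of window_seconds (assumed thresholds)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for ip, ts in sorted(parse_login_posts(log_text), key=lambda x: x[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that aged out of the window
        if len(q) >= max_attempts:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print("IPs to block:", sorted(find_bruteforce_ips(SAMPLE_LOG)))
```

A real deployment would feed the flagged set to the firewall or WAF rather than print it, and would ignore the addresses on the administrator allow-list from Tip 3.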
35. We then tried to brute force our clients ourselves.
And we were shocked how many passwords we found.
36. Over 40% of our customers used Really Weak passwords.
37. Let me show you how easy it is to guess a dumb password, say: “pass123”
Username is admin
38. So in less than 10 seconds I’ve got your password
39. Tip: Change your password to a full sentence - it’s easy to remember and hard to guess, like:
“I love to watch the sunset.”
40. Tip 2: Change your username!
admin2 is not acceptable either ;) Try with:
yourname_@dm1n
41. Tip 3: Additionally secure your administrator login page
• Allow access only from certain IP addresses
• Add Captcha
• Password protect the administrator folder
• Use secret URL parameters
55. So let’s recap…
• Update your Joomla!
• Update your extensions. Read security bulletins once in a while.
• Update your themes. Don’t forget that!
• Use strong passwords and non-default admin usernames.
• Make sure your server side software is current (PHP, Apache, MySQL)
• Make sure your server side software is correctly set up
• Use correct file permissions for Joomla!
• Watch out for that sneaky malware