A presentation by Tenko Nikolov (@tnikolov) on Joomla World Conference 2013 about the most common ways to get your Joomla site hacked.

1. “8 simple ways to hack your Joomla!”
Tenko Nikolov
@tnikolov
JWC’13

2. a few words about me
Partner & CEO, SiteGround
Founder, 1H - www.1h.com
17+ years of IT Experience
Graduated Law School...
Passionate photographer
Performance addict
Security freak

3. SiteGround is the home
of 100,000 Joomla! sites

4. we face hundreds if not thousands of security attacks
per day

5. “Why would somebody hack me?”

6. Hackers don’t really care about your site. All
they care is to send some spam.

7. “Security is a not a product, but a process.”
If anybody tells you your site is unhackable, that guy is a liar!

8. 1. Outdated Joomla! Core

9. Quick demo..
..of Joomla! file upload security bug

10. more info on the hack
•
All versions before 3.1.5 and
2.5.14 are vulnerable
•
Can be executed by any user,
no admin rights needed
•
The attacker can obtain full
access to Joomla! and its
surrounding userspace

11. More info on the hack
Joomla!
http://goo.gl/8YwZIk!
!
Sucuri!
http://goo.gl/WjLKGm!
!
SiteGround!
http://goo.gl/NWkZTz

12. Always update!
There is no excuse for not updating!

13. Use software to get notified and update
Joomla! Core

14. Admin Tools
https://www.akeebabackup.com/products/admin-tools.html
!
!
Watchful.li
https://watchful.li/features/

15. SiteGround does automatic Joomla! Updates
too ;)
Remember to create a backup before updating.

16. Read security bulletins
!
Joomla! Security News:
http://feeds.joomla.org/JoomlaSecurityNews
!
Sucuri:
http://blog.sucuri.net/?s=joomla

17. 2. Extensions

18. •
Here’s a Scenario:
•
Your site is up to date
•
Your extensions are up to date
•
But you still get hacked…
•
Wonder why?

19. Extension vulnerabilities
•
Sometimes when vulnerability in an extension is
found, it takes the extension developers too
much time to fix it.
•
Therefore it’s always good to use a WAF!
•
WAF = Web Application Firewall

20. Popular WAFs

21. “ModSecurity supplies an array of request filtering and other
security features to the Apache HTTP Server, IIS and NGINX.
ModSecurity is a web application layer firewall. ModSecurity is
free software released under the Apache license 2.0.”
-Wikipedia

22. SiteGround adds more than 200 mod_sec rules
every week.

23. example mod_sec rule
!!!!!!!!!!!#!30.Sep.2013!
!!!!!!!!!!!#!joomla!com_seminar!Cross!site!scripting!Vulnerability!
!!!!!!!!!!!#!http://cxsecurity.com/issue/WLBD2013090184!
!!!!!!!!!!!SecFilterSelective!REQUEST_FILENAME!"index.php"!"chain,id:00680"!
!!!!!!!!!!!SecFilterSelective!ARG_option!"com_seminar"!chain!
!!!!!!!!!!!SecFilterSelective!ARG_search!"onmouseover"

24. CloudFlare and Incapsula are advanced
mod_security alike FREE services which add
a CDN functionality.

27. More Security Bulletins
Joomla! Extensions Security News:
http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

28. 3. Themes

29. “Templates are software, not just a bunch of graphics. Template
developers do release security upgrades all the time. Make sure
you install them. I've seen many sites getting hacked because of
a dated template with a SQL injection or XSS vulnerability.”
-Nicholas Dionysopoulos

30. Example
RocketTheme SQL injection in their modules!
!
http://www.rockettheme.com/blog/extensions/1300-important-securityvulnerability-fixed
!

31. WAF is good for themes too.

32. 4. Weak passwords

33. Let me tell you a story…

34. On April 9th we got hit by a huge brute force
attack towards many Joomla!s

35. bots used more than a thousand different IPs
per server to scan for passes…
… and we blocked more than 92,000 IPs in total across our network in just

36. In 12 hours we blocked more than 15 million
login requests
But still, we thought many passwords were guessed

37. We then tried to brute force our clients
ourselves.
And we were shocked how many passwords we found.

38. Over 40% of our customers used Really Weak
passwords.
Like REEEEEALLLY WEAK!

39. Let me show you how easy it is to crack a
dumb password, say: “admin123”
Username is admin

40. So in less than 10 seconds I’ve got your
password

41. Tip: Change your password to full sentence it’s easy to remember and hard to guess like:
!
“I love to watch the sunset.”

42. Tip 2: Change your username!
admin2 is not acceptable too ;) Try with yourname_adm1n

43. Tip 3: Implement captcha on your login page

44. 5. Outdated Server Software

45. Old PHP 5.3 running as CGI remote execution
exploit
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

46. Quick demo how it works:
http://testdomainname.com/j25/index.php?-s

47. MySQL p a s s w o r d - l e s s a u t h s e c u r i t y
vulnerability. All 64bit MySQL versions up to
5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable
http://blog.sucuri.net/2012/06/security-vulnerability-in-mysql.html

48. Make sure your server side software is current
at all times.

49. 6. Incorrectly configured server software

50. Apache Symlinks bug
http://seclists.org/fulldisclosure/2013/Aug/81

51. 7. Joomla! Permissions

52. Correct Joomla! Permissions set
•
Folders:
755
•
Files:
644
•
configuration.php
444

53. Incorrect Joomla! Permissions set
•
All:
777
•
Anything more than
755

54. It’s a must to have account isolation, when
hosted on shared.

55. 8. Malware

56. Viruses and Trojans steal your login details.
They want to spam, remember?

57. Stay up to date on anti-virus software.
Or use Linux.. Or a Mac ;)

58. So let’s recap…
•
Update your Joomla!
•
Update your extensions. Read security bulletins ones in a while.
•
Update your themes. Don’t forget that!
•
Use strong passwords and non default admin usernames.
•
Make sure your server side software is current (PHP, Apache)
•
Make sure your server side software is correctly setup
•
Use correct file permissions for Joomla!
•
Watch up for that sneaky malware

59. Questions?

60. In case you wondered - here’s my test
environment
•
CentOS 6 64bit VM with 2.6.32 kernel
•
Apache/2.2.25 (latest)
•
PHP 5.3.10 (latest is 5.3.27)
•
Joomla! 2.5.13

61. Thank you!

62. Tenko Nikolov
@tnikolov tenko@siteground.com