Tenko Nikolov @tnikolov JWC’13

“8 simple ways to hack your Joomla!”

a few words about me

Partner & CEO, SiteGround

Founder, 1H - www.1h.com

17+ years of IT Experience

Graduated Law School...

Passionate photographer

Performance addict

Security freak

of 100,000 Joomla! sitesSiteGround is the home

we face hundreds if not thousands of security attacks per day

“Why would somebody hack me?”

Hackers don’t really care about your site. All they care is to send some spam.

If anybody tells you your site is unhackable, that guy is a liar!

“Security is a not a product, but a process.”

1. Outdated Joomla! Core

..of Joomla! file upload security bug

Quick demo..

more info on the hack

• All versions before 3.1.5 and 2.5.14 are vulnerable

• Can be executed by any user, no admin rights needed

• The attacker can obtain full access to Joomla! and its surrounding userspace

More info on the hack

Joomla!http://goo.gl/8YwZIk!

!Sucuri!

http://goo.gl/WjLKGm!!

SiteGround!http://goo.gl/NWkZTz

Always update!

There is no excuse for not updating!

Use software to get notified and update Joomla! Core

Admin Tools https://www.akeebabackup.com/products/admin-tools.html

!!

Watchful.li https://watchful.li/features/

Remember to create a backup before updating.

SiteGround does automatic Joomla! Updates too ;)

Read security bulletins

!Joomla! Security News:

http://feeds.joomla.org/JoomlaSecurityNews !

Sucuri: http://blog.sucuri.net/?s=joomla

2. Extensions

• Here’s a Scenario:

• Your site is up to date

• Your extensions are up to date

• But you still get hacked…

• Wonder why?

Extension vulnerabilities

• Sometimes when vulnerability in an extension is found, it takes the extension developers too much time to fix it.

• Therefore it’s always good to use a WAF!

• WAF = Web Application Firewall

Popular WAFs

-Wikipedia

“ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server, IIS and NGINX. ModSecurity is a web application layer firewall. ModSecurity is free software released under the Apache license 2.0.”

SiteGround adds more than 200 mod_sec rules every week.

example mod_sec rule

!!!!!!!!!!!#!30.Sep.2013!!!!!!!!!!!!#!joomla!com_seminar!Cross!site!scripting!Vulnerability!!!!!!!!!!!!#!http://cxsecurity.com/issue/WLBD2013090184!!!!!!!!!!!!SecFilterSelective!REQUEST_FILENAME!"index\.php"!"chain,id:00680"!!!!!!!!!!!!SecFilterSelective!ARG_option!"com_seminar"!chain!!!!!!!!!!!!SecFilterSelective!ARG_search!"onmouseover"

CloudFlare and Incapsula are advanced mod_security alike FREE services which add

a CDN functionality.

More Security Bulletins

Joomla! Extensions Security News: http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

3. Themes

-Nicholas Dionysopoulos

“Templates are software, not just a bunch of graphics. Template developers do release security upgrades all the time. Make sure you install them. I've seen many sites getting hacked because of a dated template with a SQL injection or XSS vulnerability.”

Example

RocketTheme SQL injection in their modules!!

http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed

!

WAF is good for themes too.

4. Weak passwords

Let me tell you a story…

On April 9th we got hit by a huge brute force attack towards many Joomla!s

… and we blocked more than 92,000 IPs in total across our network in just

bots used more than a thousand different IPs per server to scan for passes…

In 12 hours we blocked more than 15 million login requests

But still, we thought many passwords were guessed

And we were shocked how many passwords we found.

We then tried to brute force our clients ourselves.

Like REEEEEALLLY WEAK!

Over 40% of our customers used Really Weak passwords.

Username is admin

Let me show you how easy it is to crack a dumb password, say: “admin123”

So in less than 10 seconds I’ve got your password

Tip: Change your password to full sentence - it’s easy to remember and hard to guess like:

!

“I love to watch the sunset.”

admin2 is not acceptable too ;) Try with yourname_adm1n

Tip 2: Change your username!

Tip 3: Implement captcha on your login page

5. Outdated Server Software

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Old PHP 5.3 running as CGI remote execution exploit

http://testdomainname.com/j25/index.php?-s

Quick demo how it works:

http://blog.sucuri.net/2012/06/security-vulnerability-in-mysql.html

MySQL p a s s w o r d - l e s s a u t h s e c u r i t y vulnerability. All 64bit MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable

Make sure your server side software is current at all times.

6. Incorrectly configured server software

http://seclists.org/fulldisclosure/2013/Aug/81

Apache Symlinks bug

7. Joomla! Permissions

Correct Joomla! Permissions set

• Folders: 755

• Files: 644

• configuration.php 444

Incorrect Joomla! Permissions set

• All: 777

• Anything more than 755

It’s a must to have account isolation, when hosted on shared.

8. Malware

They want to spam, remember?

Viruses and Trojans steal your login details.

Or use Linux.. Or a Mac ;)

Stay up to date on anti-virus software.

So let’s recap…• Update your Joomla!

• Update your extensions. Read security bulletins ones in a while.

• Update your themes. Don’t forget that!

• Use strong passwords and non default admin usernames.

• Make sure your server side software is current (PHP, Apache)

• Make sure your server side software is correctly setup

• Use correct file permissions for Joomla!

• Watch up for that sneaky malware

Questions?

In case you wondered - here’s my test environment

• CentOS 6 64bit VM with 2.6.32 kernel

• Apache/2.2.25 (latest)

• PHP 5.3.10 (latest is 5.3.27)

• Joomla! 2.5.13

Thank you!

@tnikolov tenko@siteground.com

Tenko Nikolov