Web site defacement problem

jleavy

Hello,
I need some help on this one please. I do some work for a software company in Dublin whom have a web site that seems to be a "free-for-all". It feels like the site is defaced on a weekly basis and I would like to find out why so that we can advise them on steps needed to secure the pages etc.

I done a serch on line for any web site security reports and so far only got one (waiting for reply) but I've decided to put the question out to you guys.

I don't want to give the URL openly online, however I'm looking i guess for any assistance of advise I can get.

I think they are using a free content-management tool (Joomla) to manage the site and the site uses PHP on Fasthost.co.uk

Rgds,
Joe

matrim

Ok, couple of quick points.

Is the ftp access blocked for anoynmous? Are there strong passwords that are changed after defacement?

The same with Joomla, were the default users disabled \ password changed?

Also are they using the latest version of Joomla? I think there are security issues in older versions. Also have they any custom PHP that doesn't check input data to stop SQL injection. I would also do a manual check of the db to check for any new \ unknown user accounts and delete them.

axer

I think the most likely culprit is an out of date version of Joomla being used. Lots of security holes have been closed in later versions of the software. The good news that if that is the problem you could upgrade to the latest verson 1.0.12 which seems to be fairly secure.

jleavy

OK, the version they are using, as far as i can see:
Version 1.8 (from top right of the logon page).

Justy to add also, the other issue is a lot of phishing pages (e.g for banks etc) keep appearing in sub directories of the site... as i say, a "free-for-all".

axer wrote:

I think the most likely culprit is an out of date version of Joomla being used. Lots of security holes have been closed in later versions of the software. The good news that if that is the problem you could upgrade to the latest verson 1.0.12 which seems to be fairly secure.

Rollo Tamasi

Have you reported this to your webhost?
Have you changed the login details for Joomla?
Have you changed the login details for the FTP accounts?
Have you changed the login details for the web server control panel?
Is anoynmous FTP activated? If so, disable it.

ron_darrell

I'd agree with all the points made by the previous posters. You definitely need to check the permissions of who can and cannot access the site and it's directories. Check also the permissions on the directories and only give write access to those folders that require it (e.g. directories containing files that need to be written to e.g. databases, log files etc) Where that is the case remove the execute access from those folders, only keep those files that need to be written to in those folders (i.e. do not keep web or scripting pages in those folders) and check with your host company to see if you can block files of a certain type from being uploaded to those directories (e.g. .htm, .html, .asp, .js, .vbs, .bat etc)

More importantly though you need to see why so many people are using your site for a free-for-all (assuming that it isn't just a case of word has gotten out that this site is as open as a barn door in a storm). Is there anything you can do to make the site less tempting/attractive to potential maggots?

As suggested, contact the hosting company and see if they can suggest anything to help. Make the changes suggested with regards login information and permissions and check the web for tutorials on how to prevent SQL injection (this is where you have provided an interface to an SQL command e.g. a login page or an update page and malicious users then overtake the intended use of the interface and use it to damage your database/site by submitting SQL commands into your interface)

Best of luck
-RD

ChicoMendez

hi
joe- when u say the site is hacked what happens exactly ?

im working on a site also that was being hacked (joomla) very frequently- what was happening in fact what the index.php was being replaced- i changes ftp and admin access and checked directory permissions but same thing...

however just then when i was going through the directory structure i found a strange (and big) file called turkgrup.php

when i accessed this i had teh surprise of seeing it was a script that allowed the accesser to roam around the directory structure at will - along with lots of other little tools.

i have obviously removed it - lets see if that will stop the hackers?!

has anyone come across this sort of thing before ?

tnx

axer

jleavy wrote:

OK, the version they are using, as far as i can see:
Version 1.8 (from top right of the logon page).

Justy to add also, the other issue is a lot of phishing pages (e.g for banks etc) keep appearing in sub directories of the site... as i say, a "free-for-all".

The first thing you need done is to update to the version 1.0.12 of Joomla. The version you are using is over a year and a half old.

It would probably be better if you could do a fresh install rather than an upgrade as there may be compromised files somewhere in the joomla install.

You also need to look at what components (add-ons) are installed in your Joomla website as alot of the time they are the ones that cause the security problems as they tend not to be written very well.

PM me if you want me to take a look for you.

Sposs

Best advise , is to pull the site, wipe the box and restore from back-ups (make sure the backed up files don't contain the corrupted files also) stick a firewall in front of it and lock it down. It's very time consuming and not always effective in trying to clean up a compromised box.

jleavy

Someone asked about this file - turkgrup.php - Turkish Hacking Group


Anyway, on the web site
They found the problem, a "vulnerability in community builder". Fixed.

Joe