Joomla Website Security

  1. Check your template’s index.php file, I’m going to guess that code was inserted there. Check what time it was modified, then go through your access logs for that time and see what requests were made. Hacking requests generally stand out.
  2. set the default permissions the files (644) and directories (755).
  3. If you want to set permissions for files and directories your host should use from root and your username the following commands:

 

find -type d -exec chmod 755 {} \;
find -type f -exec chmod 644 {} \;

 

There is a feature in Site –> Global Configuration –> Server to set all folder and file permissions at once.

 

 

 

Online Scanner:

Free and effective malware cleanup directly from your browser

http://www.bitdefender.com/scanner/online/free.html

 

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster … swer=45432

4. Read the information provided below about this type of viral infection and how to further prevent it.

What are malicious iframes and what causes them?

Over the years hackers found it hard to trick people into visiting suspicious sites so they’re now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account’s password is obtained through key logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these trojans, your bank account, email accounts, and FTP accounts may no longer be secure.

What to do if you find malicious iframes on your PC?

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanni … ?task=load
2. Download antivirus and fully scan your PC for malcious files. Here are some free online scanners:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/virusscanner
http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones (see above)
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

Prevention measurements

– Ensure you use the latest browser version
– Disable javascript if possible
– Use Firefox with addon “noscript” (!)
– Download and install some free antivirus software, make sure it stays updated
– Use http://www.avg.com.au/index.cfm?section … onlinescan to test suspicious links you are given in emails or find online.

Others

BACKUP & DOWNLOAD (!) your site and database! Use either your cPanel features or use Joomlapack (http://www.joomlapack.net)….whatever you use: BACKUP!

Hope this helps!

 

 

 

How can I check my Joomla! installation’s overall security and health?

1. Use the free Joomla extension, Joomla! Tools Suite (JTS), which is a Joomla! environment audit, maintenance and diagnostic application written in PHP. The JTS suite of tools can diagnose, report and advise on common installation, health and security issues, including performing several common performance and recovery actions.

Project Home: http://joomlacode.org/gf/project/jts/

 

 

CHANGE JOOMLA USER NAME AND PASSWORD

 

The Owner of the file wI know this isn’t as helpful as you would have liked and it certainly is not a definitive answer, but in general, after the installation, any insecure “7” settings can be reset back to something more secure. For example:

Files = 644
Directories = 755

ould have full Read, Write and Execute permissions, the group would also have full Read, Write and Execute permissions, and the rest of the world can also Read, Write and Execute the file. The standard, default permissions that get assigned to files and directories by the server are normally;

Files = 644
Directories = 755

 

These permissions would allow, for files;

644 = rw- r-- r--
Owner has Read and Write
Group has Read only
Other has Read only

and for directories,

755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only

If you have SSH shell access the following commands can be run from the command line to reset all files and directories back to the server defaults of 755 and 644. Change directories to the top directory (” / “) of your Joomla! installation, then run:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

 

Depending on the security configuration of your Web server the recommended default permissions of 755 for directories and 644 for files should be reasonably secure.

 

How do I move confidential files outside of public_html?

One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html.

The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code (See Important Notes below.):

<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );

3. Make sure the new configuration.php file is not writable, so that it can not be overwritten by the Joomla! Web admin interface.

4. If you need to change configuration settings, do so manually in the relocated joomla.conf.

Important Notes!

In the above code example, do not include blank lines or any characters (including blank spaces) before the php start tag. If you do, you will very likely see the following error.

Warning: Cannot modify header information - headers already sent by (output started at
/home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250

Note that leaving out the PHP end tag ( ?> ) in the above code example is intentional. This ensure that any blank lines at the end of the file will NOT be interpreted as HTML, which would cause an error. Leaving the PHP end tag out is an accepted method for avoiding such conflicts. This works because the PHP interpreter automatically halts PHP interpretation at the end of every file. The only time you actually need the PHP end tag is if HTML code follows the PHP code in the same file.

See also How to adjust Joomla 1.5 defines

 

How do I block direct access to critical files using .htaccess?

  1. Make a backup copy of your .htaccess file. Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.
  2. Add the following to your .htaccess file. This example will protect both the configurtation.php and .htaccess files.
<Files .htaccess>
order allow,deny
deny from all
</Files>
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

 

How do I recursively adjust file and directory permissions?

Using Joomla! Administration

In the Back-end, go to Site –> Global Configuration –> Server.

Using the UNIX shell

Note: The find command automatically assumes that it should start from the current directory. To be safe, go to your public_html directory and specify a path as the first argument. Some shells, such as bash on Apple OS X, must have a path specified in the find command.

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 707 images
chmod 707 images/stories
chown apache:apache cache

Notes:

  1. Test all third party extensions after changing permissions.
  2. You may need to reset write permissions to install more extensions.

 

Site Recovery

Make websites offline

Clean your Local PC from Updated Antivirus/Anti –maleware/Spyware

Change all relevant passwords: Assume your passwords have been harvested and immediately change all critical passwords, including shell access, FTP access, Joomla! Administrator accounts, Host Password and the database account.

Check raw logs: Identify when and how the attackers gained access to your site by carefully reviewing your raw server logs. Make careful note of the date/time and names of attacked files. Note that these logs may have been deleted or altered, so a lack of evidence does not prove a lack of activity.

 

List recently modified files: Before making any changes to your site, generate a list of recently modified files. Here’s a php script that will list the files for you. Remove this script as soon as you have your list and don’t publish a link to it!

 

Note suspicious newly-created files: Use this list to identify new files that don’t belong. Pay particular attention to their creation and modification dates, and correlate them to the dates of attacks shown in your log files.

 

Note suspicious recently-modified files: Check the modified files list for any files that were recently changed. Pay particular attention to the modification, and correlate them to the dates of attacks shown in your log files.

 

Check for bogus CRON Jobs: Hacked cron jobs can be setup to reinfect your site over and over again.

 

Coordinate with your host: If you have identified how you were cracked, report the method to your host. If you are on a shared server, you may habe been attacked through another vulnerable site on your server. Report this to your host. A reputable host will appreciate your efforts in this area.

 

Delete the entire public_html directory: This is the best way to guarantee that every potential vulnerability in that site is removed.

Delete related database records: This step may only be possible if you have good backups. Simple script kiddies, who are only trying to mark your index page, may not attack your database, but professionals are usually very interested in confidential data, such as passwords. They may pose as script kiddies to avoid suspicion while repeatedly harvesting confidential information from your database.

 

Reinstall everything: Use pre-crack backups. If you don’t have good backups, go on to step 10.

 

Reset critical passwords again: You must reset your passwards again now that your server is finally cleaned of any possible, hidden trojan horses.

 

Review security processes: Follow standard security precautions for important settings in php.ini, globals.php, configuration.php, .htaccess, etc.

 

Review backup processes: If you don’t already have one, add a dependable backup process to your site administration practices

 

Stay watchful: Attackers often return repeatedly. Closely monitor your raw logs for suspicious activity.

 

 

Create Strong .htaccess

 

Restore Backup files

 

If backup is not there, Follow following things…

  1. Download Infected SITE into local
  2. Replace All Joomla Core Files/Component/Modules/Plugins files from Fresh Installation.
  3. Find the Infected Code Syntax and search using Windows Grip and check whether you have any files still infected or remaning.
  4. Test it properly in local and upload to SITES.

 

TIPS:

  1. Weekly Backup – This can happened using FTP or JoomlaPack component.
  2. Change FTP/Host/DB password  twice in month
  3. Update Security patches
  4. Check Extension and their feedback before installation.

Find exploit attempts using the *NIX shell FAQ

Potential Exploit Checking Script….

 

Links:

http://docs.joomla.org/Security_and_Performance_FAQs#Help.21_My_site.27s_been_compromised._Now_what.3F

 

How can I check my Joomla! installation’s overall security and health?

Use the free Joomla extension, Joomla! Tools Suite (JTS), which is a Joomla! environment audit, maintenance and diagnostic application written in PHP. The JTS suite of tools can diagnose, report and advise on common installation, health and security issues, including performing several common performance and recovery actions.

 

Project Home: http://joomlacode.org/gf/project/jts/

How do I move confidential files outside of public_html?

One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html.

The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code (See Important Notes below.):

<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );

3. Make sure the new configuration.php file is not writable, so that it can not be overwritten by the Joomla! Web admin interface.

4. If you need to change configuration settings, do so manually in the relocated joomla.conf.

Important Notes!

In the above code example, do not include blank lines or any characters (including blank spaces) before the php start tag. If you do, you will very likely see the following error.

Warning: Cannot modify header information - headers already sent by (output started at
/home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250

Note that leaving out the PHP end tag ( ?> ) in the above code example is intentional. This ensure that any blank lines at the end of the file will NOT be interpreted as HTML, which would cause an error. Leaving the PHP end tag out is an accepted method for avoiding such conflicts. This works because the PHP interpreter automatically halts PHP interpretation at the end of every file. The only time you actually need the PHP end tag is if HTML code follows the PHP code in the same file.

See also How to adjust Joomla 1.5 defines

How do I block direct access to critical files using .htaccess?

  1. Make a backup copy of your .htaccess file. Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.
  2. Add the following to your .htaccess file. This example will protect both the configurtation.php and .htaccess files.
<Files .htaccess>
order allow,deny
deny from all
</Files>

<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

How do I recursively adjust file and directory permissions?

Using Joomla! Administration

In the Back-end, go to Site –> Global Configuration –> Server.

Using the UNIX shell

Note: The find command automatically assumes that it should start from the current directory. To be safe, go to your public_html directory and specify a path as the first argument. Some shells, such as bash on Apple OS X, must have a path specified in the find command.

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 707 images
chmod 707 images/stories
chown apache:apache cache

The Vulnerable Extensions List is a valuable source of information on what NOT to install.

http://docs.joomla.org/Vulnerable_Extensions_List

 

How do I block directory scans using .htaccess?

Directions

Add Apache rewrite rules to your .htaccess file. For example, the following will redirect all attempts to access files with names starting with, “phpMyAdmin” to index.php.

Sample Apache Rewrite Rule

RewriteRule ^/phpMyAdmin.*$ /index.php

Some Regular Expression Tips

^ Means start of filename
. Means any character other than newlines
* Means one or more of the previous character

 

How can I change PHP settings using .htaccess?

Introduction

This FAQ explains how to set boolean PHP configuration directives using php_flag. The format for php_flag is: php_flag name on|off

Directions

1. Open the .htaccess file located in your site’s home directory, or if you don’t have one, create a blank one now. Note the period character (.) at the beginning of the file name.

2. Add any of the following code samples to your .htaccess file, each on it’s own line. These sample commands will prevent common global variable injection attacks, cross site scripting (XSS) sttacks, and code injection attacks.

php_flag register_globals off
php_flag allow_url_fopen off
php_flag magic_quotes_gpc on

Note that although the magic_quotes_gpc directive adds a layer of security, for performance reasons it is not considered a best practice. If you have verified that your site correctly filters and validates all user data (and every production site really should), then there is no need to add this directive. If you have any doubt, add it.

3. Save the .htaccess file in your site’s home directory.

4. Test your site’s front end and back end.

How can I check if mod_rewrite is enabled?

Many problems with search engine optimization (SEO) arise from the fact that a host has not enabled mod_rewrite on the server.

1. Enable SEO in your administrator! (administrator > SEO > Enable > Save)

2. Rename your htaccess.txt to .htaccess, or use your existing .htaccess file.

3. Place ONLY the following lines in your .htaccess file.

     Options +FollowSymLinks
     Redirect /joomla.html http://www.joomla.org

4. Point your browser to: http://www.mysite.com/joomla.html

(Replace ‘mysite.com’ with your site’s actual URL.)

5. If you are redirected to www.joomla.org, mod_rewrite is working. If you get an error, mod_rewrite is not working.

6. Note: if your site is located in a sub-domain, for example “test” you need to modify .htaccess as follows:

     Options +FollowSymLinks
     Redirect /test/joomla.html http://www.joomla.org

 

How do I switch to PHP5 using .htaccess?

Overview

Many shared server environments currently run .php scripts using the PHP4 interpreter and .php5 code using the PHP5 interpreter. Rather than changing all your file extensions, and perhaps breaking many links, use a .htaccess file to dynamically map one extension to the other.

IMPORTANT CAVEAT: One common reason for doing this is that hosts leave PHP4 configured with register_globals ON in order to support legacy code while offering PHP5 with register_globals OFF. If you are on a shared server at a host that has configured register_globals ON server wide, you should be very worried!

Turning register globals OFF via a local php.ini or a .htaccess file will NOT offer you any extra protection. Another exploited account on your server can simple hack yours. For server security, and since php 4.2, register globals is OFF server wide by default (php default). Any host overriding this is inviting trouble. If you need register globals ON for a specific site, simple use a .htaccess file for that specific directory, and server wide security will not be compromised. Of course, if you do this be sure all effected scripts fully sanitize input data.

Requirements

1. Your Apache server must be configured to use .htaccess files. If not, you may be able to request this from your host. 2. Your Apache configuration must allow the following setting. If not, you may be able to request this from your host. 3. Your host must have configured the .php and .php5 file extensions as described above. If not, they may possibly have chosen other extensions. Check with your host.

Directions

1. Check to be sure your site is configured to use .htaccess files.

2. Make a backup of the .htaccess file in your root public_http directory. If you don’t have a .htaccess file at this location, create one now.

3. There are various ways to set the comman, depending on your server configuration. One of the following will probably work. Add ONE the following lines at the end of your .htaccess file. If unsure which to use, check with your hosting provider on which version works best for your configuration.

AddType x-mapp-php5 .php
AddHandler application/x-httpd-php5 .php
AddHandler cgi-php5 .php

4. Carefully test.

5. Delete the backup .htaccess file. Don’t leave backups of .htaccess files in public directories.

How do I password protect directories using .htaccess?

Overview

This FAQ explains how to protect the Joomla! /administrator/ directory on Apache servers using the htpasswd utility. You can easily adapt these instructions to protect other directories. If you need help finding or creating your .htaccess file, start here.

Caveat (From Apache.org)

Basic authentication should not be considered secure for any particularly rigorous definition of secure. Although the password is stored on the server in encrypted format, it is passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

Not only that, but remember that the username and password are passed with every request, not just when the user first types them in. So the packet sniffer need not be listening at a particularly strategic time, but just for long enough to see any single request come across the wire.

And, in addition to that, the content itself is also going across the network in the clear, and so if the web site contains sensitive information, the same packet sniffer would have access to that information as it went past, even if the username and password were not used to gain direct access to the web site.

Don’t use basic authentication for anything that requires real security. It is a detriment for most users, since very few people will take the trouble, or have the necessary software and/or equipment, to find out passwords. However, if someone had a desire to get in, it would take very little for them to do so.

Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password.

Directions

1. If you are unfamiliar with the Apache htpasswd utility, you may want to read the following link first. Apache Authentication, Authorization, and Access Control

2. Check to be sure your site is configured to use .htaccess files. If not sure, ask your host.

3. Decide where to put your .htaccess file. Because Apache recursively searches all directories in a path for .htaccess files, the higher in your directory structure you place this file, the more directories it will control. If there is already an .htaccess file in the directory you choose, it’s probably best to add the new code to it.

4. Decide where to store your.htpasswd and .htgroups files. These files should NEVER be publicly accessable through the Web. Below is an example directory structure showing good locations for each file. Note that the /auth/ directory in this example is NOT accessible from the Web.

/home/mysite/public_html/.htaccess
/home/mysite/auth/.htpasswd/
/home/mysite/auth/.htgroups/

5. Create the .htpasswd and .htgroups files as explained in the official Apache HowTo, referenced above. (Since you’ve read the always current and official documentation at Apache.org, we’ll spare you the trouble of displaying it again here.)

6. If a .htaccess file already exists in the directory you have chosen, make a backup copy. If the file does not exist, create a new file with that name now. (Don’t forget the dot at the beginning of the name.)

7. Add the following code to the .htaccess file. Adjust the example paths (marked in red) as needed for your server. Adjust the group name that you created in step 5 if it differs from the below example.

AuthUserFile /home/auth/.htpasswd
AuthGroupFile /home/auth/.htgroups
AuthType Basic
AuthName "LWS"
require group admins

8. Test carefully.

9. Remove all backup .htaccess files from public_http directories.

10. If you can not use the Apache htpasswd utility, here’s a free, online script that creates the necessary files for you. You’ll need to know the user name, password, and path. The script does the rest for you. Note that for more advanced configuration, such as the use of groups, you’ll need to edit the resulting files.

.htaccess Generator: http://www.webmaster-toolkit.com/htaccess-generator.shtml

How do I restrict directory access by IP address using .htaccess?

Overview

This can be a very effective way to protect your Joomla! administrator directory. Any other directory in public_html can be protected in the same way. This method only works if you have a static IP address assigned to you. Anyone attempting to browse such directories using a different IP Address will get a 403 Forbidden error.

Directions

  1. In the directory you wish to protect, open (or create) a file called, .htaccess. (Note the dot at the beginning of the file name.)
  2. Add the following code to this file, replacing 100.100.100.100 in this example with the static IP address you plan to allow:
Order Deny,Allow
Deny from all
Allow from 100.100.100.100

 

  • Optional: You can enter partial IP Addresses, such as, 100.100.100. This allows access to a range of addresses.
  • Optional: You can add multiple addresses by separating them with comma’s.
100.100.100.101, 100.100.100.102

 

How do I block direct hot linking to image files using .htaccess?

Caveats

  1. Your server must allow .htaccess files for this technique to work.
  2. If you do not have a .htaccess file in your root directory, see the related FAQ first.
  3. Do not use this method to redirect image hot links to HTML pages or to servers that are not your own.
  4. Hot linked images can only be replaced by other images, not with HTML pages.
  5. As with any .htaccess rewrite, you may block legitimate traffic, such as users behind proxies or firewalls.

Directions

  1. Create a jpeg image called no_hot_link.jpe. Note that the odd file extention (.jpe) is intentional and important. Place this file in your images directory.
  2. Place the following code in the .htaccess file of your root directory.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?your_site\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/no_hot_link.jpe [L]

Explanation

The first line begins the Apache rewrite rule. The second line matches any requests from your own site, here called your_site.com url. The [NC] flag means “No Case”, which means, match upper and lower case characters. The third line allows empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png. This is then replaced by the no_hot_link.jpe file in your images directory. This JPEG file uses the extension jpe instead of jpg to prevent these rules from blocking your replacement image. Block hot linking from specific domains

To stop hotlinking from specific domains only, such as myspace.com, blogspot.com and livejournal.com, while allowing other web sites to hotlink to your images, use the following code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?myspace\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?livejournal\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]

You can add as many different domains as you want. Every RewriteCond line except the last one should end with the [NC,OR] flags. NC means to ignore case. OR means “Or Next”, as in, match this line OR the next line. The last RewriteCond omits the OR flag to stop matching after the last RewriteCond.

Display a 403 forbidden code

Alternatively, you can display a 403 Forbidden error code. Replace the last line of the previous examples with this line:

RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

http://joomlacode.org/gf/project/jts/

Joomla! Tools Suite (JTS) is a Joomla!
environment audit, maintenance and
diagnostic application written in PHP.
The JTS suite of tools can diagnose,
report and advise on common
installation, health and security
issues, including performing several
common performance and recovery
actions.

Tagged : / / / / / /