[Cialug] Slight OT: Joomla & Security

David Champion dave at dchamp.net
Thu May 24 10:35:49 CDT 2012


All good stuff. One thing that Josh didn't point out, but may be 
obvious, is to change all of your passwords. A lot of stuff gets 
"hacked" simply because someone left a default or easy to guess 
password. If you follow all of the steps below, but don't change the 
admin password, it was all wasted effort.

It's also very common for people to install a CMS once, and never 
install security updates. I'm on a Joomla mailing list, and they 
frequently come out with critical updates that patch vulnerabilities. If 
you've installed Joomla (or anything else) with a manual download 
instead of using your distribution's package manager, you're on your own 
for security updates.

Some CMS's are nice enough to have an update option in the site's admin 
section, but it doesn't do you any good unless you use it.

-dc

On 5/24/2012 7:20 AM, Josh More wrote:
> Run JoomlaScan on your installs:
> http://blog.pepelux.org/2011/10/30/joomlascan-v1-3/ .  Fix what it
> finds.  Remove any extensions you don't need.
>
> Then run ClamScan on each directory structure:
> http://www.clamav.net/lang/en/ . Fix what it finds.
>
> Then manually review what remains and make sure it's needed. Install
> Joomla from scratch in a separate directory and do "diff -r" against
> your two targets to make sure that no PHP has been modified.  (You may
> need to install it with whatever extensions you're using, depending on
> what you're using.)
>
> Once all that is done, harden your system by:
> * Removing any Apache modules that you do not need.
> * Disabling AllowOverride for each vhost
> * Installing and tightening PHP-Suhosin (both pieces)
> * Installing and configuring Mod_Security2, using the core rules and
> only blocking what you absolutely must to get your site to work.
> * Installing AppArmor with ChangeHat configured to isolate each site.
> * Do an external scan of the server(s) with nmap, configured for all
> ports, to find a hidden listening daemon.
> * Write a short script that strips Write permissions for all on the
> entire Joomla tree (except where needed (trial and error)) and one
> that turns them back on so you can update the system.
>
>
> This is what I consider the absolute minimum to run a
> Joomla/Drupal/Wordpress framework live on the Internet. If you were
> highly targeted, there'd be a lot more that you'd need to do.
>
>
> -Josh More
>
>
>
> On Wed, May 23, 2012 at 2:51 PM, jrnosee<jrnosee at gmail.com>  wrote:
>> Anyone on here good with Joomla and its security?  I've got two Joomla
>> based sites (one for my church and one for my townhomes) that I assist
>> with.  They've both been hacked.  I'm trying to remove the damage but it
>> keeps coming back.  I'm not sure if it's being accessed and re-hacked
>> remotely or if something on the page is re-adding the malicious code.  If
>> anyone could help me with this please email me off list.  I
>> would truly appreciate any assistance I might get.
>>
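Two of the steps in Josh's list, the lock/unlock scripts for the Joomla tree and the "diff -r" against a fresh install, as an added example written for this page and not code from anyone on the thread. The set of directories a Joomla site must be able to write to (cache, images, logs, tmp, administrator/cache) is an assumption; work it out per site by the trial and error the original advice mentions.

```shell
#!/bin/sh
# Added example, not code from anyone on this thread. It implements two of
# Josh's steps: the lock/unlock pair for the Joomla tree and the "diff -r"
# comparison against a clean install. The list of directories a site must
# write to (cache, images, logs, tmp) is an assumption; adjust it by the
# "trial and error" the original advice mentions.

# lock_tree ROOT [DIR...]
# Strip write permission for everyone on every file and directory under
# ROOT, then hand owner write back only to the named subdirectories.
lock_tree() {
    root=$1
    shift
    find "$root" -exec chmod a-w {} +
    for d in "$@"; do
        if [ -d "$root/$d" ]; then
            chmod u+w "$root/$d"
        fi
    done
}

# unlock_tree ROOT
# Restore owner write permission on the whole tree so updates can be applied.
unlock_tree() {
    find "$1" -exec chmod u+w {} +
}

# count_writable ROOT
# Number of entries under ROOT whose mode grants owner write (checks the
# permission bits, so the result is the same even when run as root).
count_writable() {
    find "$1" -perm -200 | wc -l | tr -d ' '
}

# diff_against_clean CLEAN_ROOT LIVE_ROOT
# List the .php files that differ between a fresh install and the live
# site; every line printed is a file to inspect by hand.
diff_against_clean() {
    diff -rq "$1" "$2" | grep -E '\.php( |$)' || true
}

# Typical use (paths are placeholders):
#   unlock_tree /var/www/joomla
#   ... apply the update ...
#   lock_tree /var/www/joomla cache images logs tmp administrator/cache
#   diff_against_clean /srv/joomla-clean /var/www/joomla
```

The lock step removes write for everyone rather than just "other", so a web server process running as the file owner also cannot rewrite PHP outside the whitelisted directories; that is what stops re-infected files from silently coming back between cleanups. Run the diff against an install of the same Joomla version with the same extensions, or every legitimate version difference shows up as noise.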
