8 Simple Ways to Hack Your Joomla

A presentation by Tenko Nikolov (@tnikolov) on Joomla World Conference 2013 about the most common ways to get your Joomla site hacked.
  1. “8 simple ways to hack your Joomla!” Tenko Nikolov @tnikolov JWC’13
  2. a few words about me: Partner & CEO, SiteGround; Founder, 1H - www.1h.com; 17+ years of IT Experience; Graduated Law School... Passionate photographer; Performance addict; Security freak
  3. SiteGround is the home of 100,000 Joomla! sites
  4. we face hundreds if not thousands of security attacks per day
  5. “Why would somebody hack me?”
  6. Hackers don’t really care about your site. All they care about is sending some spam.
  7. “Security is not a product, but a process.” If anybody tells you your site is unhackable, that guy is a liar!
  8. 1. Outdated Joomla! Core
  9. Quick demo.. ..of Joomla! file upload security bug
  10. more info on the hack • All versions before 3.1.5 and 2.5.14 are vulnerable • Can be executed by any user, no admin rights needed • The attacker can obtain full access to Joomla! and its surrounding userspace
  11. More info on the hack: Joomla! http://goo.gl/8YwZIk Sucuri http://goo.gl/WjLKGm SiteGround http://goo.gl/NWkZTz
  12. Always update! There is no excuse for not updating!
  13. Use software to get notified and update Joomla! Core
  14. Admin Tools https://www.akeebabackup.com/products/admin-tools.html Watchful.li https://watchful.li/features/
  15. SiteGround does automatic Joomla! Updates too ;) Remember to create a backup before updating.
  16. Read security bulletins: Joomla! Security News: http://feeds.joomla.org/JoomlaSecurityNews Sucuri: http://blog.sucuri.net/?s=joomla
  17. 2. Extensions
  18. Here’s a Scenario: • Your site is up to date • Your extensions are up to date • But you still get hacked… • Wonder why?
  19. Extension vulnerabilities • Sometimes when a vulnerability in an extension is found, it takes the extension developers too much time to fix it. • Therefore it’s always good to use a WAF! • WAF = Web Application Firewall
  20. Popular WAFs
  21. “ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server, IIS and NGINX. ModSecurity is a web application layer firewall. ModSecurity is free software released under the Apache license 2.0.” -Wikipedia
  22. SiteGround adds more than 200 mod_sec rules every week.
  23. example mod_sec rule (written in the ModSecurity 1.x SecFilterSelective syntax; the three chained filters match a request to index.php whose option parameter is com_seminar and whose search parameter carries an onmouseover handler):
      # 30.Sep.2013
      # joomla com_seminar Cross site scripting Vulnerability
      # http://cxsecurity.com/issue/WLBD2013090184
      SecFilterSelective REQUEST_FILENAME "index.php" "chain,id:00680"
      SecFilterSelective ARG_option "com_seminar" chain
      SecFilterSelective ARG_search "onmouseover"
  24. CloudFlare and Incapsula are advanced mod_security-like FREE services which also add CDN functionality.
  25. More Security Bulletins: Joomla! Extensions Security News: http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
  26. 3. Themes
  27. “Templates are software, not just a bunch of graphics. Template developers do release security upgrades all the time. Make sure you install them. I've seen many sites getting hacked because of a dated template with a SQL injection or XSS vulnerability.” -Nicholas Dionysopoulos
  28. Example: RocketTheme SQL injection in their modules! http://www.rockettheme.com/blog/extensions/1300-important-securityvulnerability-fixed
  29. WAF is good for themes too.
  30. 4. Weak passwords
  31. Let me tell you a story…
  32. On April 9th we got hit by a huge brute force attack towards many Joomla!s
  33. bots used more than a thousand different IPs per server to scan for passes… … and we blocked more than 92,000 IPs in total across our network in just
  34. In 12 hours we blocked more than 15 million login requests. But still, we thought many passwords were guessed
  35. We then tried to brute force our clients ourselves. And we were shocked how many passwords we found.
  36. Over 40% of our customers used Really Weak passwords. Like REEEEEALLLY WEAK!
  37. Let me show you how easy it is to crack a dumb password, say: “admin123”. Username is admin
  38. So in less than 10 seconds I’ve got your password
  39. Tip: Change your password to a full sentence; it’s easy to remember and hard to guess, like: “I love to watch the sunset.”
  40. Tip 2: Change your username! admin2 is not acceptable either ;) Try something like yourname_adm1n
  41. Tip 3: Implement captcha on your login page
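The blocking described in slides 32 to 34 starts with spotting which sources are flooding the login page. The script below is an added example, not code from the talk or from SiteGround: it counts POSTs to the Joomla! administrator login per source IP in an Apache combined-format access log and lists the ones at or above a threshold. The log lines are constructed sample data, and the log format, the /administrator/index.php login path and the threshold values are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): list source IPs that flood the Joomla!
# administrator login, as a first step towards the IP blocking the slides describe.
# Assumes Apache "combined" log format and that admin logins are POSTs to
# /administrator/index.php; the log lines below are constructed sample data.

make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [09/Apr/2013:03:14:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:03:14:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:03:14:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:03:14:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:03:14:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:03:14:04 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.4 - - [09/Apr/2013:03:14:05 +0000] "GET /administrator/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Apr/2013:03:14:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
192.0.2.9 - - [09/Apr/2013:03:15:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
EOF
}

# Print "<count> <ip>" for each IP whose admin-login POSTs reach the threshold,
# busiest first. The IP list can be fed to a firewall or fail2ban-style tooling.
find_bruteforce_ips() {
  log="$1"; threshold="${2:-50}"
  awk -v t="$threshold" '
    # field 6 is the quoted request method, field 7 the request path
    $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
  ' "$log" | sort -rn
}

# No arguments: run on the constructed sample. Otherwise: audit the given log.
if [ "$#" -eq 0 ]; then
  sample=$(mktemp); make_sample_log "$sample"
  find_bruteforce_ips "$sample" 5   # prints: 6 203.0.113.7
  rm -f "$sample"
else
  find_bruteforce_ips "$1" "${2:-50}"
fi
```

On a real server the threshold should be set per time window (rotate or pre-filter the log by time first), since a legitimate admin will also POST to the login page a few times a day.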
  42. 5. Outdated Server Software
  43. Old PHP 5.3 running as CGI: remote execution exploit http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
  44. Quick demo how it works: http://testdomainname.com/j25/index.php?-s
  45. MySQL password-less auth security vulnerability. All 64bit MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable http://blog.sucuri.net/2012/06/security-vulnerability-in-mysql.html
  46. Make sure your server side software is current at all times.
  47. 6. Incorrectly configured server software
  48. Apache Symlinks bug http://seclists.org/fulldisclosure/2013/Aug/81
  49. 7. Joomla! Permissions
  50. Correct Joomla! Permissions set: • Folders: 755 • Files: 644 • configuration.php: 444
  51. Incorrect Joomla! Permissions set: • All: 777 • Anything more than 755
  52. It’s a must to have account isolation when hosted on shared hosting.
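A way to check an install against the permissions from slides 50 and 51, as an added example that is not part of the talk: the script walks a Joomla! web root with POSIX find(1), reports world-writable entries first (the 777 case), then folders that are not 755, files that are not 644, and a configuration.php that is not 444. The web root path and the report labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): audit a Joomla! web root against the
# permissions recommended above (folders 755, files 644, configuration.php 444)
# and flag the 777 / "more than 755" cases. Assumes a POSIX find(1); the
# web root path is the single argument.

check_joomla_perms() {
  root="$1"
  # World-writable entries are the worst case: without account isolation,
  # any user on a shared box can edit them.
  find "$root" -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
  # Folders that are not exactly 755 (world-writable ones were reported already).
  find "$root" -type d ! -perm -002 ! -perm 755 \
       -exec printf 'DIR-NOT-755 %s\n' {} \;
  # Regular files other than configuration.php that are not 644.
  find "$root" -type f ! -name configuration.php ! -perm -002 ! -perm 644 \
       -exec printf 'FILE-NOT-644 %s\n' {} \;
  # configuration.php holds the database credentials and should be read-only.
  find "$root" -type f -name configuration.php ! -perm -002 ! -perm 444 \
       -exec printf 'CONFIG-NOT-444 %s\n' {} \;
}

# Number of findings, usable as an exit status or a monitoring metric.
count_perm_issues() {
  check_joomla_perms "$1" | wc -l | tr -d ' '
}

# Usage: sh joomla-perms.sh /path/to/joomla
if [ "$#" -gt 0 ]; then
  check_joomla_perms "$1"
  echo "$(count_perm_issues "$1") issue(s) found"
fi
```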
  53. 8. Malware
  54. Viruses and Trojans steal your login details. They want to spam, remember?
  55. Stay up to date on anti-virus software. Or use Linux.. Or a Mac ;)
  56. So let’s recap… • Update your Joomla! • Update your extensions. Read security bulletins once in a while. • Update your themes. Don’t forget that! • Use strong passwords and non-default admin usernames. • Make sure your server side software is current (PHP, Apache) • Make sure your server side software is correctly set up • Use correct file permissions for Joomla! • Watch out for that sneaky malware
  57. Questions?
  58. In case you wondered - here’s my test environment • CentOS 6 64bit VM with 2.6.32 kernel • Apache/2.2.25 (latest) • PHP 5.3.10 (latest is 5.3.27) • Joomla! 2.5.13
  59. Thank you!
  60. Tenko Nikolov @tnikolov tenko@siteground.com
