"Harun" Joomla Hack? Please help me securing this website - security

one of my clients complained that she cannot log into her Joomla installation anymore. So I checked the database and saw, that all the user names and passwords (md5 value, I used a rainbowtable to check) are set to "harun". Did anyone ever hear about that? Google doesn't...
Also: what do I need to to now (besides changing passwords)? I'm not that "big" in web-dev and never faced such a problem.
Any help appreciated.

Clearly you have a great deal of cleanup to do....I hope you have a database backup! We had the same kind of thing happen to us a couple of years back, and installed RSFirewall. While attacks still occasionally occur, this wonderful extension has cut the damage by 99% for us. Good luck!

You need to clean up the website and find and fix the point of entry.
1. clean up the website
You could restore from a backup but it can be difficult to determine the exact date the website was compromised.
You could spend days trying to find and fix compromised files yourself.
The best option is probably to use a commercial service like www.myjoomla.com or sucuri.net which cost very little and are usually effective at finding and fixing infected websites. In particular, the myJoomla security tool can identify core Joomla files that have been changed and replace the changed ones with the original files.
2. find and fix the point of entry
Update Joomla to the latest version in the series.
Update all third party extensions to the latest versions.
Update Joomla, FTP/cPanel and Database passwords.
Check the Vulnerable Extensions List at vel.joomla.org to ensure you are not using any vulnerable extensions.
Also see the Official Security Checklist at http://docs.joomla.org/Security_Checklist and https://stackoverflow.com/a/19139389/1983389 and https://joomla.stackexchange.com/a/180/120 for tips on keeping your Joomla website secure.

For long time solution its an suggestion please change your server or host. As you said MD5 are set as "harun" as per my opinion its change by some kid's hacker by sim-link or some local jommala vul. attack . If its sim-link attack then you need to worried about host else if its jommla vul. then simply change the version or update it and make cleanup on your publichtml/ or soo on .And make sure there is no other php script or perl / python script not found on your Host.

Related

What's the point of updating Joomla?

I'm currently running and installation of Joomla v3.3.3 on a server. It says that there's an update available for v3.5.1. I'd like to know if it's a good idea to update to this version. There are several additional modules used by the website and I'm afraid that the whole frontend will be broken after updating. Are there any security issues? Or am I fine if I'm staying on this version?
its always best to stay up to date as the updates frequently address various security concerns. Its not difficult for a potential attacker to know when a website is built on the various popular frameworks. I can spot a joomla or wordpress site every time.
It is also best practice to backup your website before performing updates.
Myself, I like to create a copy of the entire site and database in another directory or sub domain and test update on that. if all seems good i then create a backup of the live site before installing the update as updates can fail for random reasons.
joomla updating guide
It's a best practice in web development to stay up to date, with updates we have improvements in security, functionality, performance or design.
Some extensions are not compatible with the latest joomla! versions, so you also need check the news for each extension in their websites, also you can check the updates in:
Extensions > Manage > Update > Find Updates Button
If for some reason you have an extension that should not be updated and you see the notification in the back-end, you can disable it in:
Extensions > Manage > Update > Update Sites
Note: Before any change in your site, create a backup. One popular extension to automate your backup process is Akeeba Backup.

How best to deal with ExpressionEngine registration spam?

I've got a whole load of EE sites under my belt and generally don't have much of a problem with spam. However, one site that I look after is getting bombarded by registration spam lately. It is an extremely low traffic site and was a bit neglected which meant it was running an old version of EE.
I've now updated the site to the latest EE version and gone through double checking that everything was locked down. I've even tried installing Low NoSpam but I'm still getting the attempted registrations.
My initial thoughts were that there was some security hole in this old version of EE. But since I have now updated everything I'm not so sure.
What is the best way to deal with this other than turning registrations off?
I personally find that RECAPTCHA is the best captcha system out there:
http://devot-ee.com/add-ons/recaptcha
It's ADA compliant, your visitors help translate books and its probably the most popular. Snaptcha would do the trick as well, but I personally think that if you need a captcha (which I hate :)) then go with RECAPTCHA :)
Oh and it's completely FREE too!!
Have you changed the Profile Member trigger word to something other than 'member'?
I had excellent results with Snaptcha for comment spam - it works for registration spam too. Worth a look.

Can you configure a Wordpress-based site for private use only?

If I build a site using Wordpress, is there a straightforward way to restrict access to the whole site to only those who I specify?
I've looked a few plugins that attempt to redirect unregistered users to the login page, but most seem old, fragile, or generally just hacks.
I want to know if a standard Wordpress installation lets you do this, or otherwise if there's a decent and secure plugin to do it. I need a solution that doesn't involve changing the default wordpress PHP scripts as I don't have direct access to the server. It's quite important that the solution is secure.
Any help or past experience would be appreciated.
EDIT: Apologies if this is better suited to http://wordpress.stackexchange.com, wasn't aware this existed. Please move if necessary :-)
The new version of WP, I believe v 3.1.2, has this option for pages and posts under the quick edit.
You can set a password per post / page or mark them as private.

No-code or little-code website

What is a (free) technology which requires the least amount of code for creating a website with the following requirements:
Sign-up/login
Form for adding your personal info. which gets databased
Each person can view and edit their own info
Admin can view and edit any
The form needs to be easily customizable and extensible (by the website's owner, not during run-time)
Is there a beginner tutorial for such a thing?
(For me, this question is about a friend who wants me to do this, but I want him to do it himself so I don't have to get roped into maintenance. I also want to keep it more general for the sake of Stack Overflow and future readers.)
Edit: I thought I remembered some ASP.NET tutorials that were mostly drag/drop or things where it was all but made for you from the database schema (which can be made with SSMS's GUI) but I can't seem to find them now.
Responding to posts below requesting specifics: this site will be for potential clients to sign-up and enter their company's info and fill out a form about their advertising needs.
I thought about putting this on SU instead, but since there was likely going to be some coding involved (I assumed no-code was an unreachable goal) SO seemed more appropriate.
Your friend can consider a framework like drupal. It has a bit of a learning code but, you can create a website with everything you ask for without code. You may want to modify it to change the look but there are themes for that.
Also, some hosts like godaddy.com have this installed and you do not have to worry about the complex installation procedures. Just start modifying the content of the site, select a built in template and go...
PhpBB? I think you need to specify what the website is going to be used for before you can get better/more specific answers.
... have a look at Drupal or Joomla, expect a learning curve nevertheless.
Is this friend a programmer as well? If so, I'd suggest building such a site using a PHP framework. Deploying an existing forum/wiki is also an option of course, but will probably have much more features than you describe. But if s/he's not a programmer, I don't see how s/he will be able to develop a site like that in a reasonable amount of time.
Why not using a CMS like wordpress, drupal and co. ?

hardening drupal for a live deployment

Are there any special security measures to take when deploying a Drupal site to a production server?
For instance: I can imaging that we need to remove install.php from the root directory. Are there any more actions?
Or is there maybe a module available which checks the site for "world readiness"
The status report on http://your-site/admin/reports/status will tell you if anything is not quite right.
Under the performance admin page you can turn on various caching settings, but test your site with them turned on before deploying.
There is a book by greggles for securing drupal, which may be worth a look.
Ideally you've tested your code for insecurities before deploying, but configuration can often be missed. There's a mode for analyzing your Drupal site for misconfiguration that would lead to vulnerabilities http://drupal.org/project/security_review
Security Review makes the following checks:
Safe permissions on system files
PHP in comments or nodes
Whether error reporting is on
Unsafe input formats
If private files is on and if the files directory is outside webroot
Allowed upload extensions
Admin permissions granted to untrusted users
In addition to other suggestions, remove update.php also.
I'd also (re)move /scripts from the webroot
It's a minor thing, but you could remove the text files in the root of the distribution which leak the version number. Such as CHANGELOG.txt etc.
I don't remember how safely cron.php protects itself from flood-calling. You may want to look into whether it is worth limiting that to local-only or command-line-only access.
Ensure that .inc files are processed by PHP.
all this answers make you stop thinking after your install is done - but software has a history and after installing drupal you have one more baby to watch - in drupalĀ“s case watch VERY closely! This means you MUST subscribe to the drupal security mailing list and read all mails that are coming form there - be prepared to get many emails. It is good, that the drupal team is providing these informations fast, but it is sad that there are really too many of these mails, what might be related to drupals programming style. be prepared to get up more than once in the middle of the night to update your drupal installation because some extension developer never did understand, why input from the web must be sanitized (yes, these kind of security problems are still happening in the drupal world.)
So "hardening" means "keeping up with updates", in drupals case these come quite often. Think about this if you have many sites and want to deploy to multiple servers - automatic deploymemts will help you save a lot of time.
Here's an excellent rundown for Drupal 7: http://www.madirish.net/242.
Most of its suggestions are relevant to Drupal 6 as well.
You should also remove the Theme registry rebuilding setting.
It rebuilds your theme registry on every pageload, so it makes your site very slow.

Resources