Knowledgebase : Security

We have at least 3 cases every week where a customer comes to us with a hacked Joomla website. Usually, the Joomla website is either filled with hidden malicious content, redirected to another website with malicious content, stripped of all its data, or simply does not show up at all.

Here are, according to our experience, the top 10 reasons on why your Joomla website got hacked:

  1. Your website has very old extensions installed: This is the top and most common reason behind a hacked Joomla website. You should always keep your extensions up-to-date, and if you’re using an extension that is no longer supported, then try to find an alternative. If not, have a developer take a look at that extension to ensure it has no vulnerability issues.
  2. You're using an older version of Joomla: We know that it's hard to keep your Joomla website up-to-date with the latest version, especially if you have a lot of extensions (components, modules, plugins) that will break if you upgrade Joomla. But you must do this; you can’t keep on using an outdated version forever.
  3. You have write permissions on your .htaccess file: By default, your .htaccess file has write permissions on it because Joomla has to update it, especially when you’re using SEF. The problem is that this leaves your .htaccess vulnerable to attacks that aim at changing it. You should always set your .htaccess permissions to 444 (r--r--r--) or maybe 440 (r--r-----).
  4. You have write permissions on your *.php files: Neither the web server nor the world should have write permissions on your Joomla *.php files. You should ensure that the permissions of all your *.php are set to 444.
  5. Allowing users to upload scripts: For example, if a component accepts images, you should ensure that only images are allowed to be uploaded. Users should not be able to upload scripts (such as *.php files).
  6. Giving execute permissions on public directories: In this context, public directories mean those directories where users are able to upload their files. Imagine someone uploading a file to one of your upload directories (one way or another). If that file is a script, and if that directory allows scripts to run, then that individual can easily run the malicious script. Public (upload) directories should all be given a permission of 766 (the owner can read, write, and execute; the rest can only read and write).
  7. Using non-prominent extensions: You should always use extensions that are used and tested by many people. Using an extension that is used by very few people is not a good practice, and can get your website hacked (attacker can use several techniques such as XSS, SQL injection, etc…). In case you feel obliged to use such an extension, have a developer review it for security.
  8. Giving credentials to untrusted developers: You shouldn’t give your website credentials to untrusted developers. And, if you really have to, then change all your passwords once the developer is done working. We have already explained how to change your Joomla database password with no downtime. Note: At itoctopus, we immediately destroy the customer’s website credentials once we’re finished working on it.
  9. Giving all the possible permissions to the database user: Once your Joomla website is set up, the database user should only be able to INSERT rows, UPDATE rows, DELETE rows, and CREATE tables. It should not be able to DROP tables or DROP the database. Ensure that only the necessary permissions are given to the Joomla database user.
  10. Feeling confident that your website cannot get hacked or that no one would hack your website: Regardless of whether you have a small charity website or a huge school website, your website is susceptible to hacking. Many hackers use software to scan the Internet for websites with vulnerabilities and attack them, just because they can! Always take your website’s security seriously; don’t think that if you’re too small no one would consider hacking your website, or that if you’re too big you are secure enough and no one would be able to hack your website.
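To check an existing site against reasons 3 to 6 above, here is an added audit script (it is not from the article). It assumes PHP on the server, that the Joomla webroot is passed as the first argument, and that 'images' and 'tmp' are the upload directories unless other ones are named on the command line.

```php
<?php
// Added audit script, not part of the article: walks a Joomla webroot and reports
// permissions that contradict reasons 3, 4, 5 and 6 above. Paths passed after the
// webroot are treated as upload directories; the defaults 'images' and 'tmp'
// are assumptions about a typical Joomla layout.
// Usage: php joomla_perm_audit.php /var/www/joomla images tmp

function auditJoomlaPermissions(string $root, array $uploadDirs): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $rel  = ltrim(substr($path, strlen($root)), '/');
        $inUpload = false;
        foreach ($uploadDirs as $dir) {
            $dir = trim($dir, '/');
            if ($rel === $dir || strncmp($rel, $dir . '/', strlen($dir) + 1) === 0) {
                $inUpload = true;
            }
        }
        if ($info->isDir()) {
            // Reason 6: group/others must not have execute on upload directories
            if ($inUpload && ($mode & 0011)) {
                $findings[] = sprintf('%s: upload directory is executable (%o)', $rel, $mode);
            }
            continue;
        }
        $ext = strtolower($info->getExtension());
        // Reasons 3 and 4: .htaccess and *.php should be 444, i.e. never writable
        if (($info->getFilename() === '.htaccess' || $ext === 'php') && ($mode & 0222)) {
            $findings[] = sprintf('%s: writable (%o), expected 444', $rel, $mode);
        }
        // Reason 5: no scripts may live inside an upload directory
        if ($inUpload && in_array($ext, ['php', 'phtml', 'phar'], true)) {
            $findings[] = sprintf('%s: script stored in upload directory', $rel);
        }
    }
    return $findings;
}

$root = rtrim($argv[1] ?? '.', '/');
$uploads = array_slice($argv, 2) ?: ['images', 'tmp'];
foreach (auditJoomlaPermissions($root, $uploads) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it from a shell on the server; an empty output means nothing contradicted the four rules, and each printed line names one file or directory to fix with chmod.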

Currently there is a newly active vulnerability for WordPress related to the revslider plugin. This plugin is a premium plugin, but some users are not aware that they have it because some themes come bundled with it.

Attack sequence:

1. Discovery. Normally the bot will try to find a vulnerable version of the plugin.

2. Exploit. It will use the script to upload a malicious theme to the site.

3. Take over. If the exploit is successful, it will inject the Fileman backdoor.

Recommendation:

Install the Sucuri Scanner plugin in WordPress and scan the WordPress blog for vulnerabilities.

 https://wordpress.org/plugins/sucuri-scanner/


Mass infection of WordPress sites due to TimThumb

Recently a new high risk vulnerability was discovered in the highly popular TimThumb script. TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.
 
TimThumb is included in a lot of WordPress plugins and themes (free and paid). By exploiting this vulnerability an attacker can upload and execute a PHP file of his choice on a vulnerable website.
 
By default the script allows loading files from a list of trusted external domains, specified as follows:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
);
It should not be possible to upload files from another external domain. However, the check is flawed because you can bypass it using a domain like blogger.com.hacker.com. This domain passes the check but belongs to hacker.com, making the script exploitable.
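The flaw described above, as an added example (this is not TimThumb's own code): a reconstruction of a substring-style host check of the kind that lets blogger.com.hacker.com through, beside a hardened check that only accepts the allowed domain itself or a real subdomain of it. The functions isAllowedFlawed and isAllowedStrict are hypothetical names; $allowedSites is the list quoted above.

```php
<?php
// Added example (not TimThumb's own code): a host check of the kind the article
// describes, beside a hardened version. $allowedSites is the list quoted above.
$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com');
// Flawed check (a reconstruction, not TimThumb's literal code): a substring test
// on the host accepts "blogger.com.hacker.com" because "blogger.com" occurs in it.
function isAllowedFlawed(string $src, array $allowedSites): bool
{
    $host = (string) parse_url($src, PHP_URL_HOST);
    foreach ($allowedSites as $site) {
        if (stripos($host, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require http(s), and accept the host only if it
// is exactly the allowed domain or a subdomain of it (boundary at the dot).
function isAllowedStrict(string $src, array $allowedSites): bool
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || (strlen($host) > strlen($suffix)
                && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

$samples = [
    'http://img.youtube.com/vi/abc/0.jpg',       // allowed: exact host
    'http://farm1.flickr.com/photo.jpg',         // allowed: real subdomain
    'http://blogger.com.hacker.com/x.php',       // the bypass from the article
];
foreach ($samples as $src) {
    printf("%-42s flawed=%s strict=%s\n", $src,
        isAllowedFlawed($src, $allowedSites) ? 'allow' : 'deny',
        isAllowedStrict($src, $allowedSites) ? 'allow' : 'deny');
}
```

The third sample is allowed by the flawed check and denied by the strict one, which is exactly the difference the article points at.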
 
Hackers are already exploiting this vulnerability in the wild, and thousands of sites have been hacked.

Does the Anti Malware Plugin protect against this vulnerability?

Yes. All requests made in order to exploit this vulnerability are denied with a "Precondition Failed" error message.

Your vulnerable WordPress sites are safe.

If you install the AM plugin after the site has already been hacked, you should also scan your accounts and remove any backdoors or malware that were installed before.

iWHOST Support System