NYCPHP Meetup

[Leam Hall]

PR9?

Keep in mind that FTP passwords were sent in clear text so some of the 
info might have been snooped. Also, some unix versions have an 8 
character password maximum length. If your punctuation came in chars 9 
or 10 it might not have been there. If the host was not using shadow 
passwords the /etc/passwd file might have had encrypted passwords and be 
readable by another user on the system.

Turning off FTP is a great idea, as is using something like SFTP or vsftp.

Leam

Barrie North wrote:
> We found the attacks/IP in the server logs. A financially backed hacker
> outfit from Nigeria, go figure. The joys of having a PR9 site =P
> 
> Our password was 10 chars including letters, numbers and punctuation. We are
> hosted on a "secured" rackspace server.
> 
> We don't have FTP running any more!
> 
> Barrie North
> ~Fully Managed Joomla Sites~
> www.simplweb.com/joomla
> ~Join the Community at compassdesigns.net~
> www.compassdesigns.net/join-the-community.html
> 
> 
> On Thu, Mar 26, 2009 at 7:29 PM, Atir Javid <atirjavid at gmail.com> wrote:
> 
>> Hello Barrie,
>>
>> May I inquire as to how you verified the attack?  I know that FTP
>> bruteforcing is extremely difficult, and that is very improbable.
>> What you may have faced was a dictionary attack, which may have worked
>> with some luck if you had a weak password.  A password including a mix
>> of
>>
>> 1) UPPERCASE
>> 2) lowercase
>> 3) punctuation/!#$.,
>> 4) numbers
>>
>> and have a good strong/long password you would never fall victim to
>> dictionary.
>>
>> As for bruteforce, an ftpd simply denies access after 3 or 5
>> (configurable, usually defaults to 3) failed login attempts for some
>> time.  Some hosts go as far as restricting ftp access until you call
>> them and verify the problem.  Also, brute forcing over a TCP pipe a
>> slow protocol such as FTP is virtually impossible.  At this rate it
>> would take YEARS to bruteforce the password if not DECADES.
>>
>> @ Other users
>> Also make sure to go into joomla user configuration and change the
>> username of 'admin' to something else.
>> To protect your joomla administation section  If you have a static ip,
>> you can add
>>
>> order allow,deny
>> deny from all
>> allow from your.static.ip.here
>>
>> to a file called .htaccess in your administration folder.  If for some
>> reason your ip changes and you get locked out, simply login via FTP
>> and update the .htaccess file.  There are some other advanced methods
>> for protecting your administration folder.
>>
>> Also, FTP was a protocol developed 30+ years ago.  It is not secure,
>> clear text authentication, etc.  FTP must go.  If you can help it, do
>> not use ftp, instead SFTP, or SSH.  Just.. anything but FTP.  Sadly,
>> thats all that is easy to use, highly available across all hosts, and
>> not everyone on shared hosting provides SSH access.  If you can do
>> without it, do without it. http://wooledge.org/mywiki/FtpMustDie
>>
>> I have seen more sites hacked due to unpatched php or bad php
>> code(mostly from 3rd party addons) more than I have with FTP though.
>>
>> Still with good security practices you can reduce the risk considerably.
>>
>> Peace.
>>
>>
>>
>>
>> 2009/3/26 Barrie North <barrie at compassdesigns.net>:
>>> We got hacked last month by a brute force attack on our FTP password.
>> Once
>>> they had that, they got into the Joomla files.
>>>
>>> Any site can be hacked. The other half of the equation is vigilance and
>>> backups :)
>>>
>>> Barrie North
>>> ~Fully Managed Joomla Sites~
>>> www.simplweb.com/joomla
>>> ~Join the Community at compassdesigns.net~
>>> www.compassdesigns.net/join-the-community.html
>>>
>>>
>>> On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masimko at verizon.net>
>> wrote:
>>>> Several of my clients' 1.0.15 sites have been hacked this week!  Is
>>>> there a problem with 1.0?
>>>>
>>>> I don't see an announcement on joomla.org
>>>>
>>>> I just saw that my site was hacked the other day. Fortunately they
>>>> bunged it up a bit, so the code didn't run, but instead gave an error
>>>> message.
>>>>
>>>> What they had done is append javascript to the index.php file. It was
>>>> disguised as ascii codes, and there were several var defined and
>>>> substituted in, but the result was that it attempted to open a hidden
>>>> iframe directed to siplank.com. When I tried to open siplank.com in a
>>>> web browser (yes, I did that! I do lots of crazy things out of
>>>> curiosity) Firefox stopped it with a warning about the site being known
>>>> for malware.
>>>>
>>>> I'm running 1.5.9 on a shared host. I will be calling my host and asking
>>>> them what they can find out from their logs as to what happened.
>>>>
>>>> _______________________________________________
>>>> New York PHP SIG: Joomla! Mailing List
>>>> http://lists.nyphp.org/mailman/listinfo/joomla
>>>>
>>>> NYPHPCon 2006 Presentations Online
>>>> http://www.nyphpcon.com
>>>>
>>>> Show Your Participation in New York PHP
>>>> http://www.nyphp.org/show_participation.php
>>>
>>> _______________________________________________
>>> New York PHP SIG: Joomla! Mailing List
>>> http://lists.nyphp.org/mailman/listinfo/joomla
>>>
>>> NYPHPCon 2006 Presentations Online
>>> http://www.nyphpcon.com
>>>
>>> Show Your Participation in New York PHP
>>> http://www.nyphp.org/show_participation.php
>>>
>> _______________________________________________
>> New York PHP SIG: Joomla! Mailing List
>> http://lists.nyphp.org/mailman/listinfo/joomla
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
> 
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
> 
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php