
Difference between revisions of "Security Checklist/You have been hacked or defaced"

From Joomla! Documentation

(LTS numbering)
(On Line Action List)
Line 1: Line 1:
{{RightTOC}}
+
{{:Security Checklist/TOC}}
 
== You have been hacked/defaced ?==
 
== You have been hacked/defaced ?==
 
We are sorry for any basic language used in this document.
 
We are sorry for any basic language used in this document.
 
Before you post in the Joomla! Security Forum [http://forum.joomla.org/viewtopic.php?f=432&t=475313 please read this] checklist summary, then use it as a post template.
 
Before you post in the Joomla! Security Forum [http://forum.joomla.org/viewtopic.php?f=432&t=475313 please read this] checklist summary, then use it as a post template.
 
  
 
=== On Line Action List===
 
=== On Line Action List===
* Take your [http://docs.joomla.org/Taking_the_website_temporarily_offline#Using_the_htaccess_method_.28cpanel.29 site offline] '''We recommend the htaccess method'''
+
* Take your [[Taking_the_website_temporarily_offline#Using the htaccess method (cpanel)|website offline]] ('''We recommend the htaccess method''')
 
+
* Run the [http://forum.joomla.org/download/file.php?id=70500 forum post assistant and security tool] The simple Instructions [http://forum.joomla.org/viewtopic.php?f=428&t=272481 available here] You will need to unzip this file to your server joomla root
+
  
* Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. (see [http://docs.joomla.org/Security_Checklist_7#Local_Security local security])
+
* Run the [https://github.com/ForumPostAssistant/FPA/zipball/en-GB forum post assistant and security tool] The simple Instructions are [http://forum.joomla.org/viewtopic.php?f=621&t=582860 available here]. More detailed instructions are included in the download package. You will need to unzip this package and upload the fpa-en.php file to your server Joomla root The FPA is also [https://github.com/ForumPostAssistant/FPA/tarball/en-GB available in a tar.gz package] for those who desire or need a unix style package. The fpa-en.php file from the package will need to be uploaded to your server Joomla root.
  
 +
* Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. (see [[#Local_Security|Local Security]] below)
  
* Ensure you have the '''latest version''' of [http://www.joomla.org/download.html Joomla]  
+
* Ensure you have downloaded the '''latest version''' of [http://www.joomla.org/download.html Joomla] for the series of Joomla used on the site. (see [[#incompatible_versions|Incompatible Versions]] below)
  
 
* '''Notify your host''' and work with them to clean up the site, and to make sure there are no back doors to your site.
 
* '''Notify your host''' and work with them to clean up the site, and to make sure there are no back doors to your site.
  
* Review [http://docs.joomla.org/Vulnerable_Extensions_List Vulnerable Extensions List] to see if you have any vulnerable extensions and deal with them. A clue to any extensions being targeted is your logs file. Here is an example of what to look for,
+
* Review [http://vel.joomla.org/ Vulnerable Extensions List] to see if you have any vulnerable extensions and deal with them. A clue to any extensions being targeted is your logs file. Here is an example of what to look for,
 
<pre>//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:</pre>
 
<pre>//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:</pre>
 
or
 
or
 
<pre>../../../../../../../../../../../../../../../../proc/self/environ</pre>
 
<pre>../../../../../../../../../../../../../../../../proc/self/environ</pre>
  
* Review and action [http://docs.joomla.org/Category:Security_Checklist Security_Checklist] to make sure you've gone through all of the steps (please note some steps are optional, but please review them all).
+
* Review and action [[Security Checklist]] to make sure you've gone through all of the steps (please note some steps are optional, but please review them all).
  
* '''Change all passwords''' and if possible user names for the domains control panel, mysql, FTP, [http://docs.joomla.org/Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F joomla Super Admin], and joomla Admin password; do change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common word phrases.  
+
* '''Change all passwords''' and if possible user names for the domains control panel, mysql, FTP, [[Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F|Joomla! Super Admin]], and Joomla! Admin password; do change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common word phrases.  
* Do not use the standard Admin user. [http://docs.joomla.org/Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F Disable it]. If you need to reset your admin password, see [http://docs.joomla.org/How_do_you_recover_your_admin_password%3F these instructions]  
+
* Do not use the standard Admin user, [[Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F|disable it]]. If you need to reset your admin password, see [[How_do_you_recover_your_admin_password%3F|these instructions]].
  
* '''Replace''' all templates and files with clean copies,
+
* '''Delete and Replace''' all templates and files with clean copies,
* '''Check''' and/or replace all .pdf, image, photo files for exploits
+
* '''Check''' and/or replace all .pdf, image, photo files for exploits. Delete any that are suspicious
 
* Check you server logs for IP's calling suspicious files or attempting POST commands to non-form's
 
* Check you server logs for IP's calling suspicious files or attempting POST commands to non-form's
 
* Use proper permissions on files and directories. They '''should never be 777<ref>Permissions should never be 777</ref>, but ideal is 644 for files and 755 folders'''.
 
* Use proper permissions on files and directories. They '''should never be 777<ref>Permissions should never be 777</ref>, but ideal is 644 for files and 755 folders'''.
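Review bot: the Forum Post Assistant item on the new side runs two sentences together ("...upload the fpa-en.php file to your server Joomla root The FPA is also...") and then states the upload step a second time; break it after "Joomla root" and keep the upload instruction once. The same item should also tell the reader to remove fpa-en.php from the web root once the report has been posted: a diagnostic script left in the site root is reachable by anyone who knows its name, and this list is written for a site that is already compromised. Minor: "Delete any that are suspicious" in the .pdf/image item needs a full stop, "Check you server logs" should read "your", and "POST commands to non-form's" should be "POST requests to URLs that are not forms".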
Line 34: Line 32:
  
 
== chmod and cron ==
 
== chmod and cron ==
 
  
 
IF you have permissions to access SSH (secure shell) via putty you can chmod the files and directories.
 
IF you have permissions to access SSH (secure shell) via putty you can chmod the files and directories.
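Review bot: style only in this hunk: "IF" should be "If", and "putty" is the product name PuTTY; since the commands that follow work from any SSH client, "via an SSH client such as PuTTY" reads better and matches the "(SSH - secure shell)" wording used in the next section.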
Line 48: Line 45:
 
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;</pre>
 
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;</pre>
  
 
+
=== Monitoring for File Changes ===
To check for recent file changes within the last day on your system use these commands from putty (SSH - secure shell) or via a cron job.
+
To check for recent file changes on your system use these commands from putty (SSH - secure shell) or via a cron job.
 
If you run the command from a cron job you can schedule it to check for changed files several times each day.
 
If you run the command from a cron job you can schedule it to check for changed files several times each day.
 
Results will be sent to the domain account owner and show the time/date stamp for any changed files.
 
Results will be sent to the domain account owner and show the time/date stamp for any changed files.
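Review bot: the reworded sentence under the new "Monitoring for File Changes" heading drops "within the last day", but the find command it introduces still uses -ctime -1, so the text no longer tells the reader what window the command covers; either keep "within the last day" or add that the number after -ctime is the window in days and should be raised if the cron job runs less often than daily. "Results will be sent to the domain account owner" also relies on cron mailing the job's output, which only happens when mail is configured on the host (or MAILTO is set in the crontab); a qualifying clause would save readers from assuming silence means no changes.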
Line 56: Line 53:
  
 
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;</pre>
 
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;</pre>
 
  
 
Please note your sites files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also be different than in the examples. Adjust the physical path accordingly.
 
Please note your sites files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also be different than in the examples. Adjust the physical path accordingly.
 
  
 
== 777 Permissions ==
 
== 777 Permissions ==
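Review bot: the `find ... -type f -ctime -1 -exec ls -ls {} \;` line in this hunk forks one ls per matching file; find's own -ls action (`find <path> -type f -ctime -1 -ls`) produces the same listing in a single process. -ctime is the right field for this check, and the page could say so: the inode change time, unlike the modification time, cannot be set with touch, so a file whose mtime was backdated still appears, as do files whose permissions or ownership changed. Restricting to -type f, however, hides newly created directories; the note about paths that follows is a good place to suggest a second run without -type f.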
Line 79: Line 74:
 
* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
 
* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
 
* wipe the entire folder where Joomla! is installed
 
* wipe the entire folder where Joomla! is installed
* upload a new clean full package latest version of joomla 1.5.x or Joomla 1.7.x/2.5.x (minus the install folder)
+
* upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)<ref>Incompatible Versions</ref>
 
* reupload your configuration file & images.
 
* reupload your configuration file & images.
 
* reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)
 
* reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)
  
 
To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.
 
To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.
 
  
 
=== Local Security ===
 
=== Local Security ===
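Review bot: the first step saves configuration.php and a later step re-uploads it unchanged; because configuration.php is PHP executed on every request, the list should say to open it and compare it with a known-good copy (or regenerate the settings in a fresh file) before re-uploading, otherwise the rebuilt site can still carry injected code. On the new line, the `<ref>Incompatible Versions</ref>` footnote only repeats the section name; the earlier hunk already links the same section as [[#incompatible_versions|Incompatible Versions]], so use that link here as well so the reader can jump to it. Also "extensions , templates" has a stray space before the comma.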
Line 167: Line 161:
 
Raw Access Logs allow you to see who has accessed your site without the use of graphs, charts or other graphics. in cPanel for instance you can use the Raw Access Logs menu to download a zipped version of the server's access log for your site. This can be very useful when you need to see who is accessing your site quickly. Many people forget that this needs to be activated by the user of the account and is not automatically activated upon the creation of a hosting account in cPanel for instance!
 
Raw Access Logs allow you to see who has accessed your site without the use of graphs, charts or other graphics. in cPanel for instance you can use the Raw Access Logs menu to download a zipped version of the server's access log for your site. This can be very useful when you need to see who is accessing your site quickly. Many people forget that this needs to be activated by the user of the account and is not automatically activated upon the creation of a hosting account in cPanel for instance!
  
== Security Checklists Table of Contents==
+
<div id="incompatible_versions" />'''Incompatible Versions'''
# [[Security Checklist 1 - Getting Started|Getting Started]]  
+
This document applies to all versions of Joomla. Use the latest version of Joomla that is compatible with your existing Joomla websites version to repair your site. Some version upgrades require a [[Migrating_from_Joomla_1.5_to_Joomla_2.5|site migration]] and will render your Joomla site inoperative if used to replace an earlier version of Joomla when repairing site hacking. For example: Do not replace a 1.5.xx based site with version 2.5.xx of Joomla. Doing so will leave the site in an inoperative state and may also result in a loss of data.
# [[Security Checklist 2 - Hosting and Server Setup|Hosting and Server Setup]]
+
# [[Security Checklist 3 - Testing and Development|Testing and Development]]
+
# [[Security Checklist 4 - Joomla Setup|Joomla Setup]]
+
# [[Security Checklist 5 - Site Administration|Site Administration]]
+
# [[Security Checklist 6 - Site Recovery|Site Recovery]]
+
 
+
  
 
[[Category:FAQ]]
 
[[Category:FAQ]]
[[Category:Security]]
 
[[Category:Security_FAQ]]
 
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
[[Category:Security Checklist]]
 
 
 
[[Category:Security Checklist]]
 
[[Category:Security Checklist]]
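Review bot: the new "Incompatible Versions" section is introduced with `<div id="incompatible_versions" />` plus bold text rather than a `===` heading like "Local Security" above it; a heading would appear in the TOC and supply its own anchor, and a self-closing `<div />` is not safe to rely on as an empty element in wikitext (some parser versions treat it as an unclosed opening tag that wraps the rest of the page), so if the div is kept, write it as an explicit `<div id="incompatible_versions"></div>`. In the same paragraph, "your existing Joomla websites version" should read "website's version". The category block at the end shows [[Category:Security Checklist]] more than once in this hunk; confirm the saved revision lists it only once, after the "KEEP THIS AT THE END OF THE PAGE" comment.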

Revision as of 10:10, 12 June 2013