Difference between revisions of "Security Checklist/You have been hacked or defaced"

From Joomla! Documentation


Revision as of 12:18, 19 August 2013

You have been hacked/defaced?

We are sorry for any basic language used in this document. Before you post in the Joomla! Security Forum please read this checklist summary, then use it as a post template.

Online Action List

  • Take your website offline temporarily to prevent others being infected (the htaccess method is recommended).
  • Run the Forum Post Assistant (FPA) and security tool. Simple instructions are available here; more detailed instructions are included in the download package. Unzip the package and upload the fpa-en.php file to your server's Joomla root. The FPA is also available as a tar.gz package for those who need a Unix-style archive; the fpa-en.php file from that package must likewise be uploaded to the Joomla root.
  • Scan all machines with FTP, Joomla Super Admin or Joomla Admin access for malware, viruses, trojans, spyware, etc. (see Local Security below).
  • Ensure you have downloaded the latest version of Joomla for the series used on the site (see Incompatible Versions below).
  • Notify your host and work with them to clean up the site and to make sure there are no back doors into your site.
  • Review the Vulnerable Extensions List to see whether you have any vulnerable extensions and deal with them. A clue that an extension is being targeted is in your log files. Here are examples of what to look for:

//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:

or

../../../../../../../../../../../../../../../../proc/self/environ
  • Review and act on the Security Checklist to make sure you have gone through all of the steps (some steps are optional, but please review them all).
  • Change all passwords, and if possible user names, for the domain's control panel, MySQL, FTP, Joomla! Super Admin and Joomla! Admin accounts, and change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common words or phrases.
  • Do not use the standard Admin user; disable it. If you need to reset your admin password, see these instructions.
  • Delete and replace all templates and files with clean copies.
  • Check and/or replace all .pdf, image and photo files for exploits. Delete any that are suspicious.
  • Check your server logs for IPs requesting suspicious files or sending POST requests to URLs that are not forms.
  • Use proper permissions on files and directories. They should never be 777[1]; the ideal is 644 for files and 755 for folders.
  • Disable anonymous FTP.
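As an added example (not part of the Joomla checklist), this shell script applies the log-review advice above to a constructed Apache/cPanel access log: it flags the two request signatures quoted in the list and any POST to a path that is not a known form handler, then ranks the client IPs behind them. The sample log, its IPs and ALLOWED_POST_PATHS are assumptions to adapt to your own site.

```shell
#!/bin/sh
# Added example (not from the Joomla docs): scan an Apache/cPanel access log
# for the two request signatures quoted above (a remote-include attempt via
# mosConfig.absolute.path=http: and a /proc/self/environ traversal) and for
# POST requests sent to paths that are not known form handlers, then list the
# client IPs behind them so they can be reviewed and banned.
# Assumptions: combined log format; ALLOWED_POST_PATHS lists your own forms.

# Constructed sample log for this example; every IP and path is made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [19/Aug/2013:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Aug/2013:10:01:05 +0000] "GET /administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http://203.0.113.9/ HTTP/1.1" 200 311 "-" "libwww-perl/5.8"
203.0.113.9 - - [19/Aug/2013:10:01:07 +0000] "GET /index.php?option=com_example&file=../../../../../../../../proc/self/environ HTTP/1.1" 200 311 "-" "libwww-perl/5.8"
192.0.2.44 - - [19/Aug/2013:10:02:11 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.45 - - [19/Aug/2013:10:02:30 +0000] "POST /images/stories/unexpected.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF

# Lines carrying either signature quoted in the checklist above.
find_known_attack_patterns() {
    grep -E 'mosConfig\.absolute\.path=http:|/proc/self/environ' "$1"
}

# POST requests whose path (query string stripped) is not a legitimate form
# handler. Joomla forms post to index.php or administrator/index.php; a POST
# to a PHP file under images/ or media/ usually means a dropped web shell.
ALLOWED_POST_PATHS='^/(index[.]php|administrator/index[.]php)$'
find_unexpected_posts() {
    awk -v allowed="$ALLOWED_POST_PATHS" '
        $6 == "\"POST" { path = $7; sub(/\?.*/, "", path)
                         if (path !~ allowed) print }' "$1"
}

# Client IPs behind all flagged lines, busiest first, printed as "count ip".
offending_ips() {
    { find_known_attack_patterns "$1"; find_unexpected_posts "$1"; } |
        awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "== flagged requests =="
find_known_attack_patterns "$SAMPLE_LOG"
find_unexpected_posts "$SAMPLE_LOG"
echo "== offending IPs =="
offending_ips "$SAMPLE_LOG"
```

Point the functions at the raw access log you download from your control panel (see Logs below) and add the IPs you confirm to your ban list, remembering that an address may be a shared proxy.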

chmod and cron

If you have SSH (secure shell) access via PuTTY, you can chmod the files and directories yourself. If you do not have shell access, you can run the commands from cron by setting up a temporary cron job: copy and paste the command into the job and schedule it to run about 2 minutes after saving it. Whether you run the command from PuTTY or from cron, use the full physical path to public_html for best results.

For files use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -exec chmod 644 {} \;

and for directories use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;

Monitoring for File Changes

To check for recent file changes on your system, use these commands from PuTTY (SSH, secure shell) or via a cron job. From cron you can schedule the check to run several times a day; the results are sent to the domain account owner and show the time/date stamp of any changed file. Whether you run the command from PuTTY or from cron, use the full physical path to public_html for best results.

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;

Please note that your site's files may be located in public_html, httpdocs, www or a similar place, and your physical path may also differ from the examples. Adjust the physical path accordingly.
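An added example, not from the Joomla documentation: a cron-friendly shell script that keeps a SHA-256 manifest of the site root and reports added, changed and removed files on each run, which catches changes the one-day -ctime window misses and does not depend on timestamps an intruder can reset. SITE_ROOT, MANIFEST and the throwaway demo tree are assumptions; it needs GNU sha256sum.

```shell
#!/bin/sh
# Added example (not from the Joomla docs): baseline-and-compare integrity
# check for a Joomla root, to be run from cron as the text suggests.
# The first run stores a manifest of SHA-256 hashes; later runs report files
# added, changed or removed since the baseline. Unlike "find -ctime -1" this
# also catches changes older than a day and does not rely on timestamps,
# which an intruder can reset with touch.
# Assumptions: GNU sha256sum is installed; file names contain no whitespace.

SITE_ROOT="${SITE_ROOT:-/home/xxxxxx/domains/xxxxxxx.com/public_html}"
MANIFEST="${MANIFEST:-$HOME/joomla-manifest.sha256}"

# Hash every regular file below a directory; paths are relative to it so the
# manifest still compares after the site is moved or restored.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# Compare two manifests (baseline first) and print one line per difference.
diff_manifests() {
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             if (!($2 in base))       print "ADDED   " $2
             else if (base[$2] != $1) print "CHANGED " $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$1" "$2" |
        LC_ALL=C sort
}

# Create the baseline on the first run, otherwise report changes. Rebuild the
# baseline deliberately (delete the manifest) only after you have reviewed and
# approved every reported change; never let the cron job overwrite it itself.
check_site() {
    root="$1"; manifest="$2"
    if [ ! -f "$manifest" ]; then
        build_manifest "$root" > "$manifest"
        echo "baseline written: $manifest"
        return 0
    fi
    current=$(mktemp) || return 1
    build_manifest "$root" > "$current"
    diff_manifests "$manifest" "$current"
    rm -f "$current"
}

# Self-contained demonstration on a constructed throwaway tree.
demo() {
    site=$(mktemp -d) && manifest="$site.manifest"
    mkdir -p "$site/images/stories" "$site/templates/beez"
    printf '<?php // clean\n' > "$site/index.php"
    printf 'body{}\n' > "$site/templates/beez/template.css"
    printf 'GIF89a\n' > "$site/images/stories/logo.gif"
    check_site "$site" "$manifest" > /dev/null           # baseline run
    printf '// appended line\n' >> "$site/index.php"      # simulated edit
    printf 'placeholder\n' > "$site/images/stories/unexpected.php"  # new file
    rm "$site/templates/beez/template.css"                # simulated deletion
    check_site "$site" "$manifest"                        # reports 3 lines
    rm -rf "$site" "$manifest"
}

# "sh check_site.sh run" checks the real site; with no argument run the demo.
if [ "${1:-}" = "run" ]; then check_site "$SITE_ROOT" "$MANIFEST"; else demo; fi
```

A cron line such as `0 */6 * * * sh /path/to/check_site.sh run` (path assumed) mails the report to the account owner every six hours; any ADDED .php under images/ or media/ deserves immediate attention.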

777 Permissions

If the server you are on requires 777 permissions for Joomla to work correctly, request to be put on another server with PHP running as CGI under suPHP and up-to-date server-side software (Apache, PHP etc.) at your existing host, or find another host if necessary.

To protect directories that seem to need 777 permissions to run, or by default your images/media folders, put this code in a .htaccess file inside the open folder:

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

This is especially important in your images folder.

  • Make sure the .htaccess file is placed in a directory that should never run any scripts, or remove extensions from the list as required.

Do check with your hosting provider to see whether they have deliberately secured the server your site is on, and that they or you perform regular (weekly) security updates to keep the server up to date. Check that you have a jailed shell. A rule of thumb: the less you pay, the less they care.

A safe route for disaster relief

  • Save the configuration.php file and your images and personal files one by one (not the whole folder, as it may contain unwanted files).
  • Wipe the entire folder where Joomla! is installed.
  • Upload a new, clean full package of the latest version of Joomla 1.5.x, 2.5.x or 3.x, matching the series your site uses (minus the installation folder)[2].
  • Re-upload your configuration file and images.
  • Re-upload or reinstall the latest versions of your extensions and templates (better still, use original clean copies to ensure that the hacker/defacer did not leave any shell script files on your site).

Doing this will take your site offline for around 15 minutes. Tracking down your hacked/defaced HTML may take hours or even longer.

Local Security

  • Don't store user names/passwords in your FTP program.
    • Use a password manager such as the free KeePass.
  • Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

Other Considerations

  • Do not use the standard jos_ table prefix, and avoid one-click installers where possible.
  • Use SFTP instead of FTP where possible.
  • Check for any added subdomains and/or added directories.
  • Check cron for any jobs not set up by the domain administrator.
  • Download and review raw access and error logs[3].
  • Deny any IPs you have identified by adding them to the IP ban on your site, but be aware that an address may belong to a proxy.
  • Was your site hacked in the past without proper site sanitation to remove the actual (and hidden) hack, thus leaving a back door for reinfection?

Malicious Code or Odd Links appearing on your site

Check whether the original template file inserts the unwanted code/malicious JavaScript, or whether you downloaded a paid-for template from a non-trusted source, e.g. file-sharing sites.

Gumblar doesn't use any particular script vulnerability. The script is injected into every web page on a site (I would imagine, though have not confirmed, that if an infected page is edited and then saved it will also be in the database). The script changes every time it is accessed. It has been seen on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs and on proprietary PHP sites. The script starts with (function(, has no name and is obfuscated. A common Gumblar version breaks sites due to a bug in the script.

iFrames

In recent iframe exploits the malicious code was injected only into files with the most common filenames (e.g. index.html, index.php, etc.). See the related forum sticky.

Contributors & Editing

mandville PhilD fw116 JeffChannell dynamicnet

References

  1. Permissions should never be 777
  2. Incompatible Versions
  3. Review raw access and error logs.

When your hosting provider runs PHP as an Apache module it executes as the user/group of the web server, usually "nobody", "httpd" or "apache". Under this ownership mode, files or directories that your PHP scripts must be able to write need 777 permissions (read/write/execute at user, group and world level) unless their ownership is changed (chown) to your user. Such a scenario is absolutely unacceptable from a security perspective, since 777 not only allows the web server to write to the file; it also allows anyone else on the server to read or write it. If your provider is not able to change this, you should strongly consider changing host!

Logs

Make sure that in your control panel your raw access logs have been activated for review!

Raw access logs let you see who has accessed your site without graphs, charts or other graphics. In cPanel, for instance, you can use the Raw Access Logs menu to download a zipped copy of the server's access log for your site. This is very useful when you need to see quickly who is accessing your site. Many people forget that this must be activated by the account user; it is not automatically activated when a hosting account is created in cPanel, for instance!

Incompatible Versions

This document applies to all versions of Joomla. Use the latest version of Joomla that is compatible with your existing website's Joomla version to repair your site. Some version upgrades require a site migration and will render your site inoperative if used to replace an earlier version of Joomla when repairing a hack. For example, do not replace a 1.5.xx based site with version 2.5.xx of Joomla; doing so will leave the site inoperative and may also result in loss of data.