I’m very happy to announce that the next best thing for Joomla has just been released!
After almost 5 years of planning, writing, rewriting and testing, I’m pleased to reveal that our Joomla Security Auditing service is open!
I have been fixing hacked Joomla sites every day for many years now. I’ve seen it all, nothing is new, and everything is fixable – so “Don’t Panic!”
The tools you find here are the very tools I use myself when I’m debugging and fixing a hacked Joomla site or when I just want to know what state a current Joomla site is in. They are the result of years of Joomla experience, backed by a rock solid personal promise from myself.
It all starts with a full audit that gathers information about your site. This then allows you to look under the hood of a hacked website, identify core files that have been modified, and locate hackers’ backdoors, shells, remote code and other “bad” things from a simple control panel interface.
You can add unlimited Joomla sites to your control panel and audit them instantly on demand – we even give you your first audit for free!
Anyway, go and claim your free audit, and put the tools to the test!
Your very own on-call, experienced Joomla! expert, ready for same-day site fixes, hack fixes and Joomla! error message debugging. Simply request help, then sit back and relax! No Fix No Fee! You have nothing to lose, eh?
No problem at all! We can fix any hacked site easily, identifying any hacked core files or uploaded hacker shells using our unique toolset and auditing system. We will clean it all up for you and provide some advice on site security.
Don’t panic! Don’t make it worse! Just request our help and we will get you up and running as soon as we can. Nothing is impossible, although some things take a bit longer. Relax, sit back, and await our resolution.
This is a pay-per-incident service; our normal set fee is GBP £50 to cover an hour of work on your problem. If we don’t fix it then there is no fee payable. Can’t be fairer than that!
Many, many more Joomla based sites are being hacked daily at the moment – and IT’S NOT JOOMLA’s fault!
Firstly let me say the sites were NOT hacked through Joomla! They were all hacked through Joomla Custom Components!
If you are running Joomla 1.0.10 then there are no known security holes in that version!
extCalender • OpenSEF • phpBB Forum (com_forum) • SimpleBoard Forum • VideoDB • Mambo-SMF Forum • LoudMouth • PollXT • HashCash • perForms • Google Page Rank Module • BSQ SiteStats • MultiBanners • MiniBB • New Article Component • Advanced Poll • JomBok • ArtLinks • PCCookBook • Mambo/Joomla SiteMap (Custom Component) • Galleria • com_spray
I write this to inform you of these facts, and also to let you know, as our customer, that none of the components on www.phil-taylor.com have been hacked or used to hack Joomla websites! Yippee!
You should really only install components from TRUSTED sources, from developers that you trust!
Again, ALL COMPONENTS ON PHIL-TAYLOR.com have been HACKER SAFE certified! And have no known security issues (at this moment in time). As experts in Joomla development we take pride in checking our components with an industry standard (expensive!) scanning solution used by the big players worldwide!
We have fixed over 50 hacked sites for new customers worldwide in the last 7 days!
Fix My Site is a very unique service offered by Phil Taylor.
(This is a fee per incident based service, no contracts and no strings involved!)
Fix My Site puts a very experienced and knowledgeable Mambo and Joomla expert at your fingertips when things go wrong on your site. For a set fee, you can have Phil Taylor (or one of our other experts) log in and take a look at the problem that is causing trouble on your site.
See our site at http://www.phil-taylor.com/FixMySite
ONLY TRUST THE EXPERTS! – Beware of some other help sites that simply repair your site without giving advice on how hackers gained access or how to prevent further attacks. We are not just Joomla experts, we have huge amounts of experience in this area and can draw on this experience to provide the very best solution for you.
You have been warned!
If you want to stop hackers and do information security as a career, consider information assurance training.
It appears that while I was on holiday in New York my GPG encryption key expired, meaning that all attempts to submit site details securely using our online forms failed! If you have tried to use the following form in the last 4 days then you need to resubmit your details, as they were not stored or (encrypted and) transmitted.
I have now revoked and replaced the keys used for this process (I understand many of you will have no idea what I’m talking about – don’t worry).
If you need to email me directly then you need to refresh my public key – there is a new copy on all major keyservers and here
Obviously, the first stage in securing your web site is to ensure that you are using a strong password. Ideally this should be a mixture of both upper and lower case characters and include a few numbers for good measure, not forgetting not to make it a real word.
Those naughty hackers aren’t stupid and are well aware that people may use the number 3 to replace the letter e in a password. It’s also extremely important that you don’t use the same password on multiple sites: only one of those sites needs to be hacked for all your sites to be vulnerable. See this blog entry for a typo3 horror story.
Unfortunately people are lazy and often re-use passwords or choose ones that appear strong to them but are in fact pretty weak and vulnerable to brute force attacks, and this is where the problem currently lies in Joomla.
Every Joomla site creates a super-administrator user by default with exactly the same name – “admin”. As you can see from the screenshot there is no option to rename this super-administrator account during the installation.
So what does this mean? For a hacker it’s a dream scenario as without doing anything you have given them 50% of the credentials they need to break into your site and do as they wish with all your precious work.
In the long term the solution is for Joomla itself to be updated to allow you to choose the default super-administrator username as well as the password. There are however several steps you can undertake right now.
As soon as you have installed Joomla and logged in for the first time go to the user-manager and create a brand new super-administrator with a strong password. Then log out and re-login with the newly created account and go back to the user-manager and demote the “admin” user to manager level, apply your changes and then delete the “admin” user.
(You have to do it this way as Joomla does not allow you to delete a super-administrator.)
If you’re wondering why I didn’t suggest just changing the username of the “admin” user rather than creating a new one, that’s because the “admin” user always has the same userid of “62”, which potentially is another piece of useful information for a hacker or script-kiddie.
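An audit check for the procedure above, added here as an example (it is not code from the original post or from Joomla): it flags any super-administrator that still uses the default “admin” username or the predictable id 62. It assumes the Joomla 1.0/1.5 `jos_users` layout (columns `id`, `username`, `usertype`, `gid`, with `gid` 25 / usertype “Super Administrator” marking a super-admin) and runs against a constructed in-memory SQLite copy of that table rather than a live site.

```python
# Added example, not part of the original post or of Joomla itself.
# Assumed schema: jos_users(id, username, usertype, gid, block) as in Joomla 1.0/1.5,
# where gid 25 / usertype 'Super Administrator' is the super-admin group.
import sqlite3

DEFAULT_ADMIN_ID = 62   # id the installer always gives the default "admin" account (from the post)
SUPER_ADMIN_GID = 25    # assumed Super Administrator group id in Joomla 1.0/1.5


def load_sample_users() -> sqlite3.Connection:
    """Build an in-memory jos_users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, "
        "usertype TEXT, gid INTEGER, block INTEGER)"
    )
    conn.executemany(
        "INSERT INTO jos_users VALUES (?, ?, ?, ?, ?)",
        [
            (62, "admin", "Super Administrator", 25, 0),          # default account, still present
            (63, "siteowner_x9", "Super Administrator", 25, 0),   # the replacement super-admin
            (64, "editor_jane", "Editor", 20, 0),                 # ordinary account, ignored
        ],
    )
    return conn


def audit_super_admins(conn: sqlite3.Connection) -> list:
    """Return one finding string per problem found with the super-administrator accounts."""
    findings = []
    rows = conn.execute(
        "SELECT id, username FROM jos_users "
        "WHERE gid = ? OR usertype = 'Super Administrator'",
        (SUPER_ADMIN_GID,),
    ).fetchall()
    for uid, username in rows:
        if username.lower() == "admin":
            findings.append(f"super-admin still uses the default username 'admin' (id {uid})")
        if uid == DEFAULT_ADMIN_ID:
            findings.append(f"super-admin '{username}' has the predictable default id {uid}")
    if not rows:
        findings.append("no super-administrator account found at all")
    return findings


if __name__ == "__main__":
    for finding in audit_super_admins(load_sample_users()):
        print("WARNING:", finding)
```

Once the “admin” user has been demoted and deleted as described, the same query returns no findings.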
If you are at all worried about your site’s security, or would like us to provide you with a security consultancy service, then please get in touch!
It has come to our attention that there is a site on the internet that is distributing Joomla’s full version zip files that are modified to add code to allow a hacker to break into your site.
This post is subtitled “How to check your downloaded Zip file is genuine and unmodified”.
Rule number #1: ONLY EVER download from a TRUSTED SOURCE (This is the joomlacode.org site) unless absolutely necessary.
Rule number #2: Check that your downloaded file is unmodified by checking the md5 sum of the file.
The md5 what?
Well check out this page (Click the files tab):
You will see the main download Joomla_1.5.8-Stable-Full_Package.zip has a md5 of 36b9c161b46bf973a96201135e933219
We can check this md5 hash in several ways, for example on linux we can type
which will give us:
We can then compare that output with the md5 hash on the above web page – if they are different, even by only one character, then the zip file you have downloaded has been modified in some way – however little – DO NOT USE it if the md5 hash does not match EXACTLY.
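The same exact-match check done in Python, as an added example (not code from the original post): it hashes the file in chunks, parses an md5sum-style output line, and accepts nothing but an exact 32-character hex match. The expected value is the hash quoted above for Joomla_1.5.8-Stable-Full_Package.zip; the file it checks is a small constructed stand-in written to a temporary file, so the demo runs offline and exercises the mismatch path.

```python
# Added example, not part of the original post. PUBLISHED_MD5 is the value the post quotes
# for Joomla_1.5.8-Stable-Full_Package.zip; the checked file is a constructed stand-in.
import hashlib
import hmac
import os
import tempfile

PUBLISHED_MD5 = "36b9c161b46bf973a96201135e933219"


def md5_of_file(path: str) -> str:
    """Hash the file in 64 KiB chunks so a multi-megabyte zip is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_md5sum_line(line: str) -> tuple:
    """Split an md5sum-style line ('<hash>  <filename>') into (hash, filename)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 32:
        raise ValueError(f"not an md5sum line: {line!r}")
    return parts[0].lower(), parts[1].lstrip("*")  # a leading '*' marks binary mode on some tools


def verify_download(path: str, expected_md5: str) -> bool:
    """True only if the file's md5 equals the published one exactly (hex case is ignored)."""
    expected = expected_md5.strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a 32-character hex md5")
    return hmac.compare_digest(md5_of_file(path), expected)


def check_stand_in(data: bytes, expected_md5: str) -> bool:
    """Write constructed bytes to a temp file, verify them, and clean up (for the demo)."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
    try:
        return verify_download(fh.name, expected_md5)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    ok = check_stand_in(b"constructed stand-in, not the real package\n", PUBLISHED_MD5)
    print("OK, use it" if ok else "MISMATCH, do not use it")   # prints MISMATCH for the stand-in
```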
There are more secure ways of “signing” package files, with GPG Encryption/Signatures, but the Joomla Project Team are behind the times with GPG and have not yet taken advantage of the same system that linux package maintainers use – GnuPG.
There are many other ways to compare md5 hashes, including some Windows applications.
The Joomla Core team have today released Joomla 1.5.1 to specifically address a security issue.
The official announcement was:
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.1 [Seenu]. Since the stable release of Joomla! 1.5 we have seen huge numbers of downloads which has helped to push the total number of downloads to over 3 million in less than a year.
We have found in one of the new features of Joomla! 1.5, an XML-RPC Blogger API plugin, a high priority security vulnerability. While this feature is disabled by default on every Joomla! 1.5 install and would have to be manually enabled for the vulnerability to exist, we strongly recommend that all Joomla! 1.5 users upgrade to Joomla! 1.5.1.
The core developers of Joomla! have just released a statement about a security exploit in Joomla 1.5.0
After releasing Joomla! 1.5 stable we have discovered a high priority security issue. The vulnerability has been discovered in XML-RPC in combination with the blogger API. There is a security problem in this code that makes it possible to alter the articles on your site (including removal). This problem has now been fixed by members of the development team and the Joomla! bug squad; a solution is now available from Subversion. So what do you need to do until we release Joomla! 1.5.1? All Joomla! users who have enabled the XML-RPC Blogger API plugin should disable it! If you have never enabled this plugin you do not need to do anything.
This comes hot on the tail of an xml-rpc issue in WordPress also!
A lot of talk has gone on recently regarding CSRF and Joomla 1.0.13/1.5. CSRF is a problem for all web based applications and the upcoming Joomla 1.0.14 and Joomla 1.5 stable have both been hardened against such security vulnerabilities. Hardened, not made secure, as it is practically impossible to secure against each and every CSRF there is without interrupting workflow. Joomla, as do most other webapps, has made it as difficult as possible to use CSRF to hack a Joomla site.
The advice issued by ourselves recently is still just as valid now as it will be when Joomla 1.0.14/1.5 are released – Please follow these rules:
- ALWAYS click LOGOUT in Joomla Admin when you finish
- NEVER browse other websites while logged in to Joomla Admin
- If you allow users to upload to or modify your site through any third party component, then don’t browse (or at least limit your browsing of) your own site while logged in to Joomla Admin
- NEVER click on links to “Upgrade this component” in 3rd Party Components
- NEVER browse forums while logged into Joomla Admin
However, there is always a better, more secure option.
Prism (formerly Webrunner) is a prototype application that lets users split web applications out of their browser and run them directly on their desktop. What this really means in non-techie speak is that you can launch a scaled down web browser in its own process and use that to administer your Joomla site. Prism is a scaled down Firefox web browser that is designed for web applications – so it is already more secure, as it is not Internet Explorer based.
We have been highly active in using webrunner/prism since the first release – and we are addicted.
Once you have Prism installed, simply double click its icon and you will be prompted to give a URL and NAME (and a few optional settings).
For the URL set this as your admin console – like http://www.mysite.com/administrator/
and the NAME set to “Administrator for mySite” – also check the desktop shortcut icon.
Then you will be promptly shown your admin page – you can now login securely and continue administering your Joomla site in Prism and NOT IN YOUR REGULAR BROWSER – this creates separation between your normal surfing and your Joomla Administrator.
By doing this you 100% protect yourself from the CSRF vulnerability reported in Joomla and other web apps – once you get addicted (as are we) to Prism you will never use your browser for web applications again!!!
Hope you like the tip!
We write this blog post with sadness. On the 4th December 2007 a nice white hat hacker notified the Joomla Core Development team of a CSRF vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3. There have been many reports of these vulnerabilities around the web since then.
The nature of the vulnerability means that your site cannot be hacked while you sleep (like many of the other types of 3rd party component issues), but requires you (the site’s Super Admin) to be logged into Joomla Admin while at the same time surfing sites (maybe even your own) that contain links to [THINGS] that send [NAUGHTY] requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.
The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.
To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13.
Update: Changes are now in SVN for the next version of Joomla 1.0.x – about time!
In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and make it secure from this type of vulnerability.
Details of this can be found in the following forum thread:
I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this – why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)
Here is my professional advice to help you stay safe from the known and published vulnerability until the next version of Joomla 1.0.x is released.
The number one bit of advice I can give all site admins at the moment is to LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet in other tabs/browser windows while administering your Joomla site; and if you allow users to modify your site’s frontend, be careful not to surf your frontend as well while logged in.
Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources; if these components choose, they can use this vulnerability to do [BAD] things…