
Joomla 1.5 security

Joomla 1.5 is now obsolete and no longer maintained by the Joomla development team.

Recently we also noticed a significant increase in attacks on Joomla 1.5 sites.

Several of our clients had their sites completely hacked.

Although a hacked site is usually fixable (if you ask competent people), it is time-consuming and can severely impact a business.
You can easily imagine the revenue loss when an e-commerce site is totally down for several days following an attack.

 

Here are a few examples of what we found and had to fix.

 

.htaccess file infection

This one is pretty nasty. The malware writes code into the .htaccess file that redirects visitors who reach the site from a search engine.

This means that somebody who types the URL of the site into the browser will reach the site normally, but a visitor whose referrer is a search engine is redirected to a dodgy site instead.

If you have been the victim of this attack, you probably know that cleaning the .htaccess file alone won't get you out of trouble!
If you simply fix the .htaccess file it will get infected again within minutes, because there is more rogue code hidden in other places of the site.

 

Timed redirect

After a certain delay (around 20 seconds) the visitor is redirected to another site.
The visible part of the infection usually relies on code inserted in the index.php file of the Joomla installation. Once again, this is only the tip of the iceberg, and the rest of the infection is hidden deeper, in random parts of the site.

I had to fix this on a large e-commerce site built with Joomla and Virtuemart.

The site generates a lot of traffic (and revenue). Of course, with the site infected, the clients would not be able to complete a purchase and the losses for the owner would rapidly become dreadful.

 

Site crash

We had another situation where the site simply stopped working. I guess the wannabe hackers had not been able to properly inject their crap, but the code in the main index.php file had been replaced by some base64-encoded junk.

 

How hackers enter a site

Our job is to build sites, not to teach people how to break them ;) That's why I don't want to go into too much detail here.
But usually the hacker will find a way to install an uploader script on the targeted site by exploiting a weakness in the code of Joomla or an extension. Once this uploader (a basic HTML form) is in place, he will use it to upload a more sophisticated piece of junk called a shell.
A shell is a web application that gives the attacker complete control over the targeted site. The code in the shell is always obfuscated using several levels of base64 encoding and compression.

[Screenshot: webshell example]

 
Here is a screen capture of a webshell found on a client's site that had been infected. With this shell the hacker could even access the system disk of the web hosting server. In this particular case the web hosting company was also extremely deficient in terms of security, and I prefer not to name them!
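
A defender-side check for the two visible symptoms described above (the referrer-conditional .htaccess redirect and PHP files carrying encoded payloads), as an added example that is not from the original article. The patterns, finding labels and sample files are assumptions constructed for illustration; the scan walks the whole tree because the rogue code hides in more than one place.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns: assumptions made for this example, not signatures from the article.
REFERER_COND = re.compile(  # .htaccess condition keyed on a search-engine referrer
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo|yandex|baidu)", re.I | re.M)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s", re.I | re.M)
EVAL_DECODE = re.compile(  # eval() fed by one or more nested decode/decompress calls
    r"\beval\s*\(\s*(?:@?(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+", re.I)
LONG_B64 = re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")  # long base64-looking literal


def scan_file(path):
    """Return the list of heuristic findings for one file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    if path.name == ".htaccess":
        if REFERER_COND.search(text) and REWRITE_RULE.search(text):
            findings.append("referrer-conditional-redirect")
    elif path.suffix.lower() in (".php", ".phtml", ".inc"):
        if EVAL_DECODE.search(text):
            findings.append("eval-of-decoded-data")
        if LONG_B64.search(text):
            findings.append("long-base64-literal")
    return findings


def scan_site(root):
    """Walk the whole web root; return {relative path: findings} for flagged files."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    report = {p.relative_to(root).as_posix(): scan_file(p) for p in files}
    return {name: hits for name, hits in report.items() if hits}


def demo():
    """Scan a throwaway tree of constructed sample files (not taken from a real site)."""
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} (google|bing) [NC]\n"
                     "RewriteRule ^ http://redirect.example/ [R=302,L]\n",
        "index.php": "<?php echo 'clean front page'; ?>\n",
        "images/cache.php": "<?php eval(gzinflate(base64_decode('" + "A" * 240 + "'))); ?>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, name).write_text(body)
        return scan_site(tmp)
```

Hits are leads for manual review rather than proof of infection, since legitimate extensions can also trigger these patterns.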

If your login details are not secure enough (weak password), the attacker could access the admin part of your site and, once inside, take control of the site. That's another reason not to use "admin" or "administrator" as the login name and to use strong passwords.

There are even more advanced techniques to break into the admin part of Joomla and create havoc!

 

Fixing a hacked site

If your Joomla or Joomla-Virtuemart site has been hacked, we can fix it for you. You are welcome to contact us for a free diagnosis of the situation.
If we can fix it, and usually we can, we will send you a quote for the work involved. It should take no more than a few hours to clean a site and remove malware. If the site is infected beyond repair (a very rare case) we can also help you to reinstall, migrate to Joomla 2.5 or Joomla 3.0 and secure your Joomla installation.

 
