Hacked, Cracked, whatever
Sep 01 2006
Joomla CMS - General
Written by eyez   


In light of all the recent attacks on Joomla! and its extensions, new ways of securing sites need to be found quickly.
This very site was hacked (or cracked, as apparently it's now called, who cares) while still running 1.0.10 a week ago, while I was on holiday without internet access.

To the hackers

(never heard anyone call themselves a cracker, so I'll keep using hacker):

Thanks for only changing the one front page article and not making a mess of all the rest.
This is the second time this site has been hacked.
I offer tutorials and resources about Flash and Joomla for free.
I really do not understand: how can anyone take pride in defacing or hacking such a site?
Can someone explain the mind and thoughts of such people to me?
In my opinion, it is as if a gangster walks around bragging about how he robbed $0.50 from the homeless guy out in the street!
Shame on you. Just because you can, doesn't make it right, cool, or whatever.
Exploiting one single security hole on as many sites as possible is just plain stupid, a waste of time and energy; anyone can do it.
If you've got skillZ, contribute to the code. If not, you're a loser!

To the Joomla! developers and extension contributors

The current "stable" version 1.0.11 introduces recommendations for some settings to make sites more secure.
It seems strange to only have one (1) person working on the current version's SVN: Rey?! Is there still a team around?
It also seems strange, reading the purpose of the stability releases such as .11:

Maintenance Release Number (1.1.X)

An increment of the maintenance number usually indicates bug fixing within the minor release and possibly small enhancements and limited new features.

Fully backward compatible with previous maintenance increments.

to see code and recommendations introduced which (would) make this version not backwards compatible with previous versions at all, as it breaks some widely used extensions.

The last few updates have almost always introduced as many new bugs as they fixed. It might be in the best interest of future users to focus all efforts on making 1.5 beta / stable, but as I said before, at the moment, millions of sites run on 1.0.x. This code needs better updates. Not new features, just all bugs fixed and no new ones introduced.

Once a site gets hacked, from the user's perspective it doesn't make ANY difference whether it's the Joomla core or an extension at fault; the result is the same: site gone. Of course, it is easy to say, as during the last weeks, "Joomla 1.0.10 is secure, there are no known issues" and "only use trusted extensions". But looking at the changelog, it appears there were holes in the Core (ok, related to specific server settings, but not all users can change these, and "change host" is no real answer either...).

What am I trying to say here?

12 months of existence, 12 versions (.0 to .11), 12 updates, 12 times worrying and hoping everything still works ok afterwards.

  1. Certification for Com_ / Mod_ / Bots appears to be too difficult and involved to manage, so quality control on listed extensions should be reinforced: allow users to submit security issues somehow, with developer notification if possible. The work done by the Extensions team is great, but 700+ extensions is too much to manage.
    If I want to use one particular extension, there should be a one-click way to get security information about it: when was it last updated, has it undergone code checks, does anyone feel there might be issues with it...
  2. It is evident now Joomla! is being targeted more and more by hackers, and security needs more focus.
    The long awaited auto-update for Core seems like an important feature so you can keep a site secure and up-to-date just from your browser. I'd rather have a few extensions break than the whole site go down.
  3. Updates need a broader tester public so bugs can be found before releases.
  4. If more than X issues are reported / confirmed / fixed within a week of release, release a fix version such as 1.0.x.a, or a new dot version.
  5. The only place any indications about how to secure extensions are found is an entry on the developer wiki that I'm sure not many dev's are aware of. This particular entry should be made much more prominent than a simple "Tip and Trick"!
    Maybe even use push (send a mail to all registered dev's of Forge & Extensions), instead of relying on pull and on them to look for / find such info.
  6. What good is a big red warning to new users as soon as they log into admin if there's no Help on how to fix the listed issues?! As a new user, all I see is: there's a serious problem! But what then, what IS the Danger, how serious are these issues, and what should I do now?
    Clicking the provided link takes me to a long page about lots of things to worry about (like: should I really use Joomla! then, if it is not secure and I need to do all these things before it gets any better...?), but no quick answers about the 3 red items on my site!
  7. Core needs to integrate a backup option into the CMS itself for vital stuff: it should be possible to secure a current copy of for example config.php and database contents at least. Selective backup of folders / tables would be nice of course, but at least a bare minimum!
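Item 7 asks for the bare minimum: a current copy of the configuration file and the database contents. As an added illustration, not code from this post or from Joomla itself, here is a shell script that does exactly that for a 1.0.x site: it copies configuration.php and dumps the database with mysqldump into a fresh, owner-only directory, and refuses to report success if the dump came out empty. The site root, database credentials and output directory are placeholders passed as arguments; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from Joomla: a minimal backup of a
# Joomla 1.0.x site's configuration.php and database, as asked for in item 7.
# Assumes mysqldump is installed; every path and credential is a placeholder argument.
set -euo pipefail

# Dump one database to a file. The password travels via MYSQL_PWD so it does not
# show up in the process list; --single-transaction gives a consistent snapshot.
dump_database() {
  local db_user="$1" db_pass="$2" db_name="$3" out_file="$4"
  MYSQL_PWD="$db_pass" mysqldump --single-transaction -u "$db_user" "$db_name" > "$out_file" || return 1
  # A truncated or empty dump is worse than none: never report success on it.
  [ -s "$out_file" ] || { echo "dump of $db_name is empty" >&2; return 1; }
}

# Create a timestamped backup directory holding the config copy and the dump.
# Prints the directory path on success, returns non-zero on any failure.
joomla_backup() {
  local site_root="$1" db_user="$2" db_pass="$3" db_name="$4" out_dir="$5"
  local config="$site_root/configuration.php"   # holds the DB credentials in 1.0.x
  [ -r "$config" ] || { echo "no readable configuration.php under $site_root" >&2; return 1; }

  # Everything created from here on is owner-only (0700 dirs, 0600 files): the
  # backup contains the database password and the complete site content.
  umask 077
  local target
  target="$out_dir/joomla-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$target" || return 1

  cp "$config" "$target/configuration.php" || return 1
  chmod 600 "$target/configuration.php"
  dump_database "$db_user" "$db_pass" "$db_name" "$target/db.sql" || return 1

  echo "$target"
}

# Stand-alone use: joomla_backup <site_root> <db_user> <db_pass> <db_name> <out_dir>
if [ "$#" -eq 5 ]; then
  joomla_backup "$@"
fi
```

Run it as the site's own user, for example from cron, as `./backup.sh /var/www/site dbuser dbpass joomla_db /backups`. The output directory should live outside the web root so the copy of configuration.php (which carries the database password) is never reachable through the web server.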

Computer age

Comments (3)

rob said:

Hi

As someone who's had a whole series of sites hacked over the last months I fully sympathise with you!
As usual you make some great points.
I'd add just one, which is sort of related to what you were saying about not introducing feature changes in the 1.0.x code base: the developers should really maintain the same code structure for all *.html.php files between releases. I extensively rewrite these files for most of my sites and place them in my templates folder. I don't appreciate doing a maintenance upgrade and finding that the interfaces for all these files have changed and 20 or so sites start showing PHP errors :S
As a developer I'd be the first to admit that I'm not as security knowledgeable as I could be - hey, there's only so many hours in a day :D,
I'd point any developer to this post - http://forum.joomla.org/index.php/topic,78781.0.html - as a good starting reference
September 26, 2006

kaitan dev said:

I have 6 Joomla sites, 4 corporate, 3 hacked 2 times :)
I was digging and found the exploits
Googled a while, found 23 vulnerable sites in 2 minutes
thinking seriously about ASP...
they were Turkish kids, no need for a bigger IQ than 40 to do this...
December 04, 2006

Just thinking said:

Hey there. I have often come to your site for resources. It is a good site and thanks for running it. With regards to being hacked or cracked, those guys did you a big favor because it helped you to do something about security. When a company suddenly has a hard drive that crashes on them and the last backup they made was last month, very strict backup policies come into action. With Joomla sites, it is 99% of the time user error or the server setup or third-party components and not the Joomla code base. Unfortunately, if a Joomla site does get cracked, it really hurts the overall security and trust image of Joomla and the Joomla community. There is a recent thing that happened with a site in South Africa that will be in the news for the next few days. Dunno what happened there and if it was really a crack or not, but it is definitely very bad publicity and ammo for anti open source activists. The Joomla team really works very hard and if you follow their instructions in the forums with regards to security you will be as safe as a house. If you have to do some drastic things like change to another host, then do it. That is exactly what I did. The old host was not willing to change things on the server for me to make my sites more secure. It was quite a mission to move 20 odd websites but now I am very happy with my new host.
July 06, 2007
Tags: joomla
Last Updated ( Saturday, 02 September 2006 )