Hackers – The Good, The Bad and The Ugly
Posted by Kevin McLeod • 30.04.2009
March 12, 2009 – Yardstick Services’ website was hacked. Our index.php file was replaced and our administrator username and password were changed. I was stressed out and angry. But once I got through the usual emotions associated with this kind of disruption to life and business, I put my learning hat on and set my sights on buffing up on my Joomla security. For anyone who wants to avoid the same pain that I went through, here is a quick checklist, including a couple of invaluable Joomla extensions.
The good news is that there are a number of things that you can do today to protect your site from hackers.
- First and foremost, change all of your usernames and passwords. Automated scripts simply try the default username ‘admin’ with a list of common passwords such as ‘12345’, so rename the default administrator account as well as changing its password. If you want to test how strong your current passwords are, run one of similar shape through the Password Meter rather than the real one; a live credential should never be pasted into a third-party site.
- Remove any unneeded files and folders from your site. This was Yardstick’s vulnerability. When we upgraded our site to Joomla 1.5.9 using Fantastico in our webhost’s cPanel, it installed an antiquated template called ‘beez’, which ended up being the hole through which the hacker could access the index.php file and change the admin username and password.
- Check that all of your files and folders have the correct permissions. Files should be set to 644 (owner read/write, everyone else read only) and folders to 755 (owner read/write/execute, everyone else read and list only). Never leave anything at 777 on shared hosting, since every other account on the server can then write to it. These permissions can be set with an FTP program like FileZilla, or with chmod if you have shell access.
- Make sure you have the most recent version of Joomla installed.
- Make sure all of your components, plug-ins, templates, extensions and so on are the most recent versions. Because they come from third parties and get far less scrutiny than the Joomla core, extensions are where most Joomla vulnerabilities turn up, and an extension you have disabled but not deleted is still reachable on disk.
- Use Joomla’s pre-configured .htaccess file to block a number of typical exploit attempts. Joomla ships it as htaccess.txt, and it does nothing until you rename it to .htaccess and enable Apache mod_rewrite in Global Configuration in the Joomla administrator; its rules reject requests whose query string tries to smuggle in base64_encode(), a <script> tag or a PHP GLOBALS/_REQUEST variable. There are a number of good forum posts on Joomla’s site about .htaccess. And if you really want to get secure, you can add these lines to your .htaccess file. I used my .htaccess file to block the hacker’s IP address…which unfortunately probably blocked a hundred other people in that section of New York, but so be it.
- If you want to hide your administrator login page (which I highly recommend), then install JSecure. It’s a very simple extension that lets you set a key that needs to be appended to your http://www.mysite.com/administrator/ URL before the login page is served. It does not replace a strong password, but it is another layer that stops the scripts that blindly hammer /administrator/ looking for a login form.
- Finally, I was pleasantly surprised by GuardXT, which is a Joomla extension that runs checks on your Joomla setup for you and flags any issues that you may have with a green – yellow – red light system (similar to what we use for our Website Analysis service). I found that because I am using shared hosting I can’t fix everything, but it did catch a lot of stuff that I wouldn’t have found otherwise.
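Here is the file-and-folder part of the checklist above as a script. This is an added example and not part of the original post: it audits a Joomla tree for the permission problems and install-time leftovers described above and can apply the 644/755 scheme. The JOOMLA_ROOT variable is an assumed name; installation/, configuration.php-dist and an un-renamed htaccess.txt are files Joomla 1.5 ships with that should not remain in place on a live site.

```shell
#!/bin/sh
# Added example, not from the original post. JOOMLA_ROOT is an assumed path.
# Audits a Joomla tree for the checklist items: file/folder modes, anything
# world-writable, and install-time leftovers that widen the attack surface.

# Regular files whose mode is not 0644.
bad_file_perms() {
    find "$1" -type f ! -perm 644
}

# Directories whose mode is not 0755.
bad_dir_perms() {
    find "$1" -type d ! -perm 755
}

# Anything world-writable (the o+w bit is set). On shared hosting this is the
# worst case: any other account on the box can overwrite your index.php.
world_writable() {
    find "$1" -perm -002
}

# Install-time leftovers that Joomla 1.5 ships with and a live site should not
# keep: the installer directory, the sample config, and an htaccess.txt that was
# never renamed to .htaccess (so none of its rewrite rules are active).
leftover_files() {
    root=$1
    [ -d "$root/installation" ] && echo "$root/installation"
    [ -f "$root/configuration.php-dist" ] && echo "$root/configuration.php-dist"
    if [ -f "$root/htaccess.txt" ] && [ ! -f "$root/.htaccess" ]; then
        echo "$root/htaccess.txt (not yet renamed to .htaccess)"
    fi
    return 0
}

# Count lines of a report without the leading spaces some wc builds emit.
count_lines() {
    wc -l | tr -d ' '
}

# Run every check and report. Returns 1 if anything was found, so the script
# can gate a deploy step or run from cron and mail you only on failure.
audit_joomla() {
    root=$1
    issues=0
    for check in bad_file_perms bad_dir_perms world_writable leftover_files; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            echo "== $check"
            echo "$out"
            issues=$((issues + 1))
        fi
    done
    [ "$issues" -eq 0 ]
}

# Apply the 644/755 scheme from the checklist. Review the audit output first:
# Joomla's admin needs configuration.php writable for the moment you save
# Global Configuration, so set it back to 644 afterwards rather than leaving it.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: JOOMLA_ROOT=/home/example/public_html sh joomla_audit.sh
if [ -n "${JOOMLA_ROOT:-}" ]; then
    audit_joomla "$JOOMLA_ROOT"
fi
```

Run the audit before fix_perms and read what it reports: a directory that genuinely needs to be writable by the web server (a cache or upload folder) will show up too, and the right answer there is a deliberate, documented exception rather than a blanket chmod.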
OK, if you have already been hacked then you’re feeling the pain. Don’t worry, there are still a few things you can do to fight the good fight.
- Get hold of your raw access logs from your server. If you can pin down the time your site was “hacked” (usually the modification time of the replaced index.php), the requests logged in the minutes before it give you the IP address of the perpetrator. Then use an IP tracer to get their location and internet service provider. This may not be their actual location and ISP if they are using masking or some other elusive technique, but it’s worth a shot. I have emailed my hacker’s Internet Service Provider and they were more than receptive to take my logs and learn everything they could about the hacker’s behaviour and IP address. Hackers are bad for their business as much as yours.
- If the hacker has put up their own splash page then they will probably want you to email them. DO NOT EMAIL THEM. You never know what they will do with your IP address or personal information. But you can report them to the email provider in question. Again, hackers are bad for their business as much as yours.
- Some US forums and blogs have reported that you can contact the FCC. I sent them an email but have not heard back. You can see their response that I’ve added in the comments below. Apparently they don’t deal with internet fraud but the Department of Justice may.
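The log triage described in the first item above, as an added example that is not part of the original post. The log lines are constructed, in the Apache combined format most hosts write, with IP addresses from the RFC 5737 documentation ranges; the window arguments use YYYYMMDDHHMMSS so they can be compared as plain numbers.

```shell
#!/bin/sh
# Added example, not from the original post. The log below is constructed;
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='198.51.100.7 - - [11/Mar/2009:22:04:31 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2009:03:12:50 +0000] "GET /administrator/ HTTP/1.1" 200 2011 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Mar/2009:03:13:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Mar/2009:03:14:07 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Mar/2009:03:15:30 +0000] "GET /index.php HTTP/1.1" 200 620 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2009:03:18:00 +0000] "GET /index.php HTTP/1.1" 200 620 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:09:00:12 +0000] "GET /administrator/ HTTP/1.1" 200 2011 "-" "Mozilla/5.0"'

# Write the constructed sample to a temp file and print its path, so the
# functions below take a real log file exactly as you would download it.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# awk helper: turn Apache's "[12/Mar/2009:03:14:07" into 20090312031407 so a
# window can be compared numerically instead of parsing dates in the shell.
AWK_KEY='
function key(ts,    m, n) {
    m = substr(ts, 5, 3)
    n = (index("JanFebMarAprMayJunJulAugSepOctNovDec", m) + 2) / 3
    return sprintf("%s%02d%s%s%s%s", substr(ts, 9, 4), n, substr(ts, 2, 2),
                   substr(ts, 14, 2), substr(ts, 17, 2), substr(ts, 20, 2))
}'

# Every request between two timestamps (inclusive), e.g. the ten minutes before
# the index.php modification time the post tells you to start from.
requests_between() {  # requests_between LOGFILE 20090312031000 20090312031959
    awk -v lo="$2" -v hi="$3" "$AWK_KEY"'
    { k = key($4); if (k + 0 >= lo + 0 && k + 0 <= hi + 0) print }' "$1"
}

# Source IPs in that window, busiest first. The address hammering
# /administrator/ right before the defacement is your candidate.
top_ips() {
    requests_between "$@" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Every request from one address: this is the timeline to hand the ISP.
trail_of() {  # trail_of LOGFILE IP
    awk -v ip="$2" '$1 == ip' "$1"
}

# State-changing requests to the admin area. $6 is the quoted method ("POST),
# $7 the path; a login POST followed by more POSTs is the pattern to look for.
admin_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/administrator\//' "$1"
}

log=$(sample_log_file)
echo "== requests 03:10-03:19 on 12 Mar 2009"; requests_between "$log" 20090312031000 20090312031959
echo "== IPs in that window";                 top_ips "$log" 20090312031000 20090312031959
echo "== admin POSTs";                        admin_posts "$log"
rm -f "$log"
```

Point the functions at your downloaded access log instead of the sample, start with a window ending at the modification time of the replaced index.php, and keep the full trail_of output for the ISP: a complete sequence of timestamped requests is far more useful to their abuse desk than a single address.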
So, you fixed all your security holes and you’ve done your best to report your hacker’s IP address to the authorities. Still, your site is probably sitting with a very unpleasant splash page. Here’s where it gets ugly. You may not be able to fix your site. My hacker had made changes to my database and my files and folders. Rather than trying to go through and individually find and fix what was changed, I opted to just restore a backup I had made of my site a few days before.
- Always, always, always have a backup of your site, and that means both the files and the MySQL database, since Joomla keeps its content, users and extension settings in the database. Make sure that you have tried a full restore of your site at least once to confirm that your backup procedure actually works. This is a scary area for many DIY designers but well worth the time. Otherwise, you are left with a complete rebuild from scratch.
- If you have to rebuild your site, don’t fret; it is a chance to take a look at those old extensions and templates. If you do rebuild your site, be sure to keep a change log of everything you do to it. It can be as simple as an Excel file or Word doc, but I can’t tell you how many times I have gone through one of my change logs to remember what I did to the formatting of part of a CSS file or the modification to an extension.
- And since you’re at this stage, it wouldn’t be a bad idea to take a long hard look at your current webhost. Take a look at their chat forums (or just Google them) and see what kind of issues other users are having. Shared webhosts that serve seedy websites are often riddled with security issues that you cannot do anything about.
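The backup and restore drill from the items above, as an added example that is not part of the original post. It archives the site tree together with a mysqldump of the database, then restores the archive into a scratch directory and diffs it against the live site, which is the “try a full restore at least once” check the first item asks for. JOOMLA_ROOT, BACKUP_DIR and DB_NAME are assumed names, and the database credentials are expected in ~/.my.cnf so that no password ends up in cron or shell history.

```shell
#!/bin/sh
# Added example, not from the original post. JOOMLA_ROOT, BACKUP_DIR and
# DB_NAME are assumed names; mysqldump reads its user/password from the
# [client] section of ~/.my.cnf so nothing secret appears on the command line.

# Archive ROOT (and, when DB_NAME is non-empty, a dump of that database) into
# DEST/joomla-<stamp>.tar.gz and print the archive path. Joomla keeps content,
# users and extension settings in MySQL, so a files-only backup is not a backup.
backup_site() {  # backup_site ROOT DEST [DB_NAME]
    root=$1; dest=$2; db=${3:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/joomla-$stamp.tar.gz"
    mkdir -p "$dest"
    if [ -n "$db" ]; then
        mysqldump "$db" > "$dest/db-$stamp.sql" || return 1
        tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" \
                            -C "$dest" "db-$stamp.sql" || return 1
        rm -f "$dest/db-$stamp.sql"
    else
        tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" || return 1
    fi
    echo "$archive"
}

# List what an archive actually contains before you trust it.
list_backup() {
    tar -tzf "$1"
}

# Unpack ARCHIVE into SCRATCH and diff the restored tree against the live one.
# Exit 0 means the archive reproduces the site; anything else means the backup
# procedure does not work, and now, not after a defacement, is the time to fix it.
# Run right after a compromise, the same diff lists exactly which files changed.
# SCRATCH is wiped first, so never point it at the live root.
restore_drill() {  # restore_drill ARCHIVE LIVE_ROOT SCRATCH
    archive=$1; live=$2; scratch=$3
    rm -rf "$scratch"
    mkdir -p "$scratch"
    tar -xzf "$archive" -C "$scratch" || return 1
    diff -r "$live" "$scratch/$(basename "$live")"
}

# Usage: JOOMLA_ROOT=/home/example/public_html DB_NAME=joomla sh backup_drill.sh
if [ -n "${JOOMLA_ROOT:-}" ]; then
    dest=${BACKUP_DIR:-$HOME/backups}
    archive=$(backup_site "$JOOMLA_ROOT" "$dest" "${DB_NAME:-}") || exit 1
    list_backup "$archive"
    restore_drill "$archive" "$JOOMLA_ROOT" "$dest/restore-test" \
        && echo "restore drill OK: $archive"
fi
```

Keep the archives somewhere the web server account cannot write, ideally off the host entirely: a backup sitting next to the site inherits every weakness the post describes, and a hacker who can replace index.php can delete or trojan a backup in the same directory just as easily.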
If you want to learn more about Joomla security, check out the official information at the Joomla documentation site.
That’s today’s braindump. Keep secure and have fun.