Mambo - Forums Closed for posting > Mambo 4.5.5 - Stable > Security & Performance
July 17th, 2006, 15:22   #1
tinatoth
Things I have learned about why I got hacked (some tips to everyone)

After my site got hacked twice in the past few days, I have been checking both mambo and the joomla forum for tips, and step by step I learned some interesting new things.

I have learned what to look for in my raw logs to track the hackers' moves around the server. (PM me if you need details on what to look for yourself.)
So I checked my raw server logs, and found that my site was hacked through the com_smf (mambo-smf bridge component), or more precisely, the smf.php file.

Indeed, the file did not contain the "Direct access not allowed" line suggested in this thread.

I contacted the maker of the component script, and while he agreed to add the line into the script, we had an interesting discussion about the whole case. I showed him my server logs, and he pointed me to some more factors in the reason why the hack was made possible.

Apart from the possible vulnerability in smf.php, it was also the settings on my server which allowed it to happen.

More precisely,

open_basedir restrictions were NOT SET, and allow_url_fopen was ON.

That is the opposite from what it should be for site safety.

I contacted my webhost about it. They apologized for not having open_basedir restrictions defined for my account (that is something which regulates which directories the php on the server can access; if it is not set to your account only, then hackers can execute php commands on your server as they wish), and they promised to fix the error. However, they refused to disable allow_url_fopen for me, because, as they say, "many PHP scripts require other PHP scripts to be called or included in the URL". Ideally, they would have done it for my account strictly, but instead they told me I can do it myself with a local php.ini file, so hopefully that should sort it.

So now, what I would suggest to everyone who got hacked recently (and those who haven't as well) is to log into their mambo admin panel, click on "system info" in the "system" menu bar, and then the "php info" tab.

Check whether your allow_url_fopen is ON or OFF (should be OFF), and if your open_basedir is defined, or not.

If your open_basedir says "none", you should contact your host about it. They should restrict it to your account's directory only, so that only scripts from your account could access the php on your server.

If your allow_url_fopen says "ON", then also contact your host and ask if they can turn it off, or alternatively if you can use a local php.ini to disable it yourself.

Hopefully they should help you.

Here is an interesting article which describes the hacker methods which got most of us hacked recently, and why these server settings could have helped:
http://www.technosailor.com/lessons-...file-execution. It also contains a few more tips on safety, which I haven't tried myself yet, but if anyone has, let us know your experiences.

And finally, for the record, there are many other precautions to take regarding hack safety, described in many other threads here, such as

* making sure your file permissions are set correctly (I have found this page useful for that),

* making sure your register_globals is OFF (that too is something to check in your system php info and contact your host about or switch off with a local php.ini file),

* making sure your 3rd party addons' php files contain the line specified in this thread,

* try putting what this thread suggests into your .htaccess file

* Delete any 3rd party components/mambots/modules you are not using from your mambo installations. They may be out of date and vulnerable to attacks. It doesn't matter if they are not published, they could pose a threat for as long as they're on your server.

* keep your mambo and all other addons like message boards, galleries etc. up to date and patched up.

* Subscribe to the security announcements forum and the general announcements forum to get notified of new mambo patches on time.

* And finally, make regular backups of the site and the database. The best way to do that is to use the "backup" function in your cPanel, or a similar control panel (I assume Plesk and H-sphere have such options too). If you don't have access to such a control panel, then contact your host about the best way to back up your site regularly.



I think this is all I have to share for now... keep in mind I am no expert, but I simply wanted to share my experiences over the past few days with everyone, in hope that someone might find them helpful.

If anyone has anything to add, if I have missed anything, or got anything wrong, let me know.

I'm sure I am not the only one here determined to do everything in my power to defend my site from hackers.
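The post tells you to read the three directives off the "php info" tab. As an added example (not code from the thread or from Mambo), here is a small POSIX shell script that does the same check against a php.ini-style file (either your local php.ini or the phpinfo values copied into `key = value` lines) and writes a hardened local php.ini. The file names, the `/home/example/public_html` path and the sample values are made up; the only PHP facts it relies on are that allow_url_fopen defaults to On and open_basedir defaults to unset when the directive is absent.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the PHP directives named in the
# post (allow_url_fopen, register_globals, open_basedir) from a php.ini-style
# file, and write a hardened local php.ini. Paths and sample values are made up.

# Print the value of KEY from ini FILE: first match, trailing ';' comment and
# quotes removed, lowercased. Prints nothing when the key is absent.
ini_get() {
  file=$1; key=$2
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
    head -n 1 | sed 's/[[:space:]]*;.*$//' | tr -d '"' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# PHP accepts On/1/True/Yes as "enabled" for boolean directives.
ini_is_on() {
  case "$1" in on|1|true|yes) return 0 ;; *) return 1 ;; esac
}

# Print one finding per unsafe directive; return 1 if there were any.
# A missing allow_url_fopen counts as On, because that is PHP's built-in
# default; a missing open_basedir counts as unset for the same reason.
audit_php_ini() {
  file=$1; bad=0
  v=$(ini_get "$file" allow_url_fopen); [ -z "$v" ] && v=on
  if ini_is_on "$v"; then
    echo "allow_url_fopen=On: scripts can open/include files by URL"; bad=1
  fi
  if ini_is_on "$(ini_get "$file" register_globals)"; then
    echo "register_globals=On: request parameters become PHP variables"; bad=1
  fi
  case "$(ini_get "$file" open_basedir)" in
    ""|none|"no value")
      echo "open_basedir unset: scripts may read any path the web server can"; bad=1 ;;
  esac
  return $bad
}

# Write a local php.ini with the three directives set the way the post asks.
# BASE is the directory the account's scripts are confined to.
write_local_php_ini() {
  out=$1; base=$2
  cat > "$out" <<EOF
; local php.ini: hardened settings discussed in the thread
allow_url_fopen = Off
register_globals = Off
open_basedir = "$base"
EOF
}

# Demo on constructed input (the post's "NOT SET / ON" situation as ini lines).
tmp=$(mktemp -d)
printf 'allow_url_fopen = On\nregister_globals = On\n; open_basedir is not set here\n' > "$tmp/weak.ini"
audit_php_ini "$tmp/weak.ini" || echo "-> weak.ini needs fixing"
write_local_php_ini "$tmp/php.ini" "/home/example/public_html"   # placeholder path
audit_php_ini "$tmp/php.ini" && echo "-> hardened php.ini passes"
rm -rf "$tmp"
```

Whether a local php.ini is honoured at all, and which directory it has to sit in, depends on how your host runs PHP (mod_php ignores per-directory php.ini files; CGI/suPHP setups usually read one), so re-check the "php info" tab after placing it rather than trusting the file.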
July 18th, 2006, 00:11   #2
Lookingsharp

Thanks for the help, I'm going to check with my host about the:

"open_basedir restrictions were NOT SET, and allow_url_fopen was ON."

Also, just change your config file to 444 when you don't want to write to it; I've had no problems.
July 18th, 2006, 15:55   #3
chyna

Quote:
Originally Posted by tinatoth
[post #1 quoted in full]
BRAVO!! You've done a fantastic job putting this together.
July 31st, 2006, 11:52   #4
arnj

Hi Tina,

I followed your suggestions and aggregation of the fixes to the T, and so far no hackie. Thank you very much!
August 15th, 2006, 09:30   #5
dkone

Woooow! This is a very good checklist; it should be a sticky post, really. Well done and thanks a lot.

I have, of course, just written a flaming email to my host, as everything you suggested applies to my hosting package...
August 20th, 2006, 16:30   #6
tynana
Keep getting Hacked no matter what I do. Please help

Hi, geez, I hate to ask, but I am at the end of my rope. I keep setting my permissions as stated and then I get nothing but errors and have to set them back to get the site back up.

Can someone PM me if they would want to help? I am at my wits' end.

Thanks
Tynana
__________________
www.renderbenders.com ( my mambo home)
I don't know what I'm doing but that doesn't stop me from doing it!
August 20th, 2006, 16:37   #7
tinatoth

What kind of errors? 500 Internal Server Error?
August 21st, 2006, 02:06   #8
tynana

No, I am getting "Failed to open stream", I think is what it said, and they coincide with folders I have set the permissions on. I tried increasing the permissions a little at a time, but it didn't work until I set them back to the original 755.
I was trying to secure the components in administrator because the last hack used the com_remository. Also, last week when I was working on my files I checked to make sure the "Direct access not allowed" suggested lines were in the 3rd party files. My remository already had it covered.

For future reference if someone hacks you make sure you check com_remository for this file c99.php and delete it.

Thank you
August 21st, 2006, 03:29   #9
dkone

Yes, in my eyes that seems to be the most common front for hacks / attacks.

Well, using a third-party component to place a php-shell is actually not a hack... my grandmother could do it... I really do not understand what these kids are proving to themselves. It's just so sad!!!

Tynana, you will not be able to protect yourself by setting permissions correctly. If the php-shell, hence the c99.php file, is in place, your permissions are screwed anyway. It's a neat little tool, believe me. Setting permissions correctly will not do the job!

Instead, there are many other things to consider:

1. PHP directives - fopen, register_globals, open_basedir
2. Ways to prevent exploits with .htaccess and Apache directives.
3. Updating vulnerable 3rd party components !Important!
4. BACKUP-BACKUP-BACKUP

My Tip: Have a look in the Joomla! Forum... things seem to be covered much, much, much better there!!
August 21st, 2006, 09:21   #10
arnj

Quote:
Originally Posted by tynana View Post
No, I am getting "Failed to open stream", I think is what it said, and they coincide with folders I have set the permissions on. I tried increasing the permissions a little at a time, but it didn't work until I set them back to the original 755.
What were you setting your directories to before? All Mambo directories should be at 755, and files at 644.

However, this will cripple certain things in Mambo, if you can live with that. You'll not be able to install components/modules/mambots, and upload to the media directory, but I just change those directories temporarily when doing these actions and then set them back.

So far, hack proof.
August 21st, 2006, 09:48   #11
arnj
c99.php

Quote:
Originally Posted by dkone View Post
Tynana, you will not be able to protect yourself by setting permissions correctly. If the php-shell, hence the c99.php file, is in place, your permissions are screwed anyway. It's a neat little tool, believe me. Setting permissions correctly will not do the job!
Yes, you are right. c99.php is evil. Everyone should search for this file regularly.

However, although permissions probably wouldn't help in this case, they are truly important in the overall security scheme, wouldn't you agree?
August 21st, 2006, 19:15   #12
tynana

Quote:
Originally Posted by arnj View Post
What were you setting your directories to before? All Mambo directories should be at 755, and files at 644.

However, this will cripple certain things in Mambo, if you can live with that. You'll not be able to install components/modules/mambots, and upload to the media directory, but I just change those directories temporarily when doing these actions and then set them back.

So far, hack proof.
Well, since I am still new to mambo and php (mambo 7 months and php about the same), I have to admit that I am sometimes over my head.
Dummy me, I set the directories to 644; that is what shut it down. So now I will try to set the files to 644 as you suggest.
I have already set register_globals to off as I heard suggested, and there was a thread somewhere in the forums about adding to the .htaccess, which I did, and the site had no trouble with that.
I believe some of these things my host will have to fix because I am on a shared server. But there is one thing listed here that they should have set already, and I will check that too. I'm sorry if I can't remember the names of some of these things; servers and settings I am still learning too.

But I want to thank all of you for the input, and I will try to check everything on the list. I will post after doing this and list any problems in hopes that it helps someone else (and me).

Blessings on you wonderful people!
Tynana

EDIT!!! It's the open_basedir that I have to have my host check, I think.
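Posts #6 to #12 circle around the 755/644 baseline: tynana set directories to 644 (which strips the execute bit a directory needs to be entered, hence the "failed to open stream" errors), and arnj re-opens a directory only for the duration of an install or upload. As an added example (not from the thread or from Mambo), this POSIX shell script checks a tree against that baseline, resets it, and wraps a task with a temporary mode on one directory. The site path and files are constructed for the demo; which temporary mode the web-server user actually needs is host-specific, so it is a parameter.

```shell
#!/bin/sh
# Added example, not from the thread: check and reset the 755/644 permission
# baseline arnj describes, and re-open one directory only while a task needs it.
# Paths below are made up.

# Print every directory that is not 755 and every file that is not 644 under
# ROOT (ROOT itself included); return 1 if anything was printed.
audit_perms() {
  root=$1
  report=$(mktemp)
  {
    find "$root" -type d ! -perm 755 -print | sed 's/^/dir  not 755: /'
    find "$root" -type f ! -perm 644 -print | sed 's/^/file not 644: /'
  } > "$report" 2>/dev/null
  if [ -s "$report" ]; then
    cat "$report"; rm -f "$report"; return 1
  fi
  rm -f "$report"
}

# Apply the baseline recursively. Directories get 755 (the x bit is what lets
# PHP enter them), files 644; this is the state tynana needed to return to.
reset_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Run CMD with DIR temporarily at MODE, then put 755 back even if CMD fails.
# MODE is whatever your host needs for the web-server user to write there.
# Usage: with_temp_mode images/stories 775 cp upload.jpg images/stories/
with_temp_mode() {
  dir=$1; mode=$2; shift 2
  chmod "$mode" "$dir"
  "$@" && rc=0 || rc=$?
  chmod 755 "$dir"
  return $rc
}

# Demo on a constructed tree.
site=$(mktemp -d); chmod 755 "$site"
mkdir -p "$site/images/stories"
touch "$site/index.php" "$site/images/stories/photo.jpg"
chmod 777 "$site/images/stories"; chmod 666 "$site/index.php"   # two deviations
audit_perms "$site" || echo "-> deviations found, resetting"
reset_perms "$site"
audit_perms "$site" && echo "-> baseline restored"
with_temp_mode "$site/images/stories" 775 touch "$site/images/stories/new.jpg"
rm -rf "$site"
```

Run `audit_perms` against the Mambo root before and after an install; anything it lists after `reset_perms` has been changed by something other than you.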
September 12th, 2006, 14:20   #13
rrmccabe

What does it take to get Mambo working with the open_basedir restriction?

We have it off now (after getting hacked) and when I try to upload an image or create an image directory we get a message like this:

Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(/home/httpd/vhosts/sacredheartwdm.org/httpdocs/images/stories//fdsfdsfdsfdf/index.html) is not within the allowed path(s):

Thanks in advance. Mambo and one other weather script are not working because of this.

Rich
September 12th, 2006, 18:30   #14
Mungbeans

I have webhosting that hasn't set the open_basedir. I'm attempting to set the open_basedir on my part of the server through the Apache .htaccess file thus:

php_admin_value open_basedir "/home2/clothes/public_html/my_dir"

/my_dir is where mambo is located

Once this is set I get a 500 error and can't open Mambo. What are the corresponding .htaccess settings and should I change the configuration file as well?
September 13th, 2006, 09:33   #15
tinatoth

Quote:
Originally Posted by rrmccabe View Post
What does it take to get Mambo working with the open_basedir restriction?

We have it off now (after getting hacked) and when I try to upload an image or create an image directory we get a message like this:

Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(/home/httpd/vhosts/sacredheartwdm.org/httpdocs/images/stories//fdsfdsfdsfdf/index.html) is not within the allowed path(s):

Thanks in advance. Mambo and one other weather script are not working because of this.

Rich
Well, it should be working, because by default php should have the open_basedir set to your account. All my mambo sites run with that in place, no problem whatsoever. When you say "upload an image", where is it you upload it? Is it in a text editor or...?


Quote:
Originally Posted by Mungbeans View Post
I have webhosting that hasn't set the open_basedir. I'm attempting to set the open_basedir on my part of the server through the Apache .htaccess file thus:

php_admin_value open_basedir "/home2/clothes/public_html/my_dir"

/my_dir is where mambo is located

Once this is set I get a 500 error and can't open Mambo. What are the corresponding .htaccess settings and should I change the configuration file as well?
I'm not sure but I think only your host can define your open_basedir restriction.
I don't think you can set it through .htaccess.
November 7th, 2006, 20:38   #16
cipher_nemo

Tinatoth, Thank you!

You gave all the info and links I ever needed to prevent casual hackers from ripping apart my Mambo CMS. Even months later, your post is helping new users.
__________________
Visit my geek blog: 2geek.org/pt
November 9th, 2006, 04:16   #17
dkone

And as I have been involved in this thread ever since, here are my findings, which really helped with all my Mambo sites. Apart from correct permissions, security through htaccess and so forth, there are two essential things to consider:

1. Make sure ALL your Components/Modules have the "direct access" line included.

2. Run your OWN php.ini configuration for your site! (That's probably the most important one.) Get your php.ini right and the Turkish kids with their limited horizon won't have a chance.

Furthermore, I check my logs from time to time and use a little php app called "filist.php" to check by date if anything has been dumped on the site.

Should anyone need help with the above points, I am very happy to help!
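Three of the checks in this thread lend themselves to a script: dkone's "what has been dumped on the site since date X" (what filist.php does), the "direct access" line in every component and module file (post #1 and point 1 above), and arnj's advice in #11 to search for c99.php regularly. As an added example, not from the thread or from Mambo, here is a POSIX shell script that runs all three against a webroot. It assumes the guard line to look for is Mambo's `defined('_VALID_MOS') or die(...)` check (`_VALID_MOS` is the constant Mambo's index.php defines); the sample site, its files and the empty stand-in named c99.php are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: three checks against a Mambo webroot.
#  - recent_files: what changed in the last N days (dkone's filist.php idea)
#  - missing_guard: PHP files that neither check nor define _VALID_MOS, i.e.
#    lack the "Direct access not allowed" line (assumed to be the Mambo form)
#  - find_known_shell_names: files named like the web shell the thread mentions
# Paths and sample files are made up.

# List regular files under ROOT modified within the last DAYS days, newest first.
recent_files() {
  root=$1; days=$2
  find "$root" -type f -mtime "-$days" -exec ls -lt {} +
}

# Print PHP files under ROOT that contain no reference to _VALID_MOS at all
# (index.php defines it, everything else is expected to check it).
missing_guard() {
  root=$1
  find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
    grep -q '_VALID_MOS' "$f" || printf 'no direct-access guard: %s\n' "$f"
  done
}

# Files whose name is on the list; c99.php is the one named in the thread,
# extend the space-separated list with whatever you are told to look for.
KNOWN_SHELL_NAMES="c99.php"
find_known_shell_names() {
  root=$1
  for name in $KNOWN_SHELL_NAMES; do
    find "$root" -type f -name "$name" -print
  done
}

# Demo on a constructed site.
site=$(mktemp -d)
mkdir -p "$site/components/com_demo"
printf '<?php\ndefined("_VALID_MOS") or die("Direct Access to this location is not allowed.");\n' \
  > "$site/components/com_demo/demo.php"
printf '<?php\n// helper without the guard line\n' > "$site/components/com_demo/helper.php"
touch -t 200607170000 "$site/components/com_demo/demo.php"   # pretend it is old
touch "$site/c99.php"   # constructed stand-in: an empty file carrying only the name
echo "== files changed in the last 7 days"; recent_files "$site" 7
echo "== php files without the guard";      missing_guard "$site/components"
echo "== known shell names";                find_known_shell_names "$site"
rm -rf "$site"
```

A file turning up in `recent_files` that you did not upload is the signal to look at the raw logs for that time window, as the first post describes. The name search is the weakest of the three checks, since a dropped file can be called anything, which is why the date-based listing comes first.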
January 10th, 2007, 15:43   #18
trichnosis

This is a perfect article. Thanks for sharing that.
__________________
www.turkcebilgi.net - Turkish Article Site - Türkçe Bilgi
www.onlinekaynak.com
January 9th, 2008, 08:27   #19
tartis

Quote:
Originally Posted by dkone View Post
And as I have been involved in this thread ever since, here are my findings, which really helped with all my Mambo sites. Apart from correct permissions, security through htaccess and so forth, there are two essential things to consider:

1. Make sure ALL your Components/Modules have the "direct access" line included.

2. Run your OWN php.ini configuration for your site! (That's probably the most important one.) Get your php.ini right and the Turkish kids with their limited horizon won't have a chance.

Furthermore, I check my logs from time to time and use a little php app called "filist.php" to check by date if anything has been dumped on the site.

Should anyone need help with the above points, I am very happy to help!
Can I just have the local php.ini with register_globals = off as the only line? Where on the site does the local php.ini file need to reside, and what permissions?
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.