[joomla] several 1.0 sites hacked this week!
Mark Simko
masimko at verizon.net
Thu Mar 26 16:39:58 EDT 2009
On Thu, 2009-03-26 at 12:00 -0400, joomla-request at lists.nyphp.org wrote:
Top posting because of the length of the prior post.
The tone of this response appears condescending, although it may not
have been meant that way. Perhaps it's just the title that gives the
post that appearance.
I can think of several reasons why a site may still be running an older
version of Joomla! than the latest and greatest. It may be that the
client does not want to pay for the work involved in an upgrade, or that
the client cannot afford to pay for it. Or, perhaps the extensions being
used on the site do not have stable 1.5 versions yet.
There may be reasons why the site is run on a shared host. To some that
may seem like a less than ideal situation, but for others, shared
hosting and low hosting fees may fit them better.
I think the original post about being hacked was meant to be informative
and perhaps intended to spark a discussion. This reply seems like a
lecture. If so, it's unwarranted. If I'm wrong about the intent, then I
apologize, but sometimes the elitist tone gets my ire up.
Mark
> Top 10 Stupidest Administrator Tricks
> >From Joomla! Documentation
>
>
> 10. Use the cheapest hosting provider you can find.
>
> Preferably use a shared server that hosts hundreds of other sites,
> some of which are high-traffic porn sites. Don't check the list of
> recommended hosting providers.
>
> 9. Don't waste time with regular backups.
>
> Maybe the hosting provider will help you out.
>
> 8. Don't waste time adjusting PHP and Joomla! settings for increased security.
>
> Hey, the install was brain-dead easy. How bad could the rest be?
> Worry about those details only if there's a problem.
>
> 7. Use the same username and password for everything.
>
> Use the same username and password for your on-line bank account,
> Joomla! administrator account, Amazon account, Yahoo account, etc.
> Hey, who has time to keep track of so many passwords? And anyway,
> since you don't change passwords, it's easier to just use the same one
> all the time, everywhere.
>
> 6. Install your brand new beautiful Joomla!-powered site, and
> celebrate a job well done.
>
> Don't worry about it again. After all, if you don't make any more
> changes, what can go wrong?
>
> 5. Do all upgrades on the live site right away.
>
> Who needs a development and testing server anyway? If an
> installation fails, you'll just uninstall it again. That will
> hopefully also undo any damage the installation caused.
>
> 4. Trust third-party extensions.
>
> Install all the cool-looking stuff you can find. Anyone smart
> enough to write a Joomla! extension will provide perfect code that
> blocks every known exploit attempt, now and forever. After all, almost
> all this stuff is provided for free by well-meaning, good-hearted
> people who know what they are doing.
>
> 3. Don't worry about updating to the latest version of Joomla!
>
> Hey, nothing has gone wrong so far, and if it ain't broke don't
> fix it! Same plan for the third-party extensions. Too much work;
> life's a beach.
>
> 2. When your site gets cracked, panic your way into the Joomla! Forums.
>
> Start a new post with a very familiar title: "My Site's Been
> Hacked! (sic)" Be sure not to leave relevant information, such as
> which obsolete versions of Joomla! and third party extensions you
> installed.
>
> 1. Once your site's been cracked, fix the defaced index.php file and
> assume all else is well.
>
> Don't check raw logs, change your passwords, remove the entire
> directory and rebuild from clean backups, or take any other overly
> paranoid-seeming action. When the attackers return the next day,
> scream loudly that you've been "hacked again," and it's all Joomla!'s
> fault. Ignore the fact that removing a defaced file is not even step
> one in the difficult process of fully recovering a cracked site.
>
>
More information about the Joomla
mailing list