wooohanetworks
- Join date:
- September 2008
- Posts:
- 1239
- Downloads:
- 0
- Uploads:
- 2
- Thanks:
- 148
- Thanked:
- 138 times in 41 posts
October 19, 2008 at 4:19 am #134569
When opening the file called “CONFIGURATION.PHP” in the root directory, you will see the username and password for the admin and the username and DB name for the MySQL.
When watching the video on Joomla.org on how to install Joomla, one is taught to create this file manually, even before starting the installation. Watch this video!
This file is not encrypted at all; it is lying there in the root of any Joomla system for any hacker “to see”.
The issue about it? You think that your FTP is secure or your htaccess is 100% secure. More comes below, but be warned: a hacker does not stop when you place a htaccess in your root, he just gets challenged to do more. And what you know about what to write into a htaccess the hacker also knows, and mostly even more. He can also read the same forum posts as you, where you may even hand him the key right away by telling not only the good members your security settings and sometimes even current user/pass combos… :(( The best way to avoid hacks is to watch your behavior. Do not show off with your sites. Do not ask for too much respect for your work. Do not work with questionable business techniques on your site. Keep a low online profile when you have to, or just be yourself when you are already “low profile” and do not have to play…
REMINDER: DO NOT POST PERSONAL OR BUSINESS INFORMATION IN FORUMS, DO NOT POST OR DISCUSS LIVE SITES OR FUTURE LIVE SITES IN FORUMS, DO NOT SHOWCASE YOUR OR YOUR CLIENTS' SITES IN FORUMS, WHETHER IT IS FOR ADVERTISING, LEISURE, FUN, FOR SO OR SHOWING OFF, REGARDLESS OF WHETHER YOUR SITES ARE FOR PROFIT OR NON-PROFIT! YOU CAN ALWAYS USE THE PRIVATE MESSAGING SYSTEM.
To the main issue:
Now some webmasters forgot something. When entering some command in the browser bar and your site is not configured the right way, or better said, the usual way, you will get something like the root data below…
It is known that some sites are configured wrong by default, and when using Google picture search one will reach these directories by accident after some clicks. :cool:
Your Joomla root directory will look a bit different but will contain comparable data, like the configuration.php, index.php and all your folders, in the browser. Using a browser editor, for example, with all access permissions set too low, one can hack a site as a complete beginner without ever having actually hacked at all. The webmaster has given free access to anyone and no skills are needed to “hack”, like a shop in the mall that leaves the office door and all cash registers open and does not even place a sign saying to stay out, e.g. “Staff only” or “Thieves will be prosecuted”:
Root Directory (when clicking on “Parent Directory” one comes to the main shop site:) This is an anonymized real root of a top shop currently having all its office doors open, found via a Google search, so hitting “System” actually brought me into this directory. As I am not a hacker, I simply looked and wondered about them; at some point I was indeed shown a login screen for the admin of the shop….. ) There are more than a few live sites online that are indexed in Google including their root index, meaning a simple Google link brings one to the root index of those sites. They have the same value at Google as the other links and are treated the same way by Google; Google did not add a routine to sort those links out of their system by default, which would be easy for Google to do: to deny showing links to the root index of websites. Why? Ask Google!
Index of /shop/site
Name Last modified Size Description
Parent Directory 23-Aug-2008 03:02 –
dfiles/ 13-Sep-2007 03:11 –
home/ 13-Sep-2007 03:12 –
include/ 13-Sep-2007 03:11 –
install/ 13-Sep-2007 03:11 –
pictures/ 13-Sep-2007 03:11 –
shopadmin/ 13-Sep-2007 03:11 –
exapi/ 13-Sep-2007 03:11 –
smtpmail/ 13-Sep-2007 03:11 –
wap/ 13-Sep-2007 03:11 –
index.php (ADDED AS EXAMPLE)
configuration.php (ADDED AS EXAMPLE)
Apache/1.3.41 Server at http://www.yourdomain.com Port 80
When clicking on the folder “System” one goes here:
Index of /shop/site/exapi/System
Name Last modified Size Description
Parent Directory 13-Sep-2007 03:11 –
Collection/ 13-Sep-2007 03:11 –
Command/ 13-Sep-2007 03:11 –
Data/ 13-Sep-2007 03:11 –
Debug/ 13-Sep-2007 03:11 –
Exception/ 13-Sep-2007 03:11 –
IO/ 13-Sep-2007 03:11 –
Object/ 13-Sep-2007 03:11 –
Protocol/ 13-Sep-2007 03:11 –
Security/ 13-Sep-2007 03:11 –
Serialization/ 13-Sep-2007 03:11 –
Service/ 13-Sep-2007 03:11 –
Soap/ 13-Sep-2007 03:11 –
Text/ 13-Sep-2007 03:11 –
Web/ 13-Sep-2007 03:11 –
Xml/ 13-Sep-2007 03:11 –
*.php 07-Sep-2007 10:04 1k
and so on… :confused:
Now, thank you, dear webmaster, I am free to open your files and log into your Joomla, for example, and, in some cases, see and access all the credit card and bank account data of your clients. :-[
What to do? Actually, I also do not know it. Is there some pro here who can explain all that in detail? Then please go ahead! :)
Some things I know too:
When you work on your own server, dedicated or virtual, you have to disable root login at least. Watchdog tells you this when it is enabled and finds out that root access is possible on your server, so turn on Watchdog.
The best thing to do, though I am not a pro in these fields, is to set your folder and file access permissions the right way.
But, as Joomla does not work any more when not using 755 etc., it is sort of easy for hackers, who will have no problem at all gaining access even when the permissions are set to deny access, or even when the shown “show index of” is not possible at all.
Sorry to say, it is simply naive to think a hacker will stop at a login screen, a htaccess file or at the file permissions etc.; “there the hackers’ fun and the adventure, the challenge, just begins”.
But the normal case is that one changes the access permissions when configuring a site and forgets to change them back to more secure ones again, or even, for convenience, leaves them all on 777, for example.
Any useful comments, like how to change all that, would be appreciated, I think.
The only way I know of is to use e.g. McAfee Hacker Free Site Services, costing a few thousand dollars a year.
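As an added example (not from this post and not Joomla's own code), here is a small POSIX shell audit that builds a throwaway Joomla-like tree with the lax settings the post describes (a 777 tmp folder, a configuration.php readable by every local user, no index blocking), reports them, and then applies the safer settings. The sample tree, its file contents and all function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the post or from Joomla): audit a web root for the
# lax settings the post describes, then apply the safer ones. The sample tree,
# file contents and function names are constructed for this demonstration.

# Number of entries under $1 that are writable by "other" (777/666-style).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Succeeds (exit 0) when configuration.php in $1 is readable by every local
# user, which on shared hosting means other customers' scripts can read it.
config_is_other_readable() {
    cfg="$1/configuration.php"
    [ -f "$cfg" ] || return 1
    [ -n "$(find "$cfg" -perm -004)" ]
}

# Succeeds when the .htaccess in $1 turns off Apache directory listings.
# Caveat: this only takes effect if the vhost allows "AllowOverride Options".
indexes_disabled() {
    grep -qi 'Options[[:space:]]*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Build a throwaway Joomla-like tree with the "convenience" settings the post warns about.
make_sample_root() {
    mkdir -p "$1/images" "$1/administrator" "$1/tmp"
    printf '<?php $user="dbuser"; $password="CONSTRUCTED"; ?>\n' > "$1/configuration.php"
    printf '<?php echo "hello"; ?>\n' > "$1/index.php"
    chmod 755 "$1/images" "$1/administrator"
    chmod 644 "$1/index.php"
    chmod 777 "$1/tmp"                  # left writable "for convenience"
    chmod 666 "$1/configuration.php"    # readable and writable by anyone on the box
}

# Apply the safer settings: 755 dirs, config readable only by its owner and the
# web server's group (assumes PHP runs as the owner or in that group), no listings.
harden_sample_root() {
    chmod 755 "$1/tmp"
    chmod 640 "$1/configuration.php"
    printf 'Options -Indexes\n' > "$1/.htaccess"
    chmod 644 "$1/.htaccess"
}

report() {
    printf '[%s] world-writable entries: %s\n' "$2" "$(count_world_writable "$1")"
    if config_is_other_readable "$1"; then
        printf '[%s] configuration.php is readable by every local user\n' "$2"
    fi
    if indexes_disabled "$1"; then
        printf '[%s] .htaccess disables directory listings\n' "$2"
    else
        printf '[%s] no "Options -Indexes": listings depend on the server default\n' "$2"
    fi
}

# Demonstration run; point WEBROOT at a real site root to audit it instead.
WEBROOT="$(mktemp -d)"
make_sample_root "$WEBROOT"
report "$WEBROOT" before
harden_sample_root "$WEBROOT"
report "$WEBROOT" after
rm -rf "$WEBROOT"
```

The permission checks read only the mode bits, so the script works the same whether it is run as the site owner or as root.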
wooohanetworks
October 19, 2008 at 8:31 am #276078
One thing I would never do, and the best example is this:
Before I signed up here at Joomlart.com, I signed up at TemplatePlazza.com, also only Joomla templates and extensions.
There a big topic these days was… their site had been hacked, they had to rebuild all content, the demo site etc. and moved everything to new servers. Okay, this is the only way to handle it, but it seems they are still kind of young guys and not mature enough to handle it in an accepting way…
They posted an article about this on their new site and added “And you hacker you, did you know you have done…” and so on, like some Joomla gangsters who now officially declared war on a hacker or even the whole hacker community.
I will not wonder when they get hacked again. This is one way one should not handle a hack at all. Now they have their site on the same server as some other Joomla clubs; whether this will avoid any future hacks, there is a huge gap between belief and dream…
Another thing is not to confront any visitor, and also hackers, with claims that you have the newest software against hacks, against people who use stuff from your site without adding domains or paying for downloads, when you actually do not have it. As their knowledge is the same as the educated user's, only those who would actually never abuse your site become scared for nothing and feel very uncomfortable due to messages that rather keep customers away from your business than show them that your business is hack-free and secure where it actually is not. A lot of clubs go this way, and when you compare this to the big sites in the internet business, they have such expensive material but would never talk about it.
Thanks.
wooohanetworks
October 19, 2008 at 8:52 am #276079
Some interesting article about this topic from the Simple Thoughts blog:
Full Disclosure: NIS Security Hole / Full Access by NIS Client Root
Several years ago I noticed a big issue with NIS security at Sun, which I promptly reported hoping for a patch. Today I found out it is still there. Hopefully a full disclosure will help solve it. In a typical NFS-NIS setup, users on NIS client machines log in to their NIS accounts (like Windows users log in to their domain server). Normally root access on local machines is provided to users to make it easy to install software. In NIS, by default, the root squash feature is implemented, which prevents the local root account from accessing NIS-mounted directories. So far so good. However, unknown to most, a bug in the NIS implementation allows local root accounts to access all information in any NIS user's account.
So if you only have access to your local machine (as root), then you will be able to view all the NIS-mounted home directories of all NIS users, even if they never logged in to your machine. This effectively makes all account data like emails, programs etc. visible to almost everyone else, even that of your boss. In short, an ideal recipe for an insider attack.
The way to accomplish this is deceptively simple.
But first assure yourself that as root you cannot indeed access any NIS account’s home directory. Suppose there is a NIS user whose login is angsuman. Now as root try to access ~angsuman. You will be denied access. All you have to do is su angsuman instead. You will now be logged in as NIS user angsuman. Now you can access all the data belonging to user angsuman. Just cd ~angsuman and have fun. It is that simple!
How to protect your company as a system administrator?
Either you have to move away from NIS-based authentication or you will have to restrict access to the local root account. This has the downside of requiring more system administration work and potentially creating more bottlenecks.
wooohanetworks
October 19, 2008 at 10:47 am #276083
The best way to avoid hacks is to avoid them upfront.
The best way to avoid hacks is to watch your behavior. Do not show off with your sites. Do not ask for too much respect for your work. Do not work with questionable business techniques on your site. Keep a low online profile when you have to, or just be yourself when you are already “low profile” and do not have to play… Do not think it has value to your client when you showcase his material in forums; do not think you really make valuable advertising for your client or for yourself when posting your or your clients' work in forums. Think over your complete way of acting with property that is mostly not even yours but your clients'.
When your site is not a site that stores sensitive data like credit card information, bank account information, social security numbers with addresses and names of the people belonging to them, telephone numbers, identification documents and other valuable data people can sell for profit when reading out the databases you have, or even only the files stored on your servers, you mainly are already hack-free. BUT, PITFALLS COME IN WHEN YOU DO NOT COMPLY WITH THE RULES ABOVE, so here it is again; get it into your head, mind, brain:
The best way to avoid hacks is to watch your behavior. Do not show off with your sites. Do not ask for too much respect for your work. Do not work with questionable business techniques on your site. Keep a low online profile when you have to, or just be yourself when you are already “low profile” and do not have to play… Do not think it has value to your client when you showcase his material in forums; do not think you really make valuable advertising for your client or for yourself when posting your or your clients' work in forums. Think over your complete way of acting with property that is mostly not even yours but your clients'. Property on the internet is the same as outside. People with a lot of money and e.g. big cars get their cars stolen when not taking care of them or even showing off, as is known for some parts of societies worldwide. Even if this dream is nice, we do not all currently live in Dubai, where crime is so low and everyone has so much money that hate and jealousy will never come up. Even there, tourists should take care of their handbags and wallets when outside. Now, as the internet makes us dream and forget all that, rich animations and rich content make us think we already have a blooming, peaceful world, but that is just a dream, and most who do not dream are offended by those aspects, including the people living this dream where reality is something else for them.
Now the other types of hacks, the ones that are for profit and are mostly stealth hacks:
Serious hackers hack only for profit. It is also rare that a competing business hires a hacker to hack your site, but this too can be reality. There is also the issue of business spying: companies hire hackers to spy out the competition.
You here at Joomlart.com, working on your rather small sites, will mostly never face the issues mentioned. One thing you may face:
Case example:
You are a web designer and work on a sort of successful online store of a client. The store is currently online and you simply build a new one with Joomla for your client.
Now, you think it is not a mistake to do some advertising too, by posting your work in any forum you work with. Your signature contains relevant information about you, as you think it is good that way; people shall trust you. But, as you know, you work with material that is not yours when you post a live URL of a shop you make for a client. Now you think you have that shop on your test server and this way hackers do not know the real URL where the shop will later be online. Kind of naive, when you showcase your client's future workspace to the public and the logo and name of the shop are already present. Now you may have changed the site name and obscured everything, and do not show any reference to the shop name or how it will be called later. Oh, you still have your signature there with your company name and homepage, and on the homepage you showcase your proud work on the same projects of your clients you showcased here. Now, one look at the screenshots you gave or that were made from your top shop, showcased or even only with the URL provided to get some assistance, will make anyone (“remember photographic memory”) know with ease that the shop you later have in your homepage's own showcase was the one you presented here, only obscured, and talked about, e.g. the issues that make the site insecure. You can simply make your clients a lot of trouble with that behavior.
Now, slip into the mind of the hacker. You seek stores that process credit cards independently, not only using PayPal etc. but also offline. People send their data to the shop and the information is stored online for later use, and sometimes a later use is not only the use by your client to charge his clients for their purchases online or offline but the use by hackers to sell this data to others or even to use it right away, abuse it right away.
Which way do you think is the easiest? To go over forums like this and watch out for those designers who showcase all their pride and post anything that is actually not even their own.
Mostly they do not think about these issues, and one cannot say they do not care, but they are not aware of it and sometimes have the luck that their clients do not know they posted their property into public forums that are not secured like Fort Knox or PayPal sites etc. So, good luck, in cases where a hacker takes the easy way and does it like that: spotting the victims in forums to hack them later, namely at points in time when the old shop has already moved to the new shop you built and people know about it, also about all the errors you mentioned in the forums, what you had to do here and there, and also all the weak spots of your sites… and hacks the shops unrecognized by you or your client, never shows a “hacked” sign on the frontend or even changes anything on the server or the site, just quietly reads out all the data from your client's sites without anyone knowing about it at any point in time. The only thing people know later is that another 100,000 data sets were stolen from online shops worldwide… and among those hundreds of shops making up the total may be the one of your client(s).
The things you can do to avoid this for your client are obvious: do not be so naive and/or negligent with your property or even the property of your clients. This applies to all cases, whether for this case example or for regular behavior online.
Or, continue, know about it and do not care. What can you do when you had such a case, probably seeing in the logfiles of the sites you administer some indications that the DB that stores credit cards and bank accounts was accessed and read out from outside? Call the F.B.I. or any other country's agency that handles such cases. And on sites like that, e.g. http://www.fbi.gov, you will find the same information about this as I wrote in here; this is actually nothing new and should be basic stuff to base a business and personal behavior on, regardless of all the bad publicity about the state from some sides, e.g. television, money-making musicians of any color, race etc. who often only abuse the topic to get your bucks for anti-state props, the internet and questionable forums, blogs, sites etc., including video material and other propaganda-like material on YT and other video and social networking sites…
Just today on the homepage of the Federal Bureau of Investigation, an article about cybercrimes; check it out:
http://www.fbi.gov/page2/oct08/cyberthreat101708.html
Thanks.
Menalto
- Join date:
- May 2007
- Posts:
- 4736
- Downloads:
- 0
- Uploads:
- 43
- Thanks:
- 2
- Thanked:
- 531 times in 361 posts
October 19, 2008 at 12:33 pm #276085
And the point of these posts was?
wooohanetworks
October 19, 2008 at 12:41 pm #276086
<em>@Menalto 86865 wrote:</em><blockquote>And the point with this posts was?</blockquote>
That guys like you are one reason why sites get hacked. Even when your own site gets hacked, you have already stated you do not mind it and ask what the point is.
I think everyone can see you now; this is namely the last answer one can expect from anyone. You are not thinking about your side, nor about that of others; you simply do not care if sites are hacked, if the people here in the forum probably get big troubles when so, as they work for clients. You do not want to see that all this is sadly our reality.
The list goes on; the simple rules on how to act in a forum show exactly what not to do and what you obviously do wrong.
Thanks, see you, meaning I see you, who you are and what you stand for. And do not come to me with “credits” or anything else here.
Have a great Sunday!
mfcphil
- Join date:
- September 2007
- Posts:
- 2866
- Downloads:
- 3
- Uploads:
- 218
- Thanks:
- 211
- Thanked:
- 388 times in 133 posts
October 19, 2008 at 12:43 pm #276087
<blockquote>That guys like you are the reason why sites get hacked.
Thanks, see you, meaning I see you, </blockquote>
Are you saying Menalto got your site hacked???
mfcphil
October 19, 2008 at 12:49 pm #276088
<blockquote>The best way to avoid hacks is to watch your behavior. </blockquote>
<blockquote>Keep a low online profile</blockquote>
<blockquote>Do not think it has value to your client when you showcase his material in forums</blockquote>
I think it's time to start practising what you PREACH.
mfcphil
October 19, 2008 at 1:03 pm #276089
At 1.41pm you posted this
<blockquote>That guys like you are the reason why sites get hacked.
Thanks, see you, meaning I see you, </blockquote>
At 1.57pm you edited your post to read this
<blockquote>That guys like you are one reason why sites get hacked. Even your own site gets hacked, you already stated you do not mind it and ask what the point is.
I think everyone can see you now, this is namely the last answer one can await from anyone. You are not thinking about your side, not about the ones of others, you simply do not care if sites are hacked, if the people here in the forum get probably big troubles when so, as they work for clients. You do not want to see that all this is sadly the reality of us.
The list goes on, the simple rules how to act in a forum show exactly what not to do and what you do obviously wrong.
Thanks, see you, meaning I see you, who you are and what you stand for. And do not come me with “credits” or anything else here.
Have a great sunday!</blockquote>
MAKE YOUR MIND UP!!!
Menalto
October 19, 2008 at 1:57 pm #276090
<em>@wooohanetworks 86866 wrote:</em><blockquote>That guys like you are one reason why sites get hacked. Even your own site gets hacked, you already stated you do not mind it and ask what the point is.
I think everyone can see you now, this is namely the last answer one can await from anyone. You are not thinking about your side, not about the ones of others, you simply do not care if sites are hacked, if the people here in the forum get probably big troubles when so, as they work for clients. You do not want to see that all this is sadly the reality of us.
The list goes on, the simple rules how to act in a forum show exactly what not to do and what you do obviously wrong.
Thanks, see you, meaning I see you, who you are and what you stand for. And do not come me with “credits” or anything else here.
Have a great sunday!</blockquote>
One word from you and I ban you from the forum for 10 to 30 days, for insulting me.
shertmann
- Join date:
- September 2008
- Posts:
- 339
- Downloads:
- 0
- Uploads:
- 1
- Thanks:
- 22
- Thanked:
- 42 times in 26 posts
October 19, 2008 at 7:16 pm #276117
I want to add a few words here: if you want to open a security risk thread, that would be good, but as Menalto said, I read lines after lines of info that will not lead me anywhere.
Sorry if Menalto or any other guy has had his site attacked, but as someone once said, there is nothing you can do if a real cyber criminal decides to attack you; maybe a script kiddie or a rootkit user can be kept away with a lot of measures, or at least you can make the work a little harder.
This topic contains 11 replies, has 4 voices, and was last updated by shertmann 16 years, 1 month ago.