Automated hacking of Joomla Web sites

A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice.

If you’re running Joomla 1.5 you may have noticed queries of the sort  “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of these if you’re running a Web site with an Israel domain suffix – .co.il. This is an interesting attack vector – Islamic groups use Google to search for Israeli Web sites powered by vulnerable versions of the Joomla 1.5.x software.  If the exploit works then the results are anything from Web site defacing to taking over the admin account.

Here are 4 tips to mitigating this particular class of vulnerability:

1) Stay up to-date with the latest version of Joomla software. There are a ton of resources on the Web telling people how to do that. Use Google.

2) Less is more. The latest versions of Joomla 1.5.x have more than enough functionality for a world-class content web site. Instead of installing a bunch of vulnerable plugins – concentrate on writing interesting and relevant content.

3) Obfuscate. Remove references to “Powered by Joomla” in templates and document.php:

a. Edit the footer and document templates, you can do that in the administrator GUI.

b. Edit libraries/joomla/document/document.php and remove the Meta generator tag reference to Joomla 1.5.   I see no reason in advertising to search engines what version of the CMS you’re using.   Put anything else instead – like DotNet Nuke if you’re running Joomla on a Ubuntu box. I don’t believe you can use Google for passive OS fingerprinting like p0f.

c. Rename the admin user account – call it anything else but admin – no point in giving the bad guys an advantage.

4) Diversify your applications.    Diversification is a technique used in investing and telecommunications in order to reduce risk. Basically what it means is to distribute your application services and create a smaller attack surface on your content management site. If you need a mailing list – use one of the commercial mailing list services like Constant Contact. If you need a social network – use a commercial service like Ning or use an Open Source social networking application like Elgg. If you need a blog then use WordPress or Blogger. Diversification means not putting all your eggs in one basket – if someone hacks your server and steals a list of 5000 names, you might be liable for third party lawsuits, you may have committed a criminal offense under one of the US State privacy laws like California SB1386 or EU privacy regulation depending on where your servers reside.  If someone steals names from Constant Contact — you won’t have liability and without names, your database is a less attractive target for identity theft attacks.