
I have a Joomla 2.5 site with a plugin installed. That plugin sent me an email saying that someone tried to hack my site. What can I do to avoid hacking? This was the email:

** Local File Inclusion [GET:lm_absolute_path] => ../../../
** Local File Inclusion [REQUEST:lm_absolute_path] => ../../../

**PAGE / SERVER INFO


*REMOTE_ADDR :
76.8.53.131

*HTTP_USER_AGENT :


*REQUEST_METHOD :
GET

*QUERY_STRING :
lm_absolute_path=../../../&install_dir=http:// www .google. com/humans.txt?



** SUPERGLOBALS DUMP (sanitized)


*$_GET DUMP
 -[lm_absolute_path] =>
 -[install_dir] => http:// google. com/humans.txt?


*$_POST DUMP


*$_COOKIE DUMP


*$_REQUEST DUMP
 -[lm_absolute_path] =>
 -[install_dir] => http:// google. com/humans.txt?
HamZa
  • This site seems to have a good bit of info on the attack: http://perishablepress.com/protect-against-humans-txt-query-string-scans/ – Cyclone Mar 09 '14 at 00:04
  • `What can I do to avoid hacking?` Securing a website isn't a simple task. There's a lot to take into account and since you're using Joomla, it's even more sensible to attacks. Don't forget that 3rd party plugins/components are one of the big security issues that Joomla has. – HamZa Mar 09 '14 at 00:06
  • It's not getting attacked that is the problem, it is failing to fend off the attack. The attack has nothing to do with Joomla but does have to do with having a website. The suggestion in the article found by @Cyclone makes sense if you are getting basically a DDoS from the requests. – Elin Mar 09 '14 at 12:49
  • The question at: http://stackoverflow.com/q/19134180/1983389 is similar – Neil Robertson May 05 '16 at 10:59

1 Answer


My sites get attacked a few hundred times every day.

Depending on their popularity (and sheer luck) they get into "joomla" lists, or php lists, which are then tested for each possible vulnerability.

Keeping a site safe requires a lot of work. This should be enough to get you started - but is not a complete list:

  • Keep it up to date (joomla & components!)
  • make it readonly (possibly changing the owner of the files!), do not allow writing for all folders,
  • prevent execution from the folders you need to write to (cache, images usually) with an .htaccess.
  • schedule rkhunter + maldet to run hourly or daily
  • use a code versioning system so you can easily spot any new / changed files and rollback any attacks
  • use a deep packet inspection firewall - or a host that does it for you
  • use a plugin that adds extra protection to joomla - this you're doing already.
  • prevent fingerprinting
  • prevent direct execution except for index.php & administrator/index.php (ensure your components still work, this may require some tweaking)
  • keep logs (apache access_log, error_log, + log php errors)
  • read / review the logs weekly. I know it's boring, but how else are you going to learn what's going on? Some regexp might be required if you want to do something else in your life other than this. In time you'll build scripts that remove all that's normal, leaving only strange / unusual requests, at that point you can even have them mailed to you.
Riccardo Zorn
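The log-review step in the answer above, as an added example that is not part of the original answer: a small filter that drops normal requests from an Apache access log and keeps those matching the pattern in the plugin's alert (a `../` traversal value, a parameter whose value is itself a URL, an empty user agent). It assumes the Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: ip, timestamp, request line, status, size, referer, user agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                     # ../ or ..\ after decoding
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)  # value is itself a URL

def suspicious_reasons(target, user_agent):
    """Return the reasons a request resembles the probe in the alert (empty if none)."""
    reasons = []
    # parse_qsl percent-decodes names and values, so %2e%2e%2f is caught too
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value):
            reasons.append(f"path traversal in '{name}'")
        if REMOTE_URL_RE.match(value):
            reasons.append(f"remote URL in '{name}'")
    if reasons and user_agent in ("", "-"):
        reasons.append("empty user agent")
    return reasons

def review(lines):
    """Drop normal requests; return (ip, target, reasons) for the unusual ones."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format; ignored in this sketch
        reasons = suspicious_reasons(m["target"], m["ua"])
        if reasons:
            findings.append((m["ip"], m["target"], reasons))
    return findings

# Constructed sample lines (documentation IP ranges), modelled on the alert in the question
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Mar/2014:00:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Mar/2014:00:01:05 +0000] "GET /index.php?lm_absolute_path=../../../&install_dir=http://example.com/humans.txt? HTTP/1.1" 200 310 "-" "-"',
    '203.0.113.9 - - [09/Mar/2014:00:01:06 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fnotes.txt HTTP/1.1" 404 210 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for ip, target, reasons in review(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Run from cron against the current access log, the output of `review` is the list that could be mailed out, as the answer suggests.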