d@mn scammers/hackers

From: Mike Harrison 

The little Linode slice that hosts chugalug.org
and a handful of other sites had a Joomla install brute forced.
Actually nailed on October 10th, but they did not
install and abuse things until yesterday.

The apache logs show many many thousands of login/password attempts
on the two joomla sites on this system... from only two IPs, in rapid
succession, and they finally got one. Then they uploaded a new theme, with
some extra functionality in the files.

Note: Both IPs were from static ip leasing services. That's a new twist
to me... usually they are from another hacked server.

And then they went "Bank of America Customer Phishing".
This server was only a relay; it's some interesting code.

As many of you are also hosting/using Joomla and other content management 
systems, you might want to look at your logs. Moving your login/admin
urls is the first step, there are many more worth taking.

I'm out of the internet / web hosting / security business and yet, since
the beginning of September, I've been involved in 6 compromises, 2 of which,
like this one, I was partially responsible for some part of the system.
The others I was just called in to help clean up afterwards.

My relevant almost on topic point is: It seems to me the intensity, focus
and volume of hacks, compromises and abuses have seemingly increased

Be careful out there. I'm putting my uber-paranoid hat on after
about 10 years of not wearing it (all the time), you should also.

The not so nice people are out to get us all. All of us.
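For anyone taking Mike's advice to look at their logs, here is an added example (not from the original post or from Joomla) of the kind of check that would have surfaced this: it parses Apache combined-format access log lines and flags any client IP that POSTs to the Joomla administrator login more than a threshold number of times inside a short time window. The log lines, IPs and timestamps are constructed for the example; the login path is the default for a Joomla 2.5 administrator backend.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format (IP, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def admin_login_attempts(lines, login_path="/administrator/index.php"):
    """Yield (ip, timestamp) for every POST to the Joomla administrator login form."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(login_path):
            yield rec["ip"], rec["ts"]

def flag_bruteforce(lines, threshold=5, window_sec=60):
    """Map ip -> peak number of login POSTs inside any window_sec span, for IPs at or over threshold."""
    per_ip = defaultdict(list)
    for ip, ts in admin_login_attempts(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_sec:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: one IP hammering the admin login every 5 seconds, one IP logging in
# twice hours apart (normal admin use), and an ordinary GET that must not be counted.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2012:03:14:{s:02d} +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"'
    for s in range(0, 40, 5)
] + [
    '203.0.113.5 - - [10/Oct/2012:03:14:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 -',
    '203.0.113.5 - - [10/Oct/2012:09:30:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 -',
    '192.0.2.9 - - [10/Oct/2012:03:14:12 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123',
]
```

Feed it the real access log (`flag_bruteforce(open("access.log"))`) and lower `threshold` or widen `window_sec` to taste; the flagged dictionary is what a fail2ban jail or a firewall rule would act on.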

===============================================================
From: Dave Brockman
------------------------------------------------------

fail2ban probably would have helped... It can be a pain on websites at times... You're going to see more of it.... Just because I'm paranoid doesn't mean they're not after me....

Regards,

dtb

--
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Mike Harrison
------------------------------------------------------

My answer: I'm tossing the free non-paying CMS driven sites to the market. I am not in the business and wasted too much of my time helping entities that have no resources and I am now barely affiliated with. The ones I care about and will still host will have some interesting things added to their code and structures. None of them are on common CMSs. (Joomla/Drupal)

===============================================================
From: K I Goldman
------------------------------------------------------

Mike, I may have just been helping a friend look into this hack. Do you see hits like: http://www.somsitethatisnotrealbutisjoomla.org/administrator/templates/bluestork/stcp.php?action=start&time

===============================================================
From: Mike Harrison
------------------------------------------------------

===============================================================
From: David White
------------------------------------------------------

Thanks for the heads up. I don't host any Joomla sites, but do host a number of Drupal/Wordpress sites - and many of those are .orgs, some of which haven't been looked at in a while.

I've heard many, many horror stories about Joomla. Not saying Drupal and Wordpress don't have issues - they certainly do. But I never hear the amount of stories about them that I do of Joomla.

Your email reminds me that I really need to get a better logging system in place than I currently have. Now that I finally have pfSense on my home network, I might look into either a static IP or a dynDNS account and log everything here...

Sent from my iPhone

===============================================================
From: Mike Harrison
------------------------------------------------------

It's partially the code, but more the kind of people that use such things. ie: clueless.

- Joomla (and Drupal and many others..) are incredible. They enable people that can follow directions to have pretty websites.

And while using XYZ Obscure CMS is partially security through obscurity, it helps to have a lesser known front door. It's like running SSH on an odd port. It doesn't mean they can't still nail you, it does mean that when a guy is hitting port 6969 (or whatever) he wants your server a little more than average.

I could probably follow explicit directions for performing brain surgery. That does not mean I should attempt it. (Any Volunteers? he he..)

===============================================================
From: Stephen Haywood
------------------------------------------------------

So they brute forced your admin password? It wasn't a joomla 0-day?

Stephen Haywood
Information Security Consultant
W: www.averagesecurityguy.info
T: @averagesecguy

===============================================================
From: John Aldrich
------------------------------------------------------

Any known issues with WordPress? One of the groups I'm a member of uses WordPress for the CMS. Just thought I'd check.

===============================================================
From: Stephen Haywood
------------------------------------------------------

Wordpress is pretty bad too. The big thing to watch out for is the plugins for Wordpress. I have my blog hosted at wordpress.com but I would never be comfortable running my own wordpress install.

===============================================================
From: Jason Brown
------------------------------------------------------

I run somewhere around 10 WP installations, hard to remember the count. People try to get in all the time. Follow basic best practices with file permissions and passwords just like any other LAMP install and I have never had a breach. The basics here are good: http://codex.wordpress.org/Hardening

===============================================================
From: Rod-Lists
------------------------------------------------------

I see a lot of wordpress exploits and I don't run wordpress. Others may correct me but my impression is wordpress is the windows of the CMS world. Both good and bad.

===============================================================
From: Stephen Haywood
------------------------------------------------------

For anyone interested, wpscan by ethicalhack3r checks for a number of WP vulnerabilities. It is a Ruby script and is included in BackTrack5. www.wpscan.org

Stephen Haywood
Information Security Consultant
W: www.averagesecurityguy.info
T: @averagesecguy

===============================================================
From: Jason Brown
------------------------------------------------------

Definitely good and bad. These lists are really much longer, and there is a lot of overlap.

good: Easy for an average computer user to update content, navigation, etc if the templates are done correctly. Low admin maintenance. Easy to setup. Low resource usage, large plugin base.

bad: Easy for Joe six pack to install, one click installer in most hosting packages, just like anything else default installs are insecure. Large plugin base, lots of articles on how to do "X" with wordpress that are terrible. (The ones I love are the ones that run php code embedded in your blog posts / pages. ACK!)

--Jason

===============================================================
From: Mike Harrison
------------------------------------------------------

Well, not MY password, but the web dude for the non-profit I was hosting's password.. Yeah, best I can tell it looks like a direct brute force. I have another Joomla website run by a clueful guy they were trying the same thing on. (He is IT at Unum during the day, and the site seems updated and clueful, we relocated the /administrator directory anyway.) Maybe a 0 day helped, but it seems to be a rapid targeted brute force at the /administrator logins.

Keith, what did you see?

===============================================================
From: K I Goldman
------------------------------------------------------

Looks like it was brute force. The apache error log for the site averages 1 MB/week. That week it was 64GB.

Keith