Beerwin's World of Stuff

things for, on and about web

Newsflash

Due to lack of interest in my desktop projects (PlainHTML, ShutDownerXP, and newly, WE editor), I decided to shut down all activity regarding desktop projects, this time for good.

In the meantime, I've found my code editor of choice in the great Eclipse editor, so this is another reason not to develop "yet another web editor". Many third-party components used in my projects are too buggy to continue development, some of them are outdated, and I don't have time to fix them all. It's a waste of my time, and it will lead to nothing. I'm committing my time to PHP development from this time forward.

The BWS project will be cut down to a minimum, and the forum section will be shut down. I will archive the site, and remove pretty much everything not related to PHP development and web design.

I am introducing a new feature: Logging in with GMail account credentials.

I believe this will be a good idea, since it won't require registering on the BWS site.

I began to upload some new kind of stuff, widening the content scope of this site. When new information is too valuable to be collected by different content bots, I will put it behind authentication.

User accounts created for the forum are member accounts, thus enabling you to see these internal articles.

Sign Up here for free!

There is a new template available on BWS: Silver Plating

This is a new template for larger sites, portals, community sites, galleries, etc.


Old web templates were dropped, because they are out of date, did not comply with today's standards, and many more reasons.

Those templates will not be available anymore.


How to protect your Joomla! installation?

If you are a Joomla! user, you have probably already had your web site(s) infected by some kind of malware, or just injected with some ad code.

This is really annoying, and sometimes requires rebuilding your site from scratch.

Here is a way of securing your Joomla! installation.


Joomla! has a weakness that comes from its design, and that is its installation system, combined with the way PHP is commonly deployed. Many servers run PHP as an Apache module (mod_php), which means PHP code runs as the web server's own user. If this is the case with your hosting provider, this article is for you.

When you are installing an extension, Joomla! uploads the .zip or .tar.gz file, unpacks it and places its contents in specific directories, as the extension requires. If you uploaded your Joomla! files yourself, you presumably did so using FTP, so those files are owned by your FTP user. However, any files created by Joomla! (including those unpacked by the extension manager and installer, the Media Manager, or any other component) are owned by a user called apache or www-data (the exact name depends on the distribution), which is the Linux user running the web server and PHP.

And here is the source of the problem: you don't have control over those files created by Joomla!/Apache/PHP. These files can be written freely by the web server process, and if the server is infected, or there are any malicious scripts on it (or maybe in your folder) and they get executed (also by the Apache process), they can infect all the other files/folders owned and/or writable by the apache or www-data user.

For this, you will have to know about file permissions (under Linux/Unix; if you have used FTP before, you will know what I'm talking about), but here is a brief explanation:

A file or directory on a Linux/Unix file system has a set of attributes, which include the permissions:

In an FTP client, or in a Linux file listing (ls -l), you will see them like this, for example:

  • for a directory: drwxr-xr-x, or 755
  • for a file: -rw-r--r--, or 644

The first character shows whether the file system object is a file (-) or a directory (d).

The other nine characters are the file permissions: read (r), write (w) and execute (x). Execute on a file means (roughly) that it can be run as a program or script from a shell (bash). On a directory the bits mean something slightly different: read (r) lets you list the names in it, and execute (x) lets you enter it and access the files inside it by name, so a directory needs x for almost any practical use.

Users on a Linux/Unix system are handled in three ways (in relation to files, folders, etc.): owner (normally whoever created the file, but ownership can be transferred with chown), group (the group assigned to the file), and others (anyone else).

So, the permissions are grouped like this:

u means user (owner), g means group, o means others

u  g  o
rwxrwxrwx
7  7  7

This example shows a file readable, writable, and executable by anyone. Each group of three letters is also written as one octal digit, adding r = 4, w = 2 and x = 1: rwx is 7, rw- is 6, r-x is 5 and r-- is 4, which is how rw-r--r-- becomes 644.

Normally, all the files you upload via FTP will have default permissions of rw-r--r-- (644) for files and rwxr-xr-x (755) for directories. Alternatively, you may have rw-rw-r-- (664) for files and rwxrwxr-x (775) for directories. You should never have rw-rw-rw- (666) or rwxrwxrwx (777); at the very least, the third group/digit (others) should be r--/r-x (4 / 5).

Now, returning to the Joomla! installation: whatever Joomla! does with files, it creates them as the Apache process. Usually you can't write these files, but the Apache process can, and if an infected file is executed by the Apache process, the malicious script inside it implicitly has write access to all the files owned by Apache, and to all of your files writable by everyone (rw-rw-rw-/rwxrwxrwx or 666/777). If the apache/www-data user is in the same group as your FTP/SSH user, the script will have access to your group-writable files (rw-rw-r--/rwxrwxr-x or 664/775) as well.

The results can be devastating to your site (not only to your Joomla! installation, but to your other scripts as well; some sophisticated scripts are even capable of modifying your image files (JPEG, GIF, PNG)). The best-case scenario is that your site simply stops working (when the injected script is sloppy and breaks your PHP code), but this is not the common case. Worst-case scenarios occur often: your pages display various ads (sometimes offensive, or content not suitable for children), or, even worse, your site infects your visitors' computers with malware, adware or spyware, or is turned into a phishing site. None of these outcomes is desirable, and it may go as far as your site being suspended or deleted by your hosting provider, or even a lawsuit against you. This is serious.

Now, the technical stuff:

  1. Make sure you have installed all the Joomla! extensions and patches you need, since the installer will no longer be able to write to the tree once you are done.
  2. Copy your files to your computer (or, if you have SSH access to your site, to a directory outside your web root, which cannot be accessed by Apache), just to be sure.
    If you have root access to your server, just chown all the files in your Joomla! installation to your user, and skip the following two steps.
  3. Delete all the files and folders in your Joomla! installation.
  4. Copy the files (you had copied earlier) back to where they were. (Now all the files will belong to you, not to the apache or www-data user, because a file is owned by whoever creates it.)
  5. Change the permissions so that only the owner can write: rw-r--r--/rwxr-xr-x or 644 / 755, recursively (most FTP clients can do this, by ticking a checkbox labelled something like "apply permissions recursively"; check that the client applies 644 to files and 755 to directories rather than one mode to both). If you have shell (SSH) access, run these commands:
    • for files: chmod 644 <yourfile>
      where <yourfile> means the file on which you wish to change permissions
    • for directories: chmod 755 <yourdirectory>
      where <yourdirectory> means the directory you are setting the permissions on. Be careful with chmod -R 755 <yourdirectory>: -R means recursive processing, and it would also set every file inside the directory to 755, i.e. mark it executable; either apply -R only to directories and fix the files afterwards with chmod 644, or set the two types separately.
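As an added example (not code from the original article or from the Joomla! project), here is the ownership/permission check from the explanation above and step 5 of the procedure as a shell script. web_writable_paths lists everything under a tree that a process running as a given web server user and group could write (owner-writable and owned by that user, group-writable in that group, or world-writable), harden_joomla_tree applies 644/755 with find so that files and directories are handled separately, and count_nonconforming verifies the result. The web user/group names (apache, www-data), the paths, and the sample tree built by make_sample_tree are assumptions made for illustration; it works on any POSIX find.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a Joomla! tree for
# anything the web server process could write, then apply the 644/755 scheme.
# Assumptions: a POSIX find with -user/-group/-perm; the web server user and
# group (e.g. apache/www-data) are passed in by name or numeric id; the sample
# tree built by make_sample_tree is constructed here purely for illustration.

# Print every path under $3 that a process running as user $1 and group $2
# could write to:
#   - owned by that user and owner-writable (the apache-owned files the
#     extension installer leaves behind), or
#   - group-owned by that group and group-writable (664/775 when the web
#     server shares your group), or
#   - world-writable (666/777) regardless of owner.
web_writable_paths() {
    webuser=$1; webgroup=$2; root=$3
    find "$root" \( -user "$webuser" -perm -200 \) \
              -o \( -group "$webgroup" -perm -020 \) \
              -o -perm -002 2>/dev/null | sort -u
}

# Same check as a plain number, handy for a before/after comparison.
count_web_writable() {
    web_writable_paths "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Step 5 of the procedure: 755 on directories, 644 on files.
# Handling the two types separately avoids the classic mistake of running
# "chmod -R 755" on the whole tree, which also marks every PHP file executable.
harden_joomla_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Verification: number of entries that still deviate from 755/644.
count_nonconforming() {
    root=$1
    { find "$root" -type d ! -perm 755; find "$root" -type f ! -perm 644; } \
        | wc -l | tr -d ' '
}

# Constructed sample tree (not real Joomla! files) with the kind of sloppy
# modes an installer or the Media Manager can leave behind: 777 directories,
# 666 files and a group-writable configuration.php.
make_sample_tree() {
    root=$1
    mkdir -p "$root/components/com_demo" "$root/images/stories" "$root/tmp"
    printf '<?php // component entry point\n' > "$root/components/com_demo/demo.php"
    printf '<?php // settings\n' > "$root/configuration.php"
    printf 'GIF89a' > "$root/images/stories/logo.gif"
    chmod 777 "$root/tmp" "$root/images/stories"
    chmod 666 "$root/components/com_demo/demo.php" "$root/images/stories/logo.gif"
    chmod 664 "$root/configuration.php"
}

# Usage on a real site (run as the FTP/SSH user that should own the files;
# the path and user names are assumed):
#   web_writable_paths www-data www-data /var/www/joomla   # audit
#   harden_joomla_tree /var/www/joomla                     # fix
#   count_nonconforming /var/www/joomla                    # expect 0
```

Run the audit twice: once with the web server's user and group, and once with your own. The second run shows the ownership point made above: every file you own is writable by you no matter whether it is 644, which is exactly why apache-owned files are the problem and why the tree has to be re-created (or chowned) before the chmod step does any good.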

After you have set the permissions on your Joomla! installation files, neither the Apache process nor anyone else except you will be able to write to them. Two caveats: the web server still needs read access (the 4 in the "others" digit), and Joomla! itself needs a few directories to be writable in order to function (typically cache, tmp and logs; Joomla!'s System Information page lists the directories it expects to be writable), so either leave only those writable by the web server, or expect the installer and the Media Manager to fail until you temporarily relax the permissions again. Additionally, make sure your FTP/SSH credentials are kept safe, since with this scheme they are the remaining way to write to your site.

