Support Forum


I keep getting hacked.. how can I stop it?


artclass.org.uk has now been hacked into five times. So far the web host has managed to sort it out each time, once at the expense of me having to rebuild the entire site from scratch… but I think they aren't very happy with me and they think the fault is somewhere with Joomla or a plugin for it. It's driving me nuts. Is there anything I can do?
  • philjcoates
  • 3 Month Basic
  • 14 posts
  • Karma: 0
What Joomla version are you using?

Are you making sure the Joomla version is current?

Are you making sure the machine you use to access the site is secure? E.g. some viruses will target FTP accounts and upload files using the account details.

When you say scratch - you are not transferring any folders or .htaccess files from a hacked version to the new version?

Cheers
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603
Also, check the Joomla vulnerable extensions list and make sure you aren't using anything bad:
docs.joomla.org/Vulnerable_Extensions_List

If you have any forms on the site make sure the inputs are properly validated and sanitised.
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
I'm using 2.5. It's up to date. My site hosts provide a CP and tell me that the password-protected FTP is secure. The "from scratch" was when an old version 1.5 was hacked into. I had to literally start again with 2.5. No files were re-used. I haven't checked which extensions might be the problem but I'll look at the list… I'm thinking of buying security software. What do you think?
  • philjcoates
  • 3 Month Basic
  • 14 posts
  • Karma: 0
Hi,

The main reason for most hacked sites is an out-of-date Joomla version and vulnerable 3rd-party extensions. In addition, if you are using a shared hosting environment then there is nothing that can guarantee 100% security of your site.

Regards,
  • vietvu
  • 12 Month basic
  • 605 posts
  • 51 Thanks
  • Karma: 22
Joomla is up to date. There may be vulnerable extensions but it's not proving easy to find out which of the few I have might be a problem. The site that lists them isn't easy to use. I'm not sure what you mean by a shared hosting environment. I don't own my own server, I buy hosting, if that's what you mean…

Either way, what would be helpful would be some practical suggestions about how I might track down the hacker's route into the site and how I might protect the site in future. That nothing is 100% secure isn't useful information.
  • philjcoates
  • 3 Month Basic
  • 14 posts
  • Karma: 0
Hi,

A shared hosting environment means your server is being used to host hundreds or even thousands of websites including yours. If that server is not well configured, when a website is exploited, the attacker could gain total control of all websites hosted on that server. I mentioned this because the protection must come from both the web applications and the underlying infrastructure.

One of my clients' websites was hacked frequently even after I did everything to protect it. I contacted the hosting provider and they admitted that one of the websites hosted on the same server was exploited. Then I had to move to a VPS and have not seen any attacks until now.

Back to your issue: if you are able to read your website's access log, it could be useful to gather some information about the attacker. The following link could be useful for you:

webdesign.about.com/od/security/qt/website-security-probes-visible-in-error-logs.htm

Regards,
  • vietvu
  • 12 Month basic
  • 605 posts
  • 51 Thanks
  • Karma: 22
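
Added example, not part of the original posts: one way to triage an access log for the kind of evidence suggested above, by listing PHP files inside Joomla's upload and cache directories that the server actually served. The Apache "combined" log format, the directory list and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Joomla directories for uploads, caches and logs. A PHP file that answers
# requests from one of them deserves a look; it is not proof on its own.
DATA_DIRS = ("/images/", "/media/", "/tmp/", "/cache/", "/logs/")

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2013:02:14:09 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2013:02:15:40 +0000] "GET /images/x.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.23 - - [12/Mar/2013:02:16:02 +0000] "POST /images/stories/gallery.php HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.99 - - [13/Mar/2013:11:01:55 +0000] "POST /images/stories/gallery.php?a=1 HTTP/1.1" 200 91 "-" "-"',
    '203.0.113.7 - - [13/Mar/2013:11:05:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

def suspicious_hits(lines):
    """Return {path: {"ips", "first", "posts"}} for PHP requests inside
    DATA_DIRS that were answered with a 2xx status."""
    found = defaultdict(lambda: {"ips": set(), "first": None, "posts": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0].lower()
        if not (path.endswith(".php") and any(d in path for d in DATA_DIRS)):
            continue
        if not m["status"].startswith("2"):
            continue  # a 404 is only a probe; 2xx means the file exists and ran
        hit = found[path]
        hit["ips"].add(m["ip"])
        hit["first"] = hit["first"] or m["time"]  # earliest sighting in the log
        hit["posts"] += m["method"] == "POST"
    return dict(found)
```

The earliest timestamp for a flagged path gives a starting point for reading the surrounding log lines and for comparing against file modification times on the server.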
OK, well I've no reason to think that the issue is server side. I have several sites with the same host and none of the others is experiencing any problems. The host has been very quick to help me deal with the attacks, restoring the website and investigating the problem.
There is software for sale (e.g. OSE Security Suite) that claims to scan site files for existing malware, protect against hacker-attack patterns, examine all upload activity etc… It's not particularly cheap but the reviews are excellent. Is it likely to be worth the investment?
  • philjcoates
  • 3 Month Basic
  • 14 posts
  • Karma: 0
I will ask Rob as he has used this software a fair bit.

Have you also looked at Admin Tools Pro and RSFirewall? I've used Admin Tools Pro for a long time and like it.

I've not used RSFirewall much but people have commented on here how much they like it.

May be worth taking a look at these extensions as well.

The same guy also makes Akeeba Backup, which is a great extension and my all-time favourite - although it's not security as such, it is excellent for backups and with the pro version can be configured to auto backup to AWS.

Cheers
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603
Hi there,

Also the issue with sites getting hacked is that most hackers will add a rootkit file during the initial hack so even if you have updated all extensions they will still have access to the rootkit.

I highly recommend using that scan that Phil Taylor runs: myjoomla.com/

It's very good and will likely find any issues that it may have.

Let us know what you find.

Anthony
  • Anthony Olsen
  • LIfetime Developer - Big Bamboo
  • 23925 posts
  • 788 Thanks
  • Karma: 433
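
Added example, not part of the original posts and not a description of how myjoomla.com works: a small audit that looks for files an intruder may have left behind, which survive extension updates. It flags PHP files in upload and cache directories, PHP files changed after the last known-good restore, and calls commonly used to hide injected code. The directory list, the baseline time and the demo tree are assumptions made for the illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Joomla directories meant for uploads, caches and logs, not for scripts.
DATA_DIRS = {"images", "media", "tmp", "cache", "logs"}
# Calls often used to hide injected code. Legitimate extensions use them too,
# so a match is a reason to read the file, not proof of compromise.
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
PHP_SUFFIXES = (".php", ".phtml")

def audit_tree(root, baseline):
    """Return {relative_path: [reasons]} for PHP files worth a manual look.
    baseline is the epoch time of the last known-good install or restore."""
    report = {}
    for full in sorted(Path(root).rglob("*")):
        if not full.is_file() or full.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = full.relative_to(root).as_posix()
        reasons = []
        if rel.split("/")[0] in DATA_DIRS:
            reasons.append("php-in-data-dir")
        if full.stat().st_mtime > baseline:
            reasons.append("changed-after-baseline")
        if OBFUSCATION.search(full.read_bytes()):
            reasons.append("obfuscation-call")
        if reasons:
            report[rel] = reasons
    return report

def demo():
    """Audit a small constructed tree (file names and contents are made up)."""
    baseline = time.time() - 3600  # pretend the last restore was an hour ago
    layout = {  # path: (contents, age in seconds)
        "index.php": (b"<?php echo 'home';", 86400),
        "templates/example/layout.php": (b"<?php eval($layoutCode);", 86400),
        "images/logo.png": (b"\x89PNG", 86400),
        "images/stories/thumb.php": (b"<?php $c = base64_decode($blob);", 60),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, age) in layout.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
            stamp = time.time() - age
            os.utime(path, (stamp, stamp))
        return audit_tree(root, baseline)
```

A file that collects several reasons at once is the one to open first; a single "obfuscation-call" in a template file is often a false positive.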
So I tried Phil Taylor's scan. There was a long list of issues, of which, when I worked through them, very few were significant. I'm not sure if I'm any further forward but for the sake of keeping the thread as useful as possible to anyone else looking at this and for my own review…

Here's what was found / what I did about it.

* Enabled the cache in the site configuration - followed the instructions given
* Changed the favicon: to complete once I work out where to insert the HTML code - followed instructions from a site for which a link was given
* Updated an extension - a routine thing, isn't it
* Protect the administrator URL with a .htaccess password - this looked like it might be significant but no clues were given about how you might achieve such a thing
* Enable Gzip compression - followed the instructions given: seemed sensible for speed but nothing to do with security
* Remove files from tmp folder - just deleted them in Dreamweaver: seemed good housekeeping
* Checked suspect content in five files - the tools given with the audit allowed me to inspect the dodgy code; one was related to the code to upload things to Flickr, the others were Zen Grid's use of the eval( ) function: nothing malicious
* Reviewed and deleted PHP error log - nothing suspicious in it… more housekeeping
* Suggested installing Akeeba Backup - which I tried to do but it needs PHP 5.3 to be running and at best I'm running 5.2. I sent a note to my host provider
* Two other issues to do with the server environment and PHP configuration seemed minor and didn't come with any instructions on what to do about them, or else I couldn't follow them
* A suggestion to alter the default database prefix - came with a warning to back up the database first, which put me off using the tool provided to do the job, as I haven't been able to install the backup extension

I also changed the username from admin to something less obvious.

Will any of that make any difference to the vulnerability of the site… I doubt it. I was hoping to see some gaping hole somewhere that would explain the five recent successful hacks… go figure.
  • philjcoates
  • 3 Month Basic
  • 14 posts
  • Karma: 0
htaccess - your host should have an option to do this via your hosting setup cPanel, or set it up via an extension

favicon - it's a case of uploading to the template folder - www.joomlabamboo.com/forum/joomla-tips-and-tricks/90559-favicon#90606

the default prefix should be different from jos_ as it's not a 1.5 site anymore - no?

PHP version wise - take a look here - www.akeebabackup.com/home/news/55-general/1501-end-of-php52-support.html

I'm sure other folks will chip in but these are my initial thoughts

Cheers
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603