[Cialug] Slight OT: Joomla & Security

Josh More jmore at starmind.org
Thu May 24 07:20:14 CDT 2012


Run JoomlaScan on your installs:
http://blog.pepelux.org/2011/10/30/joomlascan-v1-3/ .  Fix what it
finds.  Remove any extensions you don't need.

Then run ClamScan on each directory structure:
http://www.clamav.net/lang/en/ . Fix what it finds.

Then manually review what remains and make sure it's needed. Install
Joomla from scratch in a separate directory and do "diff -r" against
your two targets to make sure that no PHP has been modified.  (You may
need to install it with whatever extensions you're using, depending on
what you're using.)

Once all that is done, harden your system by:
* Removing any Apache modules that you do not need.
* Disabling AllowOverride for each vhost
* Installing and tightening PHP-Suhosin (both pieces)
* Installing and configuring Mod_Security2, using the core rules and
only blocking what you absolutely must to get your site to work.
* Installing AppArmor with ChangeHat configured to isolate each site.
* Do an external scan of the server(s) with nmap, configured for all
ports, to find a hidden listening daemon.
* Write a short script that strips Write permissions for all on the
entire Joomla tree (except where needed (trial and error)) and one
that turns them back on so you can update the system.


This is what I consider the absolute minimum to run a
Joomla/Drupal/Wordpress framework live on the Internet. If you were
highly targeted, there'd be a lot more that you'd need to do.


-Josh More

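Added example, not code from Josh's post or from the Joomla project: POSIX sh functions for the "diff -r against a fresh install" check and for the lock/unlock permission scripts described above. It assumes a pristine install of the same Joomla version (with the same extensions) sits in one directory, the live site in another, and that the list of directories that must stay writable has been worked out by trial and error as the post suggests.

```shell
#!/bin/sh
# Assumed layout (not from the original post): $clean holds a fresh
# install of the same Joomla version plus the same extensions, $live is
# the deployed site, and $writable is a space-separated list of
# directories (relative to the tree root) that must remain writable.

# Report PHP files that differ from the clean install (MODIFIED) or that
# have no counterpart in it at all (EXTRA). A PHP file that a fresh
# install does not contain is the first thing to inspect after a
# compromise; a file that differs from the pristine copy is the second.
find_modified_php() {
    clean=$1; live=$2
    ( cd "$live" && find . -type f -name '*.php' ) | sort |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf 'EXTRA %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# Strip write permission for everyone on the whole tree, then hand owner
# write access back only on the directories the site genuinely needs.
lock_tree() {
    root=$1; writable=$2
    chmod -R a-w "$root"
    for d in $writable; do
        if [ -d "$root/$d" ]; then
            chmod -R u+w "$root/$d"
        fi
    done
}

# Restore owner write access on the whole tree so the site can be updated;
# run lock_tree again once the update is finished.
unlock_tree() {
    chmod -R u+w "$1"
}
```

Run the comparison after every update as well, since a clean diff is the quickest way to confirm that only the expected files changed.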


On Wed, May 23, 2012 at 2:51 PM, jrnosee <jrnosee at gmail.com> wrote:
> Anyone on here good with Joomla and its security?  I've got two Joomla
> based sites (one for my church and one for my townhomes) that I assist
> with.  They've both been hacked.  I'm trying to remove the damage but it
> keeps coming back.  I'm not sure if it's being accessed and re-hacked
> remotely or if something on the page is re-adding the malicious code.  If
> anyone could help me with this please email me off list.  I
> would truly appreciate any assistance I might get.
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug

