hacking

  • Backdoors

    Website backdoors are stealthy mechanisms designed to bypass normal authentication to allow attackers persistent access to a website’s backend, long after the initial breach. This continued access facilitates repeated infections, even if the original malware is cleared. Detecting backdoors poses a significant challenge due to their diverse formats and the variety of specific tasks they are programmed to perform within a compromised website or server environment.

  • Brute Force Attack

    A brute force attack is just a trial and error process, that runs repeatedly to obtain the correct username and password information. An automated software is being used in this process which does not decrypt the information but just continue trying with set of words and letters.. Millions of IP’s and huge number of computers are involved in this process to check different username and password combinations and avoid triggering multiple attempt limits.

  • Choose your extensions carefully

    Choose your extensions wisely - one basic rule when you develop a Joomla site. And same applies to you, weekend webmasters! Your site is a sitting duck, waiting for hackers (especially script kiddies. Well, easy to say it, but what can be seen as "wise" choice here?

  • Clean Hacked Website Files

    By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.

    Caution

    It is important that you compare the same version of your Joomla! core files and extensions. Core files on the 2.x branch are not the same as the 3.x branch and so on.

    Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

    To manually remove a malware infection from your Joomla! files:

    1. Log into your server via SFTP or SSH.

    2. Create a backup of the site files before making changes.

    3. Search your files for reference to malicious domains or payloads you noted.

    4. Identify recently changed files and confirm whether they are legitimate.

    5. Review files flagged by the diff command during the core file integrity check.

    6. Restore or compare suspicious files with clean backups or official sources.

    7. Remove any suspicious or unfamiliar code from your custom files.

    8. Test to verify the site is still operational after changes.

    If you can't find the malicious content, try searching the web for malicious content, payloads, and domain names that you found in the first step. Chances are that someone else has already figured out how those domain names are involved in the hack you are attempting to clean.

    Diff tools to compare suspicious files with known-good copies:


     

  • Clickjacking

    Is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. On a clickjacked page, the attackers load another page over it in a transparent layer, in most cases using HTML FRAME based techniques. The users think that they are clicking the buttons they are actually seeing, while they are in fact performing actions on the hidden page. This way the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.


     

  • Cross Site Scripting (XSS)

    Cross Site Scripting is a hacking technique whereby malicious scripting code (usually javascript) is injected into user input forms (in a similar way to SQL injection attacks) or incorporated in a URL query string.

  • CSRF Attack

    A Cross Site Request Forgery (CSRF) attack relies on the trust a website has for a user to execute unauthorized requests and or transactions. For example, say a user is logged into their Joomla! websites' administrator interface in one tab and is browsing a compromised site in another tab.

  • Denial of Service Attacks (DOS, DDOS)

    A denial of service attack takes place when a hacker overloads a system with large or repeated requests for a service.

  • Directory Traversal

    A website is stored within a file system on a server. Some of the server's file system is therefore exposed to the outside world and can be accessed by an end-user's web browser. The part of the file system (or directory structure) that is visible to the outside world is limited to a specific root folder and its contents.

  • Disable the user name "admin"

    In various blog posts, security bulletins, etc. you can read, that you need get rid of the default "admin" user with Super Administrator privileges (and with the default UserID of 62 or 42 - depending on Joomla version) to prebent hackers using the well known username and user ID to start dictionary attacks or carry out successful SQL injection attacks against your site, but how? If you go to Joomla user manager, and want to simply delete it, you can't. More, you can't even disable it! WTF...
    Hey, it's not that complicated!
    Let me show you how can you do it in a simple - and fool-proof way!

  • Full Path Disclosure

    Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection ) query to view the page source, require the attacker to have the full path to the file they wish to view. Then the attacker can use this info to perform other type of attacks based on the obtained information.

  • Hacktools

    Hacktools are specialized tools used by attackers to exploit vulnerabilities in CMSes for unauthorized access or malicious purposes.

  • Help, I was (almost) hacked!

    Pissed off, eh? Me too! After you put together your site (small or big, hobbyist site or a large corporate one) and installed all the security gizmos available out there you began to receive all kind of alerts about hacking attempts. This is the good scenario - succesful hacking attempts usually aren't reported: you experience the sometimes devastating effects by visiting the site.

    Anyway, you probably get frustrated over time, and you definitively will try to do something above just stopping these attacks.

  • How to Remove Malware & Clean a Hacked Joomla Site

  • How to Remove Malware & Clean a Hacked Joomla Site

  • HTTP Sniffing

    HTTP stands for 'HyperText Transfer Protocol', and it is the mechanism used to transfer data from one computer to another across the Internet. You can use HTTP to request information from a server, or to send information to a client by wrapping the request or data in a 'packet'.

  • I want the print and email icons back as in previous Joomla!

    A client called me one of these days with this request. He told me, that what was once a simple one click action to print, email or edit an article in frontend in Joomla 1.5 has became an uncomfortable, two click  process, which in some devices proved to be increasingly difficult. After a bit of digging around I found for him an easy to implement template override which make him happy.

  • Infinite loop detected in JError

    Today I have faced a strange, never seen before error. I have worked on recovering a server with couple of old Joomla sites after a major crash, when one of sites ceased to "fly" again, and showed up nothing else but a white screen with this text:

    Infinite loop detected in JError

  • JavaScript hijacking

    JavaScript hijacking is a technique that an attacker can use to masquerade as a valid user and read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML). Nearly all major Ajax applications have been found vulnerable.

  • Locate modified files

    If files have been modified on your server, or files have been uploaded for instance, you can check the timestamps on those files to find out when the attacker was on your site. This is typical in the case of sites being defaced or malicious code being injected somewhere. Most of the time, the attacker will have gained access to your site shortly before modifying or uploading files to it.

Page 1 of 2