Joomla! Web Security

Tools, Tools, and More Tools

The Joomla! community has many highly talented and creative thinkers. These wonderful programmers have created several important tools for protecting and diagnosing potential security threats to our Joomla! sites.

Some of these tools, such as the HISA tool set, are released under the GNU/GPL license, while some are released under a commercial license.

The developers behind these tools also offer commercial services that you may wish to take advantage of.

In our tour of the Tools section, we'll begin with a wonderfully well-written set of tools from www.justjoomla.com.au. The first tool is known as the Health, Installation, Security Audit, or HISA for short. It comes in two flavors: a stand-alone script that you run once before installation, and a suite of components and modules for ongoing use.

HISA

HISA is a stand-alone tool that provides a quick assessment of your server environment to determine if your host setup is appropriate for a Joomla! site. This is the tool to run before you start, as it will save you a lot of frustration. It focuses on a few key areas that can trip you up if you aren't aware of or careful about them.

[Screenshot: HISA server-environment checklist]

The order of this list is slightly different on the current (at the time of writing) version. Nonetheless, as part of our installation planning, we should be aware of the changes that need to be made to our host, in order to accommodate our setup and avoid the obvious security holes.

[Screenshot: HISA platform information]

Some information has been removed from the screenshot, but it will be available to you during installation. We can see what platform we are running on, which lets us research the known vulnerabilities of Linux kernel 2.4.21 and determine whether we are at risk. In the previous image, we can also see that we're on an Intel (i686) platform.

Installation Check

The first screen you will see after you run the installation check is the assessment of the health of your site. While there's not a "standard" by which you can judge your health, it's a good metric to determine if you have problems.

In the following example, we are not quite at 100%; we're sitting at 92%, and the reason can be seen in the advisory. This is a great place to determine your health.

[Screenshot: Installation Check at 92%]

When we scroll to the Installation Check, we can see that according to HISA we have a 92% rating. This is pretty good, but since session.save_path is not writable, we may experience some oddities with the administrator login (PHP cannot persist the session). This is a functional problem rather than a security risk.

Web-Server Environment

The web-server environment is where Joomla! actually runs, so a weakness there undermines everything above it. Using the following screenshot, we can determine very quickly the versions of Apache and our other modules, and whether any of them is critical. We can see in the following image that FrontPage/5.0.2 is loaded. The FrontPage Server Extensions are attack surface we do not use, so we would want them removed.

[Screenshot: Web-Server Environment]

Here is a treasure trove of information about our environment. Again, some information has been removed from publication (in this case, the site IP and the server admin e-mail). If we do a quick search for vulnerabilities in Apache 1.3.39, we will find that it is the release that fixed the two issues below in September 2007. More information can be found at http://httpd.apache.org/security/vulnerabilities_13.html:

Fixed in Apache httpd 1.3.39

moderate: mod_status cross-site scripting CVE-2006-5752

A flaw was found in the mod_status module. On the sites where the server-status page is publicly accessible and ExtendedStatus is enabled, this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best not to make this publicly available.

Update Released: 7th September 2007

Affects: 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2

moderate: Signals to arbitrary processes CVE-2007-3304

The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service.

Update Released: 7th September 2007

Affects: 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

If we follow the first link to CVE-2006-5752, we can locate a lot of information on it. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752

Our server is running Apache 1.3.39, and we know that the server was restarted in late September 2007. We can deduce that our host probably applied this update in late September, which caused the Apache restart. Treat this as a hypothesis to confirm with the host, not as proof that the patch is in place.

Moving further, we can check our version of mod_ssl using the same method. Nothing came up in our search immediately, but I did find this interesting tidbit that should convince you that the security of your Joomla! site needs to be taken seriously. The following is from a real posting on a hacker site:

Need help exploiting a cms

________________________________________________________________________

Joined: ########### Rank: ############

Posted on 22-11-07 21:59

No, I am not asking you to hack a website for me, but I really need help. I have been trying to break in to a Joomla-powered website; the reason is betrayal and revenge (he threw me out of biz).

I am not a total noob+ at hacking, but I don't practice hacking full time. This is my 3rd login to this website and you can know more about me in my profile.

The site is running Joomla 1.3 or 1.5, Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b

X-Powered-By: PHP/4.4.4. It's a cPanel install.

The site recently moved to a dedicated server (VDS?). I tried sniffing ports but nothing came up. Also looked in the Joomla bugtracker but couldn't find much. A simple rhs attack, but the site isn't cached (Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0) so it's useless too.

_____________________________________________________________________

A simple search for mod_ssl/2.8.30 uncovered this person's angst and desire for revenge.

It sounds a lot like my configuration, doesn't it? Why did I show this to you? If you were running a version with a known vulnerability, this fellow would know it and might be able to exploit you. Unless we keep track of such versions ourselves, we could become the target of the same exploit.

Meanwhile, in HISA, we see the version of SSL running, that we have the FrontPage Extensions installed, and so forth. We need to have quite a bit of information at hand, and so does an attacker, which is why the tool must not be left on a public site.

Required Settings for Joomla!

Joomla! runs best if you set it up properly. Yes, it is a cliché, but it's still important. The following screen gives us a view of the critical settings. Again, we see that the Session save path is Unwriteable. This is the only item of medium concern in our install.

[Screenshot: Required Settings for Joomla!]

Recommended Settings

The items in this particular screen should really be called "required" rather than recommended. The wrong settings for Magic Quotes, Safe Mode, and Register Globals were responsible for many problems in Joomla! sites in the past, and setting them incorrectly can allow an attacker to exploit the site.

[Screenshot: Recommended Settings]

Interestingly, the tool lists Register Globals as recommended rather than required. Whatever your personal stance on writing secure code, you should always set this to Off for your Joomla! site. It's like gravity: "not just a good idea, but a law."

The HISA tool is of great value and should be a part of every Joomla! installation. Running this beforehand will help to make sure that you have set up the site properly.
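HISA reads these values out of the live PHP configuration; the same check can be scripted against a php.ini so it runs before every deployment or from cron. The following shell script is an added example, not HISA's code and not from the book. The policy it enforces (register_globals, safe_mode, magic_quotes_runtime and display_errors Off, and a writable session.save_path) and the sample php.ini it audits are this example's own assumptions, as is the script name php_audit.sh; magic_quotes_gpc is deliberately left out of the policy because the value the installer expects depends on the Joomla! version.

```shell
#!/bin/sh
# Added example (not HISA's code): audit a php.ini for the directives HISA
# reports on. Policy assumed by this example: register_globals, safe_mode,
# magic_quotes_runtime and display_errors must be Off; session.save_path must
# be a writable directory. Check the policy against your Joomla! version.

# ini_value FILE KEY -> last value assigned to KEY (comments, blanks and quotes
# stripped); prints an empty line if KEY is not set in FILE
ini_value() {
    sed -e 's/[;#].*$//' "$1" | awk -F= -v key="$2" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                gsub("\"", "", v)
                last = v
            }
        }
        END { print last }'
}

# is_on VALUE -> true if PHP treats VALUE as enabled (1, On, True, Yes)
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_php_ini FILE -> prints one finding per line; returns 1 if any
# CRITICAL finding, 0 otherwise (INFO and WARNING lines do not fail the run)
audit_php_ini() {
    local ini="$1" bad=0 key got path
    for key in register_globals safe_mode magic_quotes_runtime display_errors; do
        got=$(ini_value "$ini" "$key")
        if [ -z "$got" ]; then
            printf 'INFO     %s not set here; confirm the effective value with php -i\n' "$key"
        elif is_on "$got"; then
            printf 'CRITICAL %s=%s (must be Off)\n' "$key" "$got"
            bad=1
        fi
    done
    # the "Session save path is Unwriteable" check from the HISA screen
    path=$(ini_value "$ini" session.save_path)
    if [ -z "$path" ]; then
        printf 'INFO     session.save_path not set; PHP falls back to the system temp directory\n'
    elif [ ! -d "$path" ] || [ ! -w "$path" ]; then
        printf 'WARNING  session.save_path=%s is not a writable directory\n' "$path"
    fi
    return "$bad"
}

# write_sample_ini FILE -> constructed php.ini fragment (not from any real
# host) reproducing the book's scenario of register_globals switched back on
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini
register_globals = On
safe_mode = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
display_errors = Off
session.save_path = "/nonexistent/php_sessions"
EOF
}

# Usage: sh php_audit.sh /etc/php.ini   (no argument runs the constructed sample)
if [ -n "${1:-}" ]; then
    audit_php_ini "$1"
else
    tmp=$(mktemp -d)
    write_sample_ini "$tmp/php.ini"
    if audit_php_ini "$tmp/php.ini"; then echo "clean"; else echo "findings present"; fi
    rm -rf "$tmp"
fi
```

On the constructed sample the script prints a CRITICAL line for register_globals and a WARNING for the unwritable session path, then exits non-zero, which is what you want from a cron job or a deployment hook. Note that php.ini is not the whole story: a host can override directives in .htaccess (php_flag) or a per-directory .user.ini, so the INFO lines point you to php -i for the value PHP is actually using.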

An important note: it is advised to remove this tool as soon as you have the needed information. Since it provides a huge amount of information, it could be used to research your site for an attack. The talented folks at justjoomla.com.au have also produced a more advanced suite of tools, consisting of a component and a module set.

An addition to this powerful combination is:

Post-Joomla! Installation Server Environment Audit:

This provides you with a wealth of information about your site after installation, and a good tool box for keeping it functional and running at peak performance.

In addition to performance, should something go awry with your site, the trouble-shooting and problem resolution power that the component provides to you are beyond comparison. You can obtain diagnostic and configuration information to speed up the process of problem resolution. This information is wider and deeper than that of the HISA tool.

This tool has plans (via placeholders) to offer more functionality in the future, such as database optimization tools and more. Even today, it offers a great deal of information and helps by providing you with a good method to improve your security. Additionally, it can also provide you a template for some critical information needed for disaster recovery.

[Screenshot: Recommended Settings]

Joomla Tools Suite with Services

This is the whole enchilada (to use a very American term): It gives us the dashboard, the errors, and a full directory of information, including open ports, services running, etc.

In the following figure, the host has several services disabled: POP3, HTTPS and SMTP, among others. Interestingly, it also shows that we're not running MySQL on our box, but on another machine in the network.

[Screenshot: Joomla Tools Suite with Services, services list]

Another piece of critical information is regarding the "ports" that are open on our particular system. This is the knowledge you need because an open port is like an unlocked door. Servers are "port-scanned"—the process of looking for open ports—on such a regular basis that it's ignored by the perimeter defences in many cases. However, port-scanning is an important and powerful tool in the pre-attack scenario by hackers.

[Screenshot: Joomla Tools Suite with Services, open ports]

All is good! No unexpected ports. Keeping an eye on this particular metric is a very good idea.

The other submenus provide a great deal of detailed information, such as permission on various files, giving you a visual indicator of Success, Warning, Critical, and so on. This should be reviewed anytime you make a change to your site. Later in this chapter, we'll review a proactive tool, JCheck, which gives you a warning based on any change it finds.

Returning to our first screen, we learn a great deal about our site.

How's Our Health?

Great! After following some of the advice from the tool, we see that this screenshot shows us having 100% health. That means we have all the required and recommended settings set up properly.

[Screenshot: site health at 100%]

The JTSuite indicates that we have done everything right and can go live with our current configuration. We can continue looking at our settings, but the 100% assessment rating should give you confidence that everything is set up correctly.

However, what if something were to change? Say Register Globals is turned on?

[Screenshot: site health after Register Globals is enabled]

Logging into the tool, we can see at a glance that our site is in need of some care. If you were at 100% and all of a sudden dropped to 77% because register_globals had been enabled, then you know that someone or something has tampered with your site, or that your host has changed its PHP configuration underneath you.

This is the information provided at a dashboard view about PHP:

[Screenshot: PHP dashboard view]

The dashboard tells me in brief about my PHP environment, including one interesting statistic: note the Zend information in this screenshot. If you are running an encrypted component that relies on Zend, you will need to know what the host supports. In our case, we are running a shared-hosting account with GoDaddy.com. We needed the latest Zend version, which according to the Joomla! forums could not be done; however, we were able to upgrade it. We can review our Zend information via the PHP tab on the main dashboard: click COMPONENTS | JOOMLA TOOLS SUITE | JOOMLA TOOL SUITES WITH SERVICES, click the PHP tab on the left, scroll down, and note the Zend information.

[Screenshot: Zend information on the PHP tab]

We have a PHP environment, and it's important to know what key settings are in place.

[Screenshot: key PHP settings]

In this case, we can see that the Register Globals, Magic Quotes, Safe mode, and more are in the preferred state. However, if we were to change something like Register Globals, the screen would change to the following screen:

[Screenshot: PHP settings with Register Globals changed]

The need for proper permissions on files is absolutely vital, and yet is often overlooked. Sometimes the users cast blame on the application, the host, or the phase of the moon. The Tool Suite gives us a great view of all permissions. Here is a partial view of that screen:

[Screenshot: file permissions view (partial)]

In addition, the good folks at justjoomla.com.au have provided us with a wonderful module that can give our end users the confidence that the site is set up for optimal security. The Joomla! assurance module displays a logo that changes according to the health of your site. Let's say your health is around ninety percent. You will see this displayed on the front of your site:

[Screenshot: Joomla! assurance module logo, health at or above ninety percent]

However, if your health is below ninety percent, you get a different visual clue as shown in the following screenshot:

[Screenshot: Joomla! assurance module logo, health below ninety percent]

The importance of security of sites and personal information is increasing almost hourly, as the attacks are more organized and directed. Just reading about a large retailer's incident, in which its site was penetrated, resulting in the loss of several million credit card numbers, is bad enough. Sites are being scrutinized at the highest levels. It is important to give yourself and your end users the assurance that you are doing everything you can to have a secure site. This tool is HIGHLY recommended to help you in that effort.

You can obtain the full suite of tools from www.justjoomla.com.au. It provides an impressive array of services for your Joomla! site. One of the most interesting ones is a managed service. They will take care of your site, allowing you to focus on delivery of content, goods, and services. Take some time to review their offerings, which are good.

Mr. Adam von Dongen, of http://www.joomla-addons.org, is the author of the GNU/GPL tool Joomla! Diagnostics.

This tool provides a post copy/installation test of your Joomla! site, giving a detailed report on files that are missing, corrupted, or that have errors and omissions.

[Screenshot: Joomla! Diagnostics report]

Running this against a site, we discover that there is a potential problem with the installation. We see a WARNING showing that the file is corrupted or altered. In the first example, we see globals.php has been corrupted or altered. The tool is comparing a hash against that of the original. In this case, the original file had this line in it:

define( 'RG_EMULATION', 1 );

We know this setting is wrong, so we change it to:

define( 'RG_EMULATION', 0 );

Because we deliberately changed the file, its hash no longer matches the original and the tool flags it. In this case the warning is expected, and that is the point: you should be able to account for every file the tool flags.

Note

In the most current versions, this modification is no longer required, as there is a setting in the Global Configuration of Joomla!

The one that should catch our attention is the Security warning in the last line in the previous figure. It says File does not contain a _VALID_MOS. Read more.

Clicking the Read more takes us to Joomla-addons.org, explaining that the file in question is missing the ever-so-critical code to prevent terrible things.

Every included file in Joomla! 1.0 (and Mambo) should contain the following line of code, which stops the file from doing anything when it is requested directly rather than through index.php (Joomla! 1.5 uses the _JEXEC constant for the same purpose):

defined ( '_VALID_MOS' ) or die( 'Restricted access' );

Having this list handy enables us to address extensions that put us at risk.
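Joomla! Diagnostics reports the missing guard one file at a time; the same check over a whole extensions tree is a short script. The following is an added example, not Joomla! Diagnostics' code and not from the book: it lists every .php file that neither defines the constant (an entry point such as index.php) nor tests it with the guard line above, for both the _VALID_MOS and _JEXEC spellings. The mini site it builds is a constructed sample, not real Joomla! code, and the script name guard_audit.sh is this example's own.

```shell
#!/bin/sh
# Added example, not part of Joomla! Diagnostics or the book: list PHP files
# that lack the direct-access guard. Joomla! 1.0 and Mambo use _VALID_MOS,
# Joomla! 1.5 uses _JEXEC; a file that defines the constant is an entry point
# (index.php and friends) and is skipped.

GUARD_RE="defined[[:space:]]*\([[:space:]]*['\"]_(VALID_MOS|JEXEC)['\"][[:space:]]*\)"
DEFINE_RE="define[[:space:]]*\([[:space:]]*['\"]_(VALID_MOS|JEXEC)['\"]"

# find_unguarded_includes DIR -> prints every *.php under DIR that is neither an
# entry point nor protected by the guard, one path per line, sorted
find_unguarded_includes() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        grep -Eq "$DEFINE_RE" "$f" && continue      # entry point: defines the constant
        grep -Eq "$GUARD_RE"  "$f" && continue      # guarded include
        printf '%s\n' "$f"
    done
}

# make_sample_tree DIR -> a constructed mini site (not real Joomla! code) with
# one entry point, two guarded includes and one unguarded include
make_sample_tree() {
    mkdir -p "$1/components/com_good" "$1/components/com_bad" "$1/includes"
    cat > "$1/index.php" <<'EOF'
<?php
define( '_VALID_MOS', 1 );   // entry point: defines the constant, then includes the rest
require_once 'includes/helper.php';
EOF
    cat > "$1/components/com_good/good.php" <<'EOF'
<?php
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo 'only reachable through index.php';
EOF
    cat > "$1/includes/helper.php" <<'EOF'
<?php
defined('_JEXEC') or die('Restricted access');
function helper() { return 1; }
EOF
    cat > "$1/components/com_bad/bad.php" <<'EOF'
<?php
// no guard: a direct GET for this file runs it with whatever value
// register_globals puts in $mosConfig_absolute_path, the classic
// remote-file-inclusion setup in old Mambo/Joomla! components
require_once $mosConfig_absolute_path . '/includes/helper.php';
EOF
}

# Usage: sh guard_audit.sh /path/to/joomla   (no argument runs the constructed sample)
if [ -n "${1:-}" ]; then
    find_unguarded_includes "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_unguarded_includes "$tmp"      # prints only components/com_bad/bad.php
    rm -rf "$tmp"
fi
```

The check is presence-only: it does not verify that the guard comes before the first executable statement, so a file that runs code and then tests the constant still passes. Treat the output as a worklist for review, and remember why the guard matters: with register_globals on, an unguarded include that builds a path from $mosConfig_absolute_path will include whatever URL an attacker supplies.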

Recently, I moved a site from test/dev to production. It showed an odd error: when editing content from the front end, the item would lock and stay locked. Even after clicking the CHECK IN button, it would not release the item.

It turns out that during the transfer, a couple of files did not make it across. Though seemingly small, it had a huge effect.

Once again, Joomla! Diagnostics comes to the rescue. Running this tool against the transferred site will yield the missing files, enabling the developer to quickly replace them.

[Screenshot: Joomla! Diagnostics report on the transferred site]

In this case, the innocuous htaccess.txt file is missing. Again, we know this is OK, because the security step of renaming it to .htaccess was done during development. Had a file that matters been missing or altered, we would see it in this same report.

Adam von Dongen, of http://www.joomla-addons.org, has done a terrific job with this GNU/GPL tool. His hosting offerings at Bandhosting.nl also make it a must-bookmark site.

The third tool we should make a part of our security arsenal is JCheck from http://www.ravenswoodit.co.uk. It is a must-have commercial extension for the security of your site. The extension comes with excellent technical support, is easy to install, and costs as much as a designer cup of coffee. Ask yourself what the security of your site is worth.

The following information gleaned from the previously mentioned site speaks volumes about JCheck:

For those who remember last year's "summer of hacking" when a lot of Joomla! and Mambo websites were attacked, JCheck will bring a peace of mind because if the worst happens, you will be alerted right away, hopefully even before your customers notice anything.

JCheck is a multiplatform security tool, which allows automated file integrity checking or host-based intrusion detection on Joomla!, Mambo, or any other system that supports PHP.

It creates an encoded database, which is used to verify the integrity of files on your website. Any change to the files will be flagged for attention by the administrator. This enables easy detection of hacking attempts, and allows prompt action to prevent further damage.

JCheck can be configured in many ways to eliminate false positives, and minimize the effort required by the site owners. Alerts can be sent by email or logged to a log file to be monitored by other tools.

JCheck can be configured to run at periods specified by the administrator.

It can be used as a stand-alone application running through cron for the most effective protection, security, and flexibility. It can also be installed and used as a Joomla! or Mambo module, where the module acts as a bridge to the JCheck application.

JCheck provides a proactive system to alert us to changes. When it is first run and installed, it examines in detail the files on your site. Webmasters can exclude the portions of the site that may be subject to frequent changes, to avoid "false-positives".

[Screenshot: JCheck]

Here is a sample output you receive from JCheck when something has changed:

Additions since the last run

Added:/home/public_html/administrator/ov56__JOBID1_20071128_125600.sql.gz

Type : file

Permissions : -rw-r--r--

Date Modified : Nov 28 2007 12:56:01

Date Changed : Nov 28 2007 12:56:01

Owner : 32401

Group : 902

Size : 70268

MD5 key : ccfe5703a71ab8ccaa6049bf83382a53

Added:/home/ov56/public_html/administrator/components/com_jts

The file that was added to our site is a backup file generated by our backup tool. JCheck records an MD5 hash for it, and that hash is compared on the next run to ensure that the file has not changed since. (MD5 is no longer collision-resistant; a checker written today should record SHA-256 or better, although for catching casual tampering MD5 still does the job.)

JCheck can be configured to run as frequently as hourly, alerting you to alterations. While this won't stop an attack on your site, it will minimize downtime by alerting you to potential changes.
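The mechanism behind that alert, a baseline of file hashes compared against the live tree on each run, fits in a few dozen lines of shell, which is useful when you cannot install JCheck or want a second, independent check. The script below is an added example written for this chapter, not JCheck's code: it records SHA-256 rather than MD5, skips the cache/ and logs/ trees as a stand-in for JCheck's exclusion rules, and runs against a constructed mini site (not real Joomla! files). The file name integrity.sh and the exclusions are this example's own choices; it relies on GNU coreutils (sha256sum, comm, cut).

```shell
#!/bin/sh
# Added example, not JCheck's code: a minimal file-integrity check of the kind
# JCheck performs. SHA-256 replaces MD5, since MD5 collisions are practical
# today. Needs GNU coreutils (sha256sum, comm, cut).

# hash_tree DIR -> "hash  ./path" for every regular file under DIR, skipping
# trees that change legitimately (cache/ and logs/ here; adjust to your site)
hash_tree() {
    (cd "$1" && find . -type f ! -path './cache/*' ! -path './logs/*' -exec sha256sum {} +)
}

# integrity_baseline DIR DB -> write the baseline database for DIR to DB
integrity_baseline() {
    hash_tree "$1" | LC_ALL=C sort -k 2 > "$2"
}

# integrity_check DIR DB -> print Added/Removed/Modified lines relative to DB;
# returns 0 if the tree matches the baseline, 1 if anything differs
integrity_check() {
    local work n
    work=$(mktemp -d)
    LC_ALL=C sort "$2" > "$work/old"                 # whole-line order, as comm requires
    hash_tree "$1" | LC_ALL=C sort > "$work/new"
    cut -c67- "$work/old" | LC_ALL=C sort > "$work/oldp"   # path starts after 64 hex + 2 spaces
    cut -c67- "$work/new" | LC_ALL=C sort > "$work/newp"
    {
        LC_ALL=C comm -13 "$work/oldp" "$work/newp" | sed 's/^/Added:    /'
        LC_ALL=C comm -23 "$work/oldp" "$work/newp" | sed 's/^/Removed:  /'
        # hash lines present now but absent from the baseline, restricted to
        # paths that already existed: the file was edited
        LC_ALL=C comm -13 "$work/old" "$work/new" | cut -c67- | LC_ALL=C sort \
            | LC_ALL=C comm -12 - "$work/oldp" | sed 's/^/Modified: /'
    } > "$work/report"
    cat "$work/report"
    n=$(grep -c . "$work/report" || true)
    rm -rf "$work"
    [ "$n" -eq 0 ]
}

# make_sample_site DIR -> constructed mini site (not real Joomla! files)
make_sample_site() {
    mkdir -p "$1/administrator" "$1/cache"
    printf '<?php echo "front page";\n' > "$1/index.php"
    printf '<?php echo "admin";\n'      > "$1/administrator/index.php"
    printf 'RewriteEngine On\n'         > "$1/htaccess.txt"
    printf 'cached page\n'              > "$1/cache/page1.html"
}

# tamper_sample_site DIR -> the kinds of change worth an alert (a database dump
# appearing under administrator/, htaccess.txt vanishing, index.php edited)
# plus cache churn, which must not be reported
tamper_sample_site() {
    printf 'not really a dump\n' > "$1/administrator/backup.sql.gz"
    rm -f "$1/htaccess.txt"
    printf 'eval($_GET["c"]);\n' >> "$1/index.php"
    printf 'cached page v2\n' > "$1/cache/page1.html"
}

# Usage: sh integrity.sh baseline SITE DB   then, from cron: sh integrity.sh check SITE DB
case "${1:-}" in
    baseline) integrity_baseline "$2" "$3" ;;
    check)    integrity_check "$2" "$3" ;;
    *)
        tmp=$(mktemp -d)
        make_sample_site "$tmp/site"
        integrity_baseline "$tmp/site" "$tmp/baseline.db"
        tamper_sample_site "$tmp/site"
        if integrity_check "$tmp/site" "$tmp/baseline.db"; then
            echo "no changes"
        else
            echo "changes detected"
        fi
        rm -rf "$tmp"
        ;;
esac
```

Run with no arguments, the demo reports the added dump, the removed htaccess.txt and the modified index.php, and nothing about the cache. Two operational points carry over from JCheck: keep the baseline database outside the web root (ideally off the box), or an intruder who can edit index.php can just as easily re-baseline; and pipe the non-empty report into mail from cron so that the alert reaches you rather than a log nobody reads.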

Publishing the module gives us another security logo, telling our users we are on top of our game.

[Screenshot: JCheck module logo]

JCheck is a copyrighted commercial software. The core library is encrypted. The supplied Joomla! or Mambo module is open-source software, and is released under the LGPL license. You can obtain this and other great products at: http://www.ravenswoodit.co.uk.

NMAP—Network Mapping Tool from insecure.org

If you are managing your own hardware, such as your own physical installation, gateways, firewalls, and so on, then you will need Nmap to ensure that you have configured your system hardware properly.

Nmap is available from insecure.org under GNU/GPL, and offers a veritable host of features that would cost you a lot if you bought them from a commercial vendor.

Here is the description according to insecure.org:

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

[Screenshot: Nmap scan of our server]

Running this tool against the server shows several open ports. Port 3306/tcp is wide open for MySQL. A quick search for "vulnerability port 3306" turns up quite a bit of interesting information, and several exploits exist for the service behind it. Typically, you would keep your MySQL server on an internal segment behind the firewall, unreachable from the Internet, so that no port needs to be opened to it at all. An open port such as this may not make us vulnerable by itself, but it leaks information, however little, and gives a clever attacker the research material to enumerate and map our network. In the example that follows we give out no such information and expose no servers: we reach them through a client interface that handles the hand-off in the background. Note that in both screenshots, critical information such as IP address and server location/name has been removed.

[Screenshot: Nmap scan of a different host]

Here is a scan on a different host. This shows only the fewest open ports necessary and is clearly a much more secure host.

Why concern ourselves with this? First, we do not need to remotely access our databases. This is best handled through your administration tools, such as phpMyAdmin located on the box (physically), or through your host's interface. Second, in 2005 a Windows-based "bot" attack was using port 3306 (and others) to create zombies on the Internet.

If an attacker were interested in testing your server for vulnerability, and discovered that you had this port open, he/she might use information, such as this, found on www.sans.org.

  • MODERATE: MySQL Authentication Bypass Vulnerability
  • Affected: MySQL versions 4.1.0, 4.1.1, 4.1.2 and early builds of version 5.0
  • Description: MySQL is a widely used, open-source database with a reported five million installations world-wide. The database runs on a number of operating systems, and is typically deployed as a back-end database for web applications. The software contains multiple vulnerabilities in its authentication module, specifically in the "check_scramble_323" function. An attacker can specify a certain value for the "client capability" flag, and obtain an unauthorized access to the database via a null password. The attacker can obtain the privileges of any user on the MySQL server, provided the username is correctly guessed. The attacker can also trigger a stack-based buffer overflow by providing an overlong password string. The overflow may be exploitable on a few platforms to execute arbitrary code. Note that the flaws cannot be exploited using the available MySQL clients. The attacker would have to create a custom MySQL client. The technical details required to leverage the flaws and multiple exploits have been publicly posted.

Other tools at an attacker's disposal would allow him or her to learn which version of MySQL you are running and launch an attack against it. For instance, if attackers were able to get the version information, say through one of the diagnostic tools, and learned that the server with the open port is running MySQL 4.0.23, then they would know which attack to launch.

To be fair, if we set up our MySQL to speak only to "trusted hosts", then that would lower our attack surface a bit, but why take the chance?
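The "no unexpected ports" check from the tools suite is worth running from cron against your own address, and Nmap's grepable output (-oG) makes that a small script. The following is an added example, not from the book or from Nmap itself: it parses -oG lines and prints every open port that is not on an allow-list, with the service and version Nmap reported. The scan text it contains is a constructed sample, not a real scan, and the allow-list and script name portcheck.sh are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the book or of Nmap: compare the open ports Nmap
# finds against an allow-list and report anything unexpected. Reads Nmap's
# grepable output (-oG); the sample below is constructed, not a real scan.

# unexpected_ports "ALLOWED" -> reads -oG text on stdin and prints, for each open
# port not in the space-separated ALLOWED list: host port/proto service version
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host: / && /Ports: / {
            host = $2
            line = $0
            sub(/.*Ports: /, "", line)                 # keep only the port list
            sub(/[ \t]*Ignored State:.*$/, "", line)   # drop the trailing summary
            m = split(line, p, ", ")
            for (i = 1; i <= m; i++) {
                # each entry is port/state/proto/owner/service/rpc/version/
                split(p[i], f, "/")
                if (f[2] == "open" && !(f[1] in ok))
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }'
}

# sample_scan -> constructed -oG output for a host that also exposes MySQL
sample_scan() {
    cat <<'EOF'
# Nmap 4.53 scan initiated (constructed sample) as: nmap -sV -oG - 192.0.2.10
Host: 192.0.2.10 (web.example.net)	Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 1.3.39/, 443/open/tcp//ssl|http//Apache httpd 1.3.39/, 3306/open/tcp//mysql//MySQL 4.0.23/	Ignored State: closed (996 ports)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
EOF
}

# Usage: nmap -sV -oG - TARGET | sh portcheck.sh "22 80 443"
# (no argument runs the constructed sample)
if [ -n "${1:-}" ]; then
    unexpected_ports "$1"
else
    sample_scan | unexpected_ports "22 80 443"    # -> 192.0.2.10 3306/tcp mysql MySQL 4.0.23
fi
```

Any output line is an alert. The fix for the 3306 case is the one the text describes: have MySQL listen only where it is needed (bind-address=127.0.0.1, or skip-networking when the web server and database share a box) and block the port at the host firewall, so that even a misconfiguration in my.cnf leaves nothing exposed.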

While this chapter was being written, insecure.org released a new graphical front end for Nmap. This GUI gives new Nmap users the ability to run scans with an easy-to-use point-and-click interface. The following is an image of the GUI:

[Screenshot: Nmap GUI]

Wireshark

Another useful tool is the packet sniffer. This is a tool that allows you to monitor all in-bound and out-bound traffic on your network. This can serve two purposes: First, it ensures that your personal network is not doing something that it shouldn't. Secondly, it allows you to monitor your web server for attempted attacks.

I recently used this tool for a customer in an audit. We discovered that their site had been penetrated by a cracker from China. And he/she was attempting to gain further access.

Using this tool, the packets going to and from the server were monitored. There were several suspicious packets aimed at the IPC$ share (a Windows administrative share), although this box was not supposed to be sharing anything with anyone. Further analysis led to the examination of the server logs, thus exposing the break-in. This was quickly dealt with, but might have continued had this tool not been deployed.

The following list of features of this tool is from the website www.wireshark.org:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others.
  • Captured network data that can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others.
  • Capture files compressed with gzip can be decompressed on the fly.
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform).
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis.
  • Output can be exported to XML, PostScript, CSV, or plain text.

This tool was released under the GNU/GPL license, and is considered the de facto and sometimes the de jure network protocol analyzer for IT shops across the world.

The following screenshots are broken up into parts for ease in publishing this book. Let's examine them now:

[Screenshot: Wireshark packet list, left-hand columns]

The first column on the left is the packet sequence number as it arrived at the network card. The second is Time. The third and fourth are the source and destination IP addresses.

As we move to the right of our screen, we'll see this data, which includes the Protocol in use and also information about the packet:

[Screenshot: Wireshark packet list, protocol and info columns]

Here, we note the protocol on the wire, and other information pertinent to this.

If we select a specific packet, we'll see a lot of information about it.

[Screenshot: Wireshark packet details]

We can drill into each of the above and learn more about the contents of the packet. If an attacker is able to insert a sniffer into your network, he or she can read passwords sent over unencrypted protocols very quickly; in your own hands, the same tool shows you configuration problems and other oddities on the wire.

And lastly, the data that is contained in the packet allows us to see what is being transmitted.

[Screenshot: Wireshark packet bytes]

As there are several other things that Wireshark can do, I suggest you download it and learn all you can about this tool. It will enable you to keep a close watch on all your network activities.

Metasploit—The Penetration Testers Tool Set

Metasploit is a complete set of tools built on the Metasploit Framework and developed for security testing by penetration testing. The Metasploit Framework, or MSF, supports discovery of vulnerabilities, proper disclosure to the vendor or developer of the affected application, analysis of your own code or website, and development of new exploits.

When we launch MSF we see the following control panel, which will guide us through the various functions:

[Screenshot: MSF control panel]

As the site administrator, you may wish to run this against your own site to determine if you have any unknown vulnerabilities.

To do so, we select Exploits from the MSF menu bar. After the selection, we get the following screenshot:

[Screenshot: MSF Exploits list]

The Search box enables the tester to search for exploits by platform, code, or use. For instance, if you were to choose PHP in the search box, it would yield several exploits. As you scroll down, you would find this interesting exploit:

[Screenshot: PHP exploit in the MSF search results]

Do you know if your site suffers from this?

Once this exploit is successfully run, MSF will offer you a command shell to interact with it, enabling you to put a payload into the website. There are several payloads available and, of course, you could write your own.

To find payloads, click the PAYLOAD button on the console, search out what you wanted, and then go about generating the code.

[Screenshot: MSF payload selection]

This time Linux was chosen as the target and the exploit payload of Add User. If the exploit were successful, injecting this payload would add a user to the system without anyone's knowledge.

Once all the parameters are added, the code generated by MSF looks as follows:

# linux/x86/adduser - 1024 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# NOP gen: x86/opty2
# USER=JohnDoe, SHELL=/bin/sh, PASS=Password
"\xb2\xba\x86\xe3\x3c\x75\x35\x7b\x0b\xd4\xb9\x32\xf5\x90" +
"\x67\x47\xbb\x97\x74\x48\x1c\x83\xe2\x12\xeb\x76\x4e\x99" +
.
.
.
"\xfa\xf1\x14\x74\xf8\xa9\x29\x09\x6a\x4b\xea\xc7\xea\x4b" +
"\x0a\xd8"

Most of the code in the example has been removed; however, you can see the power of MSF. You may be running your Joomla! site on a Windows platform, and thus you may think that this excludes you from the exploit. A quick search for other exploits displays the following screenshot:

[Screenshot: Windows add-user payload in MSF]

This, like the Linux payload, will attempt to add a user, in this case to the Administrators group. The payload can be delivered by exploiting a hole in Windows or in the NetBIOS services and shares that may be present on the target system. If an attacker can gain access to your server, he or she can escalate privileges, or add an account directly to the admin group through various means, thus taking over your box and your website.

Note

Are You the Administrator or Owner?

If you are not both, then I strongly discourage the use of this tool. ONLY use it if you have permission, a test server, or a site you own. DO NOT use this on any server or site for which you do not have express written permission. Any other use may constitute a criminal act.

Nessus Vulnerability Scanner

The next in our suite of tools is a great product from Tenable Network Security, Inc. The tool, known as Nessus, is a vulnerability scanner available free of charge. They offer paid support in addition to the normal (and abundant) documentation. You may visit their website (http://www.nessus.org/nessus/):

Why You Need Nessus

With Nessus, you can test your server for unpatched holes, various vulnerabilities, and exploits. Tenable Network Security releases updates on an extremely regular basis and is considered to be one of the top vulnerability scanning tools in the world.

This is a review of their product in their own words:

"The Nessus™ vulnerability scanner is the world-leader in active scanners, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks."

As this chapter is being written, the website reports that there are currently 19256 different plug-ins for Nessus™ that cover remote and local vulnerabilities. As more are discovered every day, this is a tool you should have. A few useful ones are listed here:

FreeBSD : gallery2--Multiple vulnerabilities (1061):

The remote host is missing an update to the system.

The following package is affected: gallery2

Written by: This script is Copyright (C) 2007 Tenable Network Security

Fedora Core 8 2007-4778: gallery2:

The remote host is missing the patch for the advisory FEDORA-2007-4778 (gallery2).

The base Gallery 2 installation—the equivalent of upstream's—minimal package. This package requires a database to be operational. Acceptable database back ends include MySQL v 3.x, MySQL v 4.x, PostgreSQL v 7.x, PostgreSQL v 8.x, Oracle 9i, Oracle 10g, DB2, and MS SQL Server. All given package versions are minimums, greater package versions are acceptable.

Gallery 2.2.4 addresses the following security vulnerabilities:

Update information:

* Publish XP module—Fixed unauthorized album creation and file uploads.

Solution: Get the newest Fedora Updates

Risk factor: High

Written by: This script is Copyright (C) 2007 Tenable Network Security

Fedora Core 7 2007-4777: gallery2:

The remote host is missing the patch for the advisory FEDORA-2007-4777 (gallery2). The base Gallery 2 installation—the equivalent of upstream's—minimal package. This package requires a database to be operational. Acceptable database back ends include MySQL v 3.x, MySQL v 4.x, PostgreSQL v 7.x, PostgreSQL v 8.x, Oracle 9i, Oracle 10g, DB2, and MS SQL Server. All given package versions are minimums, greater package versions are acceptable.

Update information:

* Publish XP module—Fixed unauthorized album creation and file uploads.

Solution: Get the newest Fedora Updates

Risk factor : High

Written by: This script is Copyright (C) 2007 Tenable Network Security

These are only a few of the newest plug-ins; each corresponds to a vulnerability that is already in circulation among attackers.

If you are thinking that this has no bearing on you, I searched the site for the word "Joomla" under available plug-ins, which turned up sixteen plug-ins for known Joomla! vulnerabilities at the time the book was being written. Many, if not all of these, should be fixed on your site, right?

Since you're likely to run Apache on your site, you will be able to use this tool to determine the vulnerability level of your Apache configuration. At the time of writing this book, the count of plug-ins to test for vulnerabilities was two-hundred and four.