Mambo Hacked

Well....after reading many different posts here, I used Mambo for one of my sites which got knocked out by a hacker today. I've always designed and written my old code, but had read of many who had used a CMS system, and thought I might be O.K. with using one.

However today provided a good lesson....design my own site and not use one of those going forward I guess. They're apparently too easy to hack

Ian

 

Very sorry to hear that you got "0wned", Ian

Which Mambo version was it that got hacked? While I'm not the greatest fan of Mambo myself (having used it and coded for it extensively in the past, before giving it up in favor of the better-designed Drupal), one must be fair: if you use any software that's plugged into the Internet, you need to keep it up-to-date with security updates. If you don't do that, you are begging to be hacked. I don't know whether that was what happened in your case, but that's the first thing that comes to mind.

Resorting to writing everything from scratch is no guarantee it'll be more secure. For instance, while you are just one pair of eyes looking at your own code, Mambo (or any other large open-source project) has thousands constantly reviewing their code base; this would increase the chance that any vulnerabilities get caught and fixed in a timely manner.

Then there are the general vulnerabilities that will affect everyone running PHP or making use of third-party libraries. Examples include global variable hacks in previous incarnations of PHP, and the recent XMLRPC library vulnerabilities, which affected a whole host of widely-used applications, including Mambo. Had you used the XMLRPC library in your own code, you would've been affected as well.

Of course, there are some advantages to writing your own code: if you follow the KISS principle, it'll be simple, streamlined and optimized for its purpose, when compared to a more general-purpose application.

But then again, unless you're very up-to-speed on how to avoid introducing PHP vulnerabilities (and it might be argued that developers in a public project are necessarily more aware of these issues than the average coder), and actually take the time to implement all necessary precautions (such as the simple example of always quoting your input parameters before passing them into an SQL statement), claiming that all shrinkwrap software is somehow inherently more unsecure than homerolled code is, well, simply not true.

If despite the above you're really going to spend significant work hours basically recreating functionality that you could get from out-of-the-box software, at least take a look at more productive programming languages, frameworks and toolsets to cut down on the number of hours involved. For instance, whenever I need to throw together a quick "hack" (in the old-fashioned good sense) such as implement a simple 301 redirection, I'll use "raw PHP"; to put up a site quickly and easily (and without coding), I'll use Drupal, which I consider one of the best tools for the job; however, if there's going to be a good amount of coding involved, I'll base the site on the Ruby on Rails framework, which is a zillion times more productive than starting from scratch, or even writing a Drupal module, in PHP.

 

I am interested in knowing how it was done and what solutions are available to protect my sites. Please PM or share links. TIA

 

Thanks for the kind words Willy. It's frustrating because I have another site I wrote myself in PHP that's been going for five years now, which runs nearly one-million page views per month and 10's of thousands of unique visitors that has never had a problem. I use this CMS that gets maybe 30 uniques a day and get hit with this. It's just frustrating.

Anyway, thanks for your advice. I'll definitely look into it.

Ian

 

Ian,

I'd like to know how it happened as well.
I trust that at the very least, you've sought the advice of those involved with the project. If not you should. Whatever has happened, it's important to determine whether it impacts all or exclusively you.

I operate a number of Mambo sites, all of which are customized up the wazoo. I'd certainly like to know if any new vulnerabilities have emerged.

Cheers, (and don't be afraid to state that you were in error if that's the case - it's how we learn).

JL

 

And also a million hackers looking over it.

Opensource, good and bad.

 

It looks like they altered just the index files on the main page and the template folder. The databases and the remaining content were untouched.

I re-uploaed the two files and also made the files unwriteable, as they are editable in the administration area and were CHMOD to 777.

It seems to be a quick fix and so far seem to be O.K. I'll check in over in the Mambo folders and see if I can get some advice there.

Thanks for all the support guys, I appreciate it!

Ian

 

Exactly the point I was going to make...

Open source solutions are inherently more insecure by default. Why? hackers are lazy

Open source solutions (ESPECIALLY mass distributed ones) get attacked more because they are so open to the public that everyone knows their inner workings. Down to the smallest little function and query.

Compare that to your own coded solution which hackers have no insight into whatsoever. So of course they attack the one that tehy can research more in depth. It's a no brainer. PLUS once they discover an exploit they share it with friends!

As long as you use good coding practices (or hire someone that does) and stress the importance of security in your code (client and server side form checking, referrer checking, SQL injection countermeasures, etc.) you're already 10 times more secure than using an open source solution.

Even in non open source software that's mass distributed there is more risk. Why do you think Windows applications get attacked far more than Mac? It's not necessarily less secure than Mac. It's the bigger target and there are more people working to exploit it than there are Mac!

 

Ian, what version of Mambo are you using? Does it have the latest updates?

This worries me as I have Mambo on a couple of my sites and although they are not high-up in the SERP's I could always be next !

 

I don't think I would completely give up on the benefits of CMS because of a few hackers. I think as long as you keep backing up your data at least weekly (including your SQL databases) and do whatever updates are made available, it's worth the risk.

I've had websites with 100% static HTML pages hacked as well. Welcome to the digital age.