Mambo Hacked

Discussion in 'Content Management' started by Ian, Aug 17, 2005.

  1. #1
    Well....after reading many different posts here, I used Mambo for one of my sites which got knocked out by a hacker today. I've always designed and written my old code, but had read of many who had used a CMS system, and thought I might be O.K. with using one.

    However today provided a good lesson....design my own site and not use one of those going forward I guess. They're apparently too easy to hack :(

    Ian
     
    Ian, Aug 17, 2005 IP
  2. Willy

    Willy Peon

    #2
    Very sorry to hear that you got "0wned", Ian :(

    Which Mambo version was it that got hacked? While I'm not the greatest fan of Mambo myself (having used it and coded for it extensively in the past, before giving it up in favor of the better-designed Drupal), one must be fair: if you use any software that's plugged into the Internet, you need to keep it up-to-date with security updates. If you don't do that, you are begging to be hacked. I don't know whether that was what happened in your case, but that's the first thing that comes to mind.

    Resorting to writing everything from scratch is no guarantee it'll be more secure. For instance, while you are just one pair of eyes looking at your own code, Mambo (or any other large open-source project) has thousands constantly reviewing their code base; this would increase the chance that any vulnerabilities get caught and fixed in a timely manner.

    Then there are the general vulnerabilities that will affect everyone running PHP or making use of third-party libraries. Examples include global variable hacks in previous incarnations of PHP, and the recent XMLRPC library vulnerabilities, which affected a whole host of widely-used applications, including Mambo. Had you used the XMLRPC library in your own code, you would've been affected as well.

    Of course, there are some advantages to writing your own code: if you follow the KISS principle, it'll be simple, streamlined and optimized for its purpose, when compared to a more general-purpose application.

    But then again, unless you're very up-to-speed on how to avoid introducing PHP vulnerabilities (and it might be argued that developers in a public project are necessarily more aware of these issues than the average coder), and actually take the time to implement all necessary precautions (such as the simple example of always quoting your input parameters before passing them into an SQL statement), claiming that all shrinkwrap software is somehow inherently more insecure than home-rolled code is, well, simply not true.

    If despite the above you're really going to spend significant work hours basically recreating functionality that you could get from out-of-the-box software, at least take a look at more productive programming languages, frameworks and toolsets to cut down on the number of hours involved. For instance, whenever I need to throw together a quick "hack" (in the old-fashioned good sense) such as implement a simple 301 redirection, I'll use "raw PHP"; to put up a site quickly and easily (and without coding), I'll use Drupal, which I consider one of the best tools for the job; however, if there's going to be a good amount of coding involved, I'll base the site on the Ruby on Rails framework, which is a zillion times more productive than starting from scratch, or even writing a Drupal module, in PHP.
     
    Willy, Aug 17, 2005 IP
    Ian likes this.
  3. sadcox66

    sadcox66 Spirit Walker

    #3
    I am interested in knowing how it was done and what solutions are available to protect my sites. Please PM or share links. TIA
     
    sadcox66, Aug 17, 2005 IP
  4. Ian

    Ian Well-Known Member

    #4
    Thanks for the kind words Willy. It's frustrating because I have another site I wrote myself in PHP that's been going for five years now, which runs nearly one million page views per month and tens of thousands of unique visitors, and has never had a problem. I use this CMS that gets maybe 30 uniques a day and get hit with this. It's just frustrating.

    Anyway, thanks for your advice. I'll definitely look into it.

    Ian
     
    Ian, Aug 17, 2005 IP
  5. john_loch

    john_loch Rodent Slayer

    #5
    Ian,

    I'd like to know how it happened as well.
    I trust that at the very least, you've sought the advice of those involved with the project. If not you should. Whatever has happened, it's important to determine whether it impacts all or exclusively you.

    I operate a number of Mambo sites, all of which are customized up the wazoo. I'd certainly like to know if any new vulnerabilities have emerged.

    Cheers, (and don't be afraid to state that you were in error if that's the case - it's how we learn).

    JL
     
    john_loch, Aug 17, 2005 IP
    Ian likes this.
  6. sarahk

    sarahk iTamer Staff

    #6
    Hi Ian

    Just to reiterate what John has said. Please let the guys over at http://forum.mamboserver.com know so they can help fix up your site (perhaps) and fix up their system if the vulnerability hasn't already been fixed. No one likes to see anyone get hacked, but more so when it's a system that one both uses and recommends.

    Sarah
     
    sarahk, Aug 18, 2005 IP
    Ian likes this.
  7. SERPalert

    SERPalert Guest

    #7
    And also a million hackers looking over it.

    Opensource, good and bad.
     
    SERPalert, Aug 18, 2005 IP
  8. Ian

    Ian Well-Known Member

    #8
    It looks like they altered just the index files on the main page and the template folder. The databases and the remaining content were untouched.

    I re-uploaded the two files and also made the files unwritable, as they are editable in the administration area and were CHMOD to 777.

    It seems to be a quick fix and so far seems to be O.K. I'll check in over in the Mambo folders and see if I can get some advice there.

    Thanks for all the support guys, I appreciate it!

    Ian
     
    Ian, Aug 18, 2005 IP
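The two steps Ian describes above (find the files that were left mode 777, take the write bits away, and be able to tell quickly if index.php or a template file is changed again) can be scripted. The following is an added example for this thread, not code from the original post or from the Mambo project; the web root, the file names under it and the defacement it simulates are all constructed inside the script, so it runs offline in a temporary directory. On a real host you would point find_world_writable and harden_perms at the actual document root and keep the manifest somewhere outside the web root.

```shell
#!/bin/sh
# Added example (not from the thread or the Mambo project): audit a web
# root for world-writable files, strip the write bits, and keep a
# checksum manifest so a later change to index.php or a template file
# is noticed. The web root and its files are constructed below.
set -u

# SHA-256 tool: GNU coreutils sha256sum, or shasum on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then SHA256=sha256sum; else SHA256="shasum -a 256"; fi

# List files and directories under $1 that are writable by "other".
# -perm -002 matches any entry whose mode has the o+w bit set.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# Number of world-writable entries under $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Directories 755, files 644: the web server can still read (and PHP can
# still execute) everything, but no other account on the host, including
# the web server user, can rewrite the files. This also disables the
# CMS's own in-browser template editing, which relied on those bits.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Write a SHA-256 line for every file under $1 to manifest $2 (absolute
# path). Paths are relative to $1 so the check can run from there.
build_manifest() {
    ( cd "$1" && find . -type f -print | sort |
        while IFS= read -r f; do $SHA256 "$f"; done ) > "$2"
}

# Exit 0 if every file under $1 still matches manifest $2, 1 otherwise.
verify_manifest() {
    ( cd "$1" && $SHA256 -c "$2" >/dev/null 2>&1 )
}

# --- Demo on a constructed web root ---------------------------------
umask 022
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
WEBROOT="$WORK/htdocs"
MANIFEST="$WORK/manifest.sha256"
mkdir -p "$WEBROOT/templates/example"
printf '<?php echo "home"; ?>\n' > "$WEBROOT/index.php"
printf '<?php echo "template"; ?>\n' > "$WEBROOT/templates/example/index.php"
printf '<?php $dbpass = "secret"; ?>\n' > "$WEBROOT/configuration.php"
# The state described in the thread: the editable files were mode 777.
chmod 777 "$WEBROOT/index.php" "$WEBROOT/templates/example/index.php"

BEFORE="$(count_world_writable "$WEBROOT")"
echo "world-writable before hardening: $BEFORE"
find_world_writable "$WEBROOT"
harden_perms "$WEBROOT"
AFTER="$(count_world_writable "$WEBROOT")"
echo "world-writable after hardening:  $AFTER"

build_manifest "$WEBROOT" "$MANIFEST"
# Simulate a defacement (the file owner can still write; an attacker
# going through the web server user no longer can) and detect it.
printf '<!-- defaced -->\n' >> "$WEBROOT/index.php"
if verify_manifest "$WEBROOT" "$MANIFEST"; then
    TAMPERED=no
else
    TAMPERED=yes
fi
echo "manifest check after edit: tampered=$TAMPERED"
```

Two things to keep in mind when using this for real: rebuild the manifest after every legitimate upgrade or template edit, otherwise every check will fail; and remember that 644 only stops writes by accounts other than the file's owner, so if the web server itself runs as the owner of the files (common on shared hosts with suPHP or similar) the permission change does nothing and you have to fix the application hole instead.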
  9. GeorgeB.

    GeorgeB. Notable Member

    #9
    Exactly the point I was going to make...

    Open source solutions are inherently more insecure by default. Why? hackers are lazy :D

    Open source solutions (ESPECIALLY mass distributed ones) get attacked more because they are so open to the public that everyone knows their inner workings. Down to the smallest little function and query.

    Compare that to your own coded solution which hackers have no insight into whatsoever. So of course they attack the one that they can research more in depth. It's a no brainer. PLUS once they discover an exploit they share it with friends!

    As long as you use good coding practices (or hire someone that does) and stress the importance of security in your code (client and server side form checking, referrer checking, SQL injection countermeasures, etc.) you're already 10 times more secure than using an open source solution.

    Even in non open source software that's mass distributed there is more risk. Why do you think Windows applications get attacked far more than Mac? It's not necessarily less secure than Mac. It's the bigger target and there are more people working to exploit it than there are Mac!
     
    GeorgeB., Aug 18, 2005 IP
    SERPalert likes this.
  10. greentwinkie

    greentwinkie Peon

    #10
    Ian, what version of Mambo are you using? Does it have the latest updates?

    This worries me as I have Mambo on a couple of my sites and although they are not high up in the SERPs I could always be next :(!
     
    greentwinkie, Aug 18, 2005 IP
  11. 802networks

    802networks Guest

    #11
    I don't think I would completely give up on the benefits of CMS because of a few hackers. I think as long as you keep backing up your data at least weekly (including your SQL databases) and do whatever updates are made available, it's worth the risk.

    I've had websites with 100% static HTML pages hacked as well. Welcome to the digital age.
     
    802networks, Aug 18, 2005 IP