
Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: Hacker vs RS Firewall Real time story...

Hacker vs RS Firewall Real time story... 14 years 6 months ago #8699

Hi everybody.
I purchased RSFirewall and I’m really happy with it.

The reason for the purchase was multiple experiences with injection of foreign code into an index.html in Joomla sites.
This is the index.html in the template folder.

• I installed RSFirewall
• Password for backend entry = On
• Password for RSFirewall = On
• Change the master account password (FTP password): not the Joomla admin's, but the password that gives access to the cPanel of the account
• System lockdown = On
• Put the index.html as a file to be checked by RSFirewall

Grade 75

This morning an injection occurred in the index.htm :evil:

• RSFirewall reported the changes with the IP (thanks)
—> Action: Kept the hacked index file for the record and replaced it with a clean one
—> Put the IP in the RSFirewall blacklist this way... 000.000.00.*
—> Went to my cPanel and put that IP the same way in a Block IP list

What I will do:
Go through the System Check Report....
Check all files that differ from Joomla 1.5.14
—> (I made some modifications myself)
—> Move the folders out of public_html (when I really understand how to do that....)

Thanks to RSFirewall, I collected some info on who is doing that
—> IP whois info and the injected code gave me a website

QUESTION 1: HOW CAN THEY DO THAT? :S

QUESTION 2: How can you transmit this info to the authorities, can you?

QUESTION 3: Have you any suggestions?

Re:Hacker vs RS Firewall Real time story... 14 years 6 months ago #8813

Well, the hackers seem to be out of the door for now.

1— I moved the configuration file out of the public folder
(I’m moving log and tmp today)

2— I put the index.html in the files to verify

3— Protect the administrators/users from changes

4— Put the IPs collected from the RSFirewall logs —> xxx.xxx.xxx.* in the blacklist

5— Give a password to access the backend and RSFirewall

6— Put the system in lockdown

7— Keep the php.ini created by RS in the template folder

The only thing I’m still not sure about is open_basedir.....

I’m checking all files that fail the integrity check for any injection, one by one (I modified some core files myself)

Most of them are: plugins/editors/tinymce/........ files. Strange, I’m sure I didn’t touch these

So far Grade 77
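The integrity triage both posts describe (files that differ from a clean Joomla release, some edited by the site owner and some injected) can be reproduced outside the component by hashing the live site against a clean copy of the same release. This is an added example, not part of the original posts and not RSFirewall's code; the marker patterns, helper names and all file names are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Triage markers chosen for this example (assumptions, not RSFirewall's rules).
SUSPICIOUS = re.compile(rb"<iframe|eval\s*\(\s*base64_decode|unescape\s*\(", re.I)

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def compare(clean_root, live_root):
    """Diff the live site against a clean copy of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "added": [], "suspicious": [],
              "missing": sorted(set(clean) - set(live))}
    for rel in sorted(live):
        if rel not in clean:
            report["added"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
        else:
            continue  # identical to the clean release, nothing to review
        if SUSPICIOUS.search(Path(live_root, rel).read_bytes()):
            report["suspicious"].append(rel)  # changed or new, and carries a marker
    return report

def write_tree(root, files):
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

def demo():
    """Run compare() on two small constructed trees (all file names are made up)."""
    clean = {"index.php": b"<?php // core", "includes/lib.php": b"<?php // v1",
             "templates/example/index.html": b"<html><body></body></html>"}
    live = {"images/logo.txt": b"logo",  # added; index.php is missing
            "includes/lib.php": b"<?php // v1 plus the admin's own edit",
            "templates/example/index.html":
                b'<html><body><iframe src="http://example.invalid/"></iframe></body></html>'}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "clean"), clean)
        write_tree(Path(tmp, "live"), live)
        return compare(Path(tmp, "clean"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

Files listed as modified but not suspicious, such as the owner's own core edits, still need a manual diff against the clean copy, since the markers only prioritise the review.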