I recently had to open a port in an older Sonicwall Firewall to allow outside access to a companies security camera system. I found this video that was extremely helpful.
His instructions are very logical and straight forward.
I hope this helps someone else out there…
Here is a list of “Tools of the Trade” according to Ben Martin at Sucuri Security.
I hope this helps someone else out there…
I learned since Joomla 1.5 that updating is a must. Make a backup and install the update. You never know unless you try.
Today I saw an article that gives a great reason for updating to 3.8….answer is security.
For eight years, hackers have been able to exploit this password-stealing flaw in Joomla
I hope this helps someone else out there…
We have a static HTML site built in 2013 that we maintain. We got a notification from Godaddy that there were malicious files in the website. I started to remove them, but wanted to see what was in them. When I opened one of the files that was 3 level into the website it was extremely complicated. It looks like part of many arrays and just pulling parts of multiple arrays. I believe the end goal is to assemble the final script. It looks like this.
Another interesting thing about this attack is the date of the file. It is from 2013. I had made a complete back of the site on 2/15/2016, but the bad files were from 2013. None of the bad files were in my back in 2016.
Nothing was solved. I removed the old files and updated the .htaccess file. I found it interesting how the date could be manipulated.
I hope this helps someone one else out there….
If often get asked why someone would attack a website. It is often for financial gain. If the attacker can get a hold of your credentials then they can impersonate you on-line. Meaning if they get your bank credentials they will have access to your bank. If they get your Apple ID credentials then the can access you Apple account and buy stuff.
I got an email from Apple today to login to my account.
In this image you can see that when I put my cursor over the hyperlink in the email it is going to “natuursteendoker.be/zooology.php”. I see attacked websites with strange named PHP files with redirects in them. This can easily redirect a user to site ready to deliver a malicious payload or virus. Could be a key tracker that phones home with each key stroke or screen captures every 5 seconds.
I hope this helps someone else out there….
To get to a customer’s site I Googled it and discovered the User name and Password reset pages are being indexed by Google. They show up as some of the top results.
I quickly came across the following article that lead me to the work on the Robots.txt file and disallowing these pages.
https://forum.joomla.org/viewtopic.php?t=903096
For my site I had to add the following:
Disallow: /component/users/
Then go to Google Webmaster Tools and and Fetch the site. This will inform Google you want your site crawled again.
I hope this helps someone else out there…
Follow up…
I stumbled on this article which further refines the access.
https://moz.com/community/q/robots-txt-how-to-exclude-sub-directories-correctly
His technique:
allow: /directory/$
disallow: /directory/*
Which allows this URL:
http://www.mysite.com/directory/
But doesn’t allow the following one:
http://www.mysite.com/directory/sub-directory2/…
We recently installed a Barracuda firewall and accidentally left “Proxy” on. This caused our IP to used as a spam relay which got our IP put on a blacklist. A trace route from our server to mtb.com showed the packets getting to MTB.com and stopping. We assumed it was MTB.com blocking the ip.
MTB said they get their blacklist for outside sources. They directed me to the following site were I was able to submit a request to get the IP off of the blacklist.
http://www.brightcloud.com/tools/url-ip-lookup.php
I could see that the IP was showing as suspect. I clicked on the “IP Reputation” and submitted the IP for review. I knew the proxy issue was resolved the IP should be cleared. This didn’t resolve the issue.
I discovered Barracuda has their own IP blocked. This showed our IP as not having a “poor” reputation.
http://www.barracudacentral.org/lookups/lookup-reputation
Do more searching brought me to this page.
https://www.whatismyip.com/blacklist-check/?iref=ip-lookup
There were two sites that had our IP listed. When I tried to go to mailhosts.org I get an error saying that domain is available. Blacklisted with no way to get it removed.
Looking into alternative fixes.
I hope this helps someone else out there…
Clients site got the following message when users got to the site.
My journey started with the host which was wrong. It was all google this time. Here are the steps to get google to review your site and take it off the blacklist.
I hope this helps someone else out there…
Had a customer call in because he was on the LA Times website and clicked on a link that caused his browser to pop-up a Microsoft warning. The warning said he was infected and needed to pay. He hit control-alt-delete and closed chrome. He restarted his machine and called us.
I opened Chrome and looked at the start page. It was set to “http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND”. When I put that URL into another browser it took me to just Google. I figured the rest was unecessary and reset his home page to just be “http://www.google.com”.
I downloaded a rootkit scan tool from Bleeping Computer and ran a quick scan. We also use Vipre Anit-virus. I updated the difinitions and ran a full deep scan with Vipre. Nothing else was wrong.
I hope this helps someone else out there…
Wordfence people published this article warning of an highly effective phishing attack on Gmail accounts.
Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited
I hope this helps someone else out there…