Bemani hack on website

David Kramer david-8uUts6sDVDvs2Lz0fTdYFQ at public.gmane.org
Sun Sep 28 12:58:18 EDT 2008


James Kramer wrote, On 09/28/2008 11:48 AM:
> I have a Joomla site that was hacked by Bemani.  Has anyone heard of
> this or is this some great genius that can hack a nearly wide open
> site. It is running at the following address.
> http://greaterpittsburgh.us/

I have been hacked into a total of two times in the 12 or so years I've
been running a server at home.  Once was a matter of weeks before I set
up my first internet-facing server.  Remember, I'm a Software Engineer
and Pointy-Haired Boss, not a SysAdmin.  I knew not what I was doing.

The second time was when I installed TWiki (http://www.twiki.org) on my
server.  It had *horrendous* security holes (now it merely has
horrendous security holes if you don't keep it updated and don't
configure it right).  This wasn't a *real* hacking, as they were only
able to affect that site and not the rest of my box, since I had my
permissions set correctly, but it was embarrassing nonetheless.

The lesson here is that while some say Open Source Software is
inherently more secure because there are so many eyeballs on the code
(which I feel is true for *popular*, non-"cathedral" projects), they're
also very configurable, and often not well documented.  That means it's
much more important that you know what's running on your boxen, and how
it's configured.

In one job, we used to call software like that "Enough rope" (as in,
"enough rope to hang yourself by, or do something useful").

> The site was pretty wide open.  I was thinking about playing around with
> an all open source website based on Joomla that anyone can modify.
> The site is running on a virtual server.

In the security world, that's called a "honeypot".  If you don't want
it to be hacked, don't do that.  Of course, as you're running on a
virtual server, reloading shouldn't be a problem.
