Hello folks,

Yesterday I was going to update Joomla to 3.4.8. You all know Joomla has been suffering from security problems over the last 3 updates. This one is mandatory and I was going to update. Here is the story.

I created a snapshot (thank goodness) first and then started the update. I was afraid that my file permissions were too high and Joomla would not be able to overwrite the update files. So I went to SSH and made all files and folders 777 just for a few moments to install the update. I am usually not afraid to do that because I have a very special script to get it all back. The file name is joomla, in /usr/bin

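#!/bin/bash
# Usage: joomla <owner>   (run from the root folder of the site)
chown -R "$1":apache ./*
# Directories 755, files 644
find ./* -type d -exec chmod 755 {} \;
find ./* -type f -exec chmod 644 {} \;
# Directories Joomla must be able to write to
chmod 777 ./tmp
chmod 777 ./cache
chmod 777 ./log
chmod 777 ./logs
# Make .htaccess and the entry points read-only
chmod 444 .htaccess
chmod 444 ./index.php
chmod 444 ./administrator/index.php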

After the install I would just run joomla mint*** in the root folder of the site and it would restore all the permissions. The mint*** is the name of the user I want the files to be owned by. Usually the FTP user.

I have to say that the update was not pretty. It created a lot of errors with SQL queries. I have to say, the Joomla update system sucks. It has no intelligence whatsoever. You mess it up with one update and then it will follow you the rest of your life.

That is why we do not rely on the Joomla update system fully. You can install updates of our extensions through the Joomla install system, but SQL queries are not applied through the Joomla update. On every build, which is automated by a special script, we create a current DB snapshot in JSON format, and when you install Cobalt or Emerald, it uses it to compare with the DB on the site and generates update queries on the fly by looking at the DB difference. Works like a charm. But that is another story. I analyzed the install package and applied everything manually.

And suddenly I had a "brown out". That is OK, I thought, I have a UPS that will give me another 15 minutes. But I was wrong. The UPS gave me only 30 seconds. So I started to wait till we had power again. I had lunch, then I went to buy new batteries, I replaced the batteries in the UPS and I did this and that and did so many things, I completely lost it and forgot that I was in the middle of my website update.

When I SSHed into my server today I had "backdoor" scripts all over. Only a few hours and your site is hacked to all holes. The good thing is that none of them could ever be executed because I have the following in my .htaccess

# Deny direct requests to any PHP file
<Filesmatch "\.php$">
order deny,allow
deny from all
</Filesmatch>

# Allow only files named index.php
<Filesmatch "^index\.php$">
order deny,allow
allow from all
</Filesmatch>

That simply means that only PHP files with the name index.php may be executed. So, now you can understand why I have chmod 444 ./index.php in the joomla shell script earlier. I want to make it unwritable so that no one can overwrite it in any case.

As a result of all this mess, I had to use my snapshot to restore the website and change the MySQL and FTP passwords just in case. It might also lead to some topics being lost on the forum. I apologize for it, but the consequences could have been much worse.
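
A follow-up check for the restore script and .htaccess rule described above, as an added example that is not part of the original post: it lists paths left world-writable, PHP files changed after a marker file, and entry points that are not back at 444. The function names, the marker-file convention and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. Function names and the sample tree
# are assumptions. Pass the site root without a trailing slash.

# Paths still world-writable, other than the four directories the restore
# script deliberately leaves at 777 (tmp, cache, log, logs).
world_writable() {
    find "$1" ! -type l -perm -0002 \
        ! -path "$1/tmp" ! -path "$1/cache" \
        ! -path "$1/log" ! -path "$1/logs" | sort
}

# PHP files modified after the marker file $2 (created just before the
# permissions were opened up). Compare the list with the update package.
php_changed_since() {
    find "$1" -type f -name '*.php' -newer "$2" | sort
}

# Files the restore script sets to 444 whose mode is something else.
entry_points_not_444() {
    for f in "$1/.htaccess" "$1/index.php" "$1/administrator/index.php"; do
        [ -f "$f" ] && find "$f" ! -perm 0444
    done
    return 0
}

# Constructed sample tree: a leftover 777 file, a PHP file dated after the
# marker, and an index.php left at 644.
build_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/images" "$d/administrator"
    : > "$d/marker"; : > "$d/index.php"; : > "$d/administrator/index.php"
    : > "$d/images/x.php"; : > "$d/images/logo.png"
    touch -t 202001010000 "$d/marker"
    touch -t 201901010000 "$d/index.php" "$d/administrator/index.php"
    touch -t 202101010000 "$d/images/x.php"
    chmod 755 "$d" "$d/images" "$d/administrator"; chmod 777 "$d/tmp"
    chmod 644 "$d/marker" "$d/index.php" "$d/images/x.php"
    chmod 444 "$d/administrator/index.php"
    chmod 777 "$d/images/logo.png"
    echo "$d"
}

# Run against a real site: sh audit.sh /path/to/site /path/to/marker
if [ "$#" -eq 2 ]; then
    world_writable "$1"; php_changed_since "$1" "$2"; entry_points_not_444 "$1"
fi
```

An update legitimately changes many PHP files, so the second list is a review list to compare against the update package, not a verdict.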
