JoomlaTips.org is not affiliated with or endorsed by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters, the trademark holder in the United States and other countries.
 
Change the default Joomla database prefix


Joomla has always used its own default database prefix, "jos_", inherited from the old Mambo days. And for just as long, new Joomla components have been found to have some sort of SQL injection vulnerability. They are patched quickly, but if you aren't the type who hunts down the Joomla security news on a daily basis - and why should you be - you are at risk. (And, BTW, you can be sure that the bad guys out there will find out about these before you do, anyway.) What can you do about it?

In most cases a simple trick will do the job of protecting you against these attacks. Most of them are carried out by automated scripts anyway, and there are plenty of vulnerable sites to be hunted down, so you are not very likely to be targeted directly. Most hacks done today are random attacks that use well-known vulnerabilities and presume that lazy webmasters run their sites with default settings.

One of these defaults is the "jos_" prefix. These SQL injection attacks rely on that presumption: in most cases the attacking code contains the prefix.

Changing your prefix can stop most of these attacks with minimal effort.

How can you do this?

At install time, it's a breeze. Regardless of the exact version of Joomla, the installer lets you choose something other than the default "jos_" prefix. On Joomla 1.0.* the option is shown plainly; on Joomla 1.5.* it's a bit trickier: it is buried one click deeper than the default install screen, under the Advanced Settings link on the page where you provide the other database settings. Change it!

What about existing installs, or installs done by automated scripts like the widely popular Fantastico?

It's a bit trickier, but worth the effort. You need at least 2 extra tools for that: your preferred FTP client and access to your database.

The recommended steps are as follows:

  1. back up everything!
  2. export your database - make a SQL dump of it.
  3. with your favorite plain text editor - no, don't use Word or something similar, you will ruin the file - go and replace all occurrences of the string "jos_" with something you prefer, like "mypref_". But keep it short. Nothing really limits you there, but a prefix of 3 letters and an underscore is usually enough to make your install different.
  4. reimport the data into your database. (It's wise to keep the tables with the old "jos_" prefix at least until you're absolutely sure that everything works.)
  5. grab your FTP client, retrieve configuration.php, and locate the line:
        $mosConfig_dbprefix = 'jos_';      (for Joomla 1.0.* sites) or

        var $dbprefix = 'jos_';            (for Joomla 1.5.* family)

     and change it to match your preference. Of course, back it up first.
  6. reupload the changed configuration file.
  7. test the result.
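
Steps 3 and 5 as a script, added here as an example and not part of the original tip. It is a more careful variant of the editor search-and-replace: it renames only backtick-quoted identifiers, so article text that happens to contain "jos_" is left alone. It assumes a mysqldump-style dump with backtick-quoted table names; the sample dump and config strings are constructed.

```python
import re

# Constructed sample input (not from a real site). The INSERT row contains
# "jos_" as ordinary text, which must survive untouched.
SAMPLE_DUMP = (
    "DROP TABLE IF EXISTS `jos_content`;\n"
    "CREATE TABLE `jos_content` (`id` int(11), `introtext` text);\n"
    "INSERT INTO `jos_content` VALUES (1,'Tables start with jos_ by default');\n"
    "INSERT INTO `jos_users` VALUES (62,'admin');\n"
)
SAMPLE_CONFIG_15 = "<?php\nclass JConfig {\n\tvar $dbprefix = 'jos_';\n}\n"
SAMPLE_CONFIG_10 = "<?php\n$mosConfig_dbprefix = 'jos_';\n"


def check_prefix(prefix):
    """Accept only letters/digits ending in one underscore, e.g. 'mypref_'."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*_", prefix):
        raise ValueError("unsafe table prefix: %r" % prefix)
    return prefix


def rewrite_dump(sql, old, new):
    """Rename backtick-quoted identifiers that start with the old prefix.

    Returns (new_sql, sorted list of the original table names renamed)."""
    check_prefix(new)
    pattern = re.compile(r"`" + re.escape(old) + r"([A-Za-z0-9_]+)`")
    renamed = set()

    def swap(match):
        renamed.add(old + match.group(1))
        return "`" + new + match.group(1) + "`"

    return pattern.sub(swap, sql), sorted(renamed)


def rewrite_config(php, new):
    """Set the prefix in a Joomla 1.0 or 1.5 configuration.php string."""
    check_prefix(new)
    pattern = re.compile(r"(\$(?:mosConfig_)?dbprefix\s*=\s*')[^']*(')")
    out, count = pattern.subn(lambda m: m.group(1) + new + m.group(2), php)
    if count != 1:
        raise ValueError("expected exactly one dbprefix line, found %d" % count)
    return out


if __name__ == "__main__":
    dump, tables = rewrite_dump(SAMPLE_DUMP, "jos_", "mypref_")
    print(dump, tables, rewrite_config(SAMPLE_CONFIG_15, "mypref_"), sep="\n")
```

Compare the list of renamed tables against the table list in your database before reimporting; a table missing from the list means the dump did not quote its name the way this script expects.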

If you followed the above steps closely, the site should work. Of course, this is not the only way to do it; you can google around and you will find a lot of good tips and tutorials on the subject. You can even find a Joomla component that can do it for you. My favorite one unfortunately does not support Joomla 1.5, but I'm sure you can find something that matches your level of knowledge and expertise.

What are the potential problems? Phew... there are some. The most important is that some poorly written code for Joomla presumes that you use the default setting, and the "jos_" prefix is hardcoded. What can you do? First advice: drop such extensions. They are obviously a risk: if the coder has made this mistake, he may have made other mistakes too, so you are at the hackers' mercy. But if you want to keep them, and the code is not encrypted (Zend encoded, for example), then you can search for every occurrence of the "jos_" prefix and replace it with the generic "#__" string, which will be replaced with the correct prefix at the time the code is parsed. This may (remember - I said "may") fix the component. But with so many extensions out there you may find a great replacement, and that's wiser.
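
A small audit helper for that search-and-replace, added here as an example and not code from the original tip or from any extension. It lists the lines of an extension's PHP source that hardcode "jos_" and swaps in the "#__" placeholder, matching "jos_" only where it starts an identifier. The sample source is constructed and the component name in it is hypothetical.

```python
import re

# Constructed sample of extension code (hypothetical component, not real).
SAMPLE_PHP = '''<?php
$db->setQuery("SELECT id, title FROM jos_content WHERE state = 1");
$db->setQuery("SELECT * FROM #__users WHERE block = 0");
$query = 'UPDATE `jos_mycomp_items` SET hits = hits + 1';
$label = "adjos_banner";  // not a table name: "jos_" is mid-word
'''

# "jos_" counts only when it starts an identifier: no letter, digit or
# underscore directly before it, and a letter or digit directly after it.
HARDCODED = re.compile(r"(?<![A-Za-z0-9_])jos_(?=[A-Za-z0-9])")


def find_hardcoded(php_source):
    """Return (line_number, stripped_line) for each line hardcoding jos_."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), 1):
        if HARDCODED.search(line):
            hits.append((number, line.strip()))
    return hits


def use_placeholder(php_source):
    """Replace each hardcoded jos_ prefix with Joomla's #__ placeholder."""
    return HARDCODED.sub("#__", php_source)


if __name__ == "__main__":
    for number, line in find_hardcoded(SAMPLE_PHP):
        print("line %d: %s" % (number, line))
    print(use_placeholder(SAMPLE_PHP))
```

Review every reported line before saving the rewritten file: a match inside a query string is what you want to change, while a match in a comment or an unrelated string is harmless but worth a look.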

You are out of luck if you fall into a rarer situation: you use an integration/bridge with some non-Joomla script (forums are the most likely such scripts) that works on the same presumption. Contact the author of the bridge/integration; chances are that he can help you make his piece of code usable on your setup.

Once you're done, enjoy your new setup. You can have a bit more peace of mind. But don't sleep on your ears - hackers are out there, and they are reading this tip too.


