
My Joomla site was hacked! How to Clean a Site


Something is wrong with your Joomla website. Perhaps you’re seeing a white screen, a dark backdrop with the hacker’s or his country’s flag, strange links/advertisements in the bottom part, or your site is redirecting to another site (not yours). You might get a notification from your host support that you have infected files if you’re lucky. The unfortunate fact of hosting a website on a CMS is that it can be hacked at any time. We understand how stressful it is for both you and your customer. A true nightmare.

Once it has happened, there are a number of practical steps you can take to fix the problem and prevent it from happening again.
What should you do if your CMS site has been hacked and you're not sure where to start?

How to Restore a Joomla Website That Has Been Hacked

Step 1: Make a full backup of site

Make a backup, even if there is questionable code inside; any copy is valuable. Back up your website's database as well. Keep a complete copy of both the files and the database on your own computer's hard disk. This is the most important step.
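As an added example (not the article's own script), here is a small POSIX shell script that makes the two backups this step asks for: a tarball of the site files and a mysqldump of the database, reading the database settings from the site's own configuration.php. It assumes the Joomla root and a backup directory are passed as arguments, that the backup directory lies outside the site root, and that mysqldump is installed on the server; the configuration.php it builds for a dry run is a constructed sample, not real data.

```shell
#!/bin/sh
# Added example (not from the original article): back up a Joomla site's files and
# database before touching anything. Usage: sh backup.sh /path/to/joomla /path/to/backups
set -e

# Read one scalar setting from configuration.php, where Joomla writes lines such as
#     public $db = 'joomla_db';
# Assumption: the value contains no quote character (Joomla escapes quotes as \').
config_value() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*public [\$]$key[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"];.*/\1/p" "$conf" | head -n 1
}

# Archive every file, including suspect ones: any copy is evidence and may be needed later.
# The destination must be outside the site root, or the archive would include itself.
backup_files() {
    root="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    archive="$dest/files-$stamp.tar.gz"
    tar -czf "$archive" -C "$root" .
    printf '%s\n' "$archive"
}

# Dump the database with the same credentials Joomla uses. The password is passed via
# MYSQL_PWD rather than on the command line, so it does not show up in the process list.
backup_database() {
    root="$1"; dest="$2"; conf="$root/configuration.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "mysqldump not found: export the database from the hosting panel instead" >&2
        return 1
    fi
    dump="$dest/db-$stamp.sql"
    MYSQL_PWD="$(config_value "$conf" password)" \
        mysqldump --single-transaction \
        -h "$(config_value "$conf" host)" \
        -u "$(config_value "$conf" user)" \
        "$(config_value "$conf" db)" > "$dump"
    printf '%s\n' "$dump"
}

# Constructed sample site (not real data) so the helpers can be exercised offline.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images"
    cat > "$dir/configuration.php" <<'EOF'
<?php
class JConfig {
    public $offline = '0';
    public $host = 'localhost';
    public $user = 'joomla_user';
    public $password = 'example-only';
    public $db = 'joomla_db';
    public $dbprefix = 'jos_';
}
EOF
    printf '%s\n' "$dir"
}

if [ $# -eq 2 ]; then
    backup_files "$1" "$2"
    backup_database "$1" "$2"
fi
```

Run it over SSH on the host before any cleaning starts, then download both the tarball and the .sql dump to your own computer; the archive is taken with the suspect files still in place on purpose, because they are the evidence of what happened.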

Step 2: Scan your website

We strongly advise you to examine your website using the following online tools:

  • https://www.virustotal.com
  • https://app.webinspector.com
  • http://www.quttera.com
  • https://sitecheck.sucuri.net
  • http://www.isithacked.com

Replace YourSite.com with your own site's address in the following URL.

http://www.google.com/safebrowsing/diagnostic?site=http://YourSite.com

A word of caution! None of those online scanners can scan the entire folder/file structure of a CMS, so they will not always display a warning. If one of them does flag your site, you can be 99 percent certain that something is amiss and that something “bad” is hiding on it. It also suggests that the site was compromised a few days, weeks, or months ago.

This step is even more important: scan all files from the current copy (backup) of the website with anti-malware tools (PC/Mac/Linux):

  • Malwarebytes Anti-Malware (Free)
  • ClamAV (Free)

and your already installed antivirus as well.

If a desktop tool finds something, delete those files not only locally but also on the hosting server.

cPanel Virus Scanner

Running the cPanel virus scanner is always beneficial and recommended; it can even be done as a preliminary check. The hosting cPanel's virus scanner looks for viruses, trojan horses, malware, and other threats. Use the “Scan Public Web Space” option, which analyses your account's public_html directory for infected website files. If the directory has a large number of files, the scan may take a long time to complete (usually 3-10 minutes).

If the virus scan uncovers any affected files, you can choose how to handle them:

  • Disinfect: When you select this option, the virus scanner removes the malicious content from the file.
  • Quarantine: When you select this option, the virus scanner moves the file to the quarantine directory.
  • Destroy: When you select this option, the virus scanner deletes the infected file. This means you will have to upload a fresh copy from a clean package later.
  • Ignore: When you select this option, the virus scanner ignores the infected file.

Finally, ask your host to analyse your site for any further compromised files. Many hosts will supply a list of files, but few will give you much guidance on how to fix the problem. Remove any and all infected files. If you're unsure whether a Joomla core file is required, simply open it and compare it with the same file in a fresh Joomla installation or Joomla extension package. If you're still not sure, delete it anyway; all Joomla core files can be readily replaced.

Step 3: Turn off site

Offline Method

You must put the site into offline mode for every visitor. In Joomla this can be done either from the backend or via FTP. We recommend the second method. Open the configuration.php file in the root Joomla folder with a plain-text editor and make the following change:

FROM: public $offline = '0';

TO: public $offline = '1';

By the way, you can put a short piece of text in the offline message, perhaps the company's phone number and a fuller description of the company, but only for a limited time.

IP Block

The other, and probably better, solution is to close your site and allow access only from your own IP addresses. This way all other visitors are kept out, and hackers are unable to edit your files or Joomla! database. Furthermore, search engines (such as Google and Bing) may blacklist your site and display warning messages, so avoid that while you still have the option. The simplest solution is to change your .htaccess file to allow access only from your own IP address. Use the two lines of code below:

deny from all
allow from YOUR_IP_ADDRESS

* Replace YOUR_IP_ADDRESS with your own public IP address; you can look it up on www.whatismyip.com, for example.

Step 4: Manual Scan via FTP

This is a difficult task, and your success may be contingent on your prior experience, meticulousness, and precision.

First, look for PHP files in the /tmp, /cache, and /images folders and their subfolders. Delete any you find without hesitation.

Malicious files may hide deep within the directory structure and appear legitimate. Most of the time, hackers create extra files whose names resemble popular core file names and are easy to overlook, such as:

  • Adm1n.php
  • admin2.php
  • contacts.php
  • cron.css
  • css.php
  • do.php
  • hell0.php
  • solo.php
  • x.php
  • test.php or test.html or tests.php
  • uploadtest.html etc.

If you find such files, you can delete them even without checking the code inside.

Second, look for files that contain base64 (a hacker's favourite), but keep in mind that base64 and eval code are also used by a number of harmless plugins and components. The backdoor file is always the first thing that smart hackers upload: even if you identify and remove the exploited extension, they can regain access through it. If you find suspicious-looking code inside files, use UnPHP (PHP Decoder), a free online service for analysing obfuscated and malicious PHP code. It supports simple obfuscation methods such as eval(), gzinflate(), str_rot13(), str_replace(), and base64_decode(). Even if the entire code is not revealed, it is still helpful.

Remember that PHP functions like substr(), eval(), gzinflate(), base64_decode(), and preg_replace(), together with related regular expressions, are routinely used to “mask” malicious code.

Use a desktop application that can search for a string across files, so you can locate things like these, which hackers usually hide:

base64_decode(

or

 if (md5($_POST

or

$password=@$_REQUEST['password']

or

$action=@$_REQUEST['action']

or

preg_replace("/.*/e"

In most cases, new files will have fresh timestamps, so you may find them by looking at the files uploaded or modified in the last few days/hours that were not changed by you or a team member.

If you're not sure whether the code you find inside a file is suspicious or not, use Jotti's malware scanner (virusscan.jotti.org/en-US/scan-file). It's a free tool that lets you scan suspicious files with many anti-virus programmes. The site comes with a number of built-in language translations, so double-check and switch the language before using it.

Do not overlook the default template's .htaccess file or index.php, which may include a redirection script to another page or a hidden advertisement.

Also, picture files with a .jpg or .gif extension may contain concealed code; these are fake images.

Because there are so many possibilities, this search/scan procedure can take up to 2 hours. Repeat it until no hacked code remains.
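The four manual checks above (stray PHP files under /tmp, /cache and /images; the suspicious strings; recently modified files; and images carrying PHP) can be scripted. The following is an added example, not the article's own tooling: POSIX shell functions that run those checks over a site root or over the backup copy from Step 1. The sample tree it builds is constructed for the demonstration; the file names and marker strings in it are not real malware.

```shell
#!/bin/sh
# Added example (not from the original article): the manual checks of Step 4 as shell
# functions you can run over the site root (or over the backup copy from Step 1).
# Usage: sh scan.sh /path/to/joomla [days]
set -e

# 1. PHP files under tmp/, cache/ and images/ (including subfolders) do not belong there.
find_php_in_upload_dirs() {
    root="$1"
    for d in tmp cache images; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \)
        fi
    done
}

# 2. Files containing the strings the article lists (plus two common decoders). These are
#    indicators, not proof: some legitimate extensions use base64_decode() and eval() too.
grep_suspicious_patterns() {
    grep -rlF \
        -e 'base64_decode(' \
        -e 'md5($_POST' \
        -e "\$_REQUEST['password']" \
        -e "\$_REQUEST['action']" \
        -e 'preg_replace("/.*/e' \
        -e 'gzinflate(' \
        -e 'str_rot13(' \
        --include='*.php' --include='*.html' --include='.htaccess' "$1" || true
}

# 3. Files changed in the last N days (default 3): compare the list against what you and
#    your team actually uploaded in that window.
find_recent_files() {
    find "$1" -type f -mtime "-${2:-3}"
}

# 4. "Images" that carry PHP: a jpg/gif/png containing a PHP open tag is a fake image.
#    -a forces grep to treat the binary file as text so -l can report it.
find_php_in_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' -o -iname '*.png' \) \
        -exec grep -laF '<?php' {} + || true
}

# Constructed sample tree (not real malware): one clean core file with an old timestamp,
# one PHP file hiding under images/, one file carrying a marker string, one fake image.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images/stories" "$dir/cache" "$dir/tmp" "$dir/components/com_content"
    printf '<?php\necho "article";\n' > "$dir/components/com_content/content.php"
    touch -t 202001010000 "$dir/components/com_content/content.php"
    printf '<?php\n// constructed sample: a PHP file has no business under images/\n' \
        > "$dir/images/stories/adm1n.php"
    printf '<?php\n// constructed sample carrying a marker string: base64_decode(\n' \
        > "$dir/components/com_content/x.php"
    printf 'GIF89a<?php /* constructed marker */ ?>' > "$dir/images/banner.gif"
    printf '%s\n' "$dir"
}

if [ $# -ge 1 ]; then
    echo "== PHP files under tmp/, cache/, images/";   find_php_in_upload_dirs "$1"
    echo "== files containing suspicious strings";     grep_suspicious_patterns "$1"
    echo "== image files containing a PHP open tag";   find_php_in_images "$1"
    echo "== files modified in the last ${2:-3} days"; find_recent_files "$1" "${2:-3}"
fi
```

Treat the output as a worklist, not a verdict: every file the second check reports still needs to be opened and compared with a clean copy, because base64_decode() and friends also appear in legitimate extensions, while the first and fourth checks rarely have an innocent explanation.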

Step 5: Change passwords

Change all passwords right away, especially your Joomla Super User account and any other accounts with administrative access to the site. From the hosting panel, change the MySQL password for your website's database and the FTP password (if FTP was used in Joomla). The new database password (usually MySQL) must also be placed into the configuration.php file, as follows:

public $password = 'NEW-MYSQLi-PASSWORD';
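Both the offline switch and the IP allowlist from Step 3 and the password change here are edits to the same two files, configuration.php and .htaccess, so one added example (not the article's own code) serves all three: POSIX shell helpers that flip $offline, prepend an IP allowlist to .htaccess without losing Joomla's existing rules, and write a new $password, each time keeping a .bak copy. It assumes the Joomla root is passed as an argument; the IP address 203.0.113.5 is a documentation placeholder and the configuration.php it builds for a dry run is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): the configuration.php and .htaccess
# edits from Step 3 (offline mode, IP allowlist) and Step 5 (new database password),
# done from the shell instead of by hand.
set -e

# Replace the value of one scalar setting in configuration.php, keeping a .bak copy.
# Quotes around the old value are optional, so both  '0'  and  false  are handled.
# Assumption: the new value contains none of  ' " / \ &  (sed delimiter/replacement
# metacharacters); pick rotated passwords without them when using this helper.
set_config_value() {
    conf="$1"; key="$2"; value="$3"
    case "$value" in
        *\'*|*\"*|*/*|*\\*|*\&*) echo "unsupported character in value for $key" >&2; return 1 ;;
    esac
    cp "$conf" "$conf.bak"
    sed "s/^\([[:space:]]*public [\$]$key[[:space:]]*=[[:space:]]*\)['\"]\{0,1\}[^'\";]*['\"]\{0,1\};/\1'$value';/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

set_offline()     { set_config_value "$1/configuration.php" offline 1; }
set_online()      { set_config_value "$1/configuration.php" offline 0; }
set_db_password() { set_config_value "$1/configuration.php" password "$2"; }

# Prepend an IP allowlist to .htaccess (Apache 2.2 directives, as in the article;
# Apache 2.4 without mod_access_compat needs "Require ip ..." instead). Joomla's own
# rules, e.g. its rewrite rules, are kept below the allowlist.
write_ip_allowlist() {
    root="$1"; shift
    ht="$root/.htaccess"; had_existing=0
    if [ -f "$ht" ]; then cp "$ht" "$ht.bak"; had_existing=1; fi
    {
        echo "# temporary allowlist added during clean-up; remove when the site is clean"
        echo "order deny,allow"
        echo "deny from all"
        for ip in "$@"; do echo "allow from $ip"; done
        if [ "$had_existing" = 1 ]; then cat "$ht.bak"; fi
    } > "$ht.tmp" && mv "$ht.tmp" "$ht"
}

# Constructed sample site (not real data) to exercise the helpers offline.
make_sample_site() {
    dir=$(mktemp -d)
    cat > "$dir/configuration.php" <<'EOF'
<?php
class JConfig {
    public $offline = '0';
    public $password = 'old-example-password';
    public $db = 'joomla_db';
    public $dbprefix = 'jos_';
}
EOF
    printf 'RewriteEngine On\n' > "$dir/.htaccess"
    printf '%s\n' "$dir"
}

# Usage: sh lockdown.sh /path/to/joomla 203.0.113.5 'New-Db-Password'
# (203.0.113.5 is a documentation placeholder; use your own public address.)
if [ $# -eq 3 ]; then
    set_offline "$1"
    write_ip_allowlist "$1" "$2"
    set_db_password "$1" "$3"
fi
```

The key is matched only when it is followed directly by "=", so changing $db leaves $dbprefix untouched; a value with a quote, slash, backslash or ampersand is refused rather than written half-escaped, which is the usual way a hand-edited configuration.php ends up with a syntax error and a white screen.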

Step 6: Update & uninstall

Check that Joomla and all of your plugins, modules, and components are up to date. If you're not sure, compare the version number in Extension Manager with the information on the developer's website. Hackers are more likely to target older versions than newer ones. Even if an extension is disabled, its files may still provide unauthorised access to your website. Remove everything you don't use (uninstall it), or at the very least keep it up to date. We strongly advise you to install the Joomla 3.x Update Package.zip from Joomla.org over your existing installation; this also replaces files that are contaminated or damaged. In most circumstances, this step helps you regain your site.

Step 7: Calm Down Google & Clients

If Google's crawler was faster than you and flagged your site as infected, Google removes it from its search results to protect other users (Google's blacklist). That means a loss of traffic and of trust. Even after cleaning, this status may persist for a few days (or a week), which is why you should take the following steps to get it lifted faster:

  • Check for malicious files, code, and content on your website.
  • Activate your website (in Global Configuration).
  • Click Request a review in Google Webmaster Tools after opening the Security Issues Report. If you haven’t already, add your website.
  • In addition, you can use the URL Removal Tool in Google Webmaster Tools to request that any URLs created by the hacker be removed.

Once you have cleaned your website and requested a review, Google's systems will check it for malware or harmful software. If none is found, Google removes the warning from your website; however, this can take up to 48 hours.

Another guide to unhacking your site is available at https://www.akeebabackup.com/documentation/walkthroughs/unhacking-your-site.html.

Conclusion

It's quite difficult to restore a compromised website. Hackers can bury their code deep in files or in the database structure, making it hard to locate. If you have a recent backup of your CMS (essentially the files), consider deleting your content entirely and restoring your last known good backup (once you've checked that it's clean and free of hacked content). Yes, before restoring the site from a backup, you must erase everything (mainly files). The /images folder is safe to keep.

Keeping everything up to date is one of the best ways to prevent hackers from getting into your website through outdated plugin, component, and module files.

And now for the final word. Sorry to say it, but we have to tell you the truth: it's impossible to make a website 100 percent hack-proof.