You are here:Home»KB»Web Design»CMS»Joomla»Dehacking a Joomla Website
Tuesday, 14 June 2016 16:29

Dehacking a Joomla Website

Written by

These are my notes on recovering your hacked Joomla website (de-hack/dehack/dehacking).

The best prevention is to have good reliable backups.

Part 1 - Am I hacked?

If you receive reports from a customer that their website is hacked you need to look at their site from your computer.

Precautions

  • Use a Sacrificial PC (a PC you dont mind wiping if it gets infected)
  • Make sure A-V is running
  • HIPS is on
  • An AD Blocker is running
  • Run your browser in Sandbox mode
  • Malwarebytes Anti-Exploit is running
  • Javascipt is disabled (to start with)
  • Adobe PDF is not installed
  • No Script Plugin is running

What should I do to check?

  • Check the obvious cPanel settings to make sure it is not them causing a website to go off
    • Is the account suspended
    • Over bandwidth quota Account
    • Over disk quota
  • Have a look around with ftp / cPanel before anything else
    • Are there random file names and unusual folders
    • Check the CGI folder and remove anything in there (should I disable CGI)
  • Check the Vulnerability Feed from Joomla
  • Check the homepage to see if it is hacked (optional)
  • Check .htaccess
  • Login to Joomla admin
  • Install RSFirewall and run system check
  • Check Website log files
    • check the raw access logs with ApacheLogViewer (or other log viewer) and check for access to dodgy files and heavy access from 1 IP etc..
    • Also try sorting by request, this will expose dodgy files and their access
    • POST should not be heavily used by remote IP address
    • Add these IPs to the htaccess IP deny rules

Part 2 - First Steps if your site is hacked

  • Disable website by .htaccess (Deny From All)
  • Change cPanel password

Part 3 (opt A) - Recover from backup

This by far is the best way to recover your joomla website.

This will replace all files and your database, so if youor backup is really old or out of date you should consider if this is the best option for you.

  • Back the virus infect website up and store
    • Why do this? This is done just in case you have missed some new content or other thing you have missed. It does not harm and this backup can be deleted later. Download this to your PC before starting.
  • Verify that the Joomla version of the infected website and the backup are the same. If they are not you will need replace the database with that out of the backup and this can lead to content loss if the backup is not new enough. If you do not want to swap the database you cannot use this method.
    • The joomla version number is stored in
      • administrator/manifests/files/joomla.xml
      • /libraries/cms/version/version.php
      • Write down the Joomla version make sure you combine the release+maintenance version to get the correct joomla version?
    • How to find which version of Joomla! I'm using? - Joomla!
  • Delete the files in public_html folder on the server
  • Upload your backup
    • Only the contents of the public_html folder, you should extract these files from the backup and re-zip ready for upload.
    • You can also upload the full backup and after extraction only move the required files into public_html if you know what you are doing
  • Extract backuped files into the public_html folder
  • Replace the database (optional)
    • only do this if the Joomla versions were not the same
  • Empty joomla cache

The site should now be running but it might not be clean, backups can still have issues. Perform the Hack Cleanup to finish.

Part 3 (opt B) - Repair Hacked Site (as is)

If you do not have any backups you will need to repair your Joomla installation using the following procedure. This is not the preferred option.

  • Backup the website
    • Why do this? This is done just in case you have missed some new content or other thing you have missed. It does not harm and this backup can be deleted later. Download this to your PC before starting.
  • Write down the Joomla version
    • The joomla version number is stored in
      • administrator/manifests/files/joomla.xml
      • /libraries/cms/version/version.php
      • Write down the Joomla version make sure you combine the release+maintenance version to get the correct joomla version?
    • How to find which version of Joomla! I'm using? - Joomla!

Full Package Joomla System Files Re-Install

This section should re-enable Joomla but malware might be present in 3rd Party Apps and in random folders all over the place and should not be counted on as fully cleaning your website.

This section will also allow you to get a list of installed extensions and their version numbers. You can get these from your database if you know what you are doing.

  • Download the full installation package for the same Joomla version from github
  • extract the zip file
  • upload all of the extracted Joomla files to the hacked website's public_html folder and replace all files
  • This should allow you to get basic access to your joomla website
  • login into the joomla website and get a list of the installed extensions and their version numbers

You can move to the 'Perfom Hack Cleanup' section if you have time contraints or are happy that the infection is not envasive, this is not recommended. You should carry on with the next section.

Full Fresh Install with 3rd Party Apps brought back in

This is a lot more thourough in cleaning you site but requires a lot more work. This assumes you have followed the section above and have a backup of the infected site and a list of extensions.

  • Delete the files in public_html folder on the server
  • Extract the backup you just made on to your PC (of the infected site)
  • Scan the files in the public_html files for virus and remove them if found.
  • Upload the Full Joomla installation package to the public_html folder on the server
  • carefully check the /images/ folder and once you are happy that it is clean upload this to public_html on the server
  • There might be 3rd party apps that have user files that need uploading (ie in the media folder), unless you know what needs uploading and have check for virus or dogy files DO NOT UPLOAD, you can always do this later. Most user stuff will be in the /images/ folder
  • Download all of the extensions you need and make sure they are the correct version
  • check the  configuration.php from the download infected backup and make sure it is clean from virus or dodgy code and then if all clear upload it to the website server
  • Login to joomla. You migth get some erros but ignore these unless you cannot login (that will need to be dealt seperately)
  • install all of the extensions you have downloaded. this will re-install all of these extensions with fresh files.
  • Check all of the extensions are working correctly (i.e. there are no missing images). If there are missing images check in your infected backup for them, clean the related files and folders and then upload them to the correct location on the server.
  • Check joomla is running normally

The site should now be running but it might not clean yet. Perform the Hack Cleanup to finish.

Part 4 - Post Hack Cleanup

These instructions should be done for all versions of recovery and help prevent getting re-infected and remove any straggling malware or unwanted behaviour.

Users and Passwords

  • Remove any erroneous user accounts. Delete any users that should not be in the Joomla user manager.
  • Change passwords (and prefixes) for the following in order and all of them:
    • cPanel (if not already)
    • MySQL Database
    • MySQL Database Prefix
    • RSFirewall
    • Joomla Users - Reset them all
      • if you have users do a bulk reset once you have changed the admin password
  • Edit configuration.php via cpanel and change MySQL database password
  • Check the administrator folder is protected by .htaccess authentication (Batcode). If it isn't, add this feature
  • Enable 2nd Factor Authentication in Joomla (I have not tried this yet)
  • The potential login procedure would follow
    1. URL with Token
    2. Batcode
    3. RSFirewall
    4. Joomla Login
    5. 2nd Factor Authentication

RSFirewall

If already installed upgrade it if it is not the latest version.

  • Install RSFirewall if not present (with hashes and GeoIP)
    • Upload New Hashes (if not present)
    • Install GeoIP to block by country? (if not present)
  • Configure RSFirewall settings  (as per skeleton notes)
    • Upload Skeleton Config - Which includes:
      • Block all China and Russia
      • Active file scanner
      • Enable admin password protection
      • High and critical emails sent to joomla@example.com
      • Disable Joomla Installer
      • Prevent New Admins from being created
      • convert all emails to images (i have not used this yet)
      • Filter File Uploads
      • Automatic Blacklisting set to 10
      • etc...
  • Scan / System check and follow all recommendations (apart from php.ini)
    • Remove any malware files it finds by keeping the list on screen and then use a ftp browser and remove all infractions
    • Temp Files
      • Empty temp files (except index.html if doing manually)
      • The temp folder should be /home/{account}/tmp-joomla if not already
      • Don’tdelete /home/{account}/publid_html/tmp it will just come back with a system upgrade or get flagged by the RSFirewall as missing.
  • Database Check (PHPMyAdmin and RSFirewall)

Upgrade Joomla and Extensions

Backup again before doing this sections for safety.

  • Re-install/Upgrade all extensions
  • Re-install/Upgrade template (Joomlashine allows you to scan files for modifications)
  • Remove JSecure lite (if present)
  • Install SH404SEF (optional)
  • Upgrade Joomla

Joomla Settings

  • Add captcha to all forms
  • Empty joomla cache
  • Add 5G firewall

Final Operations

  • Empty Temp files again
  • Run RSFirewall System check
  • Create a backup from the live webserver and save it to your PC
  • Extract the public_html (your could do the whole cPanel archive) and scan for virus
  • If the scan(s) come back clear you are done. If any virus is found you need to remove them and upload the cleaned files
  • remove any .htaccess restrictions
  • Delete the root .htaccess and robots.txt files and replace with the Skeleton ones or use the latest Joomla ones from the upgrade
  • Done

Part 5 - cPanel Additional

I use cPanel for hosting so this is what I do but you can easily translate these in to any other hosting platform

  • Set email quotas within the disk quota of the account ie the website + email quota is below the account limit 100mb mail boxes is good.
  • Purge the default mailbox (probably via webmail or ftp)
    • load horde, right click on the inbox and select empty - this will remove all emails
  • Set Default Email address to "Discard the email while your server processes it by SMTP time with an error message."
  • Country restrict the site via .htaccess (in the short term)
  • Enable SPF and DKIM
  • Get the server PHP version upgraded if needed
  • Server AV scan when replacing the .htaccess you must bear in mind multiple domains , if you delte these rewrites this could cause a connection reset error. Restore the htaccess file from the viri website buyt make surte yoou clean it. This might want to be earlier in these instructions

Misc

Password Checklist

When fixing multiple websites you need to record the username and passwords. I use a text file with the following in:

Read 1094 times Last modified on Monday, 23 January 2017 09:06
Published in Joomla
back to top