Restoring a compromised site, help appreciated

[trev1972]

Hi all

A couple of years ago i inherited a joomla site (1.5), a consultant wrote it, im IT manager, but dont have much experience with web work so we had our website outsourced

Its sat there fine for 2 years...and i know i should have migrated to a newer version

While on holiday in turkey our site got hacked somehow, infecting customers apparently and google has flagged it as malware

As i was abroad i got our ISP to block the site till i got home - but i was hoping someone can confirm my plan for restoration is right, i really do not know joomla well.

I have backups of all the files, and 2 database backups (im not sure why i have 2 databases even, one is huge, one small)

The backups were done using our isps file and database backup options, luckily im very thorough with backups

I was planning to do the following

1) VIA ftp.. Wipe every file (from root) to start fresh

2) on the backup files edit htaccess to restrict access to just my ip address (stop us being rehacked before i fix the vulnerability)

3) restore files to host and restore database using my isps 'restore database and restore files' option

4) Update security etc using guides on here

5) Unrestrict ip address access so site is accessable by all


does this sound correct?

Will restoring database and files actually recreate the working joomla site??

I have no real experience as i was not involved with the site..and the site creator no longer works in web design

Thanks

[mandville]

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the Security Checklist 7 document.