To directly answer the question, I don't know what 'script' the doc was talking about.
While there is much good reading on the official Joomla wiki about security etc., not all of it is up to date or may be missing something such as what you found. You should be following the checklist mandville posted and I will explain why in a minute. I have posted essentially the same thing here at the bottom of this post for convenience.
First. Security is an always changing target. As such, the documentation has to change along with the times. Yes, there is much other documentation with pointers and suggestions to follow that can be found on the Joomla wiki as wel as elsewhere (much of which is essentially copied from the official Joomla wiki docs). The quality of this documentation as it relates to security is varied from up to date and maintained, to extremely out of date or wrong.
The security moderators and a select few other very knowledgeable people have created documentation specifically dealing with site hacks, how to efficiently recover from the hacks and how to prevent site hacks from reoccurring. The information is a collection of current best practices and procedures and is what we generally use day to day to clean, fix, and prevent hacked sites. The information provided is generally under the control of the security moderators and a select few other forum members and is kept up to date with the latest recommended security practices and security information. This documentation essentially consists of three main things:
1. the FPA script. This script is to provide both the script user and the helpful people on the security forum with detailed information about the site in question. The script can save hours of work and many times we can use the posted results to point to an area of the site to focus on first.
2. The security checklist 7. This wiki document contains the essential requirements to clean, repair, and help prevent the hacking from reoccurring. The document also contains some helpful one line scripts; one of which will detect if any file changes on a site for any reason, and by anyone.
3. The VEL or V
ist is a listing of extensions and the version(s) for Joomla that were found to be insecure and could result in a hacker using them to enter and hack your site. Mandville does an excellent job of keeping the listing up to date and this list is always changing. Used together with the FPA you can quickly determine if an extension version your using is on the listing. Any extension version you are using that is found out of date or appears on the list should be updated using the latest release from the developer. If there is no later release, then the extension should be uninstalled from the site.
That covers the three main documents and sources of information. There is one more under control of the security moderators and that is the "Before You Post" forum sticky viewtopic.php?f=621&t=582854
is for the 2.5 forum. The security mods and others will many times point to this checklist or provide a copy within an answer. The "Before you post" sticky also contains some additional pointers that may be missed when reading the checklist 7. While what is sometimes posted varies somewhat (both between security mods and the forum sticky) the essential information to follow is always contained within what is posted. This is what I am posting below.
It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.You must state what version of Joomla you were using when when the site became hacked. This can make a difference as to how we approach your individual situation.
[ ] Run the Forum Post Assistant / FPA
Instructions available here
and are also included in the download package.
[ ] Ensure you have the latest version of Joomla
. Delete all files in your Joomla installation, saving a copy of the configuration.php file.
Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories
More detail can be found in the security Checklist 7 link below.
[ ] Review Vulnerable Extensions List
[ ] Review and action Security Checklist 7
to make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777
, ideal is 644 and 755 and 444 for the configuration.php file.
[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabledNote: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.