Before you post - read and action this
Posted: Sat Sep 29, 2012 12:49 am
Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.
You must state what version of Joomla you were using when when the site first became hacked. This can make a difference as to how we approach your individual situation.
[ ] Download and RUN the Forum Post Assistant / FPA Instructions - extract the file FPA First Time User.pdf from the /Documentation folder in that file. The instructions are contained in the PDF document.. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
https://forumpostassistant.github.io/docs/ NOTE: Do not download the FPA from any other website or links found on the Internet.
[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.
[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.
[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.
[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.
[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.
[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabled.
[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.
[ ] Replace the deleted files by
[*]Create a new database and install without sample data to it(make sure it the same version as previous site).
[*]Install the 3rd party extensions(including any custom template) to the new Joomla. (That insures you have the files in place for the 3rd party extensions)
[*] Edit the configuration.php file of the new Joomla to connect to your original database.
 In Joomla's User manager verify that all the users in Super User and Administrator (as well as any custom User Group with Admin access) are valid.
 Make a backup and update to the current full version of Joomla
Only by deleting all files from the server and replacing them with the files in the installation (including extensions and templates) can you be sure to remove any backdoors inserted and hidden in various files and directories.
More detailed information can be found in the Security Checklist 7 document.
Paid security cleanup services can be found at http://resources.joomla.org/
Note: The forum post tool will work with all versions of Joomla. The FPA is written and maintained by the Joomla Security forum moderators.