Recovering from a hack

Discussion regarding Joomla! 3.x security issues.

Webdongle
Joomla! Master
Posts: 33722
Joined: Sat Apr 05, 2008 9:58 pm

Recovering from a hack

Postby Webdongle » Fri Jan 20, 2017 12:55 pm

Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to an empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do:

  a. Run the fpa and post the results in this forum
  b. Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  c. Delete all the files on the server
  d. Scan your computer and all computers that have server or Joomla admin access
  e. Change Passwords
  f. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  g. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and have not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645
Last edited by toivo on Fri Jul 07, 2017 7:13 pm, edited 1 time in total.
Reason: mod note: edited on request

itoctopus
Joomla! Virtuoso
Posts: 4004
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Recovering from a hack

Postby itoctopus » Thu Feb 02, 2017 4:30 am

@Webdongle - thank you for this guide - but there are several problems with it (and it is not the official guide as stated by you on other answers on this forum):

- It doesn't take into consideration the images folder and the media folder. These folders may contain malicious PHP files that may be copied back and that may not be caught by a PC scan.
- Some websites have custom extensions that need a lot of work to re-install on the target website. Additionally, these custom extensions may contain some malicious files.
- It assumes that the user has all of the installed extensions as packages.
- It doesn't take into consideration that the hack might be outside the public_html directory (this is especially the case on shared hosts).
- It doesn't take into consideration that the hack might be caused by a cron job (which is the hardest hack to find).
- It doesn't take into consideration the .htaccess file - which is typically copied as is from the infected website to the clean website and hacks there are typically not caught by any scanner.
- It is not as easy as it seems - in fact - large websites must avoid implementing this method. Making this method look very straightforward is misleading and may cause a lot of frustration for website owners/administrators.
- It doesn't take into consideration the future of the website - applying the above without further protection will probably get the website hacked the next day.

@Webdongle - your guide above is incomplete and not as easy as you make it look - the most complete one is the official one by @mandville - which you should link to instead of linking to this.

Note to moderators: Please take note that the above guide is being promoted as the official guide - the problem is that it is missing many points from @mandville's official guide. No need, in my opinion, to have this incomplete guide (this can cause confusion especially among mainstream Joomla users) - I suggest that it gets deleted.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Webdongle
Joomla! Master
Posts: 33722
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Postby Webdongle » Thu Feb 02, 2017 11:58 am

It is not 'delete everything and start over' because it retains the database. One of the easiest ways to deploy a hack file to the server is to upload a compromised image file. If you do not have the originals of all the images on your site then you need to question the validity of the images on the site and their origin.

As for the accusation that it is not my method ... I never claimed it is my method and it clearly states it is a summary. It also has a link to the full official details.

The 'catch 22' is that many of the users who get hacked are too lazy to keep their software up to date. As a result those users look for a 'quick fix' and fail to clean the site properly. You only need to look at the threads in this forum to see how many users come up with excuses to avoid cleaning their site completely.

Ideally the site owner would hire a professional to monitor the security of the site. However, many users don't have the budget to do so ... therefore they need to do it themselves. The summary is intended to help those users understand the Full details and is not intended as a replacement. A certain modicum of common sense is expected for the user to click the link to the "Full details".

@itoctopus
Your attack fails to take into account that:
If someone reading the summary fails to click the link to the "Full details" (and thus misses the answers to the objections that you have raised) then their ability to use any method is questionable.

ribo
Joomla! Virtuoso
Posts: 3080
Joined: Sun Jan 03, 2010 8:47 pm

Re: Recovering from a hack

Postby ribo » Thu Feb 02, 2017 4:38 pm

As I see it, @Webdongle does not cancel the post of @mandville. At the end he writes
Many users, when they see these posts, don't understand how easy it is and believe that they must create the Joomla site from the beginning, like they did before. @Webdongle in this post points this out:
Your database is your site ... first and foremost make a backup of your database.
and this:
Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.
That they must delete all the files so as to be sure there are no hack files inside, and that with the original database they can recover their site. About the images and media folders, it is very easy for everyone to find any hacked files, as they can compare these folders with the original folders, which mostly have images inside.
About a hacked extension we all understand that if it is vulnerable and not updated we must not use it. The same goes for custom extensions.
chat room spontes : http://www.spontes.com

Realistix
Joomla! Apprentice
Posts: 9
Joined: Sat Mar 06, 2010 10:10 am

Re: Recovering from a hack

Postby Realistix » Mon Feb 20, 2017 4:17 pm

In all honesty, the absolute best way to recover from a hack is to use myjoomla.com

Do it yourself for next to nothing, the tool is so easy to use or pay the guy to do it who will usually do it within a day. I have been using this service for almost a year now to maintain and unhack joomla websites and it is second to none.

P.S. I'm not affiliated or linked with the company whatsoever - just a raving fan who understands the value of what it offers.

Webdongle
Joomla! Master
Posts: 33722
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Postby Webdongle » Mon Feb 20, 2017 9:16 pm

There are many good professional services but not all Joomla users have professional sites or can afford those services. Also many Joomla users use shared Hosting and are limited to what is allowed to be done on or to the server. The aim of this thread is to provide a summary of http://forum.joomla.org/viewtopic.php?f=714&t=757645 for the Joomla users who (for whatever reason) are unable to use professional services.

mandville
Joomla! Master
Posts: 14349
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Recovering from a hack

Postby mandville » Mon Mar 20, 2017 8:16 pm

Webdongle wrote:Your database is your site ... first and foremost make a backup of your database.

HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

vrans99
Joomla! Apprentice
Posts: 23
Joined: Sun Aug 01, 2010 11:24 am

Re: Recovering from a hack

Postby vrans99 » Fri Jul 07, 2017 3:58 pm

Thank you so much.
This is a great piece of information.
I did follow the steps and I have now a virus-free and fresh installation of Joomla.
Some steps are not clear as to whether they have to be performed in cPanel or inside the Joomla settings, but the results look fine.
But I have a question: After the fresh Joomla install and changing the settings to point to the original database, I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but are not really installed.
How can I clean the db of those extensions that are not really installed? What is the safest and easiest way to do so?
Also, I found an issue trying to install PhocaMaps (it gives me an error), then I tried to "uninstall it" (because of the reference to it being already installed) and I couldn't uninstall it either (or take it off the database).
Please, need your help.

ribo
Joomla! Virtuoso
Posts: 3080
Joined: Sun Jan 03, 2010 8:47 pm

Re: Recovering from a hack

Postby ribo » Fri Jul 07, 2017 4:11 pm

vrans99 wrote: I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but they are not really installed.
How can I clean the db of those extensions that are not really installed?

If there are some extensions you don't need to install and you want to clear your database of them, you can go into your database and delete them: for example, if an extension has tables you will delete them, you will also find the extension to delete inside "yourprefix_extensions", and also check inside "yourprefix_assets" if there is something to delete. Always back up before you change something.
Note1: First you install the extension and afterwards you point to the original database

Note2: You forgot to post the FPA results in this post viewtopic.php?f=714&t=952441 so that someone can check your host server for any issue there, so that you are not hacked again, as the reason can be the server.

vrans99
Joomla! Apprentice
Posts: 23
Joined: Sun Aug 01, 2010 11:24 am

Re: Recovering from a hack

Postby vrans99 » Fri Jul 07, 2017 4:19 pm

Thanks for the quick response.

"Note1: First you install the extension and after you point the original database"
I did it the other way around just to try the site and check what was missing page by page. Then I went to admin and installed just that extension. I know it is more tedious but I want to make sure I install only what I really need.
The site has been online for over five years and there were a lot of extensions that I didn't even remember. I thought it was a good time to clean that also.

"Note2: You forgot to post the FPA results here to someone see your host server if there is an issue in there and to not hacked again and the reason can be the server."
I didn't think about it. I was getting excited with the results.
I'll post it now.

Thanks

vrans99
Joomla! Apprentice
Posts: 23
Joined: Sun Aug 01, 2010 11:24 am

Re: Recovering from a hack

Postby vrans99 » Fri Jul 07, 2017 4:25 pm

Problem Description :: Forum Post Assistant (v1.3.1) : 6th July 2017 wrote:Trying to reinstall Joomla without losing the content
Forum Post Assistant (v1.3.1) : 6th July 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.6.2-Stable (Noether) 4-August-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.6
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 30 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: N/A | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-673.26.1.lve1.4.25.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes

PHP Configuration :: Version: 7.0.20 | PHP API: litespeed | Session Path Writable: No | Display Errors: 1 | Error Reporting: | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.54-38.7-log (Client:5.5.54-38.7) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 7.34 MiB | #of Tables:  126

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

ribo
Joomla! Virtuoso
Posts: 3080
Joined: Sun Jan 03, 2010 8:47 pm

Re: Recovering from a hack

Postby ribo » Fri Jul 07, 2017 4:47 pm

Session Path Writable: No . This must be Yes
Max. Upload Size: 2M | Max. POST Size: 8M . These values can be 30M for both (Max. Upload Size: 30M | Max. POST Size: 30M)
Please tell your host to fix all these and afterwards post the fpa results to confirm that they fixed them.
Generally your Joomla was hacked because your Joomla was out of date and maybe some extensions too. So in the future don't forget to update your Joomla, your extensions, your templates and your libraries in time.

vrans99
Joomla! Apprentice
Posts: 23
Joined: Sun Aug 01, 2010 11:24 am

Re: Recovering from a hack

Postby vrans99 » Fri Jul 07, 2017 4:54 pm

The site was hacked a couple of times before, but I never did such a clean install as this time, after I found these great instructions.
You suggested to "check inside to "yourprefix_assets" if there is something to delete". Do you mean that I will find all the folders or files list that were related to the extension that I want to clear from db?
Last edited by vrans99 on Fri Jul 07, 2017 5:30 pm, edited 1 time in total.

ribo
Joomla! Virtuoso
Posts: 3080
Joined: Sun Jan 03, 2010 8:47 pm

Re: Recovering from a hack

Postby ribo » Fri Jul 07, 2017 5:18 pm

vrans99 wrote:You suggested to "check inside to "yourprefix_assets" if there is something to delete". Do you mean that I will find all the folders or files list that were related to the extension that I want to clear from db?

Not the folders or the files, as these are not in the database but in your root folder. But every install creates many things in the database. So for example in "yourprefix_assets" there can be something from a component that you installed before and now don't want. If it is difficult for you, better not to do it, as a more experienced user in MySQL and databases can do this.

Webdongle
Joomla! Master
Posts: 33722
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Postby Webdongle » Fri Jul 07, 2017 6:02 pm

vrans99 wrote:Thank you so much.
This is a great piece of information.
I did follow the steps and I have now a virus-free and fresh installation of Joomla.
I am glad that it helped.

vrans99 wrote:...
But I have a question:After the fresh Joomla install and changed the settings to point to the original database, I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but they are not really installed....

Have asked the mods to edit
Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
to
Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel

In the meantime you could (after making a backup) reinstall the unwanted 3rd party extensions then uninstall them. Be aware that some 3rd party extensions do not uninstall completely so you would still need to make sure that they haven't left tables in the database.

totalhealth
Joomla! Fledgling
Posts: 1
Joined: Thu Oct 22, 2015 6:38 pm

Re: Recovering from a hack

Postby totalhealth » Sat Aug 19, 2017 1:21 am

Here's my 2 bits. I thought I had recovered from a hack. I was running third party malware detection scripts on my website on a regular basis and there were no alerts. I saw that gravity scan was finally available for Joomla sites so I ran that scan. I got a couple of warnings and a recommendation to install the plugin so they could do a deep scan. I did. Holy crap. Over 2,500 infected pages and scripts, and a bastard of a malware called SAPE. I went through each folder on the site that was pointed out by gravity scan and I manually edited/deleted scripts. It took hours. But that SAPE malware was seriously embedded. If I changed it in any way, renamed it, or deleted it the site would go down. It had hooks into the template and SH404SEF. It almost looked like it was part of the template from the start. So I recommend to all of you peeps: install the gravityscan plugin and do the deep scan of your site/database. I googled SAPE and I could not find any reference to it outside of a Russian hacking site so that must mean it still hasn't been discovered by people... besides me that is.

DavidBoggitt
Joomla! Guru
Posts: 762
Joined: Wed Jan 09, 2008 9:16 pm

Re: Recovering from a hack

Postby DavidBoggitt » Sat Aug 19, 2017 9:08 am

I just ran gravity scan on a website and it seems to find lots of "Potentially malicious file detected in your Joomla installation." which are apparently php files in my tmp folder.

However, ftp-ing into the site shows nothing in that folder apart from index.html
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.

mandville
Joomla! Master
Posts: 14349
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Recovering from a hack

Postby mandville » Sat Aug 19, 2017 10:09 am

I find the lauding of gravity as the only one to detect this hack as far-fetched, as Google testifies.
For a massive first post singing praises, it reads like spam,
especially when the only credentials of the team is word _fence

fcoulter
Joomla! Ace
Posts: 1372
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Recovering from a hack

Postby fcoulter » Sat Aug 19, 2017 10:27 am

I googled SAPE and I could not find any reference to it outside of a Russian hacking site so that must mean it still hasn't been discovered by people... besides me that is.

Funny, I Googled SAPE Malware and found lots of entries dating to 2015, it seems a lot of people have discovered it after all.

I agree with Mandville, this sounds like a spammy advert for this particular scanner.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

DavidBoggitt
Joomla! Guru
Posts: 762
Joined: Wed Jan 09, 2008 9:16 pm

Re: Recovering from a hack

Postby DavidBoggitt » Sat Aug 19, 2017 10:37 am

All these php files the scan has apparently found simply don't exist. I've ensured that SmartFTP is showing hidden files - these files just aren't there.

I also implicitly trust Phil Taylor's myJoomla far more, which has found nothing untoward with a scan..!

JAVesey
Joomla! Ace
Posts: 1416
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Recovering from a hack

Postby JAVesey » Sat Aug 19, 2017 10:48 am

DavidBoggitt wrote:I also implicitly trust Phil Taylor's myJoomla far more..
Absolutely right! Joomla-specific audits from a truly credible provider :)
John V
Cardiff, Wales, UK
Website: http://www.llanmon.org.uk (Joomla 3.8.3)

Webdongle
Joomla! Master

Re: Recovering from a hack

Postby Webdongle » Sat Aug 19, 2017 1:50 pm

totalhealth wrote:... But that SAPE malware was seriously embedded. If I changed it in any way, renamed it, or deleted it the site would go down. It had hooks into the template and SH404SEF. It almost looked like it was part of the template from the start. ....
That's why steps b & c are in the instructions ... to remove the malware and prevent it from spreading. Step #f rebuilds your site and the rest helps prevent your site from being hacked again.

@DavidBoggitt and @JAVesey
100% agree, Phil Taylor provides an excellent and trustworthy professional service. The summary in the OP is for those who cannot afford a professional service and wish to clean their site(s) themselves.

vincenzore1981
Joomla! Apprentice

Re: Recovering from a hack

Postby vincenzore1981 » Sun Nov 12, 2017 9:26 am

Hi everyone, this is my first post!

A few months ago I had to restore a client's site from a hack and followed this guide.

Webdongle wrote:Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.


But I think I have found an alternative for the future to be faster.

In practice, there is a service that monitors the website files for changes and warns you if any of the hosted files is modified.

This makes it easier to know which files are compromised, altered, etc.

By checking which files have been modified, just restore the compromised ones from a clean Joomla installation.
Knowing when they have been modified you can look in access_log at that time to understand what vulnerability was used. In this way you can remove the vulnerable extension or notify the vulnerability to the developer.

Did you use any of these services? What do you think?

Webdongle
Joomla! Master

Re: Recovering from a hack

Postby Webdongle » Sun Nov 12, 2017 10:28 am

vincenzore1981 wrote:...
But I think I have found an alternative for the future to be faster.

In practice, there is a service that monitors the website files for changes and warns you if any of the hosting files is being modified.

This makes it easier to know which files are compromised, altered, etc.
...
But it doesn't tell you what they added to the server.

vincenzore1981 wrote:...
By checking which files have been modified, just restore the compromised ones from a clean Joomla installation.
Knowing when they have been modified you can look in access_log at that time to understand what vulnerability was used. In this way you can remove the vulnerable extension or notify the vulnerability to the developer....
But the hack files are still on the server.

I will not tell you exactly how it is done, but it goes basically like this:
  • Hacker finds a weakness and uses it to upload files
  • The hacker uses those files to control your server and site
  • The hacker posts (on hack forums) the weakness and what files they have uploaded
If the monitoring system tells you of the newly created files then great. But whether chasing those files while other hackers are adding theirs, or chasing those files while the hackers use them to access other things on your server ... is quicker than deleting everything ... is moot. Yes, it is quicker to replace one file than to replace all the files, but deleting all the files is a faster way (for the average user) to prevent more permanent damage.

There are many tools and strategies available to experienced users but the OP was not aimed at those users. It is intended for the average user who does not have enough experience to use the alternative tools and strategies effectively.

So "Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files." is correct and accurate for the users it is intended for. Because the users that need to ask how to recover their site (or server) from a hack don't have the experience to use the other tools or strategies effectively. Therefore "there is no real alternative" for them.


vincenzore1981 wrote:Did you use any of these services? What do you think?
Do you have the experience (of server management, server security and hacking) to know how to use them effectively? Would you recommend them to users that aren't experienced enough to understand how many ways there are to hack and how the hacks actually work?

vincenzore1981
Joomla! Apprentice

Re: Recovering from a hack

Postby vincenzore1981 » Sun Nov 12, 2017 2:59 pm

Webdongle wrote:But it doesn't tell you what they added to the server.
...
If the monitoring system tells you of the newly created files then great.


Yes I get notified when someone uploads/deletes/modifies a file or folder on the website.
To be clearer, the service warns me of any modification (new, delete, edit) to the website filesystem.

So if a hacker uploads a shell or a backdoor I'll be alerted by email and I can delete the uploaded file and look at the access_log to see what happened.

Webdongle wrote:Yes it is quicker to replace one file than replace all the files but deleting all the files is a faster way (for the average user) to prevent more permanent damage.


You're right, but having to decide which picture files to keep and which files to delete is still a slow process. You cannot delete all the files in the "images" directory. Deciding which image could be a malicious file and which is not becomes a complicated and long process.

Webdongle wrote:Did you use any of these services? What do you think?


Yes I use one of them. But I think I can't share the link to respect the forum policy.

What I can say is that there are many tools like OSSEC intrusion detection system or Tripwire that do the same but require you to have root access to the server where your website is hosted.

Also for me these tools are too complicated to configure and install.

With the service I found, instead, you upload to your site a simple PHP agent that is periodically polled to obtain a snapshot of the files on your web space (file names, their size and last modified date). This data is then compared with the previous snapshot and you get notified when files are added, deleted or modified.

I prefer this type of service compared to OSSEC/Tripwire tools because it does not require any installation and also works on inexpensive hosting without SSH access and without cron jobs.

Webdongle wrote:Do you have the experience (of server management, server security and hacking) to know how to use them effectively? would you recommend them to users that aren't experienced enough to understand how many ways there to hack and how the hacks actually work?


I have chosen this service because I do not have a lot of experience in managing a server. So I think if it was useful to me it could be for other Joomla users as well.
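
The monitoring approach described in this post (periodic snapshot of file names, sizes and modification times, compared with the previous snapshot), as an added example in Python that is not the poster's service, not Joomla code and not from the original thread. It goes one step further than the post: it also hashes file contents, because an attacker who restores a file's size and timestamp would get past a size/mtime-only comparison, and it flags PHP files that appear under directories that should only hold data. The site tree, the function names and the simulated intrusion are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not the poster's service and not Joomla code: a minimal
# file-change monitor (snapshot, compare, report). The sample site tree,
# the simulated intrusion and the function names are assumptions.

CODE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
# Directories on a Joomla site that should hold data, never executable code.
DATA_DIRS = ("images/", "media/", "cache/", "tmp/", "logs/")


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents; size and mtime alone can be forged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> size, mtime and content hash for every file under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(p),
            }
    return snap


def diff_snapshots(old, new):
    """Compare two snapshots and classify what changed."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["sha256"] != new[p]["sha256"])
    # Same size and mtime but different content: the timestamp was put back
    # (touch -r style), which a size/mtime-only monitor would miss entirely.
    stealthy = [p for p in modified
                if old[p]["size"] == new[p]["size"]
                and old[p]["mtime"] == new[p]["mtime"]]
    # Executable code appearing under a data directory is the classic dropped shell.
    suspicious = [p for p in added
                  if p.startswith(DATA_DIRS)
                  and (Path(p).suffix.lower() in CODE_EXTENSIONS
                       or Path(p).name == ".htaccess")]
    return {"added": added, "deleted": deleted, "modified": modified,
            "stealthy": stealthy, "suspicious": suspicious}


def demo():
    """Constructed scenario: seed a fake site, snapshot it, simulate a hack, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php // clean index\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed sample\n")
        baseline = snapshot(root)

        # Simulated intrusion: drop a PHP file into images/, patch index.php to
        # the same byte length and put its mtime back, and remove robots.txt.
        (root / "images" / "cache.php").write_text(
            "<?php /* constructed marker, not a real payload */\n")
        index = root / "index.php"
        st = index.stat()
        index.write_text("<?php // clean inbox\n")  # same length, different content
        os.utime(index, (st.st_atime, st.st_mtime))
        (root / "robots.txt").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Against a real site the baseline snapshot has to be stored somewhere the attacker cannot reach (the polling host, not the web space, since anything on the web space can be edited along with the site), and each poll diffs the fresh snapshot against that stored copy.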

Webdongle
Joomla! Master

Re: Recovering from a hack

Postby Webdongle » Sun Nov 12, 2017 6:36 pm

vincenzore1981 wrote:Yes I get notified when someone uploads/deletes/modifies a file or folder on the website.
To be clearer, the service warns me of any modification (new, delete, edit) to the website filesystem.

So if a hacker uploads a shell or a backdoor I'll be alerted by email and I can delete the uploaded file and look at the access_log to see what happened.
but you don't (by your own admission) have the experience
vincenzore1981 wrote:I have chosen this service because I do not have a lot of experience in managing a server.


Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.

Analogy ... You get home to find a window broken open. While you fix it the burglar hides in the attic and then opens another window. You catch him, remove him and shut the window. While you shut the window ... another burglar (who got in through it) copies your keys and throws them out of the window to an accomplice. While you are getting rid of that burglar and shutting yet another window ... the accomplice unlocks the doors and changes the locks so they can be opened with other keys as well. While all that is happening ... the thieves now have access to your other houses (i.e. sites). So you now have the same problem multiplied by the number of houses you have access to.

An experienced server admin can deal with that, but an inexperienced user is likely not to be able to clean a site by cherry picking. If your monitoring service notifies you of a hack then you are best advised to delete all your files or get an expert to clean it. If you don't, then ignoring your lack of "experience in managing a server" (by insisting your method will fix things) is irresponsible.

vincenzore1981
Joomla! Apprentice

Re: Recovering from a hack

Postby vincenzore1981 » Mon Nov 13, 2017 3:56 pm

Webdongle wrote:Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.


Yes, but anyway I would be warned of each of them. So all of your elucubrations lose their meaning.

Also since I am notified immediately when the site is compromised, I can see what the latest GET and POST requests were (from access_log), and then find what vulnerability was exploited.

With your method, instead, you will see that it has been violated only after days (maybe after Google has already labeled your site as malicious), you would erase everything and reinstall without correcting the vulnerability. So you cared for the symptom without treating the cause.

[ redacted ]
Last edited by toivo on Tue Nov 14, 2017 6:55 am, edited 1 time in total.
Reason: mod note: self promotion redacted
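
Correlating the monitor's alert with access_log, as this post and the earlier ones in the thread describe (find the latest GET/POST requests around the time the file appeared, then work out which request created it), as an added example in Python that is not from the original thread. The log lines are constructed in Apache combined format; the client addresses, the file path and the component name com_hypothetical are assumptions for the illustration, not a real Joomla extension or a known vulnerability.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the original thread: tie a "new file appeared"
# alert back to the request that created it. The log text, addresses and
# the com_hypothetical component are constructed for this illustration.

# Apache/nginx "combined" format up to the response size; the referer and
# user-agent that follow are ignored by the anchored prefix match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2017:09:14:02 +0000] "GET /index.php/contact HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2017:09:14:05 +0000] "POST /index.php?option=com_hypothetical&task=upload HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2017:09:14:09 +0000] "POST /images/cache.php HTTP/1.1" 200 511 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2017:09:15:40 +0000] "GET /images/logo.png HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2017:09:16:01 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""


def parse_ts(text):
    """Parse the bracketed Apache timestamp, e.g. 12/Nov/2017:09:14:02 +0000."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": parse_ts(m.group("ts")),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def correlate(log_text, new_file, detected_at, window=timedelta(minutes=10)):
    """Find the first request to new_file before the alert, and the POSTs the
    same client sent shortly before it (candidates for the vector used)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    # The monitor only says "this file appeared"; the request that wrote it
    # precedes the first request that *uses* it, usually from the same client.
    hits = [e for e in entries
            if e["path"].split("?")[0] == new_file and e["ts"] <= detected_at]
    if not hits:
        return {"first_hit": None, "candidate_vectors": []}
    first = hits[0]
    vectors = [(e["method"], e["path"]) for e in entries
               if e["ip"] == first["ip"] and e["method"] == "POST"
               and first["ts"] - window <= e["ts"] < first["ts"]]
    return {"first_hit": first, "candidate_vectors": vectors}


if __name__ == "__main__":
    alert_time = parse_ts("12/Nov/2017:09:20:00 +0000")
    result = correlate(SAMPLE_LOG, "/images/cache.php", alert_time)
    print("first request to the new file:", result["first_hit"])
    print("POSTs from that client just before it:", result["candidate_vectors"])
```

The output names the client that first called the dropped file and the upload-style POST it sent four seconds earlier, which is the request to inspect for the vulnerable extension. The window and same-client filter are heuristics: an attacker can stage the upload from one address and use the shell from another, and a hosting account without log access cannot do this at all, which is one reason the thread's default advice remains to replace every file.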

Webdongle
Joomla! Master

Re: Recovering from a hack

Postby Webdongle » Mon Nov 13, 2017 5:25 pm

vincenzore1981 wrote:...
Yes, but anyway I would be warned of each of them. So all of your elucubrations lose their meaning.....
Not true, because you don't understand enough to act effectively on the notifications. Even if you did, the users that this thread is designed for wouldn't. So because of (your well intentioned but misinformed) posts ... it becomes necessary to elaborate on why you are wrong in your assumptions. There is a huge difference between monitoring a site and eradicating a hack that you've been notified about.

vincenzore1981 wrote:...
Also since I am notified immediately when the site is compromised, I can see what the latest GET and POST requests were (from access_log), and then find what vulnerability was exploited....
It's not as simple or as easy as you try to make it sound. Understanding the system logs takes more skill than many users have.

vincenzore1981 wrote:...
With your method, instead, you will see that it has been violated only after days (maybe after Google has already labeled your site as malicious),...
It is not my method, it is a summary of the official method.
It is not suggested as a monitoring service, it is a method to eradicate a hack.

vincenzore1981 wrote:... you would erase everything and reinstall without correcting the vulnerability. So you cared for the symptom without treating the cause.....
Another inaccurate statement by you. What you are doing is lumping monitoring a server together with fixing and cleaning it. You appear to be under the impression that being notified of a hack makes it easier to eradicate it. But you then recommend cherry picking the hack files.

