Recovering from a hack Topic is solved

[KianWilliam]

Suppose a site is hacked,
Akeeba back up e.g a .jpa file with kickstart.php file could return it back to its original state before being hacked,
after that just change of passwords, is this right or wrong?
Kian William

[toivo]

Wrong. Please read the first post in this thread and also study the sticky posts in the beginning of this forum, Security in Joomla! 3.x.

[Webdongle]

@KianWilliam
Hacks are on the server a long time before they get noticed. So when you restore a backup (of a hacked server) you are restoring a hack.

[KianWilliam]

I understand, but suppose you have a backup before being hacked, does akeeba backup work?
most of these hack stuff are scripts injected into site's code, e.g injections via forms which runs unauthorized scripts in your site, now if we have a .jpa file before this event, why restoring to the point before being hacked can not resolve the situation?
Kian William

[sozzled]

Suppose you have a backup before being hacked, does akeeba backup work?

It's hypothetical. Suppose you don't know when the website was hacked? Suppose the hacking occurred gradually over time? Suppose the hacking was insidious/sneaky until, one day, *pow-whack-bam-zap*, your website goes off the reservation?

But, hypothetically-speaking, yeah ... it should work; it might work and, then again, it might not cure the problem and then you have to go back and re-do everything with an earlier backup (and then, perhaps, repeat the process with an even earlier backup) until you might just as well say "I should start all over again (just like everyone else was recommending that I do)." I don't know the answer in each case. I tend to go along with what experienced members of the community recommend. It's your choice: it's your website (and, thank goodness, it's not mine).

[KianWilliam]

Thank you, this is all I wanted to know, now another thing stepped in my mind,
hacking makes a file being modified, in a server we can track last modified time of a file by its creator or others who are allowed, is it possible to reflect the time of file modification no matter who did it, because if that is possible, then that date or time could be used as a base to select the proper back up or .jpa file .Suppose I am the only user or admin of my files and I know the last modified time, while checking my files, I observe sth odd , an unexpected modified time and I check the file.
Files of a site are too many, but when a hacker uses a form to inject their script, there are few files to be checked from time to time, what is your idea?
Kian William

[Webdongle]

...
hacking makes a file being modified, ...
but when a hacker uses a form to inject their script, there are few files to be checked from time to time, ..

Yes and but no because a file (or files) are also added anywhere on the server ... then the hacker has control of your server and the 'keys'. You can trace where the file(s) enter but while you check for those others are being placed back on.

Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.

Analogy ... You get home to find a window broken open. While you fix it he burglar hides in the attic and then opens another window. You catch him, remove him and shut the window. While you shut the window ... another burglar (who got in through it) copies your keys and throws them out of the window to an accomplice. While you are getting rid of that burglar and shutting yet another window ... the accomplice unlocks the doors and changes the locks so they can be opened with other keys as well. While all that is happening ... the thieves now have access to your other houses (i.e. sites). So you now have the same problem multiplied by the number of houses you have access to.

An experienced server admin can deal with that but an inexperienced user is likely not to be able to clean a site by cherry picking. If your monitoring service notifies you of a hack then you are best advised to delete all your files or get an expert to clean it. If you don't then you ignoring your lack of "experience in managing a server" (by insisting your method will fix things) is irresponsible

[KianWilliam]

Up until now, have we developed an extension in Joomla to do all these things in a hacked site just by uploading and running it in front and backend files? an extension to remove unwanted scripts and after that gives the option to user to change keys so that the hacker could not use it again? because I believe those scripts have some sort of flags that proves its types to be different from our regular coding.
Kian William

[fcoulter]

No, and I don't believe that such a thing is possible.

Code: Select all

because I believe those scripts have some sort of flags that proves its types to be different from our regular coding.

No there is nothing that automatically distinguishes malicious code from normal code. In the past it would sometimes be obfuscated using things like base64 encoding, but I think that the creators of malware have realised that this makes it more obvious, because it can be scanned for.

But I have seen examples recently where malicious code looks very much like normal code, there would be nothing that automatically tells you it is malicious.

[KianWilliam]

Alright,
Kian William

[fcoulter]

There are some projects that attempt to do this sort of thing:-

https://github.com/rastating/joomlavs

and

https://github.com/btoplak/Joomla-Anti- ... pt--JAMSS-

They are both very good projects, but I think that they are not a complete solution. The thing is that they can only scan for known malware patterns. But some malware authors are clever people, and if they know what sort of coding patterns are being scanned for they can change the patterns.

The only way to know for sure whether a piece of code is malware is to analyze what it actually does, which a simple scanner is never going to be able to do for you. Considering that a typical site is probably going to contain thousands of files that is not very practical.

This is why I think that they only sure way to recover from a hack is to follow Webdongle's original instructions.

[brian]

The second one of those might have been good when it was written but as it hasnt been touched for 4 years I certainly wouldnt waste any time using it

[Webdongle]

Deleting all the folders/files is the only feasible option unless the site admin is experienced. Rebuilding the site (once the security issues have been addressed) is done in 2 easy steps.
1. Use a new Joomla install to create fresh up to date Joomla and 3rd party files.
2. Upload images, Template overrides etc.

Method
1. Install the latest Joomla to a new database. Install your 3rd party extensions. Edit the configuration.php to connect to the original database.
2. Upload images, Template overrides etc.

The new database is now redundant and can be deleted,