Recovering from a hack Topic is solved
Moderators: mandville, General Support Moderators
Forum rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Guru
- Posts: 561
- Joined: Thu Jan 12, 2017 10:13 am
Re: Recovering from a hack
Suppose a site is hacked,
Akeeba backup, e.g. a .jpa file with kickstart.php file, could return it back to its original state before being hacked,
after that just a change of passwords, is this right or wrong?
Kian William
- toivo
- Joomla! Master
- Posts: 17431
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Recovering from a hack
Wrong. Please read the first post in this thread and also study the sticky posts in the beginning of this forum, Security in Joomla! 3.x.
Toivo Talikka, Global Moderator
- Webdongle
- Joomla! Master
- Posts: 44083
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Recovering from a hack
@KianWilliam
Hacks are on the server a long time before they get noticed. So when you restore a backup (of a hacked server) you are restoring a hack.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Guru
- Posts: 561
- Joined: Thu Jan 12, 2017 10:13 am
Re: Recovering from a hack
I understand, but suppose you have a backup before being hacked, does Akeeba backup work?
Most of these hacks are scripts injected into the site's code, e.g. injections via forms which run unauthorized scripts in your site. Now if we have a .jpa file from before this event, why can restoring to the point before being hacked not resolve the situation?
Kian William
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Recovering from a hack
KianWilliam wrote: Suppose you have a backup before being hacked, does akeeba backup work?
It's hypothetical. Suppose you don't know when the website was hacked? Suppose the hacking occurred gradually over time? Suppose the hacking was insidious/sneaky until, one day, *pow-whack-bam-zap*, your website goes off the reservation?
But, hypothetically-speaking, yeah ... it should work; it might work and, then again, it might not cure the problem and then you have to go back and re-do everything with an earlier backup (and then, perhaps, repeat the process with an even earlier backup) until you might just as well say "I should start all over again (just like everyone else was recommending that I do)." I don't know the answer in each case. I tend to go along with what experienced members of the community recommend. It's your choice: it's your website (and, thank goodness, it's not mine).
-
- Joomla! Guru
- Posts: 561
- Joined: Thu Jan 12, 2017 10:13 am
Re: Recovering from a hack
Thank you, this is all I wanted to know, now another thing stepped in my mind,
Hacking makes a file being modified. On a server we can track the last modified time of a file by its creator or others who are allowed; is it possible to reflect the time of file modification no matter who did it? Because if that is possible, then that date or time could be used as a base to select the proper backup or .jpa file. Suppose I am the only user or admin of my files and I know the last modified time; while checking my files, I observe something odd, an unexpected modified time, and I check the file.
Files of a site are too many, but when a hacker uses a form to inject their script, there are few files to be checked from time to time, what is your idea?
Kian William
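An added example, not part of the thread: instead of watching the modification times of a few files, a SHA-256 manifest taken while the site is known to be clean can be compared with the current tree, which reports changed files no matter who changed them and also files that were added or removed. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

def build_manifest(root):
    """Map every file under root (relative path) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return the paths added, modified and removed relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def write(root, rel, text):
    """Helper for the constructed sample tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample: a baseline, then one edit, one new file, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php echo 'home';\n")
        write(root, "templates/site/index.php", "<?php echo 'template';\n")
        write(root, "htaccess.txt", "# constructed sample\n")
        # The JSON round trip stands in for keeping the baseline off the server
        baseline = json.loads(json.dumps(build_manifest(root)))
        write(root, "templates/site/index.php", "<?php echo 'edited';\n")
        write(root, "images/extra.php", "<?php // not in the baseline\n")
        os.remove(os.path.join(root, "htaccess.txt"))
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```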
- Webdongle
- Joomla! Master
- Posts: 44083
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Recovering from a hack
KianWilliam wrote: ...
hacking makes a file being modified, ...
but when a hacker uses a form to inject their script, there are few files to be checked from time to time, ..
Yes and but no because a file (or files) are also added anywhere on the server ... then the hacker has control of your server and the 'keys'. You can trace where the file(s) enter but while you check for those others are being placed back on.
Webdongle wrote: Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.
Analogy ... You get home to find a window broken open. While you fix it the burglar hides in the attic and then opens another window. You catch him, remove him and shut the window. While you shut the window ... another burglar (who got in through it) copies your keys and throws them out of the window to an accomplice. While you are getting rid of that burglar and shutting yet another window ... the accomplice unlocks the doors and changes the locks so they can be opened with other keys as well. While all that is happening ... the thieves now have access to your other houses (i.e. sites). So you now have the same problem multiplied by the number of houses you have access to.
An experienced server admin can deal with that but an inexperienced user is likely not to be able to clean a site by cherry picking. If your monitoring service notifies you of a hack then you are best advised to delete all your files or get an expert to clean it. If you don't then you ignoring your lack of "experience in managing a server" (by insisting your method will fix things) is irresponsible.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Guru
- Posts: 561
- Joined: Thu Jan 12, 2017 10:13 am
Re: Recovering from a hack
Up until now, have we developed an extension in Joomla to do all these things in a hacked site just by uploading and running it in front and backend files? An extension to remove unwanted scripts and after that gives the option to the user to change keys so that the hacker could not use it again? Because I believe those scripts have some sort of flags that proves its types to be different from our regular coding.
Kian William
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Recovering from a hack
No, and I don't believe that such a thing is possible.
"because I believe those scripts have some sort of flags that proves its types to be different from our regular coding."
No there is nothing that automatically distinguishes malicious code from normal code. In the past it would sometimes be obfuscated using things like base64 encoding, but I think that the creators of malware have realised that this makes it more obvious, because it can be scanned for.
But I have seen examples recently where malicious code looks very much like normal code, there would be nothing that automatically tells you it is malicious.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Guru
- Posts: 561
- Joined: Thu Jan 12, 2017 10:13 am
Re: Recovering from a hack
Alright,
Kian William
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Recovering from a hack
There are some projects that attempt to do this sort of thing:-
https://github.com/rastating/joomlavs
and
https://github.com/btoplak/Joomla-Anti- ... pt--JAMSS-
They are both very good projects, but I think that they are not a complete solution. The thing is that they can only scan for known malware patterns. But some malware authors are clever people, and if they know what sort of coding patterns are being scanned for they can change the patterns.
The only way to know for sure whether a piece of code is malware is to analyze what it actually does, which a simple scanner is never going to be able to do for you. Considering that a typical site is probably going to contain thousands of files that is not very practical.
This is why I think that the only sure way to recover from a hack is to follow Webdongle's original instructions.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Recovering from a hack
The second one of those might have been good when it was written but as it hasn't been touched for 4 years I certainly wouldn't waste any time using it.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- Webdongle
- Joomla! Master
- Posts: 44083
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Recovering from a hack
Deleting all the folders/files is the only feasible option unless the site admin is experienced. Rebuilding the site (once the security issues have been addressed) is done in 2 easy steps.
1. Use a new Joomla install to create fresh up to date Joomla and 3rd party files.
2. Upload images, Template overrides etc.
Method
1. Install the latest Joomla to a new database. Install your 3rd party extensions. Edit the configuration.php to connect to the original database.
2. Upload images, Template overrides etc.
The new database is now redundant and can be deleted.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
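An added example, not part of the thread or of Joomla: a check to run before step 2 of the method above, assuming the images are copied from the old site's images folder and that only PNG, JPEG and GIF files belong there. It holds back any file that is not one of those types, whose content does not start with the format's signature, or that contains a PHP open tag; the function names and sample files are constructed.

```python
import os
import tempfile

# Assumption: only these image types belong in the folder being re-uploaded
MAGIC = {".png": [b"\x89PNG\r\n\x1a\n"], ".jpg": [b"\xff\xd8\xff"],
         ".jpeg": [b"\xff\xd8\xff"], ".gif": [b"GIF87a", b"GIF89a"]}

def check_file(path):
    """Return the reason a file should be held back for review, or None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "not an allowed image type"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(tuple(MAGIC[ext])):
        return "content does not match extension"
    if b"<?php" in data.lower():
        return "contains a PHP open tag"
    return None

def review_folder(root):
    """Walk root and map each held-back file (relative path) to its reason."""
    held = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = check_file(full)
            if reason:
                held[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return held

def demo():
    """Constructed sample folder standing in for the old site's images directory."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    samples = {
        "logo.png": png,
        "headers/photo.jpg": jpg,
        "headers/banner.gif": b"plain text, not a GIF",
        "headers/pic.jpg": jpg + b"<?php /* constructed */ ?>",
        "thumbs/index.php": b"<?php // constructed\n",
        ".htaccess": b"# constructed\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return review_folder(root)
```

Files that pass are only those matching the allow-list; template overrides are PHP by nature and still need to be read by hand.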