Recovering from a hack Topic is solved

Discussion regarding Joomla! 3.x security issues.

KianWilliam
Joomla! Guru
Posts: 504
Joined: Thu Jan 12, 2017 10:13 am

Re: Recovering from a hack

Post by KianWilliam » Sat May 19, 2018 11:38 am

Suppose a site is hacked.
An Akeeba backup, e.g. a .jpa file with the kickstart.php file, could return it to its original state before being hacked;
after that, just a change of passwords. Is this right or wrong?
Kian William

toivo
Joomla! Master
Posts: 11242
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: Recovering from a hack

Post by toivo » Sat May 19, 2018 11:58 am

Wrong. Please read the first post in this thread and also study the sticky posts in the beginning of this forum, Security in Joomla! 3.x.
Toivo Talikka, Global Moderator

Webdongle
Joomla! Master
Posts: 37287
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Post by Webdongle » Sat May 19, 2018 4:28 pm

@KianWilliam
Hacks are on the server a long time before they get noticed. So when you restore a backup (of a hacked server) you are restoring a hack.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

KianWilliam
Joomla! Guru
Posts: 504
Joined: Thu Jan 12, 2017 10:13 am

Re: Recovering from a hack

Post by KianWilliam » Sun May 20, 2018 5:49 am

I understand, but suppose you have a backup from before being hacked, does Akeeba backup work?
Most of this hack stuff is scripts injected into the site's code, e.g. injections via forms which run unauthorized scripts in your site. Now, if we have a .jpa file from before this event, why can restoring to the point before being hacked not resolve the situation?
Kian William

sozzled
Joomla! Exemplar
Posts: 7754
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Recovering from a hack

Post by sozzled » Sun May 20, 2018 5:56 am

KianWilliam wrote:Suppose you have a backup before being hacked, does akeeba backup work?
It's hypothetical. Suppose you don't know when the website was hacked? Suppose the hacking occurred gradually over time? Suppose the hacking was insidious/sneaky until, one day, *pow-whack-bam-zap*, your website goes off the reservation?

But, hypothetically-speaking, yeah ... it should work; it might work and, then again, it might not cure the problem and then you have to go back and re-do everything with an earlier backup (and then, perhaps, repeat the process with an even earlier backup) until you might just as well say "I should start all over again (just like everyone else was recommending that I do)." I don't know the answer in each case. I tend to go along with what experienced members of the community recommend. It's your choice: it's your website (and, thank goodness, it's not mine).
https://www.kuneze.com/blog
I need your help to help reduce spam at the Joomla forum. You can help with your ideas, questions and opinions at viewtopic.php?f=7&t=974006. Together we can make a difference :)

KianWilliam
Joomla! Guru
Posts: 504
Joined: Thu Jan 12, 2017 10:13 am

Re: Recovering from a hack

Post by KianWilliam » Sun May 20, 2018 8:26 am

Thank you, this is all I wanted to know. Now another thing came to my mind:
hacking causes a file to be modified. On a server we can track the last modified time of a file by its creator or others who are allowed. Is it possible to reflect the time of file modification no matter who did it? Because if that is possible, then that date or time could be used as a base to select the proper backup or .jpa file. Suppose I am the only user or admin of my files and I know the last modified time; while checking my files, I observe something odd, an unexpected modified time, and I check the file.
The files of a site are too many, but when a hacker uses a form to inject their script, there are few files to be checked from time to time. What is your idea?
Kian William

Webdongle
Joomla! Master
Posts: 37287
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Post by Webdongle » Sun May 20, 2018 9:18 am

KianWilliam wrote:...
hacking makes a file being modified, ...
but when a hacker uses a form to inject their script, there are few files to be checked from time to time, ..
Yes and but no because a file (or files) are also added anywhere on the server ... then the hacker has control of your server and the 'keys'. You can trace where the file(s) enter but while you check for those others are being placed back on.
Webdongle wrote:Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.

Analogy ... You get home to find a window broken open. While you fix it the burglar hides in the attic and then opens another window. You catch him, remove him and shut the window. While you shut the window ... another burglar (who got in through it) copies your keys and throws them out of the window to an accomplice. While you are getting rid of that burglar and shutting yet another window ... the accomplice unlocks the doors and changes the locks so they can be opened with other keys as well. While all that is happening ... the thieves now have access to your other houses (i.e. sites). So you now have the same problem multiplied by the number of houses you have access to.

An experienced server admin can deal with that, but an inexperienced user is likely not to be able to clean a site by cherry picking. If your monitoring service notifies you of a hack then you are best advised to delete all your files or get an expert to clean it. If you don't, then you ignoring your lack of "experience in managing a server" (by insisting your method will fix things) is irresponsible.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

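Added example, not part of any post in this thread: the exchange above turns on whether last-modified times can identify tampered files. This sketch compares a live tree against a freshly installed reference copy by content hash, which reports both changed and added files even when their timestamps look old; the function names and the two sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each relative file path under root to the SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(clean_root, live_root):
    """Return (modified, added, missing) paths of the live tree vs. the clean one."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    return modified, sorted(live.keys() - clean.keys()), sorted(clean.keys() - live.keys())

def recently_modified(root, since):
    """The mtime idea from the thread: files whose mtime is newer than `since`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) > since:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def write(path, body, mtime):
    with open(path, "wb") as fh:
        fh.write(body)
    os.utime(path, (mtime, mtime))  # any process that can write a file can set its mtime

def demo():
    """Constructed sample: a clean tree and a live copy with one change and one addition."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    installed = 1_500_000_000  # constructed "install time", epoch seconds
    for root in (clean, live):
        os.makedirs(os.path.join(root, "images"))
        write(os.path.join(root, "index.php"), b"<?php // core file\n", installed)
        write(os.path.join(root, "images", "logo.txt"), b"logo\n", installed)
    # Simulated tampering in the live tree, with timestamps set back to install time.
    write(os.path.join(live, "index.php"), b"<?php // core file, altered\n", installed)
    write(os.path.join(live, "images", "extra.php"), b"<?php // not in clean tree\n", installed)
    return recently_modified(live, installed), compare(clean, live)

if __name__ == "__main__":
    print(demo())
```

A hash comparison only says which files differ from the reference; uploaded content such as images and template overrides has no reference copy and still has to be reviewed by hand.
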
KianWilliam
Joomla! Guru
Posts: 504
Joined: Thu Jan 12, 2017 10:13 am

Re: Recovering from a hack

Post by KianWilliam » Sun May 20, 2018 11:34 am

Up until now, have we developed an extension in Joomla to do all these things in a hacked site just by uploading and running it on front-end and back-end files? An extension to remove unwanted scripts and after that give the user the option to change keys so that the hacker could not use them again? Because I believe those scripts have some sort of flags that prove their types to be different from our regular coding.
Kian William

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Recovering from a hack

Post by fcoulter » Sun May 20, 2018 11:44 am

No, and I don't believe that such a thing is possible.

because I believe those scripts have some sort of flags that proves its types to be different from our regular coding.
No there is nothing that automatically distinguishes malicious code from normal code. In the past it would sometimes be obfuscated using things like base64 encoding, but I think that the creators of malware have realised that this makes it more obvious, because it can be scanned for.

But I have seen examples recently where malicious code looks very much like normal code, there would be nothing that automatically tells you it is malicious.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

KianWilliam
Joomla! Guru
Posts: 504
Joined: Thu Jan 12, 2017 10:13 am

Re: Recovering from a hack

Post by KianWilliam » Sun May 20, 2018 3:10 pm

Alright,
Kian William

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Recovering from a hack

Post by fcoulter » Sun May 20, 2018 6:24 pm

There are some projects that attempt to do this sort of thing:-

https://github.com/rastating/joomlavs

and

https://github.com/btoplak/Joomla-Anti- ... pt--JAMSS-

They are both very good projects, but I think that they are not a complete solution. The thing is that they can only scan for known malware patterns. But some malware authors are clever people, and if they know what sort of coding patterns are being scanned for they can change the patterns.

The only way to know for sure whether a piece of code is malware is to analyze what it actually does, which a simple scanner is never going to be able to do for you. Considering that a typical site is probably going to contain thousands of files that is not very practical.

This is why I think that the only sure way to recover from a hack is to follow Webdongle's original instructions.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

brian
Joomla! Master
Posts: 11760
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Recovering from a hack

Post by brian » Tue Sep 25, 2018 5:11 pm

The second one of those might have been good when it was written, but as it hasn't been touched for 4 years I certainly wouldn't waste any time using it.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Webdongle
Joomla! Master
Posts: 37287
Joined: Sat Apr 05, 2008 9:58 pm

Re: Recovering from a hack

Post by Webdongle » Tue Sep 25, 2018 5:34 pm

Deleting all the folders/files is the only feasible option unless the site admin is experienced. Rebuilding the site (once the security issues have been addressed) is done in 2 easy steps.
1. Use a new Joomla install to create fresh up to date Joomla and 3rd party files.
2. Upload images, Template overrides etc.

Method
1. Install the latest Joomla to a new database. Install your 3rd party extensions. Edit the configuration.php to connect to the original database.
2. Upload images, Template overrides etc.

The new database is now redundant and can be deleted.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein
