Recovering from a hack Topic is solved

[Webdongle]

Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to a empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do

1. Run the fpa and post the results in this forum
2. Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel
3. Delete all the files on the server
4. Scan your computer and all computers that have server or Joomla admin access
5. Change Passwords
6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645

[itoctopus]

@Webdongle - thank you for this guide - but there are several problems with it (and it is not the official guide as stated by you on other answers on this forum):

- It doesn't take into consideration the images folder and the media folder. These folders may contain malicious PHP files that may be copied back and that may not be caught by a PC scan.
- Some websites have custom extensions that need a lot of work to re-install on the target website. Additionally, these custom extensions may contain some malicious files.
- It assumes that the user has all of the installed extensions as packages.
- It doesn't take into consideration that the hack might be outside the public_html directory (this is especially the case on shared hosts).
- It doesn't take into consideration that the hack might be caused by a cron job (which is the hardest hack to find).
- It doesn't take into consideration the .htaccess file - which is typically copied as is from the infected website to the clean website and hacks there are typically not caught by any scanner.
- It is not as easy as it seems - in fact - large websites must avoid implementing this method. Making this method look as a very straightforward is misleading and may cause a lot of frustration for website owners/administrators.
- It doesn't take into consideration the future of the website - applying the above without further protection will probably get the website hacked the next day.

@Webdongle - your guide above is incomplete and not as easy as you make it look like - the most complete one is the official one by @mandville - which you should link to instead of linking to this.

Note to moderators: Please take note that the above guide is being promoted as the official guide - the problem is that it is missing many points from @mandville's official guide. No need, in my opinion, to have this incomplete guide (this can cause confusion especially among mainstream Joomla users) - I suggest that it gets deleted.

[Webdongle]

It is not delete everything and start over because it retains the database. One of the easiest ways to deploy a hack file to the server is to upload a compromised image file. If you do not have the originals of all the images on your site then you need to question the validity of the images on the site and their origin.

As for the accusation that is not my method ... I never claimed it is my method and it clearly states it is a summary. It also has a link to the full official details.

The 'catch 22' is that many of the users who get hacked are to lazy to keep their software up to date. As a result those users look for a 'quick fix' and fail to clean the site properly. You only need to look at the threads in this forum to see how many users come up with excuses to avoid cleaning their site completely.

Ideally the site owner would hire a professional to monitor the security of the site. However, many users don't have the budget to do so ... therefore they need to do it themselves. The summary is intended helps those users understand the Full details and not intended as a replacement. A certain modicum of common sense is expected for the user to click the link to the "Full details".

@itoctopus
Your attack fails to take into account that:
If someone reading the summary fails to click the link to the "Full details" (and thus misses to see the answers to the objections that you have raised) then their ability to use any method is questionable.

[ribo]

As i see @Webdongle is not cancel the post of @mandville . At the end writes

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645

. Many users when they see these posts is that they don t understand how easy it is and they believe that they must create the joomla from the begin, like they did before. @Webdongle in this post point this

Your database is your site ... first and foremost make a backup of your database.

and this

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

that they must delete all the files to not have hack files inside for sure and that with the original database he can recover his site. About images and media folder it s very easy for everyone to find any hacked files as he can compare these folders with the original folders and they have in most, images inside.
About a hacked extension we all understand that if it is vulnerable and not updating we must not use it. The same is and for custom extensions

[Realistix]

In all honesty, the absolute best way to recover from a hack is to use myjoomla.com

Do it yourself for next to nothing, the tool is so easy to use or pay the guy to do it who will usually do it within a day. I have been using this service for almost a year now to maintain and unhack joomla websites and it is second to none.

P.S. I'm no affiliated or linked with the company whatsoever - just a raving fan who understands the value of what it offers.

[Webdongle]

There are many good professional services but not all Joomla users have professional sites or can afford those services. Also many Joomla users use shared Hosting and are limited to what is allowed to be done on or to the server. The aim of this thread is to provide a summary of http://forum.joomla.org/viewtopic.php?f=714&t=757645 for the Joomla users who (for whatever reason) are unable to use professional services.

[mandville]

Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to a empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do

1. Run the fpa and post the results in this forum
2. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
3. Delete all the files on the server
4. Scan your computer and all computers that have server or Joomla admin access
5. Change Passwords
6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645

[vrans99]

Thank you so much.
This is a great piece of information.
I did follow the steps and I have now a virus-free and fresh installation of Joomla.
Some steps are not clear if they have to be performed on cPanel or inside Joomla settings, but the results looks fine.
But I have a question:After the fresh Joomla install and changed the settings to point to the original database, I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but they are not really installed.
How can I clean the db of those extensions that are not really installed? What is the safest and easiest way to do so?
Also, I found an issue trying to install PhocaMaps (it gives me an error), then I tried to "uninstall it" (because of the reference of been already installed) and I couldn't uninstall it either (or take it off the database).
Please, need your help.

[ribo]

I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but they are not really installed.
How can I clean the db of those extensions that are not really installed?

If some extensions you don t need to install them and you want to clear your database from them you can get in your database and delete for example, if an extension have tables you will delete them, also you will find the extension to delete it inside to "yourprefix_extensions" and also check inside to "yourprefix_assets" if there is something to delete. Always back up before you will change something.
Note1: First you install the extension and after you point the original database

Note2: You forgot to post the FPA results in this post viewtopic.php?f=714&t=952441 to someone see your host server if there is an issue in there and to not hacked again and the reason can be the server.

[vrans99]

Thanks for the quick response.

"Note1: First you install the extension and after you point the original database"
I did it the other way around just to try the site and check what was missing page by page. Then went to admin and install just that extension. I know it is more tedious but I want to make sure I install only what I really need.
The site has been online for over five years and it was a lot of extensions that I didn't even remember. I thought was a good time to clean that also.

"Note2: You forgot to post the FPA results here to someone see your host server if there is an issue in there and to not hacked again and the reason can be the server."
I didn't think about it. I was getting excited with the results.
I'll post it now.

Thanks

[vrans99]

Trying to reinstall Joomla without losing the content

Joomla! Instance :: Joomla! 3.6.2-Stable (Noether) 4-August-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.6
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 30 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: N/A | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-673.26.1.lve1.4.25.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes

PHP Configuration :: Version: 7.0.20 | PHP API: litespeed | Session Path Writable: No | Display Errors: 1 | Error Reporting: | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.54-38.7-log (Client:5.5.54-38.7) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 7.34 MiB | #of Tables:  126

PHP Extensions :: Core (7.0.20) | date (7.0.20) | libxml (7.0.20) | openssl (7.0.20) | pcre (7.0.20) | sqlite3 (0.7-dev) | zlib (7.0.20) | bz2 (7.0.20) | calendar (7.0.20) | ctype (7.0.20) | curl (7.0.20) | hash (1.0) | filter (7.0.20) | ftp (7.0.20) | gettext (7.0.20) | gmp (7.0.20) | SPL (7.0.20) | iconv (7.0.20) | pcntl (7.0.20) | readline (7.0.20) | Reflection (7.0.20) | session (7.0.20) | standard (7.0.20) | shmop (7.0.20) | SimpleXML (7.0.20) | mbstring (7.0.20) | tokenizer (7.0.20) | xml (7.0.20) | litespeed () | bcmath (7.0.20) | dom (20031129) | gd (7.0.20) | json (1.4.0) | propro (2.0.1) | raphf (2.0.0) | http (3.0.1) | imagick (3.4.3RC4) | imap (7.0.20) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | mcrypt (7.0.20) | mysqli (7.0.20) | PDO (7.0.20) | pdo_mysql (7.0.20) | pdo_sqlite (7.0.20) | Phar (2.0.2) | posix (7.0.20) | soap (7.0.20) | sockets (7.0.20) | wddx (7.0.20) | xmlreader (7.0.20) | xmlrpc (7.0.20) | xmlwriter (7.0.20) | xsl (7.0.20) | zip (1.13.5) | ionCube Loader () | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Database statistics :: Uptime: 1015081 | Threads: 12 | Questions: 681531844 | Slow queries: 2163 | Opens: 6479651 | Flush tables: 1 | Open tables: 16384 | Queries per second avg: 671.406 |

Components :: SITE :: WF_POPUPS_WINDOW_TITLE (2.5.31) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.31) 1 | K2 Links for JCE Link (2.2) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.5.31) 1 | WF_LINK_SEARCH_TITLE (2.5.31) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.5.31) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.31) 1 | WF_AGGREGATOR_VINE_TITLE (2.5.31) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.5.31) 1 | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.31) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.5.31) 1 | WF_HR_TITLE (2.5.31) 1 | WF_LAYER_TITLE (2.5.31) 1 | WF_CLEANUP_TITLE (2.5.31) 1 | WF_SOURCE_TITLE (2.5.31) 1 | WF_IMGMANAGER_TITLE (2.5.31) 1 | WF_CONTEXTMENU_TITLE (2.5.31) 1 | WF_AUTOSAVE_TITLE (2.5.31) 1 | WF_NONBREAKING_TITLE (2.5.31) 1 | WF_STYLESELECT_TITLE (2.5.31) 1 | WF_MEDIA_TITLE (2.5.31) 1 | WF_TEXTCASE_TITLE (2.5.31) 1 | WF_PREVIEW_TITLE (2.5.31) 1 | WF_INLINEPOPUPS_TITLE (2.5.31) 1 | WF_KITCHENSINK_TITLE (2.5.31) 1 | WF_PRINT_TITLE (2.5.31) 1 | WF_FONTCOLOR_TITLE (2.5.31) 1 | WF_LISTS_TITLE (2.5.31) 1 | WF_STYLE_TITLE (2.5.31) 1 | WF_FONTSELECT_TITLE (2.5.31) 1 | WF_FULLSCREEN_TITLE (2.5.31) 1 | WF_LINK_TITLE (2.5.31) 1 | WF_CHARMAP_TITLE (2.5.31) 1 | WF_SPELLCHECKER_TITLE (2.5.31) 1 | WF_ARTICLE_TITLE (2.5.31) 1 | WF_ANCHOR_TITLE (2.5.31) 1 | WF_XHTMLXTRAS_TITLE (2.5.31) 1 | WF_DIRECTIONALITY_TITLE (2.5.31) 1 | WF_TABLE_TITLE (2.5.31) 1 | WF_VISUALBLOCKS_TITLE (2.5.31) 1 | WF_FORMATSELECT_TITLE (2.5.31) 1 | WF_VISUALCHARS_TITLE (2.5.31) 1 | WF_FONTSIZESELECT_TITLE (2.5.31) 1 | WF_CLIPBOARD_TITLE (2.5.31) 1 | WF_SEARCHREPLACE_TITLE (2.5.31) 1 | WF_BROWSER_TITLE (2.5.31) 1 | com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
Components :: ADMIN :: com_categories (3.0.0) 1 | com_modules (3.0.0) 1 | com_cache (3.0.0) 1 | JCE (2.5.31) 1 | Unknown (-) 1 | com_joomlaupdate (3.6.1) 1 | com_search (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_content (3.0.0) 1 | com_languages (3.0.0) 1 | com_phocamaps (3.0.0 Beta) 1 | JEvents (3.1.6) 1 | com_menus (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_login (3.0.0) 1 | COM_MIJOSEF (1.3.4) 1 | Banners (1.3.0) 1 | Mail To (1.3.0) 1 | Content (1.3.0) 1 | MijoSEF (1.3.0) 1 | Users (1.3.0) 1 | Web Links (1.3.0) 1 | Search (1.3.0) 1 | Wrapper (1.3.0) 1 | News Feeds (1.3.0) 1 | Tags (1.3.0) 1 | Contact (1.3.0) 1 | com_mp_sliding (2.0.0) 1 | com_media (3.0.0) 1 | Freestyle Testimonials: Testim (1.11.8.1718) 1 | COM_FST (1.13.2) 1 | com_templates (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_config (3.0.0) 1 | com_messages (3.0.0) 1 | com_tags (3.1.0) 1 | com_users (3.0.0) 1 | com_finder (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_checkin (3.0.0) 1 | com_weblinks (3.5.0) 1 | com_banners (3.0.0) 1 | com_plugins (3.0.0) 1 | com_redirect (3.0.0) 1 | com_ajax (3.2.0) 1 | com_installer (3.0.0) 1 | com_admin (3.0.0) 1 | Akeeba (5.2.4) 1 | Admintools (4.0.2) 1 |

Modules :: SITE :: mod_tags_popular (3.1.0) 1 | mod_feed (3.0.0) 1 | JEvents Latest Events (3.1.6) 1 | Vinaora Nivo Slider (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_finder (3.0.0) 1 | JEvents Legend (3.1.6) 1 | mod_tags_similar (3.1.0) 1 | mod_wrapper (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | MyPuzzle Sliding Puzzle (2.0.0) 1 | mod_languages (3.5.0) 1 | Freestyle Testimonials: Testim (1.12.3) 1 | mod_custom (3.0.0) 1 | Rapid Contact (1.2) 1 | mod_articles_categories (3.0.0) 1 | mod_banners (3.0.0) 1 | JEvents View Switcher (3.1.6) 1 | mod_articles_news (3.0.0) 1 | Maximenu CK (8.1.9) 1 | mod_footer (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_weblinks (3.5.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_search (3.0.0) 1 | JEvents Filter (3.1.6) 1 | mod_syndicate (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | JEvents Calendar (3.1.6) 1 | mod_related_items (3.0.0) 1 |
Modules :: ADMIN :: mod_feed (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | MijoSEF - Quick Icons (1.3.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_title (3.0.0) 1 | mod_version (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_logged (3.0.0) 1 |

Plugins :: SITE :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_sliders (6.2.2) 1 | plg_system_log (3.0.0) 1 | plg_system_regularlabs (16.10.20385) 1 | plg_system_stats (3.5.0) 1 | System - MijoSEF (1.3.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_sef (3.0.0) 1 | System - MijoSEF Meta Manager (1.3.0) 1 | plg_system_jce (2.5.31) 1 | plg_system_remember (3.0.0) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | plg_system_p3p (3.0.0) 1 | System - Asynchronous Google A (2.5.6) 1 | System - Admin Tools (4.0.2) 1 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) 1 | System - CSSConfig (0.2.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_jevents (3.1.5) 0 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.5.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_quickicon_akeebabackup (1.0) 0 | plg_quickicon_joomlaupdate (3.0.0) 0 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_jcefilebrowser (2.5.31) 1 | plg_extension_joomla (3.0.0) 1 | plg_editors_tinymce (4.4.0) 1 | plg_editors_jce (2.5.31) 1 | plg_editors_codemirror (5.17.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | Search - JEvents (3.1.5) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_weblinks (3.5.0) 1 | plg_search_contacts (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | PLG_JMONITORING_AKEEBABACKUP_T (1.0) 1 | plg_captcha_recaptcha (3.4.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_vote (3.0.0) 1 | Content - Pure CSS tooltip (10.0.1) 1 | plg_content_jce (2.5.31) 1 | plg_content_joomla (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_editors-xtd_sliders (6.2.2) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_jce (2.5.31) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.0) 1 |

Templates :: SITE :: beez3 (3.1.0) 1 | ABC_Academy1 (3.22) 1 | protostar (1.0) 1 | ABC_Academy (3.20) 1 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |

[ribo]

Session Path Writable: No . This must be Yes
Max. Upload Size: 2M | Max. POST Size: 8M . These values can be 30M for both (Max. Upload Size: 30M | Max. POST Size: 30M)
Please tell to your host to fix all these and after post the fpa results to confirm that they fixed these.
Generally your joomla was hacked because your joomla was out of date and maybe and some extensions too. So in the future don t forget to update in time your joomla, your extensions, your templates, your libraries.

[vrans99]

The site was hacked before a couple of times, but I never did such a clean install like this time after I found this great instructions.
You suggested to "check inside to "yourprefix_assets" if there is something to delete". Do you mean that I will find all the folders or files list that were related to the extension that I want to clear from db?

[ribo]

You suggested to "check inside to "yourprefix_assets" if there is something to delete". Do you mean that I will find all the folders or files list that were related to the extension that I want to clear from db?

Not the folders or the files, as these are not in database but in your root folder. But every install creates many things in database. So for example in "yourprefix_assets" can be something from a component that you installed before and now you don t want it. If it is difficult for you better to don t do it as this can do a more experienced user in mysql and databases.

[Webdongle]

Thank you so much.
This is a great piece of information.
I did follow the steps and I have now a virus-free and fresh installation of Joomla.

Am glad that it helped.

...
But I have a question:After the fresh Joomla install and changed the settings to point to the original database, I was installing only the extensions I really need (I had a bunch of extensions that I was just trying but I never uninstalled them), but now I have a long list of extensions that are showing as installed but they are not really installed....

Have asked the mods to edit
Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
to
Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel

In the mean time you could (after making a backup) reinstall the unwanted 3rd party extensions then unistall them. Be aware that some 3rd party extensions do not uninstall completely so you would still need to make sure that they haven't left Tables in the database.

[totalhealth]

Here's my 2bits. I thought I had recovered from a hack. I was running third party malware detection scripts on my website on a regular basis and there were no alerts. I saw that gravity scan was finally available for joomla sites so I ran that scan. I got a couple of warnings and a recommendation to install the plugin so they could do a deep scan. I did. Holy crap. over 2,500 infected pages and scripts. and a bastard of a malware called SAPE. I went through each folder on the site that was pointed out by gravity scan and I manually edited/deleted scripts. It took hours. But that SAPE malware was seriously embedded. If I changed it in any way, renamed it, or deleted it the site would go down. It had hooks into the template and SH404SEF. It almost looked like it was part of the template from the start. So I recommend to all of you peeps. Install the gravityscan plugin and do the deep scan of your site/database. I googled SAPE and I could not find any reference to it outside of a Russian hacking site so the must mean it still hasn't been discovered by people...besides me that is.

[DavidBoggitt]

I just ran gravity scan on a website and it seems to find lots of "Potentially malicious file detected in your Joomla installation." which are apparently php files in my tmp folder.

However, ftp-ing into the site shows nothing in that folder apart from index.html

[mandville]

I find that the plauding of gravity as the only one to detect this hack as far fetched as google testifies.
For a massive first post singing praises then it reads like spam
Especially when the only credentials of the team is word _fence

[fcoulter]

I googled SAPE and I could not find any reference to it outside of a Russian hacking site so the must mean it still hasn't been discovered by people...besides me that is.

Funny, I Googled SAPE Malware and found lots of entries dating to 2015, it seems a lot of people have discoved it after all.

I agree with Mandville, this sounds like a spammy advert for this particular scanner.

[DavidBoggitt]

All these php files the scan has apparently found simply don't exist. I've ensured that SmartFTP is showing hidden files - these files just aren't there.

I also implicitly trust Phil Taylor's myJoomla far more, which has found nothing untoward with a scan..!

[JAVesey]

I also implicitly trust Phil Taylor's myJoomla far more..

Absolutely right! Joomla-specific audits from a truly credible provider

[Webdongle]

... But that SAPE malware was seriously embedded. If I changed it in any way, renamed it, or deleted it the site would go down. It had hooks into the template and SH404SEF. It almost looked like it was part of the template from the start. ....

That's why steps b & c in the instructions ... to remove the malware and prevent it from spreading. Step #f rebuilds your site and the rest helps prevent your site from being hacked again.

@DavidBoggitt and @JAVesey
100% agree Phil Taylor provides an excellent and trustworthy professional service. The summary in the OP is for those who can not afford a professional service and wish to clean their site(s) themselves.

[vincenzore1981]

Hi everyone, this is my first post!

A few months ago I had to restore a client's site from a hack and followed this guide.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

But I think I have found an alternative for the future to be faster.

In practice, there is a service that monitors the website files for changes and warns you if any of the hosting files is being modified.

This makes it easier to know which files are compromised, altered, etc.

By checking which files have been modified, just restore the compromised ones from a clean Joomla installation.
Knowing when they have been modified you can look in access_log at that time to understand what vulnerability was used. In this way you can remove the vulnerable extension or notify the vulnerability to the developer.

Did you use any of these services? What do you think?

[Webdongle]

...
But I think I have found an alternative for the future to be faster.

In practice, there is a service that monitors the website files for changes and warns you if any of the hosting files is being modified.

This makes it easier to know which files are compromised, altered, etc.
...

But it doesn't tell you what they added to the server.

...
By checking which files have been modified, just restore the compromised ones from a clean Joomla installation.
Knowing when they have been modified you can look in access_log at that time to understand what vulnerability was used. In this way you can remove the vulnerable extension or notify the vulnerability to the developer....

But the hack files are still on the server.

I will not tell you exactly how it is done but it goes basically like

• Hacker finds a weakness and uses it to upload files
• The hacker uses those files to control your server and site
• The hacker posts (on hack forums) the weakness and what files they have uploaded

If the monitoring system tells you of the newly created files then great. But if chasing those files while other hackers are adding theirs or chasing those files while the hackers use them to access other things on your server ... is quicker than deleting everything ... is moot. Yes it is quicker to replace one file than replace all the files but deleting all the files is a faster way (for the average user) to prevent more permanent damage.

There are many tools and strategies available to experienced users but the OP was not aimed at those users. It is intended for the average user who does not have enough experience to use the alternative tools and strategies effectively.

So Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files. is correct and accurate for the users the it is intended for. Because the users that need to ask how to recover their site (or server) from a hack don't have the experience to use the other tools or strategies effectively. Therefore "there is no real alternative" for them.


Did you use any of these services? What do you think? Do you have the experience (of server management, server security and hacking) to know how to use them effectively? would you recommend them to users that aren't experienced enough to understand how many ways there to hack and how the hacks actually work?

[vincenzore1981]

But it doesn't tell you what they added to the server.
...
If the monitoring system tells you of the newly created files then great.

Yes I get notified when someone uploads/deletes/modifies a file or folder on the website.
To be clearer, the service warns me of any modification (new, delete, edit) to the website filesystem.

So if a hacker upload a shell or a backdoor I'll be alerted by email and I can delete the uploaded file and look at the access_log to see what happened.

Yes it is quicker to replace one file than replace all the files but deleting all the files is a faster way (for the average user) to prevent more permanent damage.

You're right, but still have to decide which pictures files to hold and which files to delete is still a slow process. You can not delete all the files in the directory "images". Decide which image can be a malicious file and which does not become a complicated and long process.

Did you use any of these services? What do you think?

Yes I use one of them. But I think I can't share the link to respect the forum policy.

What I can say is that there are many tools like OSSEC intrusion detection system or Tripwire that do the same but require you to have root access to the server where your website is hosted.

Also for me these tools are too complicated to configure and install.

With the service I found instead, you load on your site a simple php agent that is periodically interrogated to obtain a snapshot of the files on your web space (file names, their size and last modified date). This data is then compared with the previous snapshot and you get notified when files are added, deleted or modified.

I prefer this type of service compared to OSSEC/tripwire tools because it does not require any installation and also work on inexpensive hosting without SSH access and without cron jobs.

Do you have the experience (of server management, server security and hacking) to know how to use them effectively? would you recommend them to users that aren't experienced enough to understand how many ways there to hack and how the hacks actually work?

I have chosen this service because I do not have a lot of experience in managing a server. So I think if it was useful to me it could be for other Joomla users as well.

[Webdongle]

Yes I get notified when someone uploads/deletes/modifies a file or folder on the website.
To be clearer, the service warns me of any modification (new, delete, edit) to the website filesystem.

So if a hacker upload a shell or a backdoor I'll be alerted by email and I can delete the uploaded file and look at the access_log to see what happened.

but you don't (by your own admission) have the the experience

I have chosen this service because I do not have a lot of experience in managing a server.

Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.

Analogy ... You get home to find a window broken open. While you fix it he burglar hides in the attic and then opens another window. You catch him, remove him and shut the window. While you shut the window ... another burglar (who got in through it) copies your keys and throws them out of the window to an accomplice. While you are getting rid of that burglar and shutting yet another window ... the accomplice unlocks the doors and changes the locks so they can be opened with other keys as well. While all that is happening ... the thieves now have access to your other houses (i.e. sites). So you now have the same problem multiplied by the number of houses you have access to.

An experienced server admin can deal with that but an inexperienced user is likely not to be able to clean a site by cherry picking. If your monitoring service notifies you of a hack then you are best advised to delete all your files or get an expert to clean it. If you don't then you ignoring your lack of "experience in managing a server" (by insisting your method will fix things) is irresponsible.

[vincenzore1981]

Besides which if you delete an added hack file and analyse the logs then other hack files can be added through the same vulnerability... several more can be added. If you decide to close the vulnerability first then several more hack files can be added.

Yes, but anyway I would be warned of each of them. So all of your elucubrations lose their meaning.

Also since I am notified immediately when the site is compromised, I can see what the latest GET and POST requests were (from access_log), and then find what vulnerability was exploited.

With your method, instead, you will see that it has been violated only after days (maybe after Google has already labeled your site as malicious), you would erase everything and reinstall without correcting the vulnerability. So you cared for the symptom without treating the cause.

[ redacted ]

[Webdongle]

...
Yes, but anyway I would be warned of each of them. So all of your elucubrations lose their meaning.....

Not true because you don't understand enough to act effectively on the notifications. Even if you did the users that this thread is designed for wouldn't. So because of (your well intentioned but misinformed) posts ... it becomes necessary to elaborate on why you are wrong in your assumptions. There is a huge difference between monitoring a site and eradicating a hack that you've been notified about.

...
Also since I am notified immediately when the site is compromised, I can see what the latest GET and POST requests were (from access_log), and then find what vulnerability was exploited....

It's not as simple or as easy as you try to make it sound. Understanding the system logs takes more skill than many users have.

...
With your method, instead, you will see that it has been violated only after days (maybe after Google has already labeled your site as malicious),...

It is not my method it is a summary of the official method.
It is not suggested as a monitoring service it is a method to eradicate a hack.

... you would erase everything and reinstall without correcting the vulnerability. So you cared for the symptom without treating the cause.....

Another inaccurate statement by you. What you are doing is lumping monitoring a server with fixing and cleaning it. You appear to be under the impression that being notified of a hack makes it easier to eradicate it. But you then 'recommend cherry picking the hack files.

[mtech0101]

I am following all of the steps outlined in "How to recover from a hack" and the one question that I have is: You mentioned to install the same version of Joomla that you had, but the version that I had was 3.8.4 yet on the Joomla site only 3.8.5 is available. Would using the 3.8.5 version cause issues once I later try to point to the original database?

[toivo]

[quote=""mtech0101"]the version that I had was 3.8.4 yet on the Joomla site only 3.8.5 is available[/quote]You can download all the 3.x versions from here: https://downloads.joomla.org/cms/joomla3