If we suddenly can't login in our Joomla administrator or visit our site and see a strange page, then we got hacked! There are some great tools out there but the most important one of all is BACKUP.
There is a new service out there that can help you clean up hacked Joomla sites. It is called Securejoomla and you get 1 free audit that you can try for free.
Recently I had two of my Joomla 1.5 websites hacked with SQL injection. One of them was the most up to date Joomla 1.5.26 with four 3rd party extensions. Even if we upgrade regularly it won’t hold hackers at bay.
Realizing our website has been compromised
Most of the time it will be fairly obvious when something is wrong with our website. The most common attacks consist of:
- SQL injection, where hackers are able to submit a database SQL command which is executed by a web application, exposing the back-end database (i.e. Changing our admin username and password),
- Changing our .htaccess file and redirecting users to another page,
- Uploading malicious code or files to the web server and hide them among the existing files or code.
After getting hacked we don’t have many options
The most reliable advice I can give when a website gets compromised is, revert to a backup that’s clean. If there would be an extension to check our files and report any malicious code, that would be great. Check the Joomla documentation page titled You have been hacked/defaced? is also a great resource.
We are not entirely lost though. Follow the points bellow and we should be up and running in a couple of minutes.
- We have to put the website offline with htaccess
- Change all of your admin, ftp, mysql and hosting passwords
- Download server logs from cPanel
- Run the Joomla Forum Post Assistant and Security script
- Changing the login info in the database if we can’t login to Joomla administrator anymore
- Run the virus scanner in cPanel
- Update Joomla and all components, modules and plugins
- Use Akeeba Backup, Akeeba Admin Tools Professional and Akeeba SiteDiff
- Setup Akeeba Admin Tools Professional to prevent further exploits
We have to put the website offline with htaccess
First we need to put our website offline with the recommended .htaccess method in our cpanel account. Under Security we have an option to password protect the folder on our server. Protect the whole root folder of our website. Now every visitor coming to the site will be prompted with the login form.
2. Change all of your admin, ftp, mysql and hosting passwords
If the hacker got through then we can suspect that all of our passwords are compromised and should change them immediately. Don’t forget to update the Joomla
configuration.php file with the new values.
3. Download server logs from cPanel
If the logs were not enabled then we’re out of luck. Enabling them now would be a smart idea. For the ones that do have them, open them in a text editor and try to find any irregularities. We should be very proficient with reading logs and know what to look for. Look for words “update”, “insert”, “replace” - indicating an SQL attack. If we find calls on php files other then index.php it can be an indication of hackers using 3rd party extensions to break through.
4. Run the Joomla Forum Post Assistant and Security script
Runing the forum post assistant and security tool is easy and quick. It’s a php file called fpa-en.php. We upload it to the root of our website with through FTP and then run it with the following http request:
The script will run and provide a generated report of our settings on the server. We have an option to post the info to the Joomla security forum, which is a good place to ask for help. In the report we should take a closer look at the section for elevated permissions.
5. Changing the login info in the database if we can’t login to Joomla administrator anymore
If we can’t login to the Joomla backend, our password was probably changed. The easiest and quickest way is to log into cpanel and launch phpMyAdmin. Select the database that we use and look up the table jos_users (jos_ is the default table prefix, which we shouldn’t be using. Changing it is easy with Akeeba Admin Tools). After selecting the table we click on Browse on the top left and should now get the login details of our users and admins.
Most of the time the username, email or password will be changed so we can’t login. Click on the edit icon (pencil) and change the username and email. For the password use one of the following MD5 encrypted numbers:
secret = d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199
After replacing the old password we should now be able to login with the password secret.
6. Run the virus scanner in cPanel
Having access again is great but we still have to find out if there are any malicious files on our server. Running cPanel virus scanner is helpful and recommended.
7. Update Joomla and all components, modules and plugins
We have to update our Joomla website to the latest available version. With Joomla 2.5 and above we have one click updates, for Joomla 1.5 we can use one click update inside Akeeba Admin Tools.
After updating Joomla we have to take care of all the components, modules and plugins. Delete the ones that we don’t use and update all the rest to the latest available version.
8. Use Akeeba Backup, Akeeba Admin Tools Professional and Akeeba SiteDiff
I mentioned above that the only real solution is a clean backup, I wasn’t kidding! If we don’t have Akeeba Backup set up, then we have to trust the host to provide the files. Most of the hosts make daily and weekly backups, which sometimes is not enough, especially if new users signed up in between the backups.
Setting up Akeeba Backup is easy and free! We can download a client to a computer, or a Remote CLI file to the server. The best thing is, we can have a list of all our Joomla websites and with a click of a button make backups and download them to the desired destination.
If we have akeeba backups from previous days we can compare them with the Akeeba SiteDiff tool, which unfortunately runs only on windows machines.
Akeeba SiteDiff is a desktop application for Windows™ XP or later which can be used to compare two ZIP or JPA backup archives produced by Akeeba Backup, producing a list of modified, added, deleted and immutable backups. This allows you to easily analyze your sites for potential breaches.fromwww.akeebabackup.com
Admin Tools Professional on the other hand runs inside Joomla. The free version is also available but comes with a lot less tools.
Running PHP File Change Scanner in Admin Tools PRO gives us a list of files that might be threatening. The list contains some info about the file location and threatening value. All of the files are not necessarily hacks, so we have to know what we are looking for. If we ran the scanner before the hacking occurred we could run it again and see the files that changed from the previous run. That is the true power of the scanner.
9. Setup Akeeba Admin Tools Professional to prevent further exploits
It makes sense to take some time to configure the component correctly. It’s a powerful tool that can help us make our Joomla website more secure in the future. We should be using the master password, close the administrator section with a password and create a secure .htaccess file. It’s not a small task and not meant for beginners. Obviously reading the documentation first is a great idea.
It’s really hard to fix a website after getting hacked. Sometimes hackers hide the files deep down in our file structure so it’s hard to find them.
Either way the simplest and bullet proof solution is restoring the website from a clean backup and then immediately going through the above list of changing the passwords and updating components.
I would also recommend reading the article from on the Akeeba website titled Unhacking Your Site.