This is the first time I have realized how important it is to keep a website secure. Actually, it is my second time: another WordPress website of mine got hacked several months ago, and I posted an article, “5 Steps to Clean Hacked WordPress Website”, to share how I cleaned that WordPress website. This time, however, the job is much tougher. Joomla is more complicated than WordPress (and of course more powerful), so cleaning a hacked Joomla website becomes a very annoying job.
How to Clean a Hacked Joomla Website
Before I start cleaning my hacked Joomla website, I look at the access logs first. From the access logs I try to find clues about what happened in the last few days before my website got hacked. In the log files I look for suspicious accesses, especially “POST” requests.
“POST” is one type of HTTP request. Usually it means someone is submitting data to your website. Besides “POST”, “GET” is the other common HTTP request, but a “GET” request usually only retrieves data from your website. Therefore, “POST” is more suspicious than “GET”. In my website’s access log I find entries like these:
198.71.226.38 - - [22/Oct/2016:19:40:06 -0600] "POST /libraries/fof/utils/installscript/installscript.php HTTP/1.1" 302 40653 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
217.67.30.192 - - [22/Oct/2016:19:40:10 -0600] "POST /modules/mod_random_image/tmpl/default.php HTTP/1.1" 302 40694 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
52.51.197.170 - - [22/Oct/2016:19:40:14 -0600] "POST /libraries/fof/utils/filescheck/press.php HTTP/1.1" 302 40559 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
50.62.161.42 - - [22/Oct/2016:19:40:18 -0600] "POST /components/com_content/models/featured.php HTTP/1.1" 302 40716 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
184.168.224.130 - - [22/Oct/2016:19:40:20 -0600] "POST /layouts/joomla/searchtools/default/bar.php HTTP/1.1" 302 40642 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
97.74.215.52 - - [22/Oct/2016:19:40:21 -0600] "POST /administrator/templates/system/images/gallery46.php HTTP/1.1" 302 40641 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
208.109.181.92 - - [22/Oct/2016:19:40:23 -0600] "POST /layouts/joomla/quickicons/dump.php HTTP/1.1" 302 40792 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
23.234.27.171 - - [22/Oct/2016:19:40:29 -0600] "POST /administrator/components/com_newsfeeds/helpers/newsfeeds.php HTTP/1.1" 302 40752 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
50.62.160.91 - - [22/Oct/2016:19:40:30 -0600] "POST /administrator/templates/isis/img/css.php HTTP/1.1" 302 40600 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
From the access log records above I get what I want to know. This behavior is very suspicious, and it is highly likely that all of the files above have been hacked.
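To make this log review repeatable rather than a manual read-through, here is an added example (not code from the original post) that parses Apache combined-format lines like those above and lists POST requests aimed at PHP files other than Joomla’s normal entry points. The sample log lines are constructed for the example, with addresses from documentation ranges, and the rule that only /index.php and /administrator/index.php legitimately receive POSTs is an assumption of the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format, which is the layout of the entries quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption for this example: on a Joomla site only these entry points should receive POSTs.
# A POST to any other .php file (module layouts, template images, helpers) is worth a look.
LEGIT_POST_PREFIXES = ("/index.php", "/administrator/index.php")

# Constructed sample, modelled on the entries in the post (addresses from documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Oct/2016:19:39:58 -0600] "GET /index.php?option=com_content HTTP/1.1" 200 15322 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2016:19:39:59 -0600] "GET /media/system/js/core.js HTTP/1.1" 200 4021 "http://example.test/" "Mozilla/5.0"
203.0.113.10 - - [22/Oct/2016:19:40:06 -0600] "POST /libraries/fof/utils/installscript/installscript.php HTTP/1.1" 302 40653 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.11 - - [22/Oct/2016:19:40:10 -0600] "POST /modules/mod_random_image/tmpl/default.php HTTP/1.1" 302 40694 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.12 - - [22/Oct/2016:19:40:30 -0600] "POST /administrator/templates/isis/img/css.php HTTP/1.1" 302 40600 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
203.0.113.10 - - [22/Oct/2016:19:40:35 -0600] "POST /libraries/fof/utils/installscript/installscript.php HTTP/1.1" 302 40653 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [22/Oct/2016:19:41:02 -0600] "POST /index.php/component/users/?task=user.login HTTP/1.1" 303 20 "http://example.test/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(log_text):
    """Return POST requests whose target is a PHP file outside the normal entry points."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path.startswith(LEGIT_POST_PREFIXES):
            continue                                  # login forms, component tasks, etc.
        if path.endswith(".php"):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per suspicious path: how many POSTs it received and from how many distinct addresses."""
    per_path = defaultdict(lambda: {"requests": 0, "ips": set()})
    for rec in hits:
        per_path[rec["path"]]["requests"] += 1
        per_path[rec["path"]]["ips"].add(rec["ip"])
    return {p: {"requests": v["requests"], "ips": len(v["ips"])} for p, v in per_path.items()}


def files_to_check(hits):
    """Filesystem-relative paths to compare against a clean Joomla package."""
    return sorted({rec["path"].split("?", 1)[0].lstrip("/") for rec in hits})


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG)
    for path, stats in sorted(summarize(found).items()):
        print(f"{stats['requests']:3d} POST(s) from {stats['ips']} IP(s): {path}")
    print("files to compare against a clean package:", files_to_check(found))
```

Run it against a real access log by reading the file into `suspicious_posts`; the list it returns is exactly the set of files to diff against the original package in the next step.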
Find Suspicious Files in Joomla Website
Reading access logs is one way to learn where your website was hacked and how the hackers keep walking back into it. But it is not complete. First, let’s see what a hacked file looks like. I will pick an example file from the access logs above. Here is what I find in installscript.php:
$GLOBALS['u44d84f2'];global$u44d84f2;$u44d84f2=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['sd4129']="\x24\x71\x27\x5f\x2a\x54\x57\x5e\x3e\x5b\x29\x3a\x6e\x67\x32\x70\x41\x56\x52\x25\x2c\x62\x48\x2d\x7e\x4e\x65\x75\x44\x6b\x40\x22\x45\x26\x28\x59\x6c\x20\x55\xd\x68\x47\x46\x72\x30\x4f\x7b\x42\x4d\x49\x79\x7c\x74\x3b\x6f\x9\x4c\x3c\x3f\x50\x23\x7d\x4b\x58\x60\x66\x33\x31\x64\x3d\x4a\x6a\x2b\x38\x5d\x2e\x53\x39\x43\x5c\x63\xa\x5a\x77\x61\x2f\x6d\x76\x7a\x37\x36\x73\x51\x69\x21\x78\x34\x35";
installscript.php is a normal Joomla core file, but compared with the original file, the code above has been added by the hackers. In the other suspicious files found in the access logs, I find the same type of hacking code.
Restore Clean Joomla System Files
Once I have confirmed the hacked files found in the access logs, I compare them with the original Joomla files. I replace every hacked file, or delete it if the file does not exist in the official Joomla package. If too many files are hacked, the best way to clean them is to reinstall your website from a clean Joomla package. After this step your website is almost clean, but not absolutely safe yet.
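The comparison against the original package can be done for the whole tree at once instead of file by file. The following is an added example (not part of the original post) that hashes a clean Joomla package and the live site and reports modified core files, core files missing from the site, and files the package does not contain. The directory layout, the choice of SHA-256, and the ignore list for site-specific content (images/, configuration.php) are assumptions of the example; the demo builds two small constructed trees in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root, site_root, ignore_prefixes=("images/", "configuration.php")):
    """Compare a live site against a clean Joomla package of the same version.

    Returns three sorted lists:
      modified: package files whose content differs on the site (replace from the package)
      missing:  package files absent from the site (restore from the package)
      extra:    files on the site that the package does not contain (inspect, then delete
                unless they are legitimate content or extensions)
    Site-specific paths in ignore_prefixes (an assumption of this example) are left out of 'extra'.
    """
    clean = hash_tree(clean_root)
    site = hash_tree(site_root)
    modified = sorted(p for p in clean if p in site and clean[p] != site[p])
    missing = sorted(p for p in clean if p not in site)
    extra = sorted(p for p in site if p not in clean and not p.startswith(ignore_prefixes))
    return modified, missing, extra


def demo():
    """Build two constructed trees (a 'package' and a 'site') and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        core = {  # constructed stand-ins for core files, identical in both trees to start
            "libraries/fof/utils/installscript/installscript.php": "<?php // genuine core file\n",
            "modules/mod_random_image/tmpl/default.php": "<?php // genuine module layout\n",
            "index.php": "<?php // entry point\n",
        }
        for rel, body in core.items():
            for root in (clean, site):
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_text(body)
        # Site-side changes: a core file with code prepended, a file that is not in the
        # package, a legitimate upload that should be ignored, and a deleted core file.
        (site / "libraries/fof/utils/installscript/installscript.php").write_text(
            "<?php /* constructed stand-in for injected code */\n" + core["libraries/fof/utils/installscript/installscript.php"]
        )
        (site / "administrator/templates/isis/img").mkdir(parents=True)
        (site / "administrator/templates/isis/img/css.php").write_text("<?php // not present in the package\n")
        (site / "images").mkdir()
        (site / "images/logo.png").write_bytes(b"\x89PNG constructed sample")
        (site / "index.php").unlink()
        return compare_trees(clean, site)


if __name__ == "__main__":
    modified, missing, extra = demo()
    print("modified:", modified)
    print("missing: ", missing)
    print("extra:   ", extra)
```

On a real site, point `compare_trees` at an unpacked official package of the same Joomla version and at the web root; templates and third-party extensions you installed will show up under `extra` and need their own clean copies to compare against.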
Backdoor in Joomla Website
After restoring the clean Joomla system files, your website is about 90% clean. Hackers are very smart and will try to hide a backdoor somewhere in the website. Usually the backdoor is hidden in files or folders that we cannot restore from the Joomla system files: the upload folder, the image folder, or even the database. If we cannot find them, our website will never be safe. There are several ways to find the backdoor. For example, search all files on your website for phrases such as “$GLOBALS” or “eval”. If you know PHP programming, you will know why to search for these phrases. This job takes time, and we have to be patient and search every file.
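The injected code shown in installscript.php above and the search for “$GLOBALS” and “eval” suggested here can be combined into one scan. The following is an added example (not code from the original post) that scores PHP files by the indicators those two passages describe: long runs of `\xNN` hex escapes standing in for plain strings, `$GLOBALS` accessed through a hex-escaped name, and the usual code-execution and decoding functions. It also decodes the hex runs so you can see what the string really says. The indicator weights and the flagging threshold are assumptions tuned for the example, and the two samples are constructed (the first mimics the quoted injection in shortened form, the second is a harmless Joomla-style file).

```python
import re
import tempfile
from pathlib import Path

# Indicators of the obfuscation style quoted above.
HEX_ESCAPE_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{1,2}){6,}')  # six or more escapes in a row
OBFUSCATED_GLOBALS = re.compile(r'\$\{\s*"[^"]*\\x[0-9A-Fa-f]{1,2}[^"]*"\s*\}')  # ${"\x47..."}
GLOBALS_TOKEN = re.compile(r'\$GLOBALS\b')
SINKS = re.compile(r'\b(eval|assert|base64_decode|gzinflate|str_rot13|create_function)\s*\(')


def decode_hex_string(s):
    """Replace PHP \\xNN escapes with the characters they stand for, leaving other text alone."""
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})', lambda m: chr(int(m.group(1), 16)), s)


def score_source(text):
    """Count the indicators in one PHP source text and derive an overall score."""
    hex_runs = HEX_ESCAPE_RUN.findall(text)
    globals_hits = OBFUSCATED_GLOBALS.findall(text)
    findings = {
        "hex_runs": len(hex_runs),
        "obfuscated_globals": len(globals_hits),
        "globals": len(GLOBALS_TOKEN.findall(text)),
        "sinks": len(SINKS.findall(text)),
        # Decoded previews so a reviewer can read what the escapes hide.
        "decoded": [decode_hex_string(r) for r in hex_runs][:3],
        "decoded_globals": [decode_hex_string(g) for g in globals_hits],
    }
    # Weights are an assumption for this example, not a standard scoring scheme.
    findings["score"] = (
        3 * findings["obfuscated_globals"]
        + 2 * findings["sinks"]
        + (2 if findings["hex_runs"] else 0)
        + (1 if findings["globals"] else 0)
    )
    return findings


def scan_tree(root, threshold=3):
    """Walk a site tree; return {relative_path: findings} for PHP files at or above threshold."""
    root = Path(root)
    flagged = {}
    for p in root.rglob("*.php"):
        f = score_source(p.read_text(errors="replace"))
        if f["score"] >= threshold:
            flagged[str(p.relative_to(root))] = f
    return flagged


# Constructed samples. INJECTED is a shortened imitation of the code quoted in the post;
# BENIGN is a plain Joomla-style file that must not be flagged.
INJECTED = r"""<?php $GLOBALS['u44d84f2'];global$u44d84f2;$u44d84f2=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['sd4129']="\x24\x71\x27\x5f\x2a\x54\x57\x5e";"""
BENIGN = "<?php defined('_JEXEC') or die; $app = JFactory::getApplication(); echo $app->get('sitename');"


def demo():
    """Write the two samples into a constructed temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "libraries/fof/utils/installscript/installscript.php"
        bad.parent.mkdir(parents=True)
        bad.write_text(INJECTED)
        (root / "index.php").write_text(BENIGN)
        return scan_tree(root)


if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{path}: score {f['score']}, decoded {f['decoded_globals'] + f['decoded']}")
```

A plain grep for “eval” or “$GLOBALS” will also hit legitimate Joomla code, so the score is only a triage order: read the high-scoring files first, and treat any file whose decoded hex turns out to spell `GLOBALS`, `eval`, or similar as a strong candidate. The same scan does not cover the database, which the text rightly lists as a possible hiding place; that still needs a separate review.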
Change Password and Delete Unknown Account
After finishing all the tough jobs to make our website clean, there are some simple jobs left to do. For example, check all the user accounts on the website. If possible, I recommend changing the passwords of all accounts. If there are too many accounts, at least change every administrator password and delete every unnecessary administrator account. There is a reason why I suggest changing passwords as the last step: some hackers hide code in the Joomla core files that can capture your password. So clean the files first and change the passwords afterwards; that will make your website much safer.