Website compromises can happen to any CMS and fixing them can be a daunting task.
Sucuri Remediation Team Lead Ben Martin provided in this webinar a step-by-step guide to fixing your hacked Joomla! site.
This webinar is helpful if your website becomes compromised, minimizing the attack time and stress.
Video here: https://youtu.be/3BEUQ0X9IBo
Sucuri Webinar: How to identify and clean a hacked Joomla! website
1.
2. WEBINAR: HOW TO IDENTIFY AND FIX A HACKED JOOMLA WEBSITE
Ben Martin | @sucurisecurity #AskSucuri
How to Identify and Fix a Hacked Joomla Website
3.
KRISTEN THOMAS
Community Manager
Community Engagement Team
@kdthomas327
4. HOUSEKEEPING ITEMS
● Poll questions on your screen
● Q&A
● Place questions in Q&A box
● Ask questions right away
● Use #AskSucuri on Twitter to engage
● Questions will be answered and delivered post-webinar
● Brief survey at the end of the presentation
● Presentation video
5. BEN MARTIN
• Remediation Team Lead at Sucuri Inc.
• Security geek, malware slayer, music producer
6. Victoria, BC, Canada
7. Ben & Security
• 6 years working in cybersecurity and IT / software
• Has cleaned thousands of websites
• Helps to identify new malware campaigns and stop hacks
• Has attended and spoken at numerous CMS events
8. Overview of Sections
• Signs that your website has been pwned
• Find and remove the source of the infection
• What to do after a hack
9. Have I been pwned?
Telltale signs that your website has been compromised
10. How can I tell if I’ve been hacked?
• #1 – Your website has been blacklisted
• Common/major vendors include Google, Yandex, Norton, McAfee, Sophos, MalwareBytes, Sucuri...
How to tell?
• Head on over to virustotal.com and scan your domain
• https://sitecheck.sucuri.net
• Your visitors may report security warnings
11.
12. How can I tell if I’ve been hacked?
• #2 – You see spam in Google search results for your website
• Pharmaceuticals, adult content, torrent downloads, NFL jerseys, essay writing, cat food, cheap cheap cheap, knock-off designer goods, cheap hotels, more pharmaceuticals...
How to tell?
• ‘This site may be hacked’ in Google
• Bogus/spam content in your site description
• Search site:mywebsite.com and check results
13. How can I tell if I’ve been hacked?
• #3 – Traffic to your website is redirected elsewhere
• Spam sites, exploit kit landing pages, adult websites, ransomware, malicious .ru / .su domains, phishing pages, other hacked sites
How to tell?
• When you try to access your site, you end up elsewhere
• Your visitors may report weird behaviour of your site
• Many redirects are conditional (i.e. only for mobile devices, only for some operating systems, only with some specific referrers, etc...)
14. How can I tell if I’ve been hacked?
• #4 – Weird pop-ups or other strange behaviour
How to tell?
• Unexpected ads, new tabs opening up, pop-ups and pop-unders
• Your visitors may report weird behaviour of your site
• Sometimes only happens on certain devices or under certain conditions
15. How can I tell if I’ve been hacked?
• #5 – SiteCheck flags malware
• Head on over to https://sitecheck.sucuri.net
How to tell?
• It will flag malware, spam, redirects, etc.
• Disclaimer: 100% accuracy is not realistic and not guaranteed
• A remote scanner can only flag what is displayed on the website.
• Best to monitor the file system for malware and file modifications, which is included in our services
16. How can I tell if I’ve been hacked?
• #6 – Your website looks something like this:
How to tell?
• Pretty self-explanatory
17. So now what do I do?
Some helpful pointers on fixing the hack
18. Basic Overview: Only so many places to hide
Process of Elimination
• Core files
• Templates
• Extensions
• Database
• .htaccess
• Ad networks
• The server itself
19. Tools of the trade: Add these to your tool-belt
Security and Development Tools
• Filezilla (FTP client)
• NoScript (Script blocker)
• VirtualBox (Virtualization tool)
• uBlock Origin (Ad blocker)
• PHPMyAdmin or Adminer (database management)
• User Agent Switcher
• Support forums (ie: https://forum.joomla.org/)
• OSSEC HIDS (server monitoring)
• SSH / BASH connection
20. Heads up: Back up your website first!
Modifying files/database can cause damage if any mistakes are made
• Make a website backup before making any changes
• This includes your file structure and database
• These can be safely stored as a compressed archive (i.e. ZIP or tar.gz) somewhere, but do not store them within the public_html directory of your web server because it is a massive security risk
21. Step 1: Core Files
Modification of core files is a common way to infect a website
• Check the integrity of your core files (can compare to a fresh Joomla version)
• Check for recent modifications of core files
• Replace core files with fresh copies (includes, libraries, etc...)
• Common culprits are index.php, ./includes/framework.php, ./includes/defines.php ...
22. Example file: Joomla’s Default index.php
We can see that these two files are called directly by the main index.php file:
./includes/defines.php
./includes/framework.php
As such they are common targets for malware.
23. Example file: hacked ./includes/defines.php
24. Example file: hacked ./includes/framework.php
25. Core files continued...
Joomla has three different branches: 1.x.x, 2.x.x and 3.x.x
• Support for Joomla 1.x.x ended September 2012 – no more security patches!
• Support for Joomla 2.x.x ended Dec 2014
• Many website owners are stuck in 1.x.x or 2.x.x due to custom code or particular extensions they require
• Like all software, even 3.x.x has had security issues that required patching!
26. Core files continued again...
If you need some guidance on how to update/migrate to the most recent version of Joomla...
https://docs.joomla.org/Joomla_1.5_to_3.x_Step_by_Step_Migration
https://docs.joomla.org/Joomla_2.5_to_3.x_Step_by_Step_Migration
https://docs.joomla.org/Joomla!_CMS_versions/en
27. How to tell which files are bad...
Here is an example of using diff to find malicious files (the site tree is compared recursively against an unpacked clean copy of the same Joomla version):
diff -r example.com "Joomla 2.5.28" > diff.txt
28. Example output:
We can see there are some (malicious) files that only exist in example.com, as well as some hacked content in index.php
29. To manually check recently modified files:
• Log into your server using an FTP client or SSH terminal.
• If using SSH, you can list all files modified in the last 15 days using this command:
$ find ./ -type f -mtime -15
• If using SFTP, review the last modified date column for all files on the server.
• Note any files that have been recently modified.
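The two checks above (a recursive diff against a clean copy, then a modification-time sweep) as one POSIX shell script. This is an added example, not code from the webinar; the directory layout and file contents it works on are constructed sample data, and the `EXTRA` / `MODIFIED` labels are my own.

```bash
#!/bin/sh
# Added example (not from the webinar): compare a Joomla site tree against a
# clean copy of the same Joomla version and list recently modified files.
# Assumes both trees are local directories and GNU/POSIX diff, find, mktemp.

# Print files that exist only in the site tree (possible dropped files) or
# that differ from the clean copy (possible injected code), one per line.
# Usage: integrity_report SITE_DIR CLEAN_DIR
integrity_report() {
    site=$1; clean=$2
    # -r recurse, -q names only. "Only in CLEAN" lines (files the site lacks)
    # are ignored here; missing files are a repair task, not an infection sign.
    diff -rq "$site" "$clean" 2>/dev/null | while IFS= read -r line; do
        case $line in
            "Only in $site: "*|"Only in $site/"*)   # "Only in DIR: NAME"
                dir=${line#Only in }; dir=${dir%%: *}; name=${line##*: }
                printf 'EXTRA    %s\n' "$dir/$name" ;;
            "Files "*" differ"|"Binary files "*" differ")
                f=${line#Files }; f=${f#Binary files }; f=${f%% and *}
                printf 'MODIFIED %s\n' "$f" ;;
        esac
    done
}

# Regular files modified within the last N days (default 15); the webinar's
# "find ./ -type f -mtime -15" wrapped in a function.
recent_files() {
    find "$1" -type f -mtime "-${2:-15}" | sort
}

# Constructed sample data: a minimal "clean" tree and a "site" copy with one
# altered core file and one extra PHP file in an upload directory. Not a
# real infection, just enough structure to exercise the two checks.
make_sample_trees() {
    base=$1
    for d in clean site; do
        mkdir -p "$base/$d/includes" "$base/$d/images"
        printf '<?php define("_JEXEC", 1); ?>\n'   > "$base/$d/index.php"
        printf '<?php // framework bootstrap ?>\n' > "$base/$d/includes/framework.php"
        printf '<html><body></body></html>\n'      > "$base/$d/images/index.html"
    done
    printf '<?php /* appended, unexpected */ ?>\n' >> "$base/site/index.php"
    printf '<?php /* file the clean copy lacks */ ?>\n' > "$base/site/images/x.php"
}

# Demo run on the sample data: one EXTRA line, one MODIFIED line, then the
# four files touched in the last 15 days.
demo=$(mktemp -d)
make_sample_trees "$demo"
integrity_report "$demo/site" "$demo/clean"
recent_files "$demo/site" 15
rm -rf "$demo"
```

Point the two arguments at the real site root and an unpacked download of the matching Joomla release, and review every `EXTRA` and `MODIFIED` path by hand.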
30. Step 2: Template files
Very common place to lodge malware
• Effective spot to place malware for nefarious purposes
• Check files on server for anything recently modified in your template (see image)
• Most common culprit is index.php
• Hacked/freemium/nulled templates should be avoided at all costs
• Try temporarily switching to a freshly downloaded clean template to see if the problem goes away
• Not sure what to do? Remove/replace ALL the template files with fresh copies
31. Example file: Infected index.php template file
32. Example: Most common Joomla malware we see today is bogus jQuery
33. Step 3: Extensions
Bogus or hacked extensions can be the source of infection
• Check every single plugin, module, component
• Check extension files that were recently modified (Filezilla)
• Temporarily disable your extensions and re-scan or re-visit your site to see if the problem goes away
• Hacked/freemium/nulled extensions should be avoided at all costs
• Not sure what to do? Remove/replace ALL the extension files with fresh copies
34. Example: Backdoor injected into plugin file
35. Step 4: Database
Spam, iframes, hidden div tags...
• The database is where all the content of your posts/pages/settings is stored
• Common place for attackers to place spam links, particularly the jos_content table
• Can add malicious iframes to posts/pages
• Try searching your database for spam terms (viagra, cialis, cheap, etc...)
• Spam you see in Google or flagged by sitecheck.sucuri.net is often hiding here
36. Example: display:none spam in database
Visitors cannot see it, but search engines can
37. Step 5: .htaccess
Can be used or abused
• Common location for malicious redirects to be placed
• Can redirect whatever traffic you want to wherever you want
• Can also be used to add additional security rules to your website
• Default Joomla .htaccess is 3 KB in size
• Not a bad idea to set the file as read-only
38. Example file: Spammy/hacked .htaccess
39. Step 5: Advertising networks
Can be a source of great woe and misfortune
• Crappy/cheap ad networks are commonly related to malvertising
• No server is 100% secure
• Integrating third party content is always a risk
• Best to stick with reputable advertising networks
• If you are using an ad network that has been compromised, you need to disable the network completely until the problem is gone
40. Example code: Bogus/compromised ad networks.
Code is placed at the bottom of all jos_content posts and redirects visitors to spam sites
41. Step 6: The server itself
Not as common, but still happens
• Sometimes the server on which your website resides is itself rooted
• Choose your hosting provider carefully
• What will your host do if your website or server is compromised?
• VPS is a good solution for a safer, private server
• If your server is infected, it is possible to clean it but the best option is to migrate the website to a new server
• Do not re-use ANY passwords
• Use OSSEC HIDS for file modification warnings
42. Step 7: Backdoors
The hardest part!
• If backdoors are inserted on your site the attackers will still have access, even if you delete the other malware
• Backdoors are always coupled with the main payload
• New backdoors are written all the time, lots of variety
• Check which files were recently modified on your server
• Check logs to see any strange files being accessed directly (especially from weird IPs)
43. Step 7: Backdoors
Backdoors commonly include the following PHP functions:
• eval
• base64
• str_rot13
• gzuncompress
• gzinflate
• exec
• create_function
• curl_exec
• location.href
• system
• assert
• stripslashes
• preg_replace (with the /e modifier)
• move_uploaded_file
• strrev
• file_get_contents
• encodeuri
• wget
44. Example file: Backdoor lodged in ./libraries/joomla/factory.php
45. Pro Tip: Some More Helpful Resources
Can help to determine the problem:
• https://sitecheck.sucuri.net – Website malware scanner
• http://unmaskparasites.com – Website malware scanner
• https://aw-snap.info – Can find redirects, spam, malvertising
• https://www.webpagetest.org – See what’s loading on your website/server
• https://portswigger.net/burp – A more advanced web application tool
• http://ddecode.com and https://unphp.net – Useful for decoding malware and obfuscated code
46. The malware is gone, now what?
Gotta protect those Interwebs
47. Remember: They will be back
• Much like an e-mail account targeted by spammers, you can’t just hope the problem will go away
• When attackers identify a vulnerable/easy site to hack, they will keep hacking it over and over
• Attackers know that root problems are rarely addressed
• Need to take proactive steps to prevent re-infection
48. Step 1: Update all the things!
Out of date software is the leading cause of infection
• Update Joomla to the latest version, all extensions, templates
• If you are using 1.x or 2.x migrate to 3.x as soon as possible
• Make sure your server is up to date (cPanel, apache, etc...)
• Basic and proactive website maintenance is the first line of defense
• This is a constant process, never let your guard down
49. Step 2: Change all the passwords!
Easy to guess/crappy/compromised passwords are the #2 reason for website compromise
• Change all admin passwords to your site
• That includes admin panel, FTP/SFTP, cPanel, hosting, database, basically everything
• Consider using a password manager like LastPass
• The harder it is for you to type/remember, the harder it will be to brute force
50. Step 3: Review who has access!
Have as few administrator users as absolutely necessary
• This applies to everything from the admin panel to FTP and any other connection mechanism
• The more admin accounts you have, the more likely it is that something will go wrong
• Ensure that all passwords are strong and complex
• Perform admin work from an admin account, and have a separate account for blog posting etc.
51. Example: Malicious super administrator
52. Step 4: Clean your kitchen!
Decrease the attack surface
• Remove unused extensions and templates from the server
• Remove any old versions of your website, dev sites and backups of your website from your server and store them somewhere else
• Remove unnecessary administrator accounts
• Exercise ‘least privilege’: only grant the minimum privileges necessary for people to perform their work
53. Step 5: Scan your box!
If your laptop/workstation is pwned, that could be the source of the attack
• Regularly scan your computer for viruses/malware
• Use a good, reputable anti-malware program
• Don’t administer your website from a public computer
• Use encrypted protocols such as SFTP when accessing your website (encryption is your friend...)
54. Step 6: Backups regimen!
A clean, functional backup is your best friend on a rainy day
• Perform regular backups of your website
• DO NOT store your backups ON YOUR PRODUCTION SERVER
• Backups should be stored off-site
• There are many online services that can perform regular backups for you (we offer one and it’s very affordable ☺ )
55. Example: Sucuri backups dashboard
56. Step 7: Harden your site!
Any CMS out of the box can use some tweaking
• Disable .PHP execution from /includes directories as well as any upload directories
• Use a security plugin if you don’t already (jHackGuard, Akeeba, JoomDefender, JSecure)
• Make sure reporting/logging is functional
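The first hardening bullet as a small shell helper, added here as an example (not the webinar's or Joomla's own code): it drops an Apache rule that refuses requests for PHP files into the named directories and reports which directories still lack one. The extra directory names beyond /includes (images, tmp, cache) and the Apache 2.2/2.4 syntax are my assumptions.

```bash
#!/bin/sh
# Added example (not from the webinar): drop a "no PHP execution" .htaccess
# into directories that should only ever serve static files (uploads,
# includes) and report which directories still lack one. Assumes Apache with
# AllowOverride enabled for these paths; with AllowOverride None the file is
# silently ignored and the same rule belongs in the vhost config instead.

# The rule itself: refuse HTTP requests for PHP-like files in this directory.
# Works on Apache 2.2 (Order/Deny) and 2.4 (Require) via mod_authz_core probe.
PHP_DENY_RULE='<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>'

# php_exec_blocked DIR -> exit 0 if DIR/.htaccess already carries a PHP deny
# rule (either syntax), 1 otherwise.
php_exec_blocked() {
    f=$1/.htaccess
    [ -f "$f" ] || return 1
    grep -Eq '<FilesMatch[[:space:]]+"[^"]*ph' "$f" &&
        grep -Eq 'Require all denied|Deny from all' "$f"
}

# harden_dir DIR -> append the rule to DIR/.htaccess unless already present
# (idempotent, so it is safe to re-run after every site update).
harden_dir() {
    if php_exec_blocked "$1"; then
        return 0
    fi
    printf '%s\n' "$PHP_DENY_RULE" >> "$1/.htaccess"
}

# report_unprotected SITE_ROOT DIR... -> print each named directory (relative
# to SITE_ROOT) that exists but has no PHP deny rule.
report_unprotected() {
    root=$1; shift
    for d in "$@"; do
        [ -d "$root/$d" ] || continue
        php_exec_blocked "$root/$d" || printf '%s\n' "$d"
    done
}

# Demo on a constructed directory layout: the /includes path named on the
# slide plus the usual Joomla upload and cache locations.
demo=$(mktemp -d)
mkdir -p "$demo/includes" "$demo/images" "$demo/tmp" "$demo/cache"
report_unprotected "$demo" includes images tmp cache      # all four listed
for d in includes images tmp cache; do harden_dir "$demo/$d"; done
report_unprotected "$demo" includes images tmp cache      # prints nothing
rm -rf "$demo"
```

After deploying, request a known PHP file under one of the protected directories over HTTP and confirm a 403; if it still executes, the server is not honouring .htaccess and the rule must go into the virtual host configuration.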
57. Step 8: Use a WAF!
Web Application Firewalls are the best defense against the bad guys
• Sanitizes all traffic to your website
• Prevents XSS, DDoS, etc...
• Vulnerable software will be virtually patched and protected
• Speed/performance of website will increase
58.
• Questions?
• Tweet us @sucurisecurity #AskSucuri
THANK YOU!