Sucuri Webinar: How to identify and clean a hacked Joomla! website

HOW TO IDENTIFY AND FIX A HACKED JOOMLA WEBSITEWEBINAR
Ben Martin| @sucurisecurity #AskSucuri
WEBINAR
How to
Identify and Fix
a Hacked
Joomla Website

KRISTEN THOMAS
Community Manager
Community Engagement Team
@kdthomas327

HOUSEKEEPING ITEMS
● Poll questions on your screen
● Q&A
● Place questions in Q&A box
● Ask questions right away
● Use #AskSucuri on Twitter to engage
● Questions will be answered and delivered post-webinar
● Brief survey at the end of the presentation
● Presentation video

WEBINAR
• Remediation Team Lead at Sucuri Inc.
• Security geek, malware slayer, music
producer
BEN MARTIN

WEBINAR
Victoria, BC, Canada

WEBINAR
Ben & Security
• 6 years working in cybersecurity and IT / software
• Has cleaned thousands of websites
• Helps to identify new malware campaigns and stop hacks
• Has attended and spoken at numerous CMS events

WEBINAR
Overview of Sections
• Signs that your website has been pwned
• Find and remove the source of the infection
• What to do after a hack

WEBINAR
Have I been pwned?
Tell tale signs that your website has been compromised

WEBINAR
How can I tell if I’ve been hacked?
• #1 – Your website has been blacklisted
• Common/major vendors include Google, Yandex, Norton,
McAfee, Sophos, MalwareBytes, Sucuri...
How to tell?
• Head on over to virustotal.com and scan your
domain
• https://sitecheck.sucuri.net
• Your visitors may report security warnings

WEBINAR
• #2 – You see spam in Google search results for your
website
• Pharmaceuticals, adult content, torrent downloads, NFL
jerseys, essay writing, cat food, cheap cheap cheap, knock-
off designer goods, cheap hotels, more pharmaceuticals...
How to tell?
• ‘This site may be hacked’ in Google
• Bogus/spam content in your site description
• Search site:mywebsite.com and check results

WEBINAR
• #3 – Traffic to your website is redirected elsewhere
• Spam sites, exploit kit landing pages, adult websites,
ransomware, malicious .ru / .su domains, phishing pages,
other hacked sites
How to tell?
• When you try to access your site, you end up
elsewhere
• Your visitors may report weird behaviour of your site
• Many redirects are conditional (ie: only for mobile
devices, only for some operating systems, only with
some specific referrers, etc...)

WEBINAR
• #4 – Weird pop-ups or other strange behaviour
How to tell?
• Unexpected ads, new tabs opening up, pop-ups
and pop-unders
• Your visitors may report weird behaviour of your
site
• Sometimes only happens on certain devices or
under certain conditions

WEBINAR
s
• #5 – SiteCheck flags malware
• Head on over to https://sitecheck.sucuri.net
How to tell?
• It will flag malware, spam, redirects, etc
• Disclaimer: 100% accuracy is not realistic and not
guaranteed
• A remote scanner can only flag what is displayed on
the website.
• Best to monitor file system for malware and file
modifications which are included in our services

WEBINAR
• #6 – Your website looks
something like this:
How to tell?
• Pretty self-explanatory

WEBINAR
So now what do I do?
Some helpful pointers on fixing the hack

WEBINAR
Basic Overview: Only so many places to hide
Process of Elimination
• Core files
• Templates
• Extensions
• Database
• .htaccess
• Ad networks
• The server itself

WEBINAR
Tools of the trade: Add these to your tool-belt
Security and Development Tools
• Filezilla (FTP client)
• NoScript (Script blocker)
• VirtualBox (Virtualization tool)
• ublock Origin (Ad blocker)
• PHPMyAdmin or Adminer (database management)
• User Agent Switcher
• Support forums (ie: https://forum.joomla.org/)
• OSSEC HIDS (server monitoring)
• SSH / BASH connection

WEBINAR
Heads up: Back up your website first!
Modifying files/database can cause damage
if any mistakes are made
• Make a website backup before making any changes
• This includes your file structure and database
• These can be safely stored as a compressed archive (ie: ZIP or
tar.gz) somewhere, but do not store them within the public_html
directory of your web server because it is a massive security risk

WEBINAR
Step 1: Core Files
Modification of core files is a
common way to infect a
website
Check the integrity of your core files (can
compare to fresh Joomla version)
Check for recent modifications of core files
Replace core files with fresh copies (includes,
libraries, etc...)
Common culprits are index.php,
./includes/framework.php,
./includes/defines.php ...

Example file: Joomla’s Default index.php
We can see that these two files
are called directly by the main
index.php file:
./includes/defines.php
./includes/framework.php
As such they are common
targets for malware.

Example file: hacked ./includes/defines.php

Example file: hacked ./includes/framework.php

WEBINAR
Core files continued...
Joomla has three different
branches: 1.x.x, 2.x.x and 3.x.x
Support for Joomla 1.x.x ended September 2012 –
no more security patches!
Support for Joomla 2.x.x ended Dec 2014
Many website owners are stuck in 1.x.x or 2.x.x
due to custom code or particular extensions they
require
Like all software, even 3.x.x has had
security issues that required
patching!

WEBINAR
Core files continued again...
If you need some guidance on how to
update/migrate to the most recent version of
Joomla...
https://docs.joomla.org/Joomla_1.5_to_3.x_Step_by_Step_Migration
https://docs.joomla.org/Joomla_2.5_to_3.x_Step_by_Step_Migration
https://docs.joomla.org/Joomla!_CMS_versions/en

WEBINAR
How to tell which files are bad...
Here is an
example of
using diff to find
malicous files:
diff example.com Joomla 2.5.28 > diff.txt

WEBINAR
Example output:
We can see
there are some
(malicious) files
that only exist in
example.com, as
well as some
hacked content
in index.php

WEBINAR
To manually check recently modified files:
• Log into your server using an FTP client or
SSH terminal.
• If using SSH, you can list all files modified in the last
15 days using this command:
$ find ./ -type f -mtime -15.
• If using SFTP, review last modified date column for
all files on the server.
• Note any files that have been recently modified.

WEBINAR
Step 2: Template files
Very common place to lodge
malware
• Effective spot to place malware for nefarious purposes
• Check files on server for anything recently modified in
your template (see image --->)
• Most common culprit is index.php
• Hacked/freemium/nulled templates should be avoided
at all costs
• Try temporarily switching to a freshly downloaded
clean template to see if problem goes away
• Not sure what to do? Remove/replace ALL the template
files with fresh copies

Example file: Infected index.php template file

Example: Most
common Joomla
malware we see
today is bogus
jquery

WEBINAR
Step 3: Extensions
Bogus or hacked extensions
can be source of infection
• Check every single plugin, module,
component
• Check extension files that were recently
modified (Filezilla)
• Temporarily disable your extensions and re-
scan or re-visit your site to see if the problem
goes away
• Hacked/freemium/nulled extensions should be
avoided at all costs
• Not sure what to do? Remove/replace ALL the
extension files with fresh copies

Example: Backdoor injected into plugin file

WEBINAR
Step 4: Database
Spam, iframes, hidden div
tags...
• The database is where all the content of
your posts/pages/settings are stored
• Common place for attackers to place spam
links, particularly jos_content table
• Can add malicious iframes to posts/pages
• Try searching your database for spam terms
(viagra, cialis, cheap, etc...)
• Spam you see in Google or flagged by
sitecheck.sucuri.net is often hiding here

Example: display:none spam in database
Visitors cannot see, but search engines can

WEBINAR
Step 5: .htaccess
Can be used or abused
• Common location for malicious
redirects to be placed
• Can redirect whatever traffic you want
to wherever you want
• Can also be used to add additional
security rules to your website
• Default Joomla .htaccess is 3Kb in size
• Not a bad idea to set file as read-only

Example file:
Spammy/hacked
.htaccess

WEBINAR
Step 5: Advertising networks
Can be a source of great woe
and misfortune
• Crappy/cheap ad networks are commonly
related to malvertizing
• No server is 100% secure
• Integrating third party content is always a
risk
• Best to stick with reputable advertising
networks
• If you are using an ad network that has been
compromised, you need to disable the
network completely until the problem is
gone

Example code: Bogus/compromised ad
networks.
Code is placed at bottom of all jos_content posts and redirects
visitors to spam sites

WEBINAR
Step 6: The server itself
Not as common, but still happens
• Sometimes the server on which your website resides is
itself rooted
• Choose your hosting provider carefully
• What will your host do if your website or server is
compromised?
• VPS is a good solution for a safer, private server
• If your server is infected, it is possible to clean it but the
best option is to migrate whe website to a new server
• Do not re-use ANY passwords
• Use OSSEC HIDS for file modification warnings

WEBINAR
Step 7: Backdoors
The hardest part!
• If backdoors are inserted on your site the
attackers will still have access, even if you delete
the other malware
• Backdoors are always coupled with main payload
• New backdoors written all the time, lots of variety
• Check which files were recently modified on your
server
• Check logs to see any strange files being
accessed directly (especially from weird IP’s)

WEBINAR
Step 7: Backdoors
Backdoors commonly include the following
PHP functions:
• eval
• base64
• str_rot13
• gzuncompress
• gzinflate
• exec
• create_function
• curl_exec
• location.href
• system
• assert
• stripslashes
• preg_replace (with /e/)
• move_uploaded_file
• strrev
• file_get_contents
• encodeuri
• wget

Example file: Backdoor lodged in
./libraries/joomla/factory.php

WEBINAR
Pro Tip: Some More Helpful Resources
Can help to determine problem:
• https://sitecheck.sucuri.net
●
Website malware scanner
• http://unmaskparasites.com
●
Website malware scanner
• https://aw-snap.info
●
Can find redirects, spam, malvertizing
• https://www.webpagetest.org
●
See what’s loading on your website/server
• https://portswigger.net/burp
●
A more advanced web application tool
• http://ddecode.com and https://unphp.net
●
Useful for decoding malware and obfuscated code

WEBINAR
The malware is gone, now what?
Gotta’ protect those Interwebs

WEBINAR
Remember: They will be back
• Much like an e-mail account targeted
by spammers, you can’t just hope the
problem will go away
• When attackers identify
vulnerable/easy site to hack, they will
keep hacking it over and over
• Attackers know that root problems
are rarely addressed
• Need to take proactive steps to
prevent re-infection

WEBINAR
Step 1: Update all the things!
Out of date software is the leading
cause of infection
• Update Joomla to latest version, all extensions, templates
• If you are using 1.x or 2.x migrate to 3.x as soon as
possible
• Make sure your server is up to date (cPanel, apache, etc...)
• Basic and proactive website maintenance is first line of
defense
• This is a constant process, never let your guard down

WEBINAR
Step 2: Change all the passwords!
Easy to guess/crappy/compromised
passwords is #2 reason for website
compromise
• Change all admin passwords to your site
• That includes admin panel, FTP/SFTP, cPanel, hosting,
database, basically everything
• Consider using password manager like LastPass
• The harder it is for you to type/remember the harder it
will be to brute force

WEBINAR
Step 3: Review who has access!
Have as few administrator
users as absolutely necessary
• This applies to everything from admin panel, FTP, any
other connection mechanism
• The more admin accounts you have the more likely it is
that something will go wrong
• Ensure that all passwords are strong and complex
• Perform admin work from admin account, and have
separate account for blog posting etc.

Example: Malicious super administrator

WEBINAR
Step 4: Clean your kitchen!
Decrease the attack surface
• Remove unused extensions and templates from the
server
• Remove any old versions of your website, dev sites and
backups of your website from your server and store
them somewhere else
• Remove unnecessary administrator accounts
• Exercise ‘least privilege’ only grant minimum privileges
necessary for people to perform work

WEBINAR
Step 5: Scan your box!
If your laptop/workstation is
pwned, that could be the source
of the attack
• Regularly scan your computer for
viruses/malware
• Use a good, reputable anti-malware program
• Don’t administer your website from a public
computer
• Use encrypted protocols such as SFTP when
accessing your website (encryption is your
friend...)

WEBINAR
Step 6: Backups regimen!
A clean, functional backup is your
best friend on a rainy day
• Perform regular backups of your website
• DO NOT store your backups ON YOUR PRODUCTION
SERVER
• Backups should be stored off-site
• There are many online services that can perform
regular backups for you (we offer one and it’s very
affordable ☺ )

Example: Sucuri backups dashboard

WEBINAR
Step 7: Harden your site!
Any CMS out of the box can
use some tweaking
• Disable .PHP execution from /includes
directories as well as any upload directories
• Use a security plugin if you don’t already
(jHackGuard, Akeeba, JoomDefender, JSecure)
• Make sure reporting/logging is functional

WEBINAR
Step 8: Use a WAF!
Web Application
Firewalls are the best
defense against the bad
guys
• Sanitizes all traffic to your website
• Prevents XSS, DDoS, etc...
• Vulnerable software will be virtually
patched and protected
• Speed/performance of website will
increase

WEBINAR
• Questions?
• Tweet us @sucurisecurity #AskSucuri
THANK YOU!

Sucuri Webinar: How to identify and clean a hacked Joomla! website

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Sucuri Webinar: How to identify and clean a hacked Joomla! website

Similar to Sucuri Webinar: How to identify and clean a hacked Joomla! website (20)

More from Sucuri

More from Sucuri (16)

Recently uploaded

Recently uploaded (20)

Sucuri Webinar: How to identify and clean a hacked Joomla! website