
Sucuri Webinar: How to identify and clean a hacked Joomla! website

Website compromises can happen to any CMS, and fixing them can be a daunting task.

In this webinar, Sucuri Remediation Team Lead Ben Martin walks through a step-by-step guide to finding and fixing the source of a hacked Joomla! site, and to keeping it clean afterwards.
The aim is to minimise both the time the attacker keeps access and the stress on you if your website is compromised.

Video here: https://youtu.be/3BEUQ0X9IBo

  • I really like the presentation you have created. Previously my Joomla website got hacked and I know how long it took to resolve the issues. Thank you so much. I wish I could have read this before. I used website comdev.eu/jomevents and started working again.


  1. How to Identify and Fix a Hacked Joomla Website (webinar slides), Ben Martin | @sucurisecurity #AskSucuri
  2. Host: Kristen Thomas, Community Manager, Community Engagement Team, @kdthomas327
  3. Housekeeping items
     • Poll questions on your screen
     • Q&A: place questions in the Q&A box, and ask them right away
     • Use #AskSucuri on Twitter to engage
     • Questions will be answered and delivered post-webinar
     • Brief survey at the end of the presentation
     • Presentation video
  4. Ben Martin: Remediation Team Lead at Sucuri Inc.; security geek, malware slayer, music producer
  5. Victoria, BC, Canada
  6. Ben & Security
     • 6 years working in cybersecurity and IT / software
     • Has cleaned thousands of websites
     • Helps identify new malware campaigns and stop hacks
     • Has attended and spoken at numerous CMS events
  7. Overview of sections
     • Signs that your website has been pwned
     • Find and remove the source of the infection
     • What to do after a hack
  8. Have I been pwned? Tell-tale signs that your website has been compromised
  9. How can I tell if I've been hacked? #1: Your website has been blacklisted
     • Common/major vendors include Google, Yandex, Norton, McAfee, Sophos, Malwarebytes, Sucuri...
     How to tell?
     • Head over to virustotal.com and scan your domain
     • Scan it with https://sitecheck.sucuri.net
     • Your visitors may report security warnings
  10. (screenshot only)
  11. How can I tell if I've been hacked? #2: You see spam in Google search results for your website
     • Pharmaceuticals, adult content, torrent downloads, NFL jerseys, essay writing, cat food, "cheap cheap cheap", knock-off designer goods, cheap hotels, more pharmaceuticals...
     How to tell?
     • "This site may be hacked" shown next to your site in Google
     • Bogus/spam content in your site description
     • Search site:mywebsite.com and check the results
  12. How can I tell if I've been hacked? #3: Traffic to your website is redirected elsewhere
     • Spam sites, exploit kit landing pages, adult websites, ransomware, malicious .ru / .su domains, phishing pages, other hacked sites
     How to tell?
     • When you try to access your site, you end up elsewhere
     • Your visitors may report weird behaviour of your site
     • Many redirects are conditional (e.g. only for mobile devices, only for some operating systems, only with specific referrers, etc.), so test from more than one device, browser and user agent before concluding you are clean
  13. How can I tell if I've been hacked? #4: Weird pop-ups or other strange behaviour
     How to tell?
     • Unexpected ads, new tabs opening, pop-ups and pop-unders
     • Your visitors may report weird behaviour of your site
     • Sometimes it only happens on certain devices or under certain conditions
  14. How can I tell if I've been hacked? #5: SiteCheck flags malware
     • Head over to https://sitecheck.sucuri.net
     How to tell?
     • It will flag malware, spam, redirects, etc.
     • Disclaimer: 100% accuracy is not realistic and is not guaranteed
     • A remote scanner can only flag what is displayed on the website; backdoors and server-side code that never reach the browser are invisible to it
     • Best to also monitor the file system for malware and file modifications (this is included in Sucuri's services)
  15. How can I tell if I've been hacked? #6: Your website looks something like this (defacement screenshot)
     How to tell?
     • Pretty self-explanatory
  16. So now what do I do? Some helpful pointers on fixing the hack
  17. Basic overview: only so many places to hide. Process of elimination:
     • Core files
     • Templates
     • Extensions
     • Database
     • .htaccess
     • Ad networks
     • The server itself
  18. Tools of the trade: add these to your tool-belt (security and development tools)
     • FileZilla (FTP/SFTP client)
     • NoScript (script blocker)
     • VirtualBox (virtualization: inspect a suspect site from a throwaway VM)
     • uBlock Origin (ad blocker)
     • phpMyAdmin or Adminer (database management)
     • User Agent Switcher (to trigger conditional redirects)
     • Support forums (e.g. https://forum.joomla.org/)
     • OSSEC HIDS (server monitoring)
     • SSH / Bash shell access
  19. Heads up: back up your website first! Modifying files or the database can cause damage if mistakes are made
     • Make a full website backup before making any changes
     • This includes both the file structure and the database
     • Store it as a compressed archive (e.g. ZIP or tar.gz) somewhere safe, but never inside public_html or any other web-served directory: a downloadable backup exposes configuration.php (your database credentials) and every file of the site, which is a massive security risk
  20. Step 1: Core files. Modification of core files is a common way to infect a website
     • Check the integrity of your core files (compare against a fresh download of the same Joomla version)
     • Check for recent modifications of core files
     • Replace core files with fresh copies (includes, libraries, etc.)
     • Common culprits are index.php, ./includes/framework.php, ./includes/defines.php ...
  21. Example file: Joomla's default index.php. We can see that these two files are called directly by the main index.php file: ./includes/defines.php and ./includes/framework.php. As such they are common targets for malware: code injected there runs on every request, before the rest of the application has loaded.
  22. Example file: hacked ./includes/defines.php (screenshot)
  23. Example file: hacked ./includes/framework.php (screenshot)
  24. Core files continued...
     • Joomla has three branches: 1.x, 2.x and 3.x
     • Support for Joomla 1.x ended in September 2012: no more security patches!
     • Support for Joomla 2.x ended in December 2014
     • Many website owners are stuck on 1.x or 2.x because of custom code or particular extensions they require
     • Like all software, even 3.x has had security issues that required patching!
  25. Core files continued again... If you need guidance on how to update/migrate to the most recent version of Joomla:
     • https://docs.joomla.org/Joomla_1.5_to_3.x_Step_by_Step_Migration
     • https://docs.joomla.org/Joomla_2.5_to_3.x_Step_by_Step_Migration
     • https://docs.joomla.org/Joomla!_CMS_versions/en
  26. How to tell which files are bad... Here is an example of using diff to find malicious files. With the site's files in ./example.com and a fresh unpack of the same release (2.5.28 here) in "./Joomla 2.5.28", recurse over both trees and save the result:
     $ diff -r example.com "Joomla 2.5.28" > diff.txt
  27. Example output: we can see there are some (malicious) files that only exist in example.com (the "Only in example.com: ..." lines), as well as some hacked content in index.php
  28. To manually check recently modified files:
     • Log into your server using an FTP client or an SSH terminal
     • If using SSH, you can list all files modified in the last 15 days with: $ find ./ -type f -mtime -15
     • If using SFTP, review the "last modified" column for all files on the server
     • Note any files that have been recently modified (and remember that attackers can reset timestamps, so a clean modification date is not proof of a clean file)
  29. Step 2: Template files. A very common place to lodge malware
     • An effective spot to place malware, because template code runs on every page
     • Check the files on the server for anything recently modified in your template (see image)
     • The most common culprit is the template's index.php
     • Hacked/freemium/nulled templates should be avoided at all costs
     • Try temporarily switching to a freshly downloaded clean template to see if the problem goes away
     • Not sure what to do? Remove/replace ALL the template files with fresh copies
  30. Example file: infected index.php template file (screenshot)
  31. Example: the most common Joomla malware we see today is bogus jQuery, i.e. injected JavaScript disguised as a jQuery library include (screenshot)
  32. Step 3: Extensions. Bogus or hacked extensions can be the source of infection
     • Check every single plugin, module and component
     • Check extension files that were recently modified (FileZilla shows the modified date)
     • Temporarily disable your extensions and re-scan or re-visit your site to see if the problem goes away
     • Hacked/freemium/nulled extensions should be avoided at all costs
     • Not sure what to do? Remove/replace ALL the extension files with fresh copies
  33. Example: backdoor injected into a plugin file (screenshot)
  34. Step 4: Database. Spam, iframes, hidden div tags...
     • The database is where all the content of your posts/pages/settings is stored
     • A common place for attackers to place spam links, particularly the jos_content table (your prefix may differ: jos_ was the default in Joomla 1.x, later versions generate a random prefix, and configuration.php holds the one in use)
     • They can add malicious iframes to posts/pages
     • Try searching your database for spam terms (viagra, cialis, cheap, etc.) and for markup such as <iframe and display:none
     • Spam you see in Google or flagged by sitecheck.sucuri.net is often hiding here
  35. Example: display:none spam in the database. Visitors cannot see it, but search engines can (screenshot)
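The database search from the slides above, done offline against a mysqldump rather than by clicking through phpMyAdmin. This is an added example written for this page, not code from the webinar or from Sucuri. It assumes the jos_ prefix and a dump made with one INSERT per row (the mysqldump flag in the comment); the three-row dump it writes is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the webinar: grep a mysqldump of the Joomla database
# for the injections the slides describe (hidden spam blocks, iframes, injected
# scripts, pharma keywords). Assumptions: table prefix jos_ (check $dbprefix in
# configuration.php if yours differs) and a dump with one INSERT per row, so each
# hit maps to a single row:
#   mysqldump --skip-extended-insert -u USER -p DBNAME jos_content > content.sql

# Indicators as one extended regex. Extend the keyword list with whatever the
# Google results or SiteCheck showed for your site.
SPAM_PATTERN='<iframe|<script[^>]*src=|display:[[:space:]]*none|visibility:[[:space:]]*hidden|viagra|cialis|levitra|casino|payday loan'

# scan_dump_for_spam <dumpfile>
# Prints "line:N table=T id=I hit=MATCH" for every row line that matches.
scan_dump_for_spam() {
  grep -inE "$SPAM_PATTERN" "$1" | while IFS= read -r hit; do
    n=${hit%%:*}
    line=${hit#*:}
    # Row lines look like: INSERT INTO `jos_content` VALUES (id,...);
    t=$(printf '%s\n' "$line" | sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p')
    id=$(printf '%s\n' "$line" | sed -n 's/^INSERT INTO `[^`]*` VALUES (\([0-9]*\),.*/\1/p')
    # Report the first indicator found on the line; it is usually the injected tag.
    m=$(printf '%s\n' "$line" | grep -ioE "$SPAM_PATTERN" | head -n 1)
    printf 'line:%s table=%s id=%s hit=%s\n' "$n" "${t:-?}" "${id:-?}" "$m"
  done
}

# write_demo_dump: writes a constructed three-row dump and prints its path.
write_demo_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
-- constructed sample dump (not a real site)
CREATE TABLE `jos_content` (`id` int, `title` varchar(255), `introtext` mediumtext);
INSERT INTO `jos_content` VALUES (1,'Welcome','<p>Welcome to our site.</p>');
INSERT INTO `jos_content` VALUES (2,'About us','<p>About us.</p><div style="display:none">buy cheap viagra online</div>');
INSERT INTO `jos_content` VALUES (3,'Contact','<p>Contact.</p><iframe src="http://ads.example/go" width="1" height="1"></iframe>');
EOF
  printf '%s\n' "$f"
}

# Stand-alone run: sh dump-scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(write_demo_dump)
  scan_dump_for_spam "$f"
  rm -f "$f"
fi
```

The demo flags rows 2 and 3 and leaves the clean "Welcome" row alone. The table and id in each finding are what you need to open the row in phpMyAdmin or Adminer and strip the injected markup; clean the row rather than deleting it, since the legitimate article text is usually still there in front of the payload.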
  36. Step 5: .htaccess. Can be used or abused
     • A common location for malicious redirects to be placed
     • Can redirect whatever traffic you want to wherever you want, conditionally on user agent, referrer and so on
     • Can also be used to add extra security rules to your website
     • The default Joomla .htaccess (shipped as htaccess.txt) is about 3 KB in size; a file much larger than that deserves a close read
     • Not a bad idea to set the file as read-only
  37. Example file: spammy/hacked .htaccess (screenshot)
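A quick triage of an .htaccess for the conditional-redirect pattern described in the slides above: size against the stock file, rewrite conditions keyed on the visitor (user agent, referrer, cookie), rewrite targets that are absolute URLs, and ErrorDocument directives pointing at PHP files. This is an added example written for this page, not code from the webinar or from Sucuri. The sample .htaccess it writes is constructed, and the hostname in it is a reserved example name.

```sh
#!/bin/sh
# Added example, not from the webinar: triage an .htaccess for the conditional
# redirect pattern the slides describe. The sample file is constructed for this
# demo; the hostname in it is a reserved example name, not a real campaign.

# htaccess_redirect_check <file>
# Prints one finding per line and returns 1 if anything looked suspicious,
# 0 if nothing did. Findings are leads: a legitimate HTTP-to-HTTPS redirect to
# your own host will also show up as EXTERNAL and must be reviewed by eye.
htaccess_redirect_check() {
  f=$1
  findings=$(
    # 1. Size sanity check: Joomla's stock htaccess.txt is roughly 3 KB.
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 6000 ] && printf 'SIZE %s bytes (stock Joomla file is about 3 KB)\n' "$size"
    # 2. Conditions keyed on the visitor, not the request path: user agent,
    #    referrer or cookie checks are what make a redirect conditional.
    grep -inE '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_(USER_AGENT|REFERER|COOKIE)[}]' "$f" | sed 's/^/COND /'
    # 3. Any rewrite or redirect whose target is an absolute URL.
    grep -inE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$f" | sed 's/^/EXTERNAL /'
    # 4. Error documents pointed at PHP files or remote URLs: a favourite
    #    place to hide a payload that runs on every 404.
    grep -inE '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+(https?://|.*\.php)' "$f" | sed 's/^/ERRDOC /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# write_demo_htaccess: a stock-looking start followed by an injected block
# (constructed sample); prints the temp file path.
write_demo_htaccess() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
# --- injected block: only search-engine visitors on phones get redirected ---
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod) [NC]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example/go.php?s=$1 [R=302,L]
ErrorDocument 404 /images/cache/404.php
EOF
  printf '%s\n' "$f"
}

# Stand-alone run: sh htaccess-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(write_demo_htaccess)
  htaccess_redirect_check "$f" || echo "(suspicious: review the lines above)"
  rm -f "$f"
fi
```

The demo file produces four findings (two COND lines, one EXTERNAL, one ERRDOC) and a non-zero return, while the four stock lines on their own pass. The user-agent and referrer conditions are exactly why you cannot reproduce such a redirect from your own desktop browser with a direct visit, which is what the User Agent Switcher in the tools list is for.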
  38. Step 6: Advertising networks. Can be a source of great woe and misfortune
     • Crappy/cheap ad networks are commonly associated with malvertising
     • No server is 100% secure
     • Integrating third-party content is always a risk
     • Best to stick with reputable advertising networks
     • If you are using an ad network that has been compromised, disable the network completely until the problem is gone
  39. Example code: bogus/compromised ad network. The code is placed at the bottom of all jos_content posts and redirects visitors to spam sites (screenshot)
  40. Step 7: The server itself. Not as common, but it still happens
     • Sometimes the server on which your website resides is itself rooted
     • Choose your hosting provider carefully
     • What will your host do if your website or server is compromised?
     • A VPS is a good solution for a safer, private server
     • If your server is infected it is possible to clean it, but the best option is to migrate the website to a new server
     • Do not re-use ANY passwords
     • Use OSSEC HIDS for file modification warnings
  41. Step 8: Backdoors. The hardest part!
     • If backdoors are inserted on your site the attackers will still have access, even if you delete the other malware
     • Backdoors are almost always coupled with the main payload
     • New backdoors are written all the time, with lots of variety
     • Check which files were recently modified on your server
     • Check your access logs for strange files being requested directly (especially from unusual IPs, or POST requests to files that should never receive them)
  42. Step 8: Backdoors (continued). Backdoors commonly use the following PHP functions and strings:
     • eval
     • base64_decode
     • str_rot13
     • gzuncompress
     • gzinflate
     • exec
     • create_function
     • curl_exec
     • system
     • assert
     • stripslashes
     • preg_replace with the /e modifier (removed in PHP 7, but still found in old backdoors)
     • move_uploaded_file
     • strrev
     • file_get_contents
     • and, in injected JavaScript or shell payloads: location.href, encodeURI, wget
     Caveat: legitimate Joomla and extension code uses several of these (base64_decode, preg_replace, file_get_contents), so a single hit is a lead to review, not proof of infection; chained use, such as eval of base64_decode of request input, is the strong signal
  43. Example file: backdoor lodged in ./libraries/joomla/factory.php (screenshot)
  44. Pro tip: some more helpful resources that can help determine the problem
     • https://sitecheck.sucuri.net: website malware scanner
     • http://unmaskparasites.com: website malware scanner
     • https://aw-snap.info: can find redirects, spam, malvertising
     • https://www.webpagetest.org: see what is loading on your website/server
     • https://portswigger.net/burp: a more advanced web application tool
     • http://ddecode.com and https://unphp.net: useful for decoding malware and obfuscated code
  45. The malware is gone, now what? Gotta protect those Interwebs
  46. Remember: they will be back
     • Much like an e-mail account targeted by spammers, you can't just hope the problem will go away
     • When attackers identify a vulnerable/easy site to hack, they will keep hacking it over and over
     • Attackers know that root problems are rarely addressed
     • You need to take proactive steps to prevent re-infection
  47. Step 1: Update all the things! Out-of-date software is the leading cause of infection
     • Update Joomla to the latest version, plus all extensions and templates
     • If you are using 1.x or 2.x, migrate to 3.x as soon as possible
     • Make sure your server is up to date (cPanel, Apache, PHP, etc.)
     • Basic and proactive website maintenance is the first line of defense
     • This is a constant process; never let your guard down
  48. Step 2: Change all the passwords! Easy-to-guess, weak or already-compromised passwords are the #2 reason for website compromise
     • Change all admin passwords for your site
     • That includes the admin panel, FTP/SFTP, cPanel, hosting, database, basically everything
     • Consider using a password manager such as LastPass
     • Long, random passwords that you could not type from memory are the ones that resist brute force
  49. Step 3: Review who has access! Have as few administrator users as absolutely necessary
     • This applies to everything from the admin panel to FTP and any other connection mechanism
     • The more admin accounts you have, the more likely it is that something will go wrong
     • Ensure that all passwords are strong and complex
     • Perform admin work from the admin account, and use a separate, lower-privilege account for blog posting etc.
  50. Example: malicious super administrator (screenshot)
  51. Step 4: Clean your kitchen! Decrease the attack surface
     • Remove unused extensions and templates from the server
     • Remove any old versions of your website, dev sites and backups of your website from your server and store them somewhere else
     • Remove unnecessary administrator accounts
     • Exercise least privilege: only grant the minimum privileges necessary for people to perform their work
  52. Step 5: Scan your box! If your laptop/workstation is pwned, that could be the source of the attack
     • Regularly scan your computer for viruses/malware
     • Use a good, reputable anti-malware program
     • Don't administer your website from a public computer
     • Use encrypted protocols such as SFTP when accessing your website (plain FTP sends your credentials in clear text)
  53. Step 6: Backup regimen! A clean, functional backup is your best friend on a rainy day
     • Perform regular backups of your website
     • DO NOT store your backups ON YOUR PRODUCTION SERVER
     • Backups should be stored off-site
     • There are many online services that can perform regular backups for you (we offer one and it's very affordable ☺)
  54. Example: Sucuri backups dashboard (screenshot)
  55. Step 7: Harden your site! Any CMS out of the box can use some tweaking
     • Block direct web requests to .php files in directories that never need to serve PHP directly (e.g. includes/, images/ and any other upload directory); files Joomla includes internally keep working, only direct HTTP execution is refused
     • Use a security extension if you don't already (jHackGuard, Akeeba Admin Tools, JoomDefender, jSecure)
     • Make sure reporting/logging is functional
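The first hardening bullet above, as a script that drops a deny-PHP .htaccess into each upload or scratch directory and then makes the root .htaccess read-only as the earlier .htaccess slide suggests. This is an added example written for this page, not code from the webinar or from Sucuri. It assumes Apache with AllowOverride enabled for the docroot; the directory list NO_EXEC_DIRS is this page's choice and the demo docroot it builds is constructed.

```sh
#!/bin/sh
# Added example, not from the webinar: write a deny-PHP .htaccess into each
# directory that only ever serves static files, and make the site's root
# .htaccess read-only. Assumptions: Apache with AllowOverride enabled for the
# docroot (typical shared hosting). On nginx .htaccess is ignored and the
# equivalent is a location block; LiteSpeed honours the Apache syntax.

# Joomla's upload and scratch directories; nothing in them should execute.
# Add any directory your own extensions upload into.
NO_EXEC_DIRS="images tmp cache logs"

# deny_php_execution <docroot>
# Writes the rule file into each existing directory above and prints its path.
deny_php_execution() {
  docroot=${1%/}
  for d in $NO_EXEC_DIRS; do
    [ -d "$docroot/$d" ] || continue
    cat > "$docroot/$d/.htaccess" <<'EOF'
# Refuse direct HTTP requests for anything PHP would execute. Files here are
# still readable by Joomla itself (include/require is unaffected); only
# requests from the browser are blocked. Covers Apache 2.2 and 2.4 syntax.
<FilesMatch "\.(php|php[3-7]|phtml|phar|pht)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    printf '%s\n' "$docroot/$d/.htaccess"
  done
}

# is_php_denied <dir>: true if the directory's .htaccess carries the deny rule.
is_php_denied() {
  grep -q 'Require all denied' "${1%/}/.htaccess" 2>/dev/null
}

# lock_root_htaccess <docroot>
# Read-only for everyone, as the slide suggests. This stops casual edits and
# malware running as a different user; an attacker running as the file owner
# can chmod it back, so treat the permission as a tripwire, not a wall.
lock_root_htaccess() {
  chmod 444 "${1%/}/.htaccess"
}

# build_demo_docroot: constructs a minimal docroot in a temp dir; prints it.
build_demo_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/images/stories" "$root/tmp" "$root/components"
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  printf '%s\n' "$root"
}

# Stand-alone run: sh harden-joomla.sh --demo
if [ "${1:-}" = "--demo" ]; then
  root=$(build_demo_docroot)
  deny_php_execution "$root"
  lock_root_htaccess "$root" && ls -l "$root/.htaccess"
  rm -rf "$root"
fi
```

After running it, a dropped images/.thumb.php of the kind the integrity check finds still sits on disk but returns 403 when requested, which turns a working web shell into an inert file until the next cleanup. Verify the rule is actually honoured by requesting a harmless test .php file in the directory once: if it executes, AllowOverride is off and the same FilesMatch block has to go into the vhost configuration instead.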
  56. Step 8: Use a WAF! Web application firewalls are a strong defense against the bad guys
     • Filters all traffic to your website before it reaches Joomla
     • Blocks common attacks such as XSS and SQL injection and absorbs DDoS traffic
     • Vulnerable software is "virtually patched": known exploit requests are blocked before you have updated (update anyway, the WAF is a stopgap, not a fix)
     • Speed/performance of the website will usually increase thanks to caching at the edge
  57. Questions? Tweet us @sucurisecurity #AskSucuri. THANK YOU!
