How to fix a hacked site and
Presented by Tim Plummer
Joomla User Group Sydney
11th June 2019
Recognising your site is hacked
• Sometimes it’s obvious, other times more subtle
Other common indicators of a hacked site
• Blacklist warning by Google etc.
• Warnings from web host regarding resource usage
• Complaints from customers
• Unusual file modifications (template, core files etc)
• Malicious new users created on your site
• Unexpected or abnormal browser behaviour
• Do you have a disaster recovery plan?
• What can you do quickly to minimize damage/exposure?
• Site offline / maintenance mode (if appropriate)
• Change passwords (Cpanel, Joomla Admin, etc)
Why did my site get hacked?
• Deface / vandalize
• Spreading malware
• Hacker showing off
• Profit (e.g. crypto currency mining, spamming)
• Targeted attack, for example to obtain personal information
How did my site get hacked?
• Look for evidence in Cpanel error logs/raw access logs
• 220.127.116.11 - - [09/May/2019:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"
• 18.104.22.168 - - [09/May/2019:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
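The two access-log entries above are directory-traversal / local-file-inclusion probes: repeated ../ hops, /proc/self/environ as the target, and a %00 null byte to cut off whatever the extension appends. As an added example (not from the slides), this Python script parses Apache combined-format lines and flags requests matching those indicators, decoding percent-encoding twice so double-encoded variants are caught too; the four log lines are constructed samples, the first two modelled on the entries shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. The first two are modelled
# on the slides' entries; the 203.0.113.x requests are made up for contrast.
SAMPLE_LOG = """\
220.127.116.11 - - [09/May/2019:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
18.104.22.168 - - [09/May/2019:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Firefox/1.0.7"
203.0.113.5 - - [09/May/2019:13:30:10 +1000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.9 - - [09/May/2019:13:31:44 +1000] "GET /index.php?option=com_content&view=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 613 "-" "curl/7.64.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of the traversal / local-file-inclusion probes shown in the slides.
INDICATORS = {
    "directory-traversal": re.compile(r'(\.\./){2,}'),                      # repeated parent hops
    "sensitive-file-read": re.compile(r'/proc/self/environ|/etc/passwd', re.I),
    "null-byte": re.compile('\x00'),                                        # %00 truncation trick
}

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Names of the indicators that fire for one parsed entry."""
    # Decode percent-encoding twice so double-encoded payloads are matched as well.
    path = unquote(unquote(entry["path"]))
    return [name for name, rx in INDICATORS.items() if rx.search(path)]

def suspicious_requests(log_text):
    """(ip, timestamp, status, indicators) for every line hitting an indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["ts"], int(entry["status"]), hits))
    return findings

if __name__ == "__main__":
    for ip, ts, status, hits in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status}: {', '.join(hits)}")
```

Run it against a real raw access log by reading the file into `suspicious_requests`; a 404 on these probes means the attempt failed, while a 200 on the same pattern is the line to investigate first.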
Do I have any outdated or insecure extensions?
• Check Joomla! Vulnerable Extension List
Are there any other sites on this hosting account?
• Could the vulnerability be due to another site/app on the hosting
• For example, the recent Joomla Extension Directory vulnerability was caused by an outdated
Stapler web framework used by Jenkins, which is the tool used for daily automated testing
• What files have been modified?
• Have any files been uploaded?
How does the hack affect your customers?
• Is there any personal/financial information exposure – do you need to
report a mandatory data breach?
• Do you need to retain a copy of hacked files and logs for
• Do you have a good (offsite) backup from before the hack? Will there
be any data loss if you restored this?
• Have you addressed the source of the hack?
• Is manually cleaning the files appropriate (editing source code to remove
• Should you reinstall Joomla over the top to restore core files?
• Can you fix this yourself, or do you need to engage security
• Do you need to change passwords (Cpanel, Joomla admin users, mySQL, FTP
• Do you need to clean database (remove users and suspicious content)
• Do you need to contact web host to remove suspension?
• Do you need to request removal from blacklisting (e.g. Google Search
• Myjoomla.com audit / fix hacked
• Watchful.li malware scan
Hardening your site
• Firewall software (e.g. Akeeba Admin Tools or RSFirewall)
• .htaccess rules to block common exploits
• Make sure all software is up-to-date (core Joomla, extensions, PHP etc).
• Limit who has admin/super user access
• Regular malware scans (both your site and computer)
• Regular review of logs, hosting resources, etc., looking for suspicious activity
After your site is fixed
• Continue to monitor to ensure site doesn’t get hacked again (maybe you
missed the true source of the hack in your cleanup)
• Remember, security is not a one-off exercise; you should regularly
review your site security and make incremental improvements as