Tuesday, February 5, 2013

Restoring Joomla 1.5 site from hack

One of our clients got their Joomla 1.5 site hacked. The site started giving PHP errors. When they upgraded PHP, the home page was restored, but every other page led to a "Page not found" message. After a couple of days of effort, we were able to restore the website. Here are the findings:

Signature images found
"hacked by Hmei7" logo image (Indonesian Hacker) and sejeal.jpg

Suspicious files found in the listed locations
/images/stories/susu.php
/images/stories/0day.php
/images/x.txt
/tmp/x.txt
/tmp/m.txt
/tmp/zzzzx.php

Original files modified during the attack
/.htaccess (most important)
/configuration.php
/index.php
/index.html

Here is a list of other files that may be found in the folders; their locations are random, so search the whole tree rather than just the paths above.
susu.php, x.txt, 000-aaz.gif, 0day.php, c99.php, config.root, css.php, en-gt.php, index.old.php, lib.php, maroc.php, r57.php, rc.php, story.php, tar.tmp, toy.php, web1.php, wh.php, Wos.php, xxu.php, xxx.php, s.php, user.pl, 404.php, cpanelhorde5.txt

How we restored the site
  1. Created a PHP script to automate the task of locating the suspicious files (see list above).
  2. Removed all the suspicious files.
  3. Checked configuration.php, index.php, index.html, css.php and .htaccess to see if they were modified. In our case, the configuration file was modified, so we checked each and every variable value and changed the incorrect ones. We also restored the .htaccess from another installation and modified it so that SEF URLs were working again.
  4. If configuration.php or index.php has been changed, the best way is to delete the file and restore it from backup. Otherwise, check inside configuration.php the values of the $host, $db, $user, $dbprefix, $log_path, $tmp_path, $offline and $password variables. If the values are not correct, correct them with help from your hosting provider.
  5. If '/.htaccess' is modified, delete it and restore it from backup. Do not try to edit this file, because small changes in .htaccess can badly affect your website. If the file was not backed up, you can use the file from another Joomla installation, but only from the exact same version.
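The following Python script is an added illustration of steps 1 and 4 above; it is not the PHP script the authors wrote. It walks the site tree looking for the filenames listed in this post, additionally flags any script file sitting in the upload folders (images/ and tmp/, assuming a stock Joomla 1.5 layout), and compares the watched variables in configuration.php against known-good values. The Joomla tree, the configuration.php contents and the "known-good" values in the demo are constructed for the example.

```python
import os
import re
import tempfile

# Filenames the post lists as left behind by the attack.
KNOWN_BAD_NAMES = {
    "susu.php", "x.txt", "000-aaz.gif", "0day.php", "c99.php", "config.root", "css.php",
    "en-gt.php", "index.old.php", "lib.php", "maroc.php", "r57.php", "rc.php", "story.php",
    "tar.tmp", "toy.php", "web1.php", "wh.php", "Wos.php", "xxu.php", "xxx.php", "s.php",
    "user.pl", "404.php", "m.txt", "zzzzx.php", "cpanelhorde5.txt", "sejeal.jpg",
}
# Top-level folders that should hold only uploads and temp data; a script there is suspect
# even when its name is not on the list (assumption: stock Joomla 1.5 layout).
UPLOAD_DIRS = ("images", "tmp")
SCRIPT_EXT = (".php", ".phtml", ".pl")
# configuration.php variables the post says to verify against known-good values.
CONFIG_VARS = ("host", "db", "user", "dbprefix", "log_path", "tmp_path", "offline", "password")


def find_suspicious(root):
    """Walk the site and return sorted (relative_path, reason) pairs for manual review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name in KNOWN_BAD_NAMES:
                hits.append((rel, "known name"))
            elif top in UPLOAD_DIRS and name.lower().endswith(SCRIPT_EXT):
                hits.append((rel, "script in upload dir"))
    return sorted(hits)


def parse_config(text):
    """Extract `var $name = 'value';` assignments from Joomla 1.5's JConfig class."""
    pattern = re.compile(r"var\s+\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|([^;]+))\s*;")
    found = {}
    for m in pattern.finditer(text):
        name, single, double, bare = m.groups()
        found[name] = single if single is not None else double if double is not None else bare.strip()
    return found


def check_config(text, expected):
    """Return {var: (expected, actual)} for each watched variable whose value differs."""
    actual = parse_config(text)
    return {v: (expected[v], actual.get(v)) for v in CONFIG_VARS
            if v in expected and actual.get(v) != expected[v]}


# Known-good values as they would come from a clean backup or the hosting provider (constructed).
GOOD_CONFIG = {"host": "localhost", "db": "joomla15", "user": "joomla", "dbprefix": "jos_",
               "log_path": "/var/www/site/logs", "tmp_path": "/var/www/site/tmp",
               "offline": "0", "password": "constructed-db-password"}

# Constructed configuration.php in which the table prefix and tmp_path have been altered.
TAMPERED_CONFIG = """<?php
class JConfig {
    var $offline = '0';
    var $host = 'localhost';
    var $user = 'joomla';
    var $password = 'constructed-db-password';
    var $db = 'joomla15';
    var $dbprefix = 'xyz_';
    var $log_path = '/var/www/site/logs';
    var $tmp_path = '/images/stories';
}
"""


def run_demo():
    """Build a throwaway Joomla-like tree containing the post's indicators and scan it."""
    planted = ["images/stories/susu.php", "images/stories/0day.php", "images/x.txt",
               "tmp/x.txt", "tmp/m.txt", "tmp/zzzzx.php",
               "images/stories/shell2.php",                 # unlisted name, but a script in an upload dir
               "images/stories/photo.jpg", "index.php", "administrator/index.php"]  # legitimate files
    with tempfile.TemporaryDirectory(prefix="joomla-scan-") as root:
        for rel in planted:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        with open(os.path.join(root, "configuration.php"), "w") as fh:
            fh.write(TAMPERED_CONFIG)
        return find_suspicious(root), check_config(TAMPERED_CONFIG, GOOD_CONFIG)


if __name__ == "__main__":
    hits, diffs = run_demo()
    for rel, reason in hits:
        print(f"REVIEW  {rel}  ({reason})")
    for var, (want, got) in diffs.items():
        print(f"CONFIG  ${var}: expected {want!r}, found {got!r}")
```

The scanner only reports; deleting is left to a human, because a few names on the list (css.php, 404.php) could also belong to a template, so each hit should be opened and checked before removal. Pointing tmp_path or log_path into a web-served folder such as images/stories is the kind of change the configuration check is meant to catch.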

Not all of these files will be affected on every site, and more files than those in this list may be affected. Only files with write permission can be changed by the hacker's script, so check permissions on the core files as well as their contents.

Simple ways to make your Joomla site hackproof
--Regularly upgrade to the latest Joomla version
--Take regular backups
    --Zip up the entire Joomla folder
    --Export Joomla DB as a zip file
    --Store both zips offline (preferably in 2 places) and also online, but outside public_html folder
