: Joomla Sites hacked by DR-MTMRD Possible Duplicate: My Sites Were Hacked. What To Do? A few of my joomla sites were hacked. After I became aware of this, I did these things: Changed
Possible Duplicate:
My Sites Were Hacked. What To Do?
A few of my joomla sites were hacked. After I became aware of this, I did these things:
Changed hosting passwords (mysql, ftp, control panel)
Renamed joomla admin user name to "admin" in users table (Hacker had changed the user name how?)
Upgraded joomla latest Added php.ini root directory of host.
Disabled cgi access
But the site is still hacked. I checked up on the index.php file and owerwrite original index.php but the site is still hacked.
How is this possible?
More posts by @Gonzalez347
1 Comments
Sorted by latest first Latest Oldest Best
Start from Scratch
If you have a recent database and files copy nuke all and start all over again. This is truly the best way there is when you have been hacked in a massive way.
No Good Backups
Most of the time there is no good backup in my experience. And I guess you do not either. If you did a scan with ClamAV and or online scans with sites like
TrendMicro
Unmask Parasites
Sucuri - Awesome site in my opinion to do scans
and found the contaminated files you could remove and or replace them by clean files. Hopefully all hidden shells will be caught as well as all other possible backdoors. It does seem like the infection is pretty bad though. So hard to say this will be waterproof. It has worked for me before so do try!
Backdoor Shell
In your case it seems there is probably a Shell file on your server you missed with a name the scans do not find easily. Online shells are files that have server rights to change other files on that server on command. Shells can have names like "I love you" or other less taunting names. I have found several in the past and have some on backup to use as intel in case I need to help another client.
Compare clean install to contaminated one
You could also do a comparison using Diff or Meld - GUI version of Diff - and compare a clean installation to the infected one. This will cover all standard files, but not the template nor extension files. These you would have to do separately using the proper packages.
Database Cleanup
This all will not help with the database as much though. If you have a copy of the database that is OK and was from before the hack I would replace the database by that copy. If you have a decent backup of all files and the database a clean start would be the best way anyways. If not, then I would use some of the upcoming command line tools if possible. Remember you can download a database copy and run these commands locally as well!
Command Line Tools
Another option - if you have Shell access - is to do some basic scans for obfuscated code. There are even some PHP scripts I use for that that work as well. Here some useful search and destroy stuff. Most of them help to unhide obfuscated code like:
<?php $_8b7b="x63x72x65x61x74x65x5fx66x75x6ex63x74x69x6fx6e";$_8b7b1f="x62x61x73x65x36x34x5fx64x65x63x6
Find base64 Occurrences: gist.github.com/731099 Often bad code is obfuscated using Base64 or ASCII
General Shell "search for evil hacks" commands: gist.github.com/3191187
PHP Script(s)
Base64 PHP search script gist.github.com/3191185 Look for bad guys by Chun and Whitney: gist.github.com/3191259
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.