Dang, don’t you hate it when you get a panicked phone call from a client advising their site’s been hacked?
Yeah, me too. It TOTALLY blows… especially when you’ve got way more important things to do than sift through an install to find the offending code…
As you may have gathered I got one such call this morning.
Now, you security heads out there are probably saying… well… if you’d been looking after the site properly it would never have happend… and yes, you’re right… though in my defence, I inherited this site… but yes, it needs lots of love and attention to security, which I should have done… I’ll own that.
Fact is, at this point, the urgency is cleaning up.
The symptoms were just that the site was throwing up unwanted pop ups for a Turkish P0rn site. Yay Turkey p0rn… oh… wait…
The webhost was completely unhelpful and told me to go searching google for base64 wordpress templates… for a joomla site… excellent. And, as it happened in this case, redundant, as the problem wasn’t with code insertion into existing files, it was with file insertion into the includes folder… but I’m ahead of myself…
Rightly or wrongly I decided the first/best course of action was to dig in and just manually check each file directory on the install… no easy feat, but as I’m using Cyberduck as my FTP client I can direct it to use an external editor to view/edit the files directly on the server (ok, not directly, but to download to temp and re-upload without any action on my part) … so I basically went directory by directory to visually check for any code starting with eval(base64 and I didn’t find any…
What I DID find was some really ugly files that had been dropped into the includes directory.
I think it's fairly safe to say if there's a huge spider in your code it's malware
So, Step 1 – change the ftp password to something really secure and difficult to crack.
Step 2 was to quarantine the files to make sure that the loss of none of them broke the site. So I created a quarantine directory and moved the 4 files in question to it. Now, at this point you’re going to be annoyed at me, because I didn’t record what the files were called before I deleted them… this one was tp57.php, there was one called ass.php (orignal, hackers… really clever), and two more. There was also an .htaccess file installed which looked like this
I think sux.html is a bit of a giveaway at this point...
Finally, there was an additional directory labelled ss which included 4 files, as below
Again, the titles are a bit of a giveaway as to their dubious nature
Once I’d quarantined them it was a simple case browsing the site to make sure there weren’t any additional problems and then deleting the directory from the server.
Problem solved.
(and yes, now comes the fun part of upgrading all the security measures - http://docs.joomla.org/Security_Checklist_1_-_Getting_Started )
