Joomla site hacked
So an interesting couple of days….
A good friend of mine posts on his Facebook wall that he is having problems with his website. Now as he is a self employed guitar tutor this could potentially cost him some business.
I know that he’s not as busy as he was and that he’s already shelled out £200 to have it looked at so I offer a hand to see what’s going on.
When you hit the site directly you don’t see any problems, but when you search for the site on a search engine its a whole different story! depending on the device your using depends on the results, some device redirect you back to Google, other to Yahoo, and others to a random site, the results also being different depending on the browser your using!
The site is written in Joomla 1.5.26 but this could be the same problem for other versions or other applications offering CMS
Arm yourself with a couple of simple tools to do the job
Once you have Notepad++ installed open it, you are going to need to add a plugin for later. From the menu select ‘Plugins’ and then ‘Plugin Manager’ and ‘Show Plugin Manager’
Wait for the list to populate, and then find “Compare” tick the box and bang the ‘Install’ button, do the required if prompted to restart Notepad++
Curing the Problem
1st step was to download the entire site from the host and obtain a copy of the original install files for Joomla 1.5.26
Then run a comparison between the two directories using WinMerge, the output will revile a load of files that don’t exist in the original install that are in the site as is to be expected due to content being added, site customisation, etc..
The trick is to look for “Text files are different” in the comparison results, pick a file that stands little chance of being modified by customisation of the site I went with index.php as general speaking it isn’t changed and also stands a big chance that it may well have been hacked.
Open it up using Notepad++ and also open the same file from the original install files you have downloaded. Both files will be there sitting on different tabs, go back to the ‘Plugins’ menu select ‘Compare’ and then click on ‘Compare’ ALT+D is the short cut if your interested
The files will now open side by side, with any differences highlighted by a yellow triangle. So now all you need to do is work out if the highlighted difference is the code that’s causing your problems. For this Google is your friend! copy and past bits of the highlighted code into Google and see what answers you get.
In this case it was code added after the initial <?php that started eval(base64_decode(
Google shows pages of results that this is the problem and needs to be removed, so….
From Notepad++ select the ‘Find’ menu then ‘Find in files’ paste the same text you did into Google above into the ‘Find what’ box, then point the ‘Directory’ box at the location you downloaded your site too. Bang the “Find All” button and go get yourself a coffee this could take some time!
When it’s finished you will have a list of files at the bottom of the screen that contain the search term you entered above.
Open each file in turn and carefully compare it to the same file from the original install and work out how much needs to be removed to put it back the way it was and to make it work again. Save the edited files out to somewhere safe, upload them back to your server overwriting files that are already there.
Test the results to see if things are working as they should now. Remembering that this may not be your only problem, other bits maybe there that are back-doors to allow a further attack in the future!
Now get on Google and look at how this happened to you in the 1st place, apply all the fixes that are suggested for stopping it happening again.