Trying to Fix Hacked Site

by UltraJ   Last Updated September 07, 2019 09:10 AM

My Joomla 3 site was recently hacked. Browsing to it with a common web browser works fine, but when you switch the user agent to a web crawler, it displays a spam page. How do I track down where the code is that does this?

I replaced index.php in the root with a test page and the test page appears. When I replace index.php in the root of a template, the spam page appears when using a web crawler user agent.

Any help would be greatly appreciated.



Answers 3


The best method to check the hacked website is to scan the malware using this link : https://sitecheck.sucuri.net/

Here, all the malware content will be loaded and you can easily back track them.

Enter your website URL in 'Scan your website' textbox and hit the scan button. Check for the results accordingly.

Let me know further if it helps.

Liz.
Liz.
January 21, 2016 04:56 AM

I had to face this problem recently. In most cases I saw the libraries folder hacked and I had to replace it with a clean one to see my website correctly.

Here is what you can do:

  1. put on the root this https://github.com/mikestowe/Malicious-Code-Scanner/blob/master/phpMalCodeScanner.php , don't forget to put your email address. Then wait for the email listing all malicious files (be carefull deleting them, create a backup)
  2. Secure some folder through your htaccess file preventing the execution of php scripts (or shell), more info here: https://www.gavick.com/documentation/joomla/how-to-secure-your-joomla-3-1-site-against-hacker-attacks
  3. Install Marco's SQL injection plugin, it works great!
  4. sure, update your joomla to latest version, same for extensions. Don't forget to backup all
  5. Check directory and file permissions

Hope it helps, Marco

EDIT: I wrote an article here for more details http://goo.gl/47VTwn

Marco
Marco
January 21, 2016 10:39 AM

There are obvious places to look such as the template index.php file but a Joomla install has thousands of files and the only way to be confident that you have identified all the compromised files is scan the whole file structure in your web hosting account with a reliable and recently updated scanning tool.

The most useful tool for this on a Joomla website is the mysites.guru (formerly myjoomla.com) security tool from Phil Taylor. It's not free but very affordable. mysites.guru quickly identifies compromised files and can restore any changed core Joomla files to the original versions.

There are other paid services that can help with scanning such as sucuri.net.

Neil Robertson
Neil Robertson
January 22, 2016 08:17 AM

Related Questions


Updated April 30, 2016 08:04 AM

Updated January 29, 2017 14:04 PM

Updated April 10, 2015 19:04 PM

Updated April 25, 2015 21:04 PM

Updated February 16, 2016 00:16 AM