Removing malicious Joomla code. Logbook Checking joomla for malicious code

If you have access to the site via SSH, you can find files with injected code by running the following commands:

#grep -lr --include=*.php "eval(base64_decode" /pathWebroot #grep -lr --include=*.php "strrev(" /pathWebroot

If there is no access, you can ask the hosting support team to do this for you and send you a report.

Here is an example listing: ./components/com_wrapper/wrapper.php ./components/com_wrapper/controller.php ./components/com_wrapper/router.php ./components/com_wrapper/views/wrapper/view.html.php ./components/ com_banners/models/banner.php ./components/com_banners/models/banners.php ./components/com_banners/controller.php ./components/com_banners/router.php ./components/com_finder/views/search/view.html. php ./components/com_finder/helpers/route.php ./components/com_finder/helpers/html/filter.php ./components/com_finder/helpers/html/query.php ./components/com_finder/controllers/suggestions.json. php ./components/com_jshopping/tables/productfiles.php ./components/com_jshopping/tables/statictext.php ./components/com_jshopping/tables/country.php ./components/com_jshopping/tables/productlabel.php ./components/com_jshopping /tables/shippingext.php .... ./administrator/components/com_jshopping/controllers/orderstatus.php ./administrator/components/com_jshopping/controllers/shippingsprices.php ./administrator/components/com_jshopping/controllers/vendors.php . /administrator/components/com_jshopping/controllers/productlabels.php ./administrator/components/com_jshopping/controllers/categories.php ./administrator/components/com_cache/cache.php ./administrator/components/com_cache/models/cache.php . /administrator/components/com_cache/controller.php ./administrator/components/com_cache/views/purge/view.html.php ./administrator/components/com_cache/views/cache/view.html.php ./administrator/components/ com_cache/helpers/cache.php ./administrator/components/com_content/tables/featured.php

Total 1606 occurrences. These are almost all PHP files. Removing injected code manually is useless. This will take too much time. Discovered and new file images/post.php to execute any code.

Removing malicious code from infected files

You should first make a full backup of your site in case something goes wrong.

If the immediate functionality of your site is very important to you, you can remove the injected code by running simple commands.

#grep -lr --include=*.php "eval(base64_decode" /pathWebroot | xargs sed -i.bak "s/eval(base64_decode[^;]*;//" #grep -lr --include=*. php "strrev(" /pathWebroot | xargs sed -i._bak "s/$_ = strrev([^;]*; @$_([^;]*;//"

The commands will remove all occurrences of such malicious code from the files and make backup copies of them with the .bak extension. This will only allow you to gain time to fully restore the site, but will not save you from subsequent attacks. It should be understood that there is a high probability of having files such as images/post.php described above for the execution of any code and old holes in installed extensions.

Third Party Extensions

If you have not been deprived of the site’s administrative panel, you can look installed components, modules, plugins and templates. If there is no access, you need to view the contents of the site by connecting via FTP or SSH.

Look at the list of modules #ls ./modules index.html mod_banners mod_login mod_users_latest mod_articles_archive mod_breadcrumbs mod_menu mod_weblinks mod_articles_categories mod_custom mod_random_image mod_whosonline mod_articles_category mod_feed mod_related_items mod_wrapper mod_articles_latest mod_finder mod_search mod_articles_news mod _footer mod_stats mod_articles_popular mod_languages ​​mod_syndicate #ls ./administrator/modules index.html mod_latest mod_menu mod_quickicon mod_title mod_custom mod_logged mod_multilangstatus mod_status mod_toolbar mod_feed mod_login mod_popular mod_submenu mod_version

Only standard Joomla modules are used

Look at the list of components #ls ./components com_banners com_finder com_media com_search com_wrapper com_contact com_jshopping com_newsfeeds com_users index.html com_content com_mailto com_phocapdf com_weblinks #ls ./administrator/components com_admin com_config com_installer com_media com_phocapdf com_users com_banners com_contact com_joomlaupdate com_menus com_plugins com_weblinks com_cache com_content com_jshopping com_messages com_redirect index. html com_categories com_cpanel com_languages ​​com_modules com_search com_checkin com_finder com_login com_newsfeeds com_templates

In addition to standard components, com_jshopping and com_phocapdf are used.

Look at the list of plugins #ls ./plugins authentication content editors-xtd finder phocapdf search user captcha editors extension index.html quickicon system

In addition, you need to view the contents of all these folders. They are groups of plugins.

#ls ./plugins/authentication gmail index.html joomla ldap #ls ./plugins/captcha index.html recaptcha #ls ./plugins/content emailcloak geshi joomla pagebreak rokbox finder index.html loadmodule pagenavigation vote #ls ./plugins/editors codemirror index.html none tinymce #ls ./plugins/editors-xtd article image index.html pagebreak readmore #ls ./plugins/extension index.html joomla #ls ./plugins/finder categories contacts content index.html newsfeeds weblinks #ls ./plugins/quickicon extensionupdate index.html joomlaupdate #ls ./plugins/search categories contacts content index.html newsfeeds weblinks #ls ./plugins/system cache highlight languagecode log p3p remember sef debug index.html languagefilter logout redirect rokbox #ls . /plugins/user contactcreator index.html joomla profile

In addition to standard plugins, the phocapdf plugin is used.

Look at the list of templates #ls ./templates atomic beez_20 beez5 index.html system templ1

In addition to standard templates, templ1 is used.

Restoring an infected site

• Download the distribution kit of the latest release, unpack the archive into the directory of the future site and delete the installation directory from it.
• Rename the htaccess.txt file to .htaccess. If it used directives that you wrote down, transfer them from the infected copy.
• We copy the configuration.php file from the infected copy, having previously checked for the absence of injected code in it.

Third Party Extensions

• We find the used third-party components Phoca PDF, JoomShopping, the plugin "Phoca PDF Content Plugin", download.
• We unpack and copy the files, having previously created a directory structure similar to that of the infected copy. Don't forget about localization files.

The situation with the template is a little more complicated. The template was generated by special software and is not possible to find. We'll have to "pick out everything unnecessary" from it.

Fortunately, there are 21 PHP files in the template and all the injected code was removed with the command #grep -lr --include=*.php "strrev(" /pathWebroot | xargs sed -i._bak "s/$_ = strrev([^ ;]*; @$_([^;]*;//"

Own files

• Create directories where you kept pictures, documents and other files and copy them.

The site should start working as soon as you replace the old content with the new one.

Go to the administrative panel of the site, change the username and password for accessing the CMS and see if the SuperUsers e-mail has been replaced (an attacker can use the function to recover a forgotten password). Never use the standard username admin. Carefully review the rights of all users. The possibility of an attacker installing another administrator cannot be ruled out.

Replace the username and database password MySQL data, if the standard database table prefix jos_ is used, it must be replaced with another one, this will prevent the possibility of an SQL injection attack.

Upon completion of the restoration work, install the BotsGo404 plugin.

If you found this article helpful, please vote for it. This will help others find this article more quickly from many others that are less useful.(17 Votes)

At first he had 4 Torjan-infected js files and some malicious code. I have cleared these files. But now I can't find this javascript include.

You can see by viewing the page source.

It turns on at the end of each one. It stores the page as it loads, and the scanner detects it as malicious code.

What I've tried so far.

1) Changed template 2) Try disabling all components. 3) try to disable all components. 4) tried to disable all plugins. 5) downloaded the full site and searched for this code on the full site. But I couldn't find it.

But he was still there. Can you give me some suggestions?

4 answers

The malicious code is present on the page even if javascript is disabled - this tells us that it is not written there document.write in other js files.

When we visit a site with the settings tmpl=component&no_html=1, which suppresses template output and only sends component output, the code is still there: http://ziggymonster.com/?tmpl=component&no_html=1

This will pretty much indicate that the code is being added to the end of the main Joomla index.php file at the root of your site. Alternatively, a component.php file in your own template folder or in the /templates/system/ folder could be a viable candidate.

Cleaning up a site on site is risky - but it can be done with the right knowledge, experience and the right tools. I would suggest finding an experienced Joomla security expert to do this, or rebuilding the site files: install a new Joomla in a completely clean folder (it would be better to use local server), install all your extensions, and then delete your live site and upload files to your webspace, linking the files to the original database.

Of course, back to backup copy since a few days ago it would have been the best option- you have backups right?

You must examine the log files to understand how the attack was carried out. You should also change all passwords, update Joomla and all add-ons - and consider changing web hosts if this seems different account on the server, made available for hackers to access.

If you like ssh you can use this command:

Find. -type f -iname "*.php" -exec grep -l "mail(\|eval(\|sockopen\|socket_client" () \;

who is looking for php files(recursively from the current directory) containing dangerous code. PHP functions mailboxes are of interest to hackers, but there are eval and api functions for this. I run this command on my server once a day and it has detected malicious scripts in the past.

most quick way remove all types of malicious code - connect via ssh, open the yous site directory and run a request like:

find. "*.*" -exec replace "HERE_IS_BAD_CODE" "" -- () \;

you can also filter the file types to search by changing. to *.php or *.html

disclamer: you have to be VERY VERY careful with ssh

To be sure, you need to rebuild your site. Backup the database and files, then delete ALL files from docroot and re-download them from fresh copies (Joomla from http://www.joomla.org/, extensions from their sites, etc.). You will then re-upload your media folder and any custom code (template, etc.).

If you are not very technical you will need to install Joomla and extensions and then delete the database and configuration.php and re-upload old file configuration.php and database. Otherwise, you will have to unpack the extensions yourself.

At the very least, I would recommend downloading a fresh copy of Joomla core (you will need to delete the "installation" directory immediately after this). This is quite safe as the distribution does not overwrite your .php config. Of course, if you hacked Joomla core (Bad Idea), you will need to reapply your custom hacks.

It would also be a good idea to consider your security measures - do you need to change your passwords? Should all your files be writable on the web server?

Joomla is not only one of the most popular CMS on the Internet. Unfortunately, this content management system is most susceptible to hacker attacks. Today we will talk about what to do if your Joomla site is hacked, and we will also look at preventive measures and combating intruders.

Communication with readers forced me to add a paragraph. We do not provide free or paid consultations related to the hacking of your site, but we are ready to provide a paid service for treating and restoring the site after a hacker attack.

Why do hackers hack a website?

I will not consider exotic cases when an attack on a site occurs purposefully in order to obtain information. Because when placing confidential data on the Internet, anything but Joomla is used. The motivation of modern hackers is quite clear and can be divided into three main sections.

Promoting an attacker's website.

Scripts are introduced that fill your pages with links to the attacker’s website. A redirect option is possible, when the visitor is immediately sent in the direction the hacker wants.

There are often cases when an attacker gains access to the database and the administrative panel, and you find other people's articles and news in the list of materials.

Hacking to boost a hacker's self-esteem

Joomla files can be either completely deleted or replaced with attacker scripts. There is a high probability that the visitor will see something in red and dark colors, where it will be written that the hack was carried out by a wonderful guy from Turkey.

Sending spam on behalf of your site.

In 2015, most hacks occurred for this reason.

What is the algorithm for the operation of malicious scripts and attackers?

An attack on a site is carried out through a vulnerability in the Joomla CMS or component. There are cases when malicious code is initially present in an installed extension.

This applies to those components, plugins, modules that were downloaded illegally.

The result of penetration into the site is the appearance of numerous script files in different Joomla directories.

The names of the files and their placement in directories are such that at first glance it is not easy to distinguish malicious scripts from “native” Joomla files. For this reason, the “treatment” of the site is often incomplete, and after a few days or weeks another batch of spam leaves on behalf of your domain.

Almost immediately, hosting technical support sends you a threatening letter, offering to solve the security problem. Inaction threatens to block your account and shut down the site.

What to do if a Joomla site is hacked?

The beginning of your war against malicious scripts will begin with your hosting provider. Most likely, it is his letter that will give the go-ahead for military action

Their success largely depends on what tools the hosting company puts at your disposal. I will list the main ones:

Antivirus panel built into the hosting. As a rule, it does not perform disinfection, but it will help to find a significant part of malicious scripts

Access via SSH. Without it, it is impossible to talk about a full fight against viruses.

Prompt and qualified technical support

Daily backup. The ideal option is the ability to restore or download a copy from a month ago

If your hosting provider does not provide antivirus software(it can be built into the hosting panel, or launched independently by the hosting provider at your request) - grab your infected site and change the company providing the hosting service. The market is simply replete with such offers.

Most sites are hosted on virtual hosting, and I would give a solid five on all four points listed to the company, the link to which is below:

It's a completely different story if you rent the entire server. The first, third and fourth points will be entirely on your conscience. And point two will go without saying.

Procedure for hacking

Step 1. Clean the site from malicious files

As a rule, it doesn’t take much time from a hack to a letter from hosting technical support. In rare cases, the site owner himself discovers a hack.

The easiest way is to restore the site from an uninfected backup. However, it is only suitable if no changes have been made to the site for a long time.

On a regularly updated site, the search will have to be done manually. And do this via SSH. The task will be extremely simple. You need to find out which files have changed recently. For example, in a week. For operating system Debian command would look like this:

find /directory where the search is performed/ -type f -mtime -7

According to this command, the system will display those files that have changed over the last 7 days. We pay attention to files with the PHP extension.

They are the ones who pose the threat. At the same time, you should understand that some of the displayed files may not be infected and belong to Joomla itself. Therefore, you should have at hand the original distribution of the version that works in this moment.

In the screenshot we see two files. The first is most likely a virus. The second one is system file Joomla.

Where are such conclusions from?

The fact is that in principle, no start.php file should be present in the /components/com_weblinks/views/category/ directory.

And the error.php file in the /logs/ directory is part of the CMS. However, if it is specifically deleted, nothing critical will happen, since it serves as a storage for Joomla logs.

Step 2. Protect the site from hacking

Let's assume you have successfully removed all malicious scripts. Hosting technical support and antivirus reported: “yes, everything is clean.” What needs to be done to prevent this from happening?

Updating Joomla and extensions to the latest version

If your site runs on Joomla version up to 3.X, there is another reason to think about upgrading. Lately, many hosting providers have been insisting on this.

This will not solve the security problem 100 percent, but in the future you will have the opportunity to quickly update the system and install security patches with the click of one button, which have recently been released almost every week.

I want to pay special attention installed extensions on your website. Each component, plugin, module must also be updated to the latest version. Conduct an audit in the administrative panel of your site.

Are all extensions used?

Due to low qualifications, modern web masters solve any issue by installing a plugin or module, although it is enough to add a couple of lines to the website template code. Or tweak the CSS.

The less on your site additional extensions, the less likely it is to be hacked!

RSFirewall component

Regardless of the content, a website running the Joomla CMS is susceptible to attacks every day. Hackers guessing the password to the administrative panel and trying to introduce malicious code occur with alarming regularity. It is impossible to resist attacks and intrusions alone.

I would like to draw your attention to a component that solves a huge number of problems related to website security. Its name is “RSFirewall”.

Let's briefly consider the main capabilities, functions and tasks solved by RSFirewall:

Checking your system for vulnerabilities. The database, files, and the environment in which the site operates are analyzed

Comparison of files on your system with the original Joomla distribution. This greatly simplifies the search for infected files.

Analysis of rights to directories and files.

Search for files with malicious code. After the list is displayed, you will have to manually analyze each file, since some of them may turn out to be quite normal working code for Joomla extensions

Logging login attempts to the Joomla administration panel and the ability to block users who entered the wrong login and password a certain amount of once

Logging of any site visits and the ability to block IP addresses from which a hacking attempt was made

Prohibition of access to the site from specified countries.

The component is paid. Current version available exclusively for Joomla versions 3.X

At the time of writing this article is distributed in three versions. Below is a table showing the cost, terms of subscription and a link to the page where this subscription is purchased.

We will explore RSFirewall using “default” localization. That is, the interface language will remain English.

Installation of the component is standard, carried out through the extension manager. After the component is installed, go to “Components - RSFirewall - System Check”

A page will open where we will be asked to check the Joomla and server configuration for resistance to hacking. The following will also be searched:

Joomla files that have been modified and differ from their counterparts from the original distribution

malicious files

rights to directories and files will be checked

In order for the check to begin, just click the “Perform the System Check” button.

Let's consider the result of the analysis.

At the top you can see the number of points or percentages that the component assigns after checking the site. A value of “100” is the highest score. At the moment, the tested site is rated only 84 points. Let's figure out why.

Let's look at the list in detail, not excluding the text highlighted in green.

Joomla Configuration Section

Checking if you have the latest Joomla! Version — Check: is it installed version Joomla is the latest. As you can see, everything is fine with this. At the time of writing this article, the version of Joomla was 3.4.8

Checking if you have the latest RSFirewall! Version - Check: the installed version of the RSFirewall component is the latest. This is an important security characteristic of your system, since from version to version the component not only acquires a database of malicious scripts, but constantly changes functionality according to vulnerabilities discovered in Joomla.

Checking if you have a weak database password - In this case, the component checks the hacking resistance of the database password.

Checking if the default "admin" user is active . - For security reasons, the login of the super site administrator should be different from the widely used “admin”. If the component finds a user with this login in the database, a warning will appear.

Checking if you have set your FTP password - At the stage of installing Joomla or editing its settings, a fatal error is made. FTP access is specified in the Joomla configuration file. There is also an equally tragic option. When saving general Joomla settings, the login and password for the administrative panel are recorded in the FTP access field. Therefore, we make sure that the corresponding parameters in the configuration.php file are empty.

Checking if you have Search Engine Friendly URLs enabled - Checking: whether it is enabled in general Joomla settings SEF URL support.

Checking the integrity of configuration.php — Checking the configuration.php file for correctness and integrity.

Checking if any admin users have weak passwords - Checking all passwords of super administrators of your site for crack resistance

Checking your session lifetime — Checking the session lifetime, which is set in general settings Joomla. If it exceeds 15 minutes, a warning will appear.

Checking if there are any files left in the Joomla! temporary folder - In this case, it is checked whether the files are located in the Joomla temporary directory. By default, this directory is the “tmp” folder. You need to keep this directory clean, because after installing extensions or updating Joomla, there may be unnecessary archives and scripts there.

Checking for .htaccess - Checking for the existence of the .htaccess file. After installing Joomla, the htaccess.txt file is created in the root of the site by default. Your task is to rename it to .htaccess. Exactly as written, with a period at the beginning and without .txt at the end

Checking if the Joomla! temporary folder is publicly accessible - Checks whether the directory for temporary Joomla files is accessible to open access. What is meant by this? Simply put, is it possible to dial in address bar browser link like www.yoursite.com/tmp.

Not everyone knows that it is possible to place a temporary directory so that only Joomla scripts can access it. It is enough to create a folder with an arbitrary name at a level higher than the directory where the site is located and write the path to this folder in the configuration.php file

Checking your Session Handler - Checking the type of session handler. We are recommended to set the value to “No”. This can be done in the general settings of Joomla

Server Configuration Section

Let's move on to the next section, where the server configuration was analyzed.

We can see that the PHP configuration directives from the component's point of view are not configured properly.

There is no need to understand which directive is responsible for what. However, you first need to resolve the issue with the Joomla temporary directory, which I wrote about above.

Copy it to HDD your computer, and delete it from the root of the site, because it is for informational purposes only and tells you the meaning of PHP directives that you should insert into your php.ini

How to find it on the server and whether access is allowed there should be checked with your hosting provider. Often PHP directives are changed by changing the hosting panel settings. Therefore, there is no universal recipe here.

Scan Result Section

Here are the results of the scan of your system. I suggest studying their results.

Scanning the integrity of your Joomla! (CMS) files - in this section the result of scanning CMS Joomla files will be shown and compared with the original distribution for integrity and possible changes to the files. Not only scripts will be compared, but also image and CSS files. Well, that's all.

Scanning your folders - scan via FTP to visit each one and make sure that it is clean from malicious scripts

Scanning your files - in this case we are talking about file rights. The actions should be the same as in the case of directories

Scanning your files for common malware - scanning for the presence of malicious code. As you can see, RSFirewall found one file and when analyzing it in text editor, it was found to be truly malicious and was removed from the server by me.

Let's sum it up

Unfortunately, it is not possible to cover all the capabilities and settings of the RSFirewall component in one material. In the next article we will study the component configuration.

If you are not ready to resolve the issue of website hacking on your own, write through the “Contacts” section, or in the chat in the lower right corner of the screen.

Site treatment is carried out for a fee.

The current cost of work is indicated on the page: “Treatment of websites (CMS Joomla) from viruses"

Best regards, Vladimir Egorov

Must be done together. If you eliminate the original cause of the hack (for example, a vulnerability in the CMS extension), but do not remove all the malicious files, the attacker will be able to gain access to the site again using one of his scripts. If you remove all downloaded malicious scripts, but do not eliminate the cause of the hack, the attacker will be able to hack the site again and download scripts onto it again.

A specialist with the appropriate knowledge and experience should carry out work to remove malicious scripts and analyze the causes of hacking:

• To remove malicious scripts, you need to know the language PHP programming, as well as knowledge “from the inside” of popular CMS (Joomla, WordPress, etc.) and extensions for them. This knowledge is required to distinguish scripts directly from the CMS and its extensions from extraneous files, and also to be able to unambiguously determine what actions they perform when encountering dubious scripts.
• To analyze the causes of hacking, server administration experience is required. This is necessary to analyze the state of the files on the account, the time they were changed, and also to compare this data with server logs to determine which actions of the attacker led to the hacking of sites.

Therefore, if your site has been hacked, it is recommended, in order to avoid repeated hacks, not to do the work yourself, but to contact a specialist who will perform the necessary diagnostics and recommend or take the necessary actions to solve the problem, and who can guarantee the quality of the result obtained.

However, there are a number of measures that in some cases help to restore the safe operation of the site without special knowledge. The limitation of the method below is that in order to resume operation of the site, it requires a backup copy of it created before the hack. If the date of the breach is unknown, you can try this method using the oldest backup available. The second limitation, as a consequence of the first, is that after restoring the site, data added to the site after the restore backup was created (for example, new articles, images or documents). If you need to restore the site while retaining new data, you need to contact a specialist.

These measures do not allow us to determine the cause of the site hack, but each of them is aimed at eliminating one of the potential causes of penetration. Since the exact reason for the hack is unknown, it is necessary to perform all of them. The actions are arranged in such an order as to first completely eliminate the possibility of the attacker continuing his activities on the site or hosting account in currently, and then prevent an attacker from entering the site in the future.

The steps below assume that you only have one website on your hosting account. If there are several sites on the account, then they could also be hacked, and the site could be hacked through them. It is necessary to either transfer the site with which restoration work is being carried out to a separate account, or carry out restoration for all sites hosted on the account at the same time.

The order of actions is important, so it is necessary to perform them in the exact order in which they are located below.

Immediately after discovering that a site has been hacked, it is necessary to completely block visitor access to it. This, firstly, will prevent the attacker from carrying out malicious activities on the site, and secondly, will not allow him to interfere with restoration work. This step is very important, since removing malicious scripts and eliminating the cause of the hack does not happen overnight - as a rule, it takes several hours. If the site remains accessible from the outside, the attacker will be able to re-upload scripts to the section of the site that has already been cleared. In this case, an attacker can use different IP addresses to connect, so denying access only to a list of IP addresses will not work. To ensure that the site is cleaned of detected malicious scripts, it is necessary to completely block the attacker’s ability to access the site, which can only be done by completely blocking the site for any visitors. Contact the technical support service of the hosting that hosts your site to block it.

After blocking the site, you need to check the computers from which you were working with the site with a modern antivirus with updated virus databases. If the site was hacked by stealing account passwords using a virus, you must make sure that further work with the hacked site is carried out from a computer that does not have viruses, otherwise after changing the access passwords they may be stolen again.

After blocking the site and checking for viruses, you need to change all access passwords to your account: access via FTP, via SSH, as well as access to the hosting control panel. If an attacker accessed account files using one of these methods, once the passwords are changed, they will no longer be able to do so.

After changing passwords, you must destroy all server processes running under the account on which the site is maintained. Launched by an attacker in background processes, without being destroyed, will be able to re-place malicious scripts on the site after restoration work. To prevent this from happening, all processes running before the site was blocked must be destroyed. The site should already be blocked at this moment so that the attacker cannot launch new processes by accessing one of his scripts on the site. To destroy processes running on your account, contact the technical support service of the hosting that hosts your site.

Now it is impossible to penetrate the site from the outside and you can begin to restore it.

Before proceeding further, remove all existing files site, so that among them there are guaranteed to be no malicious scripts or CMS scripts in which the attacker has introduced malicious code. This step is also important because when restoring a site from a backup, files that existed before the restoration are not always deleted. If, after restoring from a backup, old malicious scripts remain on the site, the attacker will be able to re-enter the site. You can avoid this by deleting all site files before performing recovery.

After deleting all site files, restore the site from a backup created before it was hacked. Often it is enough to restore only the site files, but if, after restoring them, errors are observed in the site’s operation, it is necessary to restore the site completely: both the files and the database.

After restoring from a backup, update your content management system (CMS) and extensions to the latest versions. This is necessary to exclude the presence of known vulnerabilities on the site through which it could be hacked. As a rule, the update can be done through the CMS administration section. For getting full instructions To update the CMS, you must go to the system developer’s website. It is important to update not only the CMS itself, but also all its extensions, since hacking often occurs through a vulnerability present in one of the CMS extensions (for example, plugins, themes, widgets, etc.). At this moment, it is still impossible to unblock the site for visitors, as it may still be vulnerable. To access the site for updates, please contact technical support hosting provider that hosts your site, and ask to allow access to the site only from your computer's IP address. You can find out your IP address, for example, at inet.yandex.ru.

After updating the site management system and its extensions, go to the site administration section and change the administrator access password to it. Make sure that among the site users there are no other users with administrative privileges (they could have been added by an attacker), and if any are found, delete them.

Now that the site has been restored from a backup and does not contain malicious scripts, the CMS and its extensions have been updated to latest versions, in which there are no vulnerabilities, and the access passwords to the site and hosting account have been changed, you can reopen the site to visitors.

All the above actions must be performed in accordance with the specified order, without omissions or any changes. If the actions are performed inaccurately, malicious scripts or vulnerabilities may remain on the site, as a result of which it can be hacked again by an attacker after a short time. If for some reason it is not possible to perform the above steps in the form in which they are indicated, contact a specialist to carry out work to restore the site after a hack.

To protect your site from repeated hacks in the future, you must adhere to the following recommendations:

Keep track of updates to the CMS and extensions for it on the developers' websites and promptly update them to the latest versions. If an update comment states that it fixes a vulnerability, install the update as soon as possible.

Work with the site and hosting account only from computers that are protected from viruses by modern antiviruses with constantly updated virus databases.

Use complex passwords, so that they cannot be selected by searching through the dictionary.

Do not save FTP and SSH passwords in programs for connecting to the site, and do not save the access password to the administrative area of ​​the site and the hosting control panel in your browser.

From time to time (for example, once every three months), change the passwords for accessing the site and hosting account.

If viruses were detected on the computer from which you were working with the site, change the access passwords to the site and hosting account as quickly as possible. It is necessary to change all passwords: access passwords via FTP, SSH, the password from the site’s administrative panel, as well as the password from the hosting control panel.

Do not provide access to the site to third parties unless you are confident that they will also follow these guidelines.

This post was prompted by questions from several site owners about how to remove malicious code from their website. Below I will try to describe the sequence of simple steps, which does not require any special knowledge and will primarily be useful to beginners in the administration of Internet resources.

How do you know if a website has become the victim of an attack during which it was hit with malicious code? The first and simplest thing is that the site has stopped working or does not look the way a “healthy” resource should look. This may manifest itself in the appearance of unwanted content or the disappearance of your content, pages do not load or load with errors. In addition, if your site is added to Yandex or Google webmaster, you high probability Receive notification from these systems about malicious code. In some cases, you can learn about the vulnerability from your browser (screenshot from Google Chrome).

In such cases, it is highly undesirable to try to open the page further.

We are looking for malicious code on the site

We will not understand the motives of the person who installed malicious code on your site, much less search for it. Our main goal is to find "bad" code and remove it. First, you need to scan the resource to detect all “infected” pages. This allows you to narrow your search. For example, malicious code could be placed in the form Javascript script to some separate page, say, to the contents of a post or a comment to it. In this case, the problem can be solved through the site admin by removing such code from the content/comment. Otherwise, you have to look for it in the source code of your resource.

To scan a site for vulnerabilities, you can use https://sitecheck.sucuri.net As a result, you can see the following:

As you can see from the screenshot, the “bad” script was found on several pages of the site, so you’ll have to look for it in the source code.

Get access to source code site in several ways:

The easiest way is through the site admin panel. In Wordpress for example, " Appearance" -> "Editor". This method is not entirely convenient due to the lack of search for the contents of the files, so you have to very carefully look through them all separately and look for a “bad” script.

Many blogs, corporate resources, and online stores are located on servers that can be accessed through the hosting control panel. Often this panel is cPanel. To gain access you need to know your login and password. They are usually sent when purchasing hosting to the person making the transaction. After logging into the control panel, you can view absolutely all source files through the “File Manager” and try to find those that contain the detected malicious script.

Most convenient way- via FTP client. If you “communicate” with your resource using an FTP client, you can easily run a search through the contents of the source files.

Do not try to find malicious code in the source files of your site, substituting it completely in the search. Select its unique part, such as googleleadservices.cn in our case, and repeat the search several times.

Removing malicious code

Once malicious code is detected, it simply needs to be removed. In our case, the site was running Joomla, and the “bad” script was inserted into index.php in the root directory. That is why the vulnerability was discovered on several pages at once, since this index.php is used when building all pages of the resource.

Immediately after removing the malicious code, I recommend changing the passwords of all users in the site control panel, and also trying to find the experiences of other administrators who have encountered this problem. It may be necessary to take some additional measures.

Prevention

Prevention is always better than cure, so I recommend:

Use “good” passwords for all site users (long, with numbers, uppercase and lowercase letters).

Take seriously and filter content that is not generated on the site by you (guest posts, comments).

Do not wait for notifications, but periodically scan the site for vulnerabilities.

Timely update the content management system (Wordpress, Joomla, Drupal, ...).

Please leave any questions or comments in the comments.