A concise guide to cleaning malicious content from your hacked site
In our previous guide we talked about how to scan a site for malware. The next step is to clean your hacked site. The following guidelines are based on Joomla! sites, but the methodology can be used for any other database-driven (e.g. WordPress) or pure HTML website as well.
You must act both fast, to prevent further infection and avoid being blacklisted (by Google, your hosting provider, etc.), and cautiously, so as not to damage your site irreversibly.
Prerequisites:
- Access to the web server files, e.g. through the control panel's file manager (suggested), an FTP service, FileZilla, etc.
- Access to the site database, if you run Joomla, WordPress or another database-driven site
- Being comfortable with the web server control panel
- A basic understanding of Unix/Linux file and folder permissions and the command line
- A local PC on which to download and review the site would be extremely useful.
Heads up:
If you don't have FTP access or are not familiar with the control panel, your hands are tied and it is better to ask professionals for help.
STEP 1. Backup your site
Backup files
Before doing anything else, back up your hacked site. You may need to review it or restore part of it, your hosting provider may delete it for security reasons (!), or you may need it for some other reason. But
BACKUP YOUR SITE!!!!!
Use the control panel's file manager (suggested): select the site root folder, zip it, download the .zip file, and leave the .zip file on the server too for convenience. Verify that the downloaded backup is intact.
HEADS UP:
You may use FTP client software such as FileZilla, but FileZilla does not support compression (zip, tar etc.). It is much faster to compress and download one .zip file than to download the same folder uncompressed with numerous files. It is not the size that counts but the number of files to be downloaded.
Backup database
You may use phpMyAdmin from the control panel and export the data to a compressed file.
Ensure that the size of the exported file does not exceed the phpMyAdmin upload limit of your web server, otherwise you may not be able to restore it.
You can also use backup extensions such as Akeeba Backup or whatever solution your hosting provider offers you.
Ensure that you have downloaded the backup to your local PC or transferred it to a safe place.
STEP 2. Put your hacked website offline
Doing this prevents intruders from doing further damage, stops the malware from spreading to other computers, and helps you avoid being blacklisted by Google or other services. Use one of the following methods:
1. Use the .htaccess file to block all IPs (suggested)
Add these lines to the .htaccess file:
order deny,allow
deny from all
allow from x.x.x.x
Access will be denied to everyone apart from the IP on the last line. Replace x.x.x.x with your own IP; visit http://www.whatismyip.com/ to find it.
2. Manually edit configuration.php
The file configuration.php is located in the root folder of your hacked site. Change the following line from
public $offline = '0';
to:
public $offline = '1';
3. Use Joomla administrator control panel
Log in to the administrator back-end and go to
System menu → Global Configuration
Site tab → Site Offline and click Yes.
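Methods 1 and 2 scripted, as an added example that is not part of the original guide. Apache 2.4 rejects the Order/Deny/Allow syntax shown above unless mod_access_compat is loaded, so the generated .htaccess carries the 2.4 Require form as well; the address 203.0.113.5 and the temporary directory are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: take a Joomla site
# offline from the shell using the article's methods 1 and 2. Apache 2.4
# rejects the 2.2 "Order/Deny/Allow" directives unless mod_access_compat
# is loaded, so the .htaccess carries both syntaxes, each guarded by an
# <IfModule> test. The address 203.0.113.5 and the temp directory are
# constructed samples.

# Print a .htaccess body that denies everyone except one IPv4 address.
# The case patterns are a basic sanity check, not a full IPv4 validator.
offline_htaccess() {
    case "$1" in
        ""|*[!0-9.]*|*..*|*.*.*.*.*) echo "bad IPv4: '$1'" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad IPv4: '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
<IfModule mod_authz_core.c>
    Require ip $1
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $1
</IfModule>
EOF
}

# Method 1: write the lock file into the site root; write nothing on bad input.
lock_site() {
    body=$(offline_htaccess "$1") || return 1
    printf '%s\n' "$body" > "$2/.htaccess"
}

# Method 2: flip Joomla's offline flag in configuration.php (keeps a .bak).
set_joomla_offline() {
    sed -i.bak "s/offline = '0';/offline = '1';/" "$1/configuration.php"
}

# Constructed minimal site root so the script runs offline.
make_sample_root() {
    root=$(mktemp -d)
    printf "<?php\nclass JConfig {\n\tpublic \$offline = '0';\n}\n" > "$root/configuration.php"
    echo "$root"
}

root=$(make_sample_root)
lock_site 203.0.113.5 "$root" && set_joomla_offline "$root"
cat "$root/.htaccess" "$root/configuration.php"
```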
STEP 3. Restore files
Your files have been hacked in two ways:
- core files have been modified
- new files with malicious content have been added
So you must replace the modified files with the original ones and remove the added files. You may do so by following one or more of the solutions below.
1. Use a previous clean backup
Restore all your files from a previous backup with healthy files. The backup must of course have been taken before the malicious content was uploaded to the site, and that moment is NOT the time you noticed you were hacked; it is usually long before.
Check the timestamps of the affected files and the log files to work out when the intrusion probably happened. Recent backups are quite likely to contain affected files, or at least the vulnerable plugins.
2. Clean the hacked website manually
If you don't have a trustworthy backup, then you must get your hands dirty. Alternatives:
- Download your site and examine it locally for malicious content using anti-malware software. Double-check the results using different antivirus tools. Remove the affected core files and the extra added files.
- Download the same Joomla! version as your hacked site and extract it into your site root folder. This replaces the site's core files with the original healthy ones (remove the default installation folder afterwards).
- Examine the folder structure manually, one folder at a time, for suspicious content, comparing it with the structure of a clean Joomla! site. Examine the code of each file for malicious content.
Hint: if the size of a core file differs from the original, or its timestamp is later than those of the other files in the same folder, it has probably been altered by the hackers; replace it with the original.
Commonly hacked files and folders:
- /templates/[template_name]/index.php
- /tmp (remove its contents entirely)
- /cache (remove its contents entirely)
- /images (remove any .php files that shouldn't be there)
- /index.php
- /.htaccess
Tools you can use to compare files:
- Diff for Linux and Mac
- Diff Tools on Mac
- Meld for Linux and Windows
This method is obviously the most tedious, requires knowledge of PHP and the Joomla! file structure, and is not foolproof.
- HIGHLY RECOMMENDED: use free online services, such as Sucuri Site Check, to scan your files online and find out which ones have been affected.
- Use the hosting provider's malware scanner to inspect your files and then clean them manually. Usually this is a paid service.
HEADS UP:
If you have downloaded and cleaned your site locally, delete the contents of the live folder on the web server before uploading the clean site to it. If you don't, the uploaded files will overwrite and replace the files of the same name in the live folder (as expected and intended), but the extra malicious files added to the live folder will NOT be deleted. When uploading, files in the same folder with the same file name are replaced, but the others are left untouched; they are simply merged with the uploaded files.
Always have a working backup before deleting!
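The manual comparison described above (modified core files, files that only exist in the live copy, and stray .php files under data folders), scripted as an added example that is not part of the original guide. It assumes a clean extract of the same Joomla! version sits beside the downloaded live copy; the two tiny sample trees it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a downloaded copy
# of a hacked Joomla site (LIVE) against a clean extract of the same
# Joomla version (CLEAN). The sample trees built below are constructed
# for illustration, not taken from any real site.

# Core files whose content differs from the clean release: replace them.
modified_core() {
    ( cd "$1" && find . -type f ) | sed 's|^\./||' | while read -r f; do
        if [ -e "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then echo "$2/$f"; fi
    done
}

# Files present only in the live copy: extensions and uploads, but also
# anything an intruder dropped in. Review every one of them.
extra_files() {
    ( cd "$2" && find . -type f ) | sed 's|^\./||' | while read -r f; do
        if [ ! -e "$1/$f" ]; then echo "$2/$f"; fi
    done
}

# PHP scripts inside folders that should hold only data (images, tmp, cache).
php_in_data_dirs() {
    for d in images tmp cache; do
        if [ -d "$1/$d" ]; then find "$1/$d" -type f -name '*.php'; fi
    done
}

# Build a tiny clean tree and a live tree with one altered core file and
# two stray PHP scripts, so the script runs offline.
make_sample_site() {
    base=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$base/$t/images" "$base/$t/templates/protostar"
        printf '<?php // joomla entry point\n' > "$base/$t/index.php"
        printf 'png\n' > "$base/$t/images/logo.png"
        printf '<?php // template\n' > "$base/$t/templates/protostar/index.php"
    done
    printf '// line appended by an intruder\n' >> "$base/live/index.php"
    mkdir -p "$base/live/tmp"
    printf '<?php // stray\n' > "$base/live/images/thumb.php"
    printf '<?php // stray\n' > "$base/live/tmp/x.php"
    echo "$base"
}

base=$(make_sample_site)
echo "== modified core files"; modified_core "$base/clean" "$base/live"
echo "== files only in live";  extra_files "$base/clean" "$base/live"
echo "== php in data folders"; php_in_data_dirs "$base/live"
```

Run it with your own CLEAN and LIVE paths instead of the sample tree, and cross-check the timestamps of anything it lists against the server's access logs.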
3. Use an online malware removal service
Use the online malware removal service of your hosting provider or of other security professionals. They will scan and fix the site for you. It is the easiest, quickest and most secure way, but also the most expensive of all!
IMPORTANT: If you host more than one site on your web server, it is highly likely that other sites have been affected as well. You must scan your entire web server for malware, not only the folders of the affected domain.
STEP 4. Secure your site
Are you ready to go live now? No, further action is required. The previous steps clean your hacked site of malicious content, but that's only half the job done. You are not safe to go live yet: your site is still vulnerable and you must secure it.
In the next article we will provide all the necessary steps required to secure your site and go live.