My joomla website redirects to a Malicious site

Question

My Joomla website redirects to a malicious Chinese website. I found out that there is a random Chinese code is written in the index.php file so I removed but it keeps coming back. What can I do?

Answer 1

Chances are you missed some of it. I had the same issue this past weekend - the malicious code kept coming back. Turns out when I deleted "all of the bad code", I missed a piece that made my site vulnerable to keep being reinfected.

If you can use FTP (FileZilla, for example), do a search of the server for all .php files edited in the week or two prior to noticing the issue. Fix them all. Generally it seems they (the affected files from a given "hacking event", if you will) are all dated about the same so that should help find the rest.

I had a malicious extension installed on a Joomla site by some malicious-intent person as well, so I'd say double check the database against a known-secure local copy for updates around that same time, or anything that ought not be there.

And change your passwords. All of them. 9 character minimum using uppercase letters, lowercase letters, numbers and symbols. Preferably not words, names or personal dates.

Answer 2

Contact your host. They usually keep weekly backups (assuming you don't have a backup). You can roll back to a clean version. Change your passwords, explore your log files and find out where they gained access and plug the hole.

Once you're sure it's fixed and clean, make sure Joomla is up to date. Then make sure your plugins/modules are up to date.

Answer 3

You might have something in your JS. I've had some sites with malware that was injected through the PHP. Have a look - it may be obfuscated.

Answer 4

Nuke it from orbit, it's the only way to be sure.

(and change your SSH/FTP passwords, and inform your webhost).