Reputation: 73
A client's Joomla 3.6.5 website was hacked. After running a virus scan and malware scan on the entire directory, nothing came up. When I searched for the malicious URLs, they appear in the database, but nowhere in the code of the website files. I'm not sure how to find the hack, or how to clean out the malicious URLs.
(11216,'http://xxxx.com/cache/j.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11217,'http://xxxx.com/cache/jq.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11218,'http://xxxx.com/cache/layout.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:50:57','0000-00-00 00:00:00',301),
(11219,'http://xxxx.com/cache/ssc.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301),
(11220,'http://xxxx.com/cache/jq.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301)
Since the malicious URLs are in the database, was the database hacked? How do I remove the malicious URLs and how do I fix the hack? I know I have to change the passwords, but I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips? Thanks!
Upvotes: 0
Views: 645
Reputation: 21
This seems to be a pretty bad one! A few tips:
A diff command would go a long way:
$ mkdir joomla-3.6.4
$ cd joomla-3.6.4
$ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
$ cd ..
# compare the clean release tree against the site's document root
$ diff -r joomla-3.6.4 ./public_html
There are more steps which can be checked from this URL: https://www.getastra.com/blog/cms/joomla-security/joomla-admin-security/
Upvotes: 0
Reputation: 4261
What you are experiencing is a database hack, which is the worst kind of Joomla hack.
Reverting to a backup may be a good solution if you are running a semi-static website; however, if your website has new content every day (or has had new content since the hack), then you can't revert to a backup without losing data. In this case, you will need to use MySQL's REPLACE function to replace the hacked strings with an empty value.
Once you fix the database hack, you will need to run an internal scan on your website to find out whether there are hacked/backdoor files anywhere. Once that is done, you will need to uninstall all the unused extensions, and you will need to uninstall all the extensions that are on Joomla's VEL list. Any extension that you have must be updated to the latest version.
Once you are done with the above, then you will need to do the following:
Change all the passwords of the website: including Joomla passwords, FTP/sFTP, database passwords (avoid using FTP if you can), cPanel passwords, etc...
Restrict Apache's access of PHP files to the 'index.php' file (that can be done in the .htaccess file).
Move the website to a VPS or a dedicated server if you are on shared hosting.
Upvotes: 1
Reputation: 108450
Q: Since the malicious URLs are in the database, was the database hacked?
A: Not possible to tell with the information provided.
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
The term "hacked" is very broad. Have credentials been fraudulently obtained? Was the website defaced? Was valid data stolen from the database? Has valid data been removed or changed? Has new fraudulent data been added?
There are several ways any of those could have happened. One possibility is that database modifications were made through normal operation of the website, by a malicious actor who obtained credentials (login and password) to perform those operations.
Or, a malicious actor could have exploited a vulnerability in the website code. Given the predominance of XSS and SQL Injection vulnerabilities, and the relative ease of exploiting those, this is the most likely scenario. (A lot of website "plugins" are known to be vulnerable.)
Or, some other program connected to the database and performed database operations.
Q: How do I remove the malicious URLs?
A first step would be to restore a copy of the database from a known good backup.
And with a saved copy of the suspect database, we could do a comparison, to help identify data that has been removed, changed or added. (What makes a URL "malicious"? How are you defining that? All we see in the question is what appears to be some rows from a database table. How are these rows more "malicious" than other rows?)
Q: How do I fix the hack? I know I have to change the passwords ...
If an unauthorized actor has obtained login credentials, then yes, you need to change the passwords. And figure out how they obtained the credentials, and take steps to prevent that from happening again.
And close up the vulnerabilities, to prevent that from happening again.
Q: I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips?
Restore the database from a known good backup.
And again, mitigate the vulnerabilities to prevent (or make it less likely) that this will happen again. Cross site scripting (XSS) and SQL Injection are always in the OWASP Top 10.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
https://www.owasp.org/index.php/SQL_Injection
Upvotes: 1
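One way to do the backup-versus-suspect comparison this answer describes, as an added example that is not code from the post: it parses the (...),(...) tuples of a dump's VALUES list in the format shown in the question, diffs the two dumps by the first column (the row id), and then lets the analyst flag rows by a pattern they supply. The two dumps below are constructed; the pattern and function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Union

Value = Union[str, int, None]
Row = List[Value]

# Tokens of a MySQL VALUES list: quoted string, NULL, integer, or punctuation.
_TOKEN = re.compile(r"'((?:[^'\\]|\\.)*)'|(NULL)|(-?\d+)|([(),])")

# Constructed dumps: row 11215 is legitimate (hit count changed between dumps),
# rows 11216/11217 only exist in the suspect dump and carry the injected paths.
BACKUP_DUMP = """(11215,'http://xxxx.com/contact-us',NULL,'http://xxxx.com/','',2,0,'2017-03-01 09:00:00','0000-00-00 00:00:00',301)"""
SUSPECT_DUMP = """(11215,'http://xxxx.com/contact-us',NULL,'http://xxxx.com/','',3,0,'2017-03-01 09:00:00','0000-00-00 00:00:00',301),
(11216,'http://xxxx.com/cache/j.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11217,'http://xxxx.com/cache/jq.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301)"""


def parse_rows(dump: str) -> Dict[Value, Row]:
    """Parse every (...) tuple of a VALUES list into {first column: row}."""
    rows: Dict[Value, Row] = {}
    current: Optional[Row] = None
    for m in _TOKEN.finditer(dump):
        text, null, num, punct = m.groups()
        if punct == "(":
            current = []
        elif punct == ")":
            if current:
                rows[current[0]] = current
            current = None
        elif current is not None and punct is None:  # a value inside a tuple
            if text is not None:
                current.append(text.replace("\\'", "'"))
            elif null is not None:
                current.append(None)
            else:
                current.append(int(num))
    return rows


def diff_dumps(good: Dict[Value, Row], suspect: Dict[Value, Row]) -> Dict[str, list]:
    """Rows added, removed, or changed in the suspect dump relative to the known-good one."""
    return {
        "added": [suspect[k] for k in suspect if k not in good],
        "removed": [good[k] for k in good if k not in suspect],
        "changed": [(good[k], suspect[k]) for k in good if k in suspect and good[k] != suspect[k]],
    }


def flag_rows(rows: List[Row], pattern: str) -> List[Row]:
    """Rows with any string column matching an analyst-supplied regex (assumed pattern)."""
    rx = re.compile(pattern)
    return [r for r in rows if any(isinstance(v, str) and rx.search(v) for v in r)]
```

Rows that only differ in counters such as hits land in "changed" and need a human look, which is why the flagged set is taken from "added" first.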