How To Clean a Hacked Joomla! Site
OK, so your Joomla! site is hacked. Maybe you received an e-mail from your hosting provider saying you need to fix the issue or they will shut your site down. Or maybe your site is no longer reachable because browsers now flag it as malicious. Or maybe your site has been hacked and you just don't know it yet. In any of these scenarios, Zap Audit was written to help you get your hacked Joomla! site back up and running. It finds hacked files, recommends best practices based on an analysis of your site, and provides proactive monitoring to reduce the chance of your site being hacked again.
Zap Audit generates a detailed audit report of your site showing hacked files, potential issues, and best practices. A lite/free version is available that provides summary information about your site, which can be used to verify that your site is free of hacks and give you peace of mind. If an issue is found, you can use one of the paid versions of Zap Audit to obtain details of the hack and best-practice recommendations.
Depending on the status of your site, there are two methods of running Zap Audit:
- On-Line Mode - Use this method if your site is relatively healthy and you can access the administrator back-end normally.
- Off-Line Mode - Use this method if your site is off-line or you cannot access your Joomla! administrator back-end. You can also use this method to check a Joomla! 2.5 site using Zap Audit installed on a Joomla! 3.x site.
These methods are described below.
On-Line Mode
This is the ideal way to run Zap Audit: it not only performs a file audit but also performs tasks that are not available in off-line mode, including a best practices audit. If you have performed an off-line audit to clean up a site and bring it back on-line, run an on-line audit of that same site afterwards to get a full audit analysis.
To perform an on-line audit, go to Zap Audit's "Run Audit" menu option and select "Run Audit Report" in the site audit section. After a few moments the audit analysis screen appears. Review the report and correct the issues as needed; you can re-run the report as many times as you like after fixing issues.
Off-Line Mode
Off-line mode allows a hacked site to be analyzed even if you cannot access its administrator back-end. The same method is used to analyze a Joomla! 2.5 site from a Joomla! 3.x site, since Zap Audit only runs on Joomla! 3.x. With Zap Audit installed on a Joomla! 3.x site (it is a good idea to run an on-line audit of that site before running the off-line audit, so you know the audit site itself is clean), you upload the files of the infected site to the application. To do this, create a zip file of the infected site starting at the root of the Joomla! installation. For example, if your site resides under the folder "public_html", create a zip file of "public_html" and everything beneath it. Do not clean, re-save or touch files before zipping them: the file modification times are preserved inside the zip, and you will need them later to match infected files against the web server log when looking for the source of the hack.
From the audit site, go to Zap Audit's "Run Audit" screen. From here you can select either "Site Audit" or "File Audit"; use "File Audit" for an off-line analysis. Click the browse button to select and upload the zip file containing the infected site's files. Once uploaded, a second screen asks for the Joomla! version and site name. Be sure to select the correct Joomla! version, or the audit report will be inaccurate. The Joomla! version of the infected site can be found in the file "libraries/cms/version/version.php". Look for the lines beginning with "const RELEASE =" and "const DEV_LEVEL =" to determine the version. For example, if RELEASE is "3.6" and DEV_LEVEL is "5", the Joomla! version is "3.6.5". Older versions of Joomla! write these as "public $RELEASE" and "public $DEV_LEVEL". Once the version and site name are submitted, you are ready to run an audit.
Select "Run Audit Report" under "File Audit" to run an audit of the uploaded files. You will need to re-upload the site files whenever fixes have been made and another audit is needed. Once the file audit is complete, remove the uploaded files from the audit site by clicking the button provided; do not leave an infected site's files sitting on another server longer than necessary.
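The version lookup above is easy to get wrong by hand, because the two spellings ("const RELEASE" on 3.x, "public $RELEASE" on older releases) look alike and the file sits inside a zip you do not want to unpack and execute anywhere. The following script, added here as an example and not part of Zap Audit, reads "libraries/cms/version/version.php" straight out of the site zip and reports the version string to select. It handles both spellings, never executes any of the site's PHP, and matches the version file by path suffix so it works whether or not the zip starts with a "public_html" folder. The sample version files and the in-memory zip it builds are constructed for the demonstration.

```python
import io
import re
import sys
import zipfile
from typing import Optional

# Path of the version file inside a Joomla! site, relative to the site root.
VERSION_FILE = "libraries/cms/version/version.php"

# Both spellings seen in version.php:
#   Joomla! 3.x:   const RELEASE = '3.6';     const DEV_LEVEL = '5';
#   older sites:   public $RELEASE = '2.5';   public $DEV_LEVEL = '28';
_RELEASE_RE = re.compile(r"(?:const|public\s+\$)\s*RELEASE\s*=\s*['\"]([0-9.]+)['\"]")
_DEV_LEVEL_RE = re.compile(r"(?:const|public\s+\$)\s*DEV_LEVEL\s*=\s*['\"]([0-9]+)['\"]")


def joomla_version_from_source(source: str) -> Optional[str]:
    """Return 'RELEASE.DEV_LEVEL' (e.g. '3.6.5') from version.php text, or None."""
    rel = _RELEASE_RE.search(source)
    dev = _DEV_LEVEL_RE.search(source)
    if not rel or not dev:
        return None
    return f"{rel.group(1)}.{dev.group(1)}"


def joomla_version_from_zip(zip_file) -> Optional[str]:
    """Read version.php out of the site zip without extracting or running anything.

    zip_file may be a path or a file-like object. The zip is built from the site
    root folder (e.g. "public_html/..."), so the entry is matched by path suffix.
    """
    with zipfile.ZipFile(zip_file) as zf:
        for name in zf.namelist():
            if name.replace("\\", "/").endswith(VERSION_FILE):
                text = zf.read(name).decode("utf-8", errors="replace")
                return joomla_version_from_source(text)
    return None


# Constructed sample version files (not copied from any real site).
SAMPLE_J3_VERSION_PHP = """<?php
final class JVersion
{
    const PRODUCT = 'Joomla!';
    const RELEASE = '3.6';
    const DEV_STATUS = 'Stable';
    const DEV_LEVEL = '5';
}
"""

SAMPLE_OLD_VERSION_PHP = """<?php
final class JVersion
{
    public $PRODUCT = 'Joomla!';
    public $RELEASE = '2.5';
    public $DEV_STATUS = 'Stable';
    public $DEV_LEVEL = '28';
}
"""


def build_sample_site_zip() -> io.BytesIO:
    """Constructed stand-in for the zip you would upload: a "public_html" tree
    holding the 3.x version file. Returns an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("public_html/" + VERSION_FILE, SAMPLE_J3_VERSION_PHP)
        zf.writestr("public_html/index.php", "<?php // placeholder entry point")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python joomla_version.py infected_site.zip
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site_zip()
    print(joomla_version_from_zip(target) or "version file not found")
```

Run it against the same zip you are about to upload and type the printed value into the version field; if it prints "version file not found", the zip was not built from the site root and the audit will be wrong for the same reason.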
Proactively Monitoring a Site For Hacks
With Zap Audit Pro, you can have sites audited automatically and receive e-mail alerts when the audit analysis detects a change. Automatic audits of a single site are done using the emailalert plugin; to monitor a group of sites, use the monitoring plugin.
Finding the Root Cause of a Hack
Zap Audit together with the Apache access log can help pinpoint the original hack of a file. If Zap Audit does not identify the cause, the Apache log can. From the audit, look at the infected files and note the earliest modification date and time among them. Open the Apache access log for that day and find the records at that exact time, or close to it. Infected files are typically written by "POST" requests to the server. If, for example, a file was infected at 18:06:32, look for Apache "POST" records between 18:06 and 18:07. The "POST" record will usually name a PHP file as the request target; that file is the likely backdoor or upload script. Look at the file to confirm it is a hacked file before removing it. Make sure the file timestamps and the log timestamps are compared in the same time zone (the log records each request with its UTC offset), and expect the request that wrote a file to be logged at or a second or two before the file's modification time.
Run site audits periodically (or run them automatically as explained above) to ensure your site stays hack-free.