Author's note: this and the previous section are the most technical sections of the guide. The techniques are more challenging, and I've attempted to provide information about the tools you can use and how to access them. However, as I mentioned in the introduction, you will need some technical skill to execute these tasks. I assume that you can do basic technical tasks like using SFTP. Additionally, you will be working on potentially harmful files. Because of this, it's critical that you have anti-malware software installed on your workstation or a secure environment in which to assess the files, such as a "sandbox" virtual machine. Do not run or execute any suspected malware (e.g., running oddly named binaries or programs, or opening an image you don't recognize in an image viewer). Finally, because you will be removing and editing files, always start with a backup!
Hacker Changes and Malware
When a Joomla website is hacked, you will always find changed files or database entries. However, occasionally you'll also find that malware has been uploaded into your site file structure. Malware includes things like viruses, spyware, rootkits, worms, and trojans. It is nasty stuff that is generally targeted towards your visitors' desktop computers.
Fortunately, finding malware is easier than locating hacked files or database entries. Malware is a large threat to everyone, so more information, including identifying signatures, is available even for very new malware attacks. (McAfee, Norton, and others have been working on this for over 20 years.)
Using ClamAV to Scan for Malware on Joomla
For malware scanning, we use the ClamAV file scanner. It's open-source, cross-platform software with automatic virus signature updates.
You can get it here:
- ClamAV Official Website
- ClamAV Documentation
- WinClam (Windows)
- ClamXav (Commercial Mac version)
If you have shell and sudo/root access to your Web server, you can install it there and perform the needed scans without a separate secure environment to analyze in, though you have to be comfortable working on the command line.
To scan for malware, install ClamAV and run the clamscan utility on the site directory. For example:
clamscan -r mysite/
If you find any infected files, what do you do? Delete them.
A caveat to scanning site files is that, depending upon the success of the attack on your site, your server itself may be compromised, and a scan of the site directory will miss any malware that sits outside of your site structure. Fortunately, this is not common, because attackers have to beat not only your site's defenses but also your server's.
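The following is an added example, not part of the original guide: a small shell helper that turns a `clamscan -r` run into a list of flagged paths you can check against your backup before deleting, and that treats clamscan's exit status (0 = no virus found, 1 = virus found, 2 = errors occurred) as the verdict. The function names, the log file name, and the sample output (including its paths and the placeholder signature name) are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: triage the results of `clamscan -r` on a site directory.

# Print only the paths clamscan flagged, one per line, reading its output on
# stdin. Flagged lines look like "<path>: <signature> FOUND"; the greedy match
# keeps paths that contain spaces intact.
list_infected() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# Map clamscan's documented exit status to a verdict.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;   # 2: some files could not be scanned, so not "clean"
    esac
}

# Hypothetical wrapper: scan DIR recursively, print only infected files (-i),
# keep a full log, then report the verdict and the flagged paths.
# Call as: scan_site mysite/ scan.log
scan_site() {
    dir=$1
    log=$2
    status=0
    out=$(clamscan -r -i --log="$log" "$dir") || status=$?
    echo "verdict: $(scan_verdict "$status")"
    printf '%s\n' "$out" | list_infected
    return "$status"
}

# Constructed sample of clamscan output (paths and the second signature name
# are invented; the first is the harmless EICAR test file).
SAMPLE_OUTPUT='mysite/index.php: OK
mysite/images/logo.png: OK
mysite/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
mysite/media/old backup.php: Example.Placeholder-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'
```

An "error" verdict means part of the tree was not scanned (for example, unreadable files), so rerun with sufficient permissions before treating the site as clean.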
Scenarios where this is more likely to occur are:
- Where the Web server was not set up correctly with common security packages and hardening techniques.
- Where shell access is enabled and the root or sudo-user password is easily guessed.
- Where site owners or developers are self-hosting in-house, on a VPS, cloud, or dedicated server, without a skilled sysadmin to manage the server.
In the next section, we will look at how to keep from being reinfected.
Section 5: Secure Your Joomla Site To Keep from Being Hacked Again
Note: ClamAV image above re-used under https://creativecommons.org/licenses/by-nd/2.5/