A Couple of Shell Commands to Find Hacked PHP Files on a Joomla Website

Note: This post assumes your website is running on a WHM environment. If your website is running on Plesk than the physical location of your Joomla website will be different.

Another note: This post assumes you have some very basic Linux knowledge. If that’s not the case then you can ask some Joomla security experts (such as, ahem, us) to help you.

Psst! Psst Psst! Psst Psst Psst! We have to tell you a secret – a secret that we have kept for ourselves for a long time for not-so-mysterious reasons! A secret that took us years to discover. A secret that we hope, once revealed, will make Joomla websites safer. Interested? We thought so…

What is that secret, we hear you ask? Well, the secret is that not a single alphanumeric string in Joomla’s core PHP files is larger than 62 characters, and not a single alphanumeric string with pluses and forward slashes is longer than 137 characters. OK – are you done laughing now? Let us explain…

You see, a huge sign of a malicious file is a long continuous string – which means that if we search for long continuous strings in the PHP files of a hacked Joomla website, then we will be able to find most (if not all) of the malicious/hacked files on that Joomla website.

Now the question is, how to find those files? Well, that’s easy, if you want to find all the PHP files containing alphanumeric strings that are more than 62 characters, then you will need to do the following:

  • Login to your Joomla website and clear your Joomla cache.
  • ssh to the server hosting your Joomla website.

  • cd to the directory where your Joomla website resides:

    cd /home/[cpanel-user]/public_html/

  • Run the following command to get the list of all the files containing strings that are longer than 62 alphanumeric characters:

    grep -r --include=*.php -e '[[:alnum:]]\{63,\}'

Now to find all the PHP files that contain alphanumeric characters including forward slashes and plus signs that are longer than 136 characters you just need to run the following command:

grep -r --include=*.php -e '[[:alnum:]\/\+]\{137,\}'

The above 2 commands are excellent for finding malicious/hacked files, and we use them when we are cleaning up a hacked Joomla website in order to weed out those files.

Will these commands really work?

Yes – and we use them every day to find those nasty malicious/hacked files on Joomla websites. The nice thing about these commands is that they are fast and they have a very high accuracy.

What about false positives? Will there be any?

If you have 3rd party Joomla extensions installed, then you may see some false positives, but they are easy to identify. For example, we know that Admin Tools and RSForm Pro will both yield false positives. There are other extensions of course that may have this issue – so you must carefully check each file returned by the above search before taking action (deleting it/cleaning it).

What about JavaScript files?

We’re glad you asked. You can use the same method for JavaScript files, except that the numbers are different: for core JavaScript files, the maximum size of an alphanumeric string is 149 characters, and that of an alphanumeric string with pluses and forward slashes is 480. Which means that we will need to run the below commands to get those potentially malicious JavaScript files:

grep -r --include=*.js -e '[[:alnum:]]\{150,\}'

and

grep -r --include=*.js -e '[[:alnum:]\/\+]\{481,\}'

Now the problem with JavaScript is that the maximums are quite high, so it’s possible to miss some malicious files because of that (maximums are inversely proportional to the accuracy). What we do is mainly use about half the numbers above (e.g. 75 and 240 instead of 150 and 481, respectively), and we ignore the core false positives.

What if the output of these commands is really large?

In the case of an overly hacked Joomla website (or one with many extensions installed), the above commands may return a lot of files, and that will most likely fill the scrollback buffer. To address this issue, you will need to pipe the results to a file (e.g. direct the generated output to a file instead of the screen). You can do this by adding a greater sign after the command followed by the name of the file. For example, the first command will be:

grep -r --include=*.php -e  '[[:alnum:]]\{63,\}' > potentially-malicious-php-files.php

That’s all for today! If you have some doubts on whether these commands will work for you – then try them, you won’t be disappointed. If you still think that there are some malicious files on your server, then please contact us. We are experts in Joomla security, our fees are super affordable, and we will clean and secure your website!

No comments yet.

Leave a comment