Database Hacks on Joomla – The Worst Kind of Hacks

A new client called us today and told us that his website was hacked, and asked us to fix it. The moment we hung up the phone with him, we started working on it immediately (we treat such tasks as urgent).

We did our regular check on its filesystem, and we didn’t discover anything! (even after following our super-duper easy-peasy method to quickly discover the infected files on a Joomla website). We then pondered for a moment; could this be a database hack? We haven’t seen one for a long time!

So, we checked the database, and we were right, the filesystem was not infected, but the database was! It was a dreadful moment… Dreadful not because it’s hard to fix, but dreadful because we know that ensuring that the website remains clean (after it’s fixed) can be costly for the client (he was running a very old Joomla website with some very outdated and low profile extensions).

So, what is a database hack? And how is it different from a filesystem hack?

A database hack is when the malicious code is inserted directly into the database, rather than in one or more core files. Generally, the database hack consists of inserting the malicious code in one or more rows of the following two tables (replace #__ with your table prefix):

  1. #__content
  2. #__modules

The malicious code inserted in the database usually has the same outcome as if it were inserted into a core Joomla file: It can redirect to malicious websites, it can infect clients (by clients we mean PCs loading the website) with a virus, or it can show content that is completely irrelevant to the website (the different content may be shown to Google’s bot, to the visitors, or both).

What is the cause of a database hack?

The cause of a database hack is generally a SQL injection exploit (hence we say that the rows are injected with malicious code). Now we know what your second question is: “Isn’t SQL injection a thing from the past in Joomla?” Well, the answer is that it’s not, thanks to some exploitable Joomla versions (including many releases of Joomla 1.5) and to some poorly written extensions (exploits of such extensions are well documented on Joomla’s official website).

How to fix a database hack on a Joomla website?

The answer to this question is simple: “Find and replace”. “But how?”, you might be wondering. Well, all you need to do is the following:

  1. Log in to your Joomla database using phpMyAdmin.
  2. Click on an affected table (i.e. a table that has some malicious code injected in one or more of its rows).

  3. Issue the following command (in our example below, we are assuming that the infected table is #__content and the infected column is the introtext column – make sure you replace #__ with your table prefix):

    UPDATE #__content SET `introtext` = REPLACE(`introtext`, '[malicious code]', '');

  4. Repeat Steps #2 and #3 for all the infected tables and all the infected columns.

Note: To find which tables/columns are infected, do a global search at the database level in phpMyAdmin.
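The cleanup steps above can be wrapped in a backup, a preview and a verification pass so that nothing is changed blindly. The following is an added example, not part of the original post; it assumes MySQL, the table prefix `jos_`, and a backup table name (`jos_content_pre_cleanup`) chosen here for illustration, and `[malicious code]` remains a placeholder for the exact injected string.

```sql
-- Added example. Assumptions: prefix jos_, backup table name, placeholder needle.
SET @needle = '[malicious code]';   -- paste the exact injected string here

-- 1. Copy the table first. This works on MyISAM tables too, where an
--    UPDATE cannot be undone with ROLLBACK.
CREATE TABLE jos_content_pre_cleanup AS SELECT * FROM jos_content;

-- 2. Preview exactly the rows REPLACE() would change, and by how much.
--    REPLACE() matches case-sensitively, so the test is "would the column
--    get shorter", not a LIKE (which also treats % and _ as wildcards).
SELECT id, title,
       CHAR_LENGTH(introtext)
         - CHAR_LENGTH(REPLACE(introtext, @needle, '')) AS intro_chars_removed,
       CHAR_LENGTH(`fulltext`)
         - CHAR_LENGTH(REPLACE(`fulltext`, @needle, '')) AS full_chars_removed
FROM jos_content
WHERE CHAR_LENGTH(REPLACE(introtext, @needle, '')) < CHAR_LENGTH(introtext)
   OR CHAR_LENGTH(REPLACE(`fulltext`, @needle, '')) < CHAR_LENGTH(`fulltext`);

-- 3. Clean both text columns, touching only the rows listed in step 2.
--    `fulltext` is a reserved word in MySQL and needs backticks.
UPDATE jos_content
SET introtext  = REPLACE(introtext,  @needle, ''),
    `fulltext` = REPLACE(`fulltext`, @needle, '')
WHERE CHAR_LENGTH(REPLACE(introtext, @needle, '')) < CHAR_LENGTH(introtext)
   OR CHAR_LENGTH(REPLACE(`fulltext`, @needle, '')) < CHAR_LENGTH(`fulltext`);

-- 4. Verify. INSTR() follows the column collation, so on a case-insensitive
--    column it also reports differently-cased copies that REPLACE() skipped,
--    and copies that only formed once the first removal joined two fragments.
--    Expect 0; otherwise inspect those rows and repeat steps 2-3.
SELECT COUNT(*) AS still_infected
FROM jos_content
WHERE INSTR(introtext, @needle) > 0 OR INSTR(`fulltext`, @needle) > 0;

-- 5. List what was changed, by comparing against the copy from step 1.
SELECT c.id, c.title
FROM jos_content AS c
JOIN jos_content_pre_cleanup AS b ON b.id = c.id
WHERE CHAR_LENGTH(c.introtext)  <> CHAR_LENGTH(b.introtext)
   OR CHAR_LENGTH(c.`fulltext`) <> CHAR_LENGTH(b.`fulltext`);
```

The same sequence applies to the `content` column of `jos_modules`; drop the backup table once the site has been checked.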

How to ensure that the database hack will not happen again?

In order to ensure that your Joomla database won’t be hacked again you need to do the following:

  • Upgrade your Joomla website to the latest version.
  • Hire some Joomla experts to analyze the 3rd party extensions that you have on your website to ensure that they’re all clean.

Why is the database hack the worst kind of hacks?

Good question! It’s because, as mentioned earlier, it can be very costly. While hacks on the filesystem can be completely blocked by enforcing strict permissions (e.g. changing ownership to root, changing file permissions across the board to 444, etc…), database hacks can only be prevented by ensuring that all the extensions, as well as Joomla itself, are up-to-date and are not exploitable. This can take a lot of time and can cost a lot of money – especially if the website in question is very large in size.

Now, if your Joomla website is hacked – regardless of the type of hack – then fear not! Relax, take a deep breath, and call us! We always answer the phone, we know Joomla from inside out, and our rates are very affordable for what we do! As many of our clients describe us, we are life savers!
