How to Quickly Fix a Hacked Joomla Website

Note: This post is very advanced and is targeted at programmers. If you’re not a programmer, you can ask us to do the below for you.

As of May of last year, we are often getting several hacked Joomla websites a day to clean. In this post, we are going to share with our readers/clients how to quickly do that.

In many cases, the Joomla website is hacked because one or more of its core files are hacked – which means that to fix the hack, one has to clean those files. But the question is, how can one find out which files were hacked?

Well, nearly always, hackers like to hide their malicious code in an encrypted form – and then decrypt that code usually using the built-in PHP function base64_decode. So, in order to find out which files were hacked, one has to write a script to search the Joomla files for the base64_decode function and detect if the files containing the function have it for legitimate reasons.

But, is it really necessary to search all the files? We think it’s not only not necessary (was that a double negative?), it’s also not practical. This is because Joomla has thousands of files and running a script that will search every single file might take a long time. Additionally, searching all the files might return a lot of false positives, which means that weeding them out and finding the culprit(s) can be a highly tedious process.

A better way to find the offending files is to search only the files that are being loaded on the affected page. So the process for cleaning up your Joomla website will be something as the below:

  • Get a list of all the files that are being loaded in the index.php (we have described the process here).
  • Just after getting the list of the files that were loaded, create a script that will search each and every one of these files for the base64_decode function.

  • Once you have the list of the files containing the above function, do a visual check on the code of each of the files in the list for anything that may seem fishy (we suggest to check the content of each file with the content of an identical file in an equivalent, and clean, installation of Joomla). Keep going through the list even if you find the offending file, as there may be more than one.

  • Cleanup all offending files.

  • That’s it!

Some caveats:

  • Some hacked websites may contain several malicious files that will re-infect the core files even after cleaning them up. Be sure to change the permissions to 0444 on all core files and make sure you use DSO for your Joomla website so as to block these malicious files from writing to your core Joomla files.
  • Some files containing the base64_decode function are purely malicious files (e.g. they shouldn’t even exist). These files should be deleted immediately.

  • Make sure you backup the website before doing the above. As fixing or deleting a false positive can render your website inoperable.

As you can see, unhacking a Joomla website is not that hard if you have the right programming skills – but if you don’t, or if you just don’t have the time to do it, then we’re here to help! Just contact us and we’ll fix your website immediately. Our prices are right, our work is professional and clean, and we are the friendliest programmers out there!

3 Responses to “How to Quickly Fix a Hacked Joomla Website”
  1. Pingback by Database Hacks on Joomla – The Worst Kind of Hacks | itoctopus — February 20, 2013 @ 1:03 am

    […] filesystem, and we didn’t discover anything! (even after following our super-duper easy-peasy method to quickly discover the infected files on a Joomla website). We then pondered for a moment; could this be a database hack? We haven’t seen one for a […]

  2. Pingback by Your Joomla Website Is Really Really Slow? Maybe It’s Hacked! | itoctopus — February 23, 2013 @ 11:54 pm

    […] links to malicious websites! Aha, the website was still hacked! With that knowledge, we used our easy method to quickly discover which Joomla file(s) was(were) hacked, and we had an immediate winner! It was the application.php file located under the includes […]

  3. Pingback by The “GoDaddy Joomla Hack” – How to Fix | itoctopus — July 1, 2013 @ 11:32 am

    […] If none of the above files is hacked, then you can use our (now famous) super-duper way of quickly finding and fixing a (filesystem) hack on a Joomla website. […]

Leave a comment