Using the Eximstats Database to Monitor the Health of Your Joomla Site

Note: The following post assumes that your Joomla website is powered by a WHM/cPanel server and that the Eximstats service is enabled (you can enable the Eximstats service from WHM’s Service Manager).

At itoctopus, we go to great lengths to monitor the security of our managed Joomla websites, to the point where we check the Eximstats database for anything suspicious. The Eximstats database, in case you’re wondering, is a SQLite database containing a record of every email sent from the server (this is the case for almost all WHM/cPanel powered servers, where Exim is the default mail server).

But how can the stats of an email server signal anything suspicious on the Joomla website?

Well, if your Joomla website usually sends about 1,000 emails every month, and the Eximstats database contains about 100K entries for that particular month, then this is a huge signal that your website is compromised.

So how do you go about analyzing the Eximstats database?

As mentioned at the very beginning of this post, the Eximstats database uses the SQLite database engine, which is fairly similar to MySQL, but with one major difference: a SQLite database is just one file, unlike a MySQL database which is spread across many files. This makes the whole process of analyzing the database fairly simple. All you need to do is the following:

  • Install phpLiteAdmin onto the server (phpLiteAdmin is the phpMyAdmin equivalent for SQLite). This can be done by issuing the following shell commands on the server:

    cd /home/[cpanel-user]/public_html
    mkdir phpliteadmin
    cd phpliteadmin
    wget https://bitbucket.org/phpliteadmin/public/downloads/phpLiteAdmin_v1-9-7-1.zip
    unzip phpLiteAdmin_v1-9-7-1.zip

  • Copy the Eximstats database to the newly created phpliteadmin folder:

    cp /var/cpanel/eximstats_db.sqlite3 /home/[cpanel-user]/public_html/phpliteadmin/

    Note: by default, the Eximstats database retains data for one month.

  • Point the phpLiteAdmin application to use the Eximstats database that was just copied:

    cd /home/[cpanel-user]/public_html/phpliteadmin
    mv phpliteadmin.config.sample.php phpliteadmin.config.php

    After doing the above, open the file phpliteadmin.config.php and then change the following code:

    $databases = array(
            array(
                    'path'=> 'database1.sqlite',
                    'name'=> 'Database 1'
            ),
            array(
                    'path'=> 'database2.sqlite',
                    'name'=> 'Database 2'
            ),
    );

    to:

    $databases = array(
            array(
                    'path'=> 'eximstats_db.sqlite3',
                    'name'=> 'Database 1'
            ),
    );

  • Launch the phpLiteAdmin application by pointing your browser to https://www.[yourjoomlawebsite].com/phpliteadmin.

  • Log in with the password “admin” (without the quotes).

  • Check the sends table for an abnormal volume of sent emails (abnormal, in this context, is fairly subjective).
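
The check in the last step can also be scripted. The following is an added example, not code from the original post: it counts sent emails per cPanel user per day and flags days far above that user's usual volume. The sendunixtime and user column names, the thresholds, and the sample rows are assumptions made for illustration.

```python
import sqlite3
from statistics import median

# Column names (sendunixtime, user) are assumptions about the `sends` table;
# confirm them with "PRAGMA table_info(sends)" on your own server.
DAILY = """SELECT user, date(sendunixtime, 'unixepoch') AS day, COUNT(*)
           FROM sends GROUP BY user, day ORDER BY user, day"""

def open_readonly(path):
    """Open the live database in place, read-only, so no copy lands in public_html."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def daily_counts(conn):
    """Return {user: {day: emails_sent}}."""
    counts = {}
    for user, day, sent in conn.execute(DAILY):
        counts.setdefault(user, {})[day] = sent
    return counts

def flag_spikes(counts, factor=10, floor=50):
    """Flag days where a user sent >= floor emails and more than factor x
    the median of that user's other days (thresholds are arbitrary defaults)."""
    flagged = []
    for user, days in counts.items():
        for day, sent in days.items():
            others = [n for d, n in days.items() if d != day]
            baseline = median(others) if others else 0
            if sent >= floor and sent > factor * baseline:
                flagged.append((user, day, sent, baseline))
    return flagged

def build_sample():
    """Constructed data: 'joomla' sends 30-40 emails a day, then 3,000 in one day."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sends (sendunixtime INTEGER, user TEXT, email TEXT)")
    base = 1700006400  # 2023-11-15 00:00:00 UTC
    volumes = {"joomla": [30, 35, 40, 35, 32, 3000], "blog": [5, 5, 5, 5, 5, 5]}
    for user, per_day in volumes.items():
        for i, n in enumerate(per_day):
            rows = [(base + i * 86400 + j, user, "rcpt@example.com") for j in range(n)]
            conn.executemany("INSERT INTO sends VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    for user, day, sent, baseline in flag_spikes(daily_counts(build_sample())):
        print(f"{user} sent {sent} emails on {day} (typical day: {baseline})")
```

On a real server, pass open_readonly("/var/cpanel/eximstats_db.sqlite3") to daily_counts as root; this reads the database in place, so no copy of the mail log has to sit under public_html.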

If you find anything out of the ordinary in the Eximstats database (e.g. a huge number of sent emails), then your Joomla website is likely hacked. Try our super quick shell commands to find the hacked files on your Joomla website. If you can’t find anything, then it would be a good idea to contact us. We are experts in Joomla security, we will clean your website, and you won’t have to sell your business to cover our fees!
