Security Checklist 7

We apologise for any basic language used in this document. Before you post in the Joomla security forum, please read this checklist summary, then use it as a post template.


Online Action List

  • Take your site offline temporarily to prevent others from being infected.


  • Ensure you have the latest version of Joomla
  • Notify your host and work with them to clean up the site, and to make sure there are no back doors to your site.
  • Review and action the Security_Checklist to make sure you have gone through all of the steps (some steps are optional, but please review them all).
  • Change all passwords and, if possible, user names for the domain's control panel, MySQL, FTP, the Joomla Super Admin and the Joomla Admin accounts, and change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common words or phrases. Do not use the standard Admin user; disable it. If you need to reset your admin password, see these instructions.
  • Replace all templates and files with clean copies.
  • Check and/or replace all .pdf, image and photo files for exploits.
  • Check your server logs for IPs requesting suspicious files or sending POST requests to pages that have no forms.
  • Use proper permissions on files and directories: a maximum of 644 for files and 755 for folders, with no exceptions.

If you have SSH (secure shell) access via PuTTY or SFTP, you can chmod the files and directories yourself. Run the following commands from within the public_html (or similar) directory. For files use:

 find -type f -exec chmod 644 {} \; 

and for directories use:

 find -type d -exec chmod 755 {} \; 
  • Request to be moved to another server running PHP as CGI with suPHP and up-to-date server-side software (Apache, PHP etc.) at your existing host, or find another hosting provider if necessary.


To check for recent file changes on your system, use these commands, either manually or from a cron job, run from the directory above your web root:

 find public_html -ctime -1 

or

 find public_html -mtime -1 

Please note the location of your files may be public_html or httpdocs or similar.

To protect directories that seem to need 777 permissions to work, or that are writable by default such as your images/media folder, place the following in a .htaccess file inside the writable folder:

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

This is especially important in your images folder. Apache will refuse every extension listed with a 403 error, including .htm, so the list only suits a directory that serves nothing but media.

  • Make sure this .htaccess file is placed only in directories that should never run any scripts, or remove extensions from the list as required.
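The permission, recent-change and upload-directory checks above can be run together from one script. This is an added example, not code from the original checklist; it assumes GNU find and the images/ and media/ folders of a standard Joomla layout.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit a Joomla site root for
# the conditions the checklist tells you to look for. Assumes GNU find.

# 1. Anything looser than 644 for files or 755 for directories.
#    /7133 = any of setuid/setgid/sticky, group-write, other-write or an execute bit;
#    /7022 = any of setuid/setgid/sticky, group-write or other-write.
find_loose_perms() {
    find "$1" -type f -perm /7133 -print 2>/dev/null
    find "$1" -type d -perm /7022 -print 2>/dev/null
}

# 2. Files modified, or whose inode changed, within the last N days: the
#    checklist's -mtime/-ctime check with the day count as a parameter.
find_recent_changes() {
    find "$1" -type f \( -mtime -"$2" -o -ctime -"$2" \) -print 2>/dev/null
}

# 3. Script files inside upload directories that should hold only media.
#    The extension list mirrors the AddHandler line in the checklist's .htaccess.
find_scripts_in_uploads() {
    for d in images media; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.pl' \
            -o -iname '*.py' -o -iname '*.cgi' -o -iname '*.sh' -o -iname '*.shtml' \) -print
    done
}

# 4. Upload directories missing the "Options -ExecCGI" guard from the checklist.
find_unguarded_uploads() {
    for d in images media; do
        [ -d "$1/$d" ] || continue
        grep -qs 'Options[[:space:]]*-ExecCGI' "$1/$d/.htaccess" || echo "$1/$d"
    done
}

audit_site() {
    echo "== looser than 644/755 ==";               find_loose_perms "$1"
    echo "== changed in the last $2 day(s) ==";      find_recent_changes "$1" "$2"
    echo "== scripts under images/ or media/ ==";    find_scripts_in_uploads "$1"
    echo "== upload dirs without -ExecCGI guard =="; find_unguarded_uploads "$1"
}

# Usage: sh audit.sh /home/user/public_html 1
if [ $# -eq 2 ]; then audit_site "$1" "$2"; fi
```

Anything reported under the first or third heading should be fixed or removed before the site goes back online; the second heading is the list to compare against your own recent edits.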

Do check with your hosting provider whether they have deliberately secured the server your site is on, and that they or you perform regular (weekly) security updates to keep the server up to date. Check that you have a jailed shell. A rule of thumb is the less you pay, the less they care.

A Safe Route for Disaster Relief

  • Save the configuration.php file and your images and personal files one by one (not the whole folder).
  • Wipe the entire Joomla installation folder.
  • Upload a new clean copy of Joomla 1.5.15 (minus the installation folder).
  • Re-upload your configuration file, images and templates (better still, use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site).
  • Reinstall the latest versions of your extensions.

Doing this will take your site offline for around 15 minutes. Tracking down hacked/defaced HTML by hand may take hours or even longer.


Local Security

  • Don't store user names or passwords in your FTP program.
    • Use a password manager such as the free KeePass.
  • Scan all machines that have FTP, Joomla Super Admin or Joomla Admin access for malware, viruses, trojans, spyware, etc.

Other Considerations

  • Do not use the standard jos_ table prefix, and avoid one-click installers where possible.
  • Use SFTP instead of FTP where possible.
  • Check for any added sub-domains and/or added directories.
  • Check cron for any jobs not set up by the domain administrator.
  • Download and Review raw access and error logs.
  • Add any IPs you identified to the IP ban list on your site, bearing in mind that an address may belong to a proxy site.
  • Was your site hacked in the past without proper site sanitation to remove the actual (and hidden) hack, leaving a backdoor for reinfection?
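The log review called for in the action list and again above (IPs requesting suspicious files, POSTs to pages without forms, raw access logs, IP ban list) can be scripted against an Apache combined-format access log. This is an added example, not part of the original checklist; the POST allowlist is a hypothetical starting point for a Joomla 1.5 site and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist: triage an Apache combined-format
# access log for the two patterns the checklist names. The allowlist and the sample
# log lines below are constructed for this example; adjust the allowlist to your site.

# Request paths that legitimately receive POSTs on a stock Joomla 1.5 site
# (hypothetical allowlist: the front-end and administrator entry points).
POST_ALLOWLIST='^/index[.]php|^/administrator/index[.]php'

# Print "ip<TAB>reason<TAB>method path" for every suspicious request.
flag_requests() {
    awk -v allow="$POST_ALLOWLIST" '
    {
        ip = $1
        method = substr($6, 2)        # $6 is the quoted method, e.g. "POST
        path = $7
        sub(/\?.*/, "", path)         # drop the query string
        if (method == "POST" && path !~ allow)
            printf "%s\tPOST to non-form path\t%s %s\n", ip, method, path
        if (path ~ /^\/(images|media)\/.*\.(php|phtml|pl|py|cgi|sh)$/)
            printf "%s\tscript under upload dir\t%s %s\n", ip, method, path
    }' "$@"
}

# Rank source IPs by number of suspicious requests, busiest first.
rank_ips() {
    flag_requests "$@" | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "POST /index.php?option=com_user&task=login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:12:01:10 +0000] "POST /images/stories/shell.php HTTP/1.1" 200 812 "-" "curl/7.19"
198.51.100.7 - - [10/Mar/2010:12:01:11 +0000] "POST /templates/beez/index.php HTTP/1.1" 200 45 "-" "curl/7.19"
192.0.2.33 - - [10/Mar/2010:12:02:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
)

# Usage: sh triage.sh /path/to/access.log   (with no argument it runs on the sample)
if [ $# -gt 0 ]; then rank_ips "$@"; else printf '%s\n' "$SAMPLE_LOG" | rank_ips; fi
```

On the sample only 198.51.100.7 is flagged, for the POST to a script under images/ and the POST to a template file; the legitimate login POST to /index.php and the image download are not.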

Malicious Code or Odd Links appearing on your site

Check whether the original template file itself inserts the unwanted code, especially if you downloaded a paid-for template from an untrusted source, e.g. a file-sharing site.

Gumblar does not exploit any particular script vulnerability. Its script is injected into every web page on a site (I would imagine, though have not confirmed, that if an infected page is edited and then saved it will also end up in the database). The script changes every time it is accessed. It has been seen on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs and on proprietary PHP sites. The script starts with (function( , has no name and is obfuscated. A common Gumblar version breaks sites due to a bug in the script.

iFrames

In recent iframe exploits the malicious code was only injected into files with the most common filenames (e.g. index.html, index.php, etc.). See the related forum sticky.

Contributors & Editing

mandville PhilD fw116 JeffChannell dynamicnet
