Help Site License

The Joomla! Help Site content is copyright © 2005 - 2008 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution NonCommercial ShareAlike 2.5. Some parts of this website may be subject to other licenses.

RECOVERY: Help! My site's been compromised. Now what?
Author(s): Rliskey
Experience level: Beginner
Contributors:
Joomla! version: 1.0
Date added: Tuesday, 17 April 2007
Date last changed: Thursday, 26 July 2007
 

Directions

  1. Change all relevant passwords
    Assume your passwords have been harvested and immediately change all critical passwords, including shell access, FTP access, Joomla! Administrator accounts, and the database account.
  2. Check raw logs
    Identify when and how the attackers gained access to your site by carefully reviewing your raw server logs. Make careful note of the date/time and names of attacked files. Note that these logs may have been deleted or altered, so a lack of evidence does not prove a lack of activity.
  3. List recently modified files
    Before making any changes to your site, generate a list of recently modified files. Here's a PHP script that will list the files for you. Remove this script as soon as you have your list, and don't publish a link to it!
  4. Note suspicious newly-created files
    Use this list to identify new files that don't belong. Pay particular attention to their creation and modification dates, and correlate them to the dates of attacks shown in your log files.
  5. Note suspicious recently-modified files
    Check the modified files list for any files that were recently changed. Pay particular attention to their modification dates, and correlate them to the dates of attacks shown in your log files.
  6. Check for bogus cron jobs
    Hacked cron jobs can be set up to reinfect your site over and over again.
  7. Coordinate with your host
    If you have identified how you were cracked, report the method to your host. If you are on a shared server, you may have been attacked through another vulnerable site on your server. Report this to your host. A reputable host will appreciate your efforts in this area.
  8. Delete the entire public_html directory
    This is the best way to guarantee that every potential vulnerability in that site is removed.
  9. Delete related database records
    This step may only be possible if you have good backups. Simple script kiddies, who are only trying to mark your index page, may not attack your database, but professionals are usually very interested in confidential data, such as passwords. They may pose as script kiddies to avoid suspicion while repeatedly harvesting confidential information from your database.
  10. Reinstall everything
    Use pre-crack backups. If you don't have good backups, go on to step 10.
  11. Reset critical passwords again
    You must reset your passwords again now that your server is finally cleaned of any possible hidden trojan horses.
  12. Rebuild site
    If you are unable to rebuild from clean backups, rebuild your entire site using original, pre-crack installs. Use only the latest stable versions of all software, and check the List of Vulnerable Extensions.
  13. Review security processes
    Follow standard security precautions for important settings in php.ini, globals.php, configuration.php, .htaccess, etc.
  14. Review backup processes
    If you don't already have one, add a dependable backup process to your site administration practices.
  15. Stay watchful
    Attackers often return repeatedly. Closely monitor your raw logs for suspicious activity.
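
For steps 3 to 5, if you have shell access, the listing can also be produced from the command line. This is an added example, not the PHP script this FAQ refers to; it assumes GNU find and awk, and the function name `recent_files` and the path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not the FAQ's PHP script). Assumes GNU find, sort and awk.
#
# recent_files DIR DAYS
#   Lists regular files under DIR whose contents (mtime) or inode metadata
#   (ctime) changed within the last DAYS days, most recent change first.
#   Output columns, tab-separated: FLAG  MTIME  CTIME  PATH
#
#   FLAG is BACKDATED when mtime is more than one day older than ctime.
#   The modification date can be set to any value by whoever writes the
#   file, but ctime is stamped by the kernel, so a file that claims an old
#   modification date yet has a recent ctime deserves a closer look.
#   This is a lead, not proof: files restored from an archive with their
#   original dates, or files that were only chmod'ed, look the same.
#   Correlate flagged entries with the attack times in your raw logs.
#
#   Paths containing tabs or newlines will break the column layout.
recent_files() {
    dir=$1
    days=$2
    tab=$(printf '\t')
    find "$dir" -type f \( -mtime "-$days" -o -ctime "-$days" \) \
        -printf '%T@\t%C@\t%TY-%Tm-%Td %TH:%TM\t%CY-%Cm-%Cd %CH:%CM\t%p\n' |
    LC_ALL=C sort -t "$tab" -k2,2nr |
    LC_ALL=C awk -F '\t' '{
        # $1 = mtime (epoch seconds), $2 = ctime (epoch seconds)
        flag = ($2 - $1 > 86400) ? "BACKDATED" : "-"
        printf "%s\t%s\t%s\t%s\n", flag, $3, $4, $5
    }'
}

# Usage (placeholder path), saving the list outside the web root:
#   recent_files /path/to/public_html 14 > "$HOME/recent-files.txt"
```

Run it before deleting or restoring anything, since both operations change the timestamps the listing depends on.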

More Information

  1. Joomla! Admin Security Checklist
  2. You think your site got hacked? Read this first, please!!!
  3. Discussion topic for this FAQ

 

 

 


Last Updated Thursday, 26 July 2007