3. Other common indicators of a hacked site
• Blacklist warning by Google etc.
• Warnings from web host regarding resource usage
• Complaints from customers
• Unusual file modifications (template, core files etc)
• Malicious new users created on your site
• Unexpected or abnormal browser behaviour
4. Immediate response
• Do you have a disaster recovery plan?
• What can you do quickly to minimize damage/exposure?
• Site offline / maintenance mode (if appropriate)
• Change passwords (cPanel, Joomla admin, etc.)
5. Why did my site get hacked?
• Deface / vandalize
• Spreading malware
• Hacker showing off
• Profit (e.g. cryptocurrency mining, spamming)
• Targeted attack, for example to obtain personal information
6. How did my site get hacked?
• Look for evidence in cPanel error logs/raw access logs
• 77.221.130.18 - - [09/May/2019:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"
• 77.222.40.87 - - [09/May/2019:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
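An added example (not from the presentation): a small Python script that parses cPanel/Apache combined-format access log lines like the two above and flags requests carrying directory-traversal or /proc/self/environ probes, so an administrator can see which client addresses were probing and whether any probe got something other than a 404. The log lines, client addresses (RFC 5737 documentation ranges) and extension names embedded in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/cPanel "combined" access-log format, as used by the raw access log entries above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (RFC 5737 documentation addresses, hypothetical
# extension names); the first two lines mimic the probes shown above.
SAMPLE_LOG = """\
192.0.2.10 - - [09/May/2019:08:54:59 +1000] "GET /index.php?option=com_example&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [09/May/2019:08:55:03 +1000] "GET /index.php?option=com_example&view=..%252F..%252F..%252Fetc/passwd HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [09/May/2019:09:01:10 +1000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def traversal_indicators(path):
    """Return the path-traversal / file-inclusion signs present in a request path."""
    decoded = unquote(unquote(path))  # catch single- and double-URL-encoded variants
    signs = []
    if "../" in decoded or "..\\" in decoded:
        signs.append("dot-dot-slash")
    if "/proc/self/environ" in decoded or "/etc/passwd" in decoded:
        signs.append("sensitive-file")
    if "%00" in path or "\x00" in decoded:
        signs.append("null-byte")  # the %00 seen in the probes above
    return signs

def scan_log(lines):
    """Return {ip: Counter} of indicator hits plus the HTTP statuses those probes received."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        signs = traversal_indicators(rec["path"])
        if signs:
            c = findings.setdefault(rec["ip"], Counter())
            c.update(signs)
            c["status " + rec["status"]] += 1  # a 200 to a probe matters far more than a 404
    return findings
```

Run it over a real raw access log with `scan_log(open("access_log").read().splitlines())` and review any address whose probes received a 2xx status first.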
7. Do I have any outdated or insecure extensions?
• Check Joomla! Vulnerable Extension List
https://vel.joomla.org/
11. Are there any other sites on this hosting account?
• Could the vulnerability be due to another site/app on the hosting account?
• For example, the recent Joomla Extension Directory vulnerability was caused by an outdated Stapler web framework used by Jenkins, which is the tool used for daily automated testing etc.
13. How does the hack affect your customers?
• Is there any personal/financial information exposure – do you need to report a mandatory data breach?
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
• Do you need to retain a copy of hacked files and logs for evidence/further investigation?
14. Recovery considerations
• Do you have a good (offsite) backup from before the hack? Will there be any data loss if you restored this?
• Have you addressed the source of the hack?
• Is manually cleaning the files appropriate (editing source code to remove injected code)?
• Should you reinstall Joomla over the top to restore core files?
• Can you fix this yourself, or do you need to engage security professionals?
• Do you need to change passwords (cPanel, Joomla admin users, MySQL, FTP accounts etc.)?
• Do you need to clean the database (remove users and suspicious content)?
15. Recovery considerations
• Do you need to contact your web host to remove a suspension?
• Do you need to request removal from blacklisting (e.g. Google Search Console)?
17. Hardening your site
• Firewall software (e.g. Akeeba Admin Tools or RSFirewall)
• .htaccess rules to block common exploits
• Make sure all software is up to date (core Joomla, extensions, PHP etc.)
• Limit who has admin/super user access
• Regular malware scans (both your site and computer)
• Regular review of logs, hosting resources etc. looking for suspicious activity
18. After your site is fixed
• Continue to monitor to ensure the site doesn’t get hacked again (maybe you missed the true source of the hack in your cleanup)
• Remember, security is not a one-off exercise: you should regularly review your site security and make incremental improvements as needed.