Your Joomla website got hacked or is infected? Malware, Spyware, Virus or Mail Spammers are living inside your website? Don't panic, you can Scan, Fix, Clean and Secure your website without losing any data. Read how the plugin Vik Secure can help you remove virus from your Joomla website.

Many Joomla webmasters have probably seen one of their websites being violated or hacked at least once. Luckily, you don't need to trash the entire website and re-build it on a different environment to make sure you are not copying a virus. We have a plugin that can help you sanitize your website to make it clean and safe to browse again: Vik Secure.

A few things you should know about hackers, spammers and bots...

Identifying the responsible of the hack is not an easy task, nor is it really necessary as long as you accomplish your goal, and even though there are no specific reasons why exactly your website was attacked among billions, for sure your website was violated due to a lack of security in one of the following things:

  • Server: it is very unlikely that your website was violated at server level, maybe through a rootkit exploit, or by stealing a password. If this was the case, any attempts to clean up your website would become vain if a backdoor is available on the server that hosts your site. Attackers could come back to bother you at any time in this case. We strongly recommend to clean up your website first, and then inform your hosting company to make sure the server configuration was not compromised during the attack.
  • Software: your Joomla core files should always be updated to the latest version of the official stable release in use. If you had not updated your Joomla core files in a long time, by missing many security updates, then this is probably why it was so easy to hack your website. The Joomla project is a public repository that anyone can check online at any time. If a security patch is released, then it is very easy for ill-intentioned people to see where was the security flaw, and which parts of the website were affected. By knowing the issues resolved, hackers, spammers and bots know what to attack on non-updated websites. Keep your Joomla files up to date!
  • Application: another common exploit can be accomplished by attacking your Joomla Template, Modules, Plugins and Components. An insecure or non-updated extension can open the doors of your website to hackers. It is true that sometimes, a new Joomla version can break your website template or main component, but the developers should be ready to release a patch or an update to be compliant with the new releases. It has happened before that some Joomla releases accidentally broke third party components in some functions, but after a couple of days there was already another Joomla release ready to fix such issues. A well coded Template or Component, should not be compromised by an official Joomla update, it's very rare, so keep your extensions up to date!

Why websites are hacked?

Most of the times, websites are attacked for no reason, maybe just for fun, or to let you know that your website is not secure. Since most of the attacks are performed by bots (computers that scan and attack websites to find vulnerabilities), no one cares about stealing your contacts or sensitive data. Also, even the "human" attacks are made in a smart way, because no one is looking to be sued for stealing data. However, this doesn't mean an attack has no "after the fact" consequences, and the consequences are never nice.

Joomla website clean and secure

What consequences does a hack bring?

Knowing that your website was hacked or hosts a virus is definitely not fun. This can actually harm your business and cause several problems if you don't react on time.
The most common post-factum results are the followings:

  • The hack made your website a spamming machine: if hackers don't care about stealing your data, they still want to damage the website violated by leaving some unwanted "presents". In fact, it happens many times that hacks leave/drop some PHP files onto your own web-server by hiding them into hidden folders, or by merging their code into files that were once safe (Infection). These code snippets are later called remotely by other bots, just like if they were visiting a page on your website. The bad thing is that these files will put your server IP address in many Blacklists because they can send up to 1000 email messages per minute. They basically send SPAM email messages by using your identity, and by using your server to deliver this heavy load of SPAM.
  • External Advertisement: links to your website may be redirecting your customers to external websites that you don't know. This is to produce traffic and impressions for Ads, or (sometimes) to simply merge porn contents with your website. This is made by filling your server with HTACCESS files, and by loading unwanted JavaScript code.
  • Backdoors: whenever your website is violated, the first thing hackers try to do is to avoid the risk of getting locked inside/outside your server. They basically want to make it even easier for the next times to access your website again. This practice is called "backdooring", as the name suggests, it consists in setting up a hidden way to re-access your website and cause as much damage they want once more. Moreover, you should know that backdoors are usually shared with other bots that were designed to cause damage to websites just for fun, or for one of the above mentioned reasons.

There are mainly two ways to open a backdoor:

  • Server Backdoors: really bad ones because it means that your entire server (or chroot'ed) configuration was compromised. Only your web-hosting company could remove this kind of backdoors as they are not part of your website. Server backdoors can be removed by restoring the correct file, users and daemons permissions, by changing passwords, and by making sure no extra ports were open in the server Firewall. A well protected server will never let hackers open a backdoor at server level.
  • Application Backdoors (also called Infection) are the most common type of exploit. This is usually made by infecting PHP files that were once safe, or by adding new files that can execute arbitrary code externally. Basically, hackers drop spies on your own server, like if these were pieces required by your Template or Modules, and they call them from the outside to cause more damages. We have seen many cases of backdoors opened at application level, and luckily, these are relatively easy to be removed to secure your site again. Just to give you an example, we saw many times websites full of .HTACCESS files that were redirecting the users to external porn/ads websites. Even though these files were removed manually via FTP, they kept coming back again in mass after some time. This is a clear example of how an application backdoor can let bots/hackers cause more damage.

How to check if your Joomla website was hacked or is infected

Red indicators for hacking attempts

If you happen to discover that one of the following situations is actually the one you are in, then your website was probably hacked. You are not the only one, and it's not the end of the world.

Indicator How to check it
The host suspended your website. Make sure you can visit and navigate your website pages regularly.
Your email messages are no longer delivered to all recipients, due to the fact that your server IP address is blacklisted. Ping your website with the Terminal to obtain your server IP address. Then look online for blacklisted IP addresses to see if yours is there.
Your browser is redirecting the users to other sites, links are not working, or some contents are different from the ones you created. Make sure to visit as many pages as possible of your website, and try to follow links especially to PDF files. Pay attention to strange behaviors.
The Search Engine Results Pages for your website show strange keywords and descriptions. Look up your website name on Google or other Search Engines to see if the results are the ones you'd expect to see.

Yellow indicators for hacking attempts

The following indicators show a couple of situations where your website was not hacked or violated, but you simply had some silly visitors that wanted to cause you a bit of trouble. Do not panic if you happen to discover some of the situations below, because your website is probably just safe and intact.

Indicator How to check it
Many, Malicious and New user accounts in the Joomla Users List. Open the Users Management page in Joomla to see the list of users you have. If you see a lot of malicious users listed, then it means that someone wanted to occupy a few thousands of records in your database. Nothing to be worried about, because Joomla allows (by default) the registration of new users. You can either turn it off from the Users Settings, or if you need this function, you can make the registration more secure by enabling the captcha verification system. Please remember that bots or hackers will always use the Joomla native registration form only to add unwanted users to your website. So you can ignore third party components because there are too many, and "attacks" are predictable, they are always the same!
SPAM messages for contact requests or newsletter sign up. If you receive a lot of fake contact requests from strange clients, or with strange contents, do not panic because your website was not hacked. There are people who have fun in developing bots that send fake contact requests. The solution is to enable a captcha verification system in the contact form, and to stop sending a confirmation email to the sender. This is because they mainly want to put your server IP address in blacklists, by sending SPAM messages to real recipients through your website.
Contact requests containing code. If you see some contact requests that contain pieces of code where you actually asked for the "subject", the "name", or the "email address", then it means that someone is trying to hack your website. In this case, it is not a bot (a computer), but a real person. However, this doesn't mean your website was already hacked! For those who may not understand a lot of code, just pay attention to words like "select", "drop", "delete", "insert", "truncate", "alter"... It's like looking for a scratch in the latch on the door to see if thieves tried to force it.

How to clean, sanitize and secure an infected website?

If you are reading this article, then you probably care more about this part than all the rest. Use our plugin Vik Secure to remove virus and SPAM from your Joomla website. Trusted by hundreds of websites everyday, Vik Secure has cleaned many devastated websites of our clients that were desperately looking for a way to not trash their entire site.

Our plugin Vik Secure does anything you need to resolve a desperate situation: it cleans up your website by performing smart scans of the entire website, it helps you remove or sanitize the infected files found, and then it lets you build up a solid firewall. Files scanner, Files sanitizer and Firewall: all you need to stay secure.

PROBLEM SOLVING

Just like how this hack-action was done, there must be a way to un-do it. Unless the hacker removed all your files and contents (in this case you just need a back-up copy of your site), there is merely always a solution to cancel the hack. The goal is the following:

  1. Find what viruses were dropped on your website.
  2. Remove or sanitize the infected files.
  3. Secure your website so that it won't happen again.

Based on our experience with unlucky customers, Vik Secure crashes the viruses, removes application backdoors and sanitizes infected files by following 5 steps:

  1. Restore the Joomla core files
    Open the component Joomla! Update from the administrator section and click the button "Reinstall Joomla core files" (or update to the latest version if you are not up to date). This procedure will automatically sanitize any previously core infected file. However, this would be too easy to solve the problem. Hackers are smart enough to place their hacks outside the core files, maybe inside core directories, but not only in core files.
  2. Scan your entire website
    Let Vik Secure scan your website to see what it founds as malicious or infected. The Scanner applies various security rules to all your files and database records, to gather a list of all the suspected files and activities.
  3. Analyze and sanitize the scanning results
    This is the most delicate operation because you now have a list that definitely contains the cause of your problems. The solution to removing the hack with all its virus lies within the results of the scan. Identifying the infected files may require some knowledge in coding (we offer technical analysis services with some plans of Vik Secure), but you can always use the function "Make Safe" that Vik Secure suggests for any malicious file found by the scanner.
  4. Secure your website with the Firewall
    Use the Configuration page of Vik Secure and follow our Documentation to see how you can secure your website. You can white-list certain IP addresses of yours, you can add to the blacklist certain Countries or IP addresses, and you can set up a Token to access the administrator section. Vik Secure will then auto-ban (blacklist) certain IP addresses after a certain number of failure login attempts.
  5. Change your passwords
    Some passwords of your website cannot be decoded by hackers as they are stored with a one-way encoding technique by Joomla. However, the database password is written by Joomla in plain text for obvious coding reasons in the file configuration.php, so even though most of the times hackers do not really care about your passwords, you should change the password for the following services, and anywhere else you used these passwords: FTP, Joomla Administrators, Database Users, CPanel, Mail Accounts.

What to do once the website is clean and working again?

The last things you should do to complete your medical operation is to request that your IP address is removed from the main blacklists, if it was listed on any (the request procedure changes from one blacklist to another, but you can just wait some time to be automatically removed), and that the Search Engines Results Pages are showing the correct meta-data for your website. All the above things can be accomplished by simply waiting some time. For the Search Engines Results Pages there is not much you can do to speed up the process, unless visiting your Webmaster Tools for Google for example. Instead, to temporarily resolve the Email Blacklist issue with the IP address, you should simply set up an SMTP account for the email sending functions in Joomla, from the Global Configuration page. You can use an SMTP service like Gmail or Hotmail if you don't need to send thousands of messages. Then, once you know you are no longer blacklisted, you can keep using your own IP address to send email messages through the internal PHP Mailer.

Purchase Vik Secure and install it on your website!

Purchase Vik Secure


We look forward to hearing your positive story with Vik Secure!