Joomla Hacked: Symptoms, Vulnerabilities & Fixes
Contents of This Guide
- 1 Joomla Hacked? These Joomla Vulnerabilities Could be the Reason
- 1.1 Signs of a Joomla Hack
- 1.2 Joomla Security Issues
- 1.3 Cleaning a Joomla Hack
Joomla Hacked? These Joomla Vulnerabilities Could be the Reason
Joomla is a free, open-source CMS that has been helping people build and maintain robust websites. There is a long-standing debate about which CMS is best, WordPress or Joomla; Joomla outperforms its rival in flexibility and security. It powers some of your favorites, such as Pizza Hut and Harvard University. However, because it is open source, its source code is publicly available, and more developers looking through the code means more vulnerabilities are discovered in the Joomla CMS. Together with its popularity, this makes a Joomla hack relatively common these days. Even this year, multiple Joomla security issues have been discovered, including Joomla XSS, file intrusion, and Joomla SQL injection. These issues have kept the security team busy throughout the year, and website cleanup becomes a tedious task as more and more bugs are discovered. According to the official Joomla website:
A CMS-powered website has all the ingredients for an IT security nightmare: it is publicly accessible, it’s running on powerful machines with great connectivity and the underlying system is used countless times around the globe, making it an attractive target for attackers.
Signs of a Joomla Hack
- A Google search shows 'This site may be hacked' in the meta description.
- Cryptocurrency mining in the background.
- DNS redirection for your website.
- Index page defaced or replaced by a Joomla hack.
- Logging you out of admin account.
- New admins appear.
- Page loading gets slow or bulky.
- Previously non-existent spam starts to appear on your site.
- The site gets blacklisted by Google for 'malware' or 'phishing'.
- This spam also includes ads and unwanted redirects.
- Unnatural traffic spike on your site. You can check all this using Google Webmaster Tools.
- The CMS or other software may be broken, especially the firewall!
Joomla Security Issues
1) Joomla Vulnerability: Joomla SQL Injection
SQL injection is one of the significant Joomla security issues, and Joomla has a long history of SQL vulnerabilities. An SQL injection is the result of unsanitized input: you trust the user with input and all kinds of things can go wrong. Joomla SQL injection dates back as far as 2008, when it was due to the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla. This year too, multiple Joomla SQL injection points have been found. The latest Joomla SQL injections this year include CVE-2018-8045. Multiple vulnerable components were discovered this year. However, to simplify things we will focus on the latest one. The 'jimtawl' component of Joomla is vulnerable to SQL injection. The vulnerability resides in the parameter 'id'. A simple post statement would look like this:
However, the problem arises if a user provides unsanitized input after the parameter 'id'. Things can escalate from there. It can be exploited using an 'error based and' statement.
' AND EXTRACTVALUE(66,CONCAT(0x5c,(SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))-- VerAyari
So, the code given above can be used to exploit it. It prints the user info and database version of the server, and it can be tweaked to execute all kinds of database operations. Recently, details regarding this have been released on exploit-db, which means they are publicly visible to all. So even a noob can cause a Joomla hack, especially using tools like sqlmap, which would automate the whole process. So this component is one of the Joomla security issues on your site. Avoid it until it's patched!
2) Joomla Vulnerability: Joomla XSS
For instance, this piece of code steals the user cookie. This one is a reflected XSS, which means the attacker can create a special request. Sending this request can be used for phishing or cookie stealing. Furthermore, tools like Xsser can help to automatically detect and exploit websites.
- Insert fake forms on the site.
- Steal user cookies.
- Change the complete appearance of the site.
- Used for injecting spam.
- Used for fake redirects.
4) Joomla Vulnerability: Phishing
Phishing attacks are often deployed to commit a Joomla hack. A phishing attack makes a legitimate user believe in fake pages. The unwary user then submits sensitive info to the page. This info is then read by the attacker to gain access to the system. Multiple methods are used for phishing like:
- Fake login pages.
- Phishing Emails.
- Phishing phone calls.
- Fake update pages etc.
- Using Joomla security issues like XSS for phishing.
A new type of phishing attack is on the rise nowadays. First, it shows a login page in a minimized container.
This looks like any other legitimate page. However, the trick lies in minimizing the page. The user can see only the first few words of the URL. So he/she may assume the page to be legitimate.
However, when the full URL is exposed, the scenario is different. It was a fake page set up by MaliciousSITE.com. It is no big deal for it to gain an HTTPS certificate. Moreover, certain advanced tricks like URL encoding come in handy for attackers. This makes the page look just like the real page. So always beware of opening any Joomla login links!
5) Joomla Vulnerability: Pharma Hack
Joomla websites are good targets for SEO spammers, mostly owing to their popularity. Spammers use these websites to spread their ads, mostly showing pharmaceutical products, especially pills. The bulk of SEO spam infected websites can be searched on Google. A simple Google Dork like inurl: "viagra" "powered by Joomla" can do the trick. The search query then shows something like this.
As we can see, all these Joomla websites are infected with SEO spam. Their meta description shows 'viagra' ads. Multiple Joomla vulnerabilities can be used to inject this spam. Probably it could be a code injection or any other Joomla hack. However, the results are devastating for the website. The website loses its reputation and user trust. It can be hard to recover search rankings after a Pharma Hack.
6) Joomla Vulnerability: Misconfigured Server
Sometimes, in case of a Joomla hack, a faulty server could be responsible. Often a lack of proper permissions on the server can wreak havoc. In Joomla installations, by default, the .htaccess file has write permissions. This could let an attacker gain sensitive info. Multiple things can go wrong with the servers, like:
- Weak credentials.
- Open ports.
- Forgotten sub-domains.
- Outdated installations.
- Unprotected DNS server.
- Multiple websites sharing the same space without subnetting. So if one is infected it spreads.
So, the server installation needs to be checked from time to time. Weak file permissions and errors expose sensitive info. Therefore server security is vital to avoid a Joomla hack.
Cleaning a Joomla Hack
1) Fixing Joomla Hack: Database Cleanup
First, begin by cleaning the infected database. Joomla SQL injection can create new database users. To look for new users created after a specific date, use the following code:
-- Replace My_Date with a date written like 'January 15 2018' so it matches '%M %d %Y'.
SELECT * FROM users AS u
WHERE u.created > UNIX_TIMESTAMP(STR_TO_DATE('My_Date', '%M %d %Y'));
Once rogue users are found, delete them using the SQL statement Drop User;. Beyond this, to avoid future infections:
- Sanitize the user input.
- Restrict database permissions to the account.
- Restrict database error disclosure to local only.
- Use type casting wherever possible.
2) Fixing Joomla Hack: Securing the Server
Even when the installation is secure, faulty servers can cause a Joomla hack. Although there is a big list of Joomla security issues, certain key points to remember are:
- Close any open ports.
- Remove the unused subdomains.
- Check regularly for configuration issues.
- If you are sharing a server go for subnetting. Or use a VPN.
- Block the error messages leaking info.
- Give strong and random passwords to FTP accounts and database!
- Make sure you use a firewall or some sort of security solution.
3) Fixing Joomla Hack: Setting Permissions
- Primarily, ensure that no user can upload executables like .aspx etc. Only image files are to be uploaded on the server.
- Now move on to set the file permissions for the server. Perhaps the most sensitive file is the .htaccess file. So, to set proper file permissions, set your .htaccess to 444 (r--r--r--) or maybe
- Also, ensure that your PHP files cannot be overwritten. Therefore you need to set
- Most importantly, use the popular file extensions. Joomla is a pretty big CMS, so alternatives are always there. Popular extensions get updates faster in case of a vulnerability. So most of the time, try to go with the popular demand!
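An added example (not from the original guide) that audits a web root for the conditions in the list above: a writable .htaccess, PHP files that group or other users can overwrite, and non-image files in the upload directory. The images/ upload path, the function names and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report permission problems in a Joomla web root.
# Assumption: uploads land in <root>/images; adjust for your site.

audit_perms() {
    root=$1
    # .htaccess with any write bit set (the guide recommends 444)
    find "$root" -type f -name .htaccess \
        \( -perm -200 -o -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE_HTACCESS /'
    # PHP files that group or other users could overwrite
    find "$root" -type f -name '*.php' \
        \( -perm -020 -o -perm -002 \) | sed 's/^/LOOSE_PHP /'
    # Files in the upload directory that are not images
    # (index.html placeholder files are allowed)
    find "$root/images" -type f ! \( -name '*.jpg' -o -name '*.jpeg' \
        -o -name '*.png' -o -name '*.gif' -o -name 'index.html' \) |
        sed 's/^/NON_IMAGE_UPLOAD /'
}

# Constructed demo tree (not real site files); prints its path.
build_perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/images"
    : > "$d/.htaccess";          chmod 644 "$d/.htaccess"
    : > "$d/index.php";          chmod 644 "$d/index.php"
    : > "$d/configuration.php";  chmod 666 "$d/configuration.php"
    : > "$d/images/logo.png";    chmod 644 "$d/images/logo.png"
    : > "$d/images/upload.aspx"; chmod 644 "$d/images/upload.aspx"
    echo "$d"
}

demo=$(build_perm_demo)
audit_perms "$demo"
rm -rf "$demo"
```

An empty result means none of the three conditions was found under the given root.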
4) Fixing Joomla Hack: Check Modified Files
$ mkdir joomla
$ cd joomla
First, we created a directory named joomla and switched over to it.
$ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
The wget command downloads the Joomla files from GitHub. The second line then extracts them.
$ diff -r joomla-3.6.4 ./public_html
Finally, the diff command compares the contents. This time we are looking at the public_html directory. Similarly, you can check multiple files. Moreover, the files can be checked manually: just log in using any FTP client and check the files. SSH enables you to list file modifications.
$ find ./ -type f -mtime -15
This command, run over SSH, reveals the files modified in the last 15 days. Similarly, you can change the time window. Look out for any recently modified files!
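The diff and find checks above, extended into a script that classifies each difference against the clean package and lists recently changed PHP files (an added example, not from the original guide). The function names and demo trees are constructed for illustration; on a real site the ADDED list also contains legitimate uploads and configuration, so review the PHP files in it first.

```shell
#!/bin/sh
# Added example: compare a clean Joomla package with a live web root.

# compare_trees CLEAN_DIR LIVE_DIR
# Prints "MISSING <path>", "MODIFIED <path>" or "ADDED <path>", one per line.
compare_trees() {
    clean=$1
    live=$2
    # Files shipped in the clean package: deleted or altered on the live site?
    (cd "$clean" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "MODIFIED $f"
        fi
    done
    # Files that exist only on the live site
    (cd "$live" && find . -type f) | sort | while IFS= read -r f; do
        [ -f "$clean/$f" ] || echo "ADDED $f"
    done
}

# recent_php LIVE_DIR DAYS: PHP files changed within the last DAYS days
recent_php() {
    (cd "$1" && find . -type f -name '*.php' -mtime "-$2") | sort
}

# Constructed demo trees (not real Joomla files); prints the parent path.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/libraries" "$d/live/libraries" "$d/live/images"
    echo '<?php // core index'  > "$d/clean/index.php"
    echo '<?php // core loader' > "$d/clean/libraries/loader.php"
    echo '<?php // core index'  > "$d/live/index.php"
    echo '<?php // core loader plus an injected line' > "$d/live/libraries/loader.php"
    echo '<?php // unknown script' > "$d/live/images/x.php"
    echo "$d"
}

demo=$(build_demo)
compare_trees "$demo/clean" "$demo/live"
rm -rf "$demo"
```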
Fixing Joomla Hack: Check User Logs
System logs are the best tool to identify the cause of a Joomla hack. System logs record
all the previous activities that took place. So whenever an XSS or SQL injection takes place,
there is always a record of the request. Furthermore, the hackers tend to create new admin
accounts. If you wish to check for any suspicious users, then:
- First, log in to your Joomla Dashboard.
- Now, click on Users and select Manage.
- Here check for suspicious users. Especially those recently registered.
- Now proceed to Remove any unknown users.
- Also, check the Last Visit Date.
- Find out where the server logs are stored. Use it to identify Joomla SQL injection etc.
- If you see users logging in from unknown IPs, remove them.
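An added example (not from the original guide) of searching an access log for the request markers discussed in this guide, such as EXTRACTVALUE or CONCAT in a parameter or an encoded script tag, and counting hits per client IP. The log lines are constructed samples using documentation IP ranges, and the pattern list is a starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example: count suspicious requests per client IP in an access log.
# Covers query strings only; POST bodies are not written to a standard access log.

PATTERN='extractvalue(\(|%28)|concat(_ws)?(\(|%28)|union(\+|%20| )+select|(<|%3c)script|document\.cookie'

# scan_log FILE -> lines of "<client-ip> <hits>", sorted by IP
scan_log() {
    grep -Ei "$PATTERN" "$1" |
        awk '{ hits[$1]++ } END { for (ip in hits) print ip, hits[ip] }' | sort
}

# suspicious_requests FILE -> "<client-ip> <request path>" for manual review
suspicious_requests() {
    grep -Ei "$PATTERN" "$1" | awk '{ print $1, $7 }'
}

# Constructed sample log in combined format (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [12/Mar/2018:10:00:01 +0000] "GET /index.php?option=com_content&id=7 HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2018:10:01:22 +0000] "GET /index.php?option=com_example&id=1%27%20AND%20EXTRACTVALUE(66,CONCAT(0x5c,USER()))--%20x HTTP/1.1" 500 312
198.51.100.7 - - [12/Mar/2018:10:01:25 +0000] "GET /index.php?option=com_example&id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 312
203.0.113.44 - - [12/Mar/2018:10:05:09 +0000] "GET /index.php?q=%3Cscript%3Edocument.cookie%3C/script%3E HTTP/1.1" 200 4810
EOF
}

log=$(mktemp)
write_sample_log "$log"
scan_log "$log"
rm -f "$log"
```

Point scan_log at the server's own access log once you have located it; the IPs it reports are the ones to compare against the user list and Last Visit Date.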
Moreover, use the Google diagnostic report to find the cause. It gives you a comprehensive view
of your site. If your site is blacklisted, work closely with Google. The diagnostic report will give
you the cause for blacklisting. Use it to find and weed out the infection!
Fixing Joomla Hack: Update
Most of the time a Joomla hack takes place due to unpatched files. Ensure all your modules are updated. Also, make sure the server software is up to date. Always turn on Automatic Updates. It may sound resource consuming but it is a secure practice. Joomla security issues can keep you busy. So, if you find it difficult to clean the Joomla hack, consult experts.