My Joomla Is Infected with Malware — Git to the rescue!

Joomla, like almost every other open source CMS, ends up very vulnerable, not because it is bad at its core, but because most users don't care about updates and published security issues.

They chmod everything to 777, install pirated components from torrents, and everything is just fine. After a few months or years, the party starts.

TL;DR: Once a clean copy of the site is committed to Git, git status lists every file that was changed or added since that commit, which is exactly the set of files a malware script dropped or modified.

SPAM mail example

A few days ago a friend called and asked about a site I had built back in 2013. It was full of different malware scripts, and the mail queue was always full of SPAM that was being sent out through their infrastructure. Even in the web root there was a directory called 'anal-xs4s', full of different malware PHP scripts.

Joomla itself was up to date, but the components weren't, and someone was able to get in and infect the server.

Ideally, the best solution would be to export the articles and pages, burn everything with fire and reinstall from scratch. Unfortunately for me, this wasn't possible.

I wish I used Git back then…

I was thinking about tricks and solutions I could pull on this and got an idea: "Hey, I can just use Git to check what files have changed and reset them!" A great idea, if you had been using Git from the start. I could have run git status, listed the files that were changed (i.e. infected) and rolled them back. The catch is that this only works if the repository existed before the break-in and the attacker didn't touch the .git directory itself; Git can only compare against a baseline you recorded while the site was still clean.

Malware cleanup

Since I couldn't just git init the infected site (that would have enshrined the malware as the "known good" baseline), I had to clean the project first. These are the steps I used; maybe you will find them useful:

  1. Run an antivirus scan to identify files containing known malware. In our case the scanner flagged dozens of files with a .suspected extension, and we deleted them.
  2. Analyze one of the infected files: decode the base64-obfuscated code and figure out what Mr. Bad Guy wants to do.
  3. Using grep, look for similarly infected files by searching for keywords such as base64 and eval (base64_decode, gzinflate and str_rot13 are other common markers of obfuscated PHP). This takes time: Joomla core and legitimate extensions also use some of these functions, so you have to separate what is really infected from what is merely suspicious.
  4. Disable known dangerous functions. Note that eval is a language construct in PHP, so php.ini's disable_functions cannot switch it off; it can, however, block system, exec, shell_exec, passthru, popen and proc_open, which is what the dropped web shells actually call.
  5. Once the project is clean, initialize a repository with git init and commit everything as the baseline. Ignore volatile directories (cache, logs, tmp) so later checks aren't buried in noise, and make sure the .git directory is not reachable through the web server, otherwise you have just published configuration.php with your database password.
  6. Monitor changes with git status (untracked files are dropped files, modified files are patched ones) and stay safe.

Additionally, you have to fix directory and file permissions: 644 for files and 755 for directories, nothing 777. Also, uninstall all modules and components you aren't really using; every unused extension is attack surface that nobody updates.

Do you have your own method for malware cleanup? Let me know!

Originally published on December 30, 2015.
