My Joomla Is Infected with Malware — Git to the rescue!
Joomla, like almost every other open source CMS, is very vulnerable, not because the core is bad, but because users mostly don't care about updates and security issues.
They chmod everything to 777, install pirated components from torrents, and everything seems just fine. After a few months or years, the party starts.
With git status you can easily detect changed files and, therefore, find which files were created by the malware script.
(Image: SPAM mail example)
A few days ago a friend called and asked about a site I had built back in 2013: it was full of different malware scripts, and the mail queue was always full of SPAM that was being sent out through their infrastructure. Even in the root directory there was a directory called ‘anal-xs4s’, full of malware PHP scripts.
Joomla itself was up to date but the components weren't, and someone was able to infect the server.
Ideally, the best solution would be to export the articles and pages, burn everything with fire and reinstall from scratch. Unfortunately for me, this wasn't possible.
I wish I used Git back then…
I was thinking about tricks and solutions I could pull on this and I got an idea: “Hey, I can just use Git to check which files have changed and reset them!” Great idea, if you had been using Git from the start. I could just run git status, list the files that have changed (i.e. are infected) and roll them back.
Since I couldn't just git init an infected site, I had to clean the project first. These are the steps I used; maybe you will find them useful:
- Do an antivirus scan to identify files infected with known malware. We got dozens of files with the .suspected extension and deleted them.
- Analyze one of the infected files: decode the base64 obfuscated code and figure out what Mr. Bad Guy wants to do. Then use grep to find similarly infected files by keywords such as eval. It will take some time to analyze and work out what is really infected and what is merely misused.
- Disable known dangerous functions such as
- Once the project is clean, initialize a git repo with git init.
- Monitor changes with git status and stay safe.
Additionally, fix directory and file permissions: 644 for files and 755 for directories. Also, uninstall all modules and components you aren't really using.
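To make the steps above concrete, here is an added example script that is not part of the original post. It greps a web root for a few common PHP obfuscation markers (the patterns are my assumptions, not from the post), resets permissions to 644 for files and 755 for directories, records the cleaned tree as a git baseline, and on later runs reports modified and untracked files from git status --porcelain. The web root path and the file names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the original post). It strings the post's
# steps together for a Joomla web root: grep for common PHP obfuscation
# markers, reset permissions to 644/755, record a clean git baseline, and
# later report anything that changed. The web root path, the file names in
# the usage block and the grep patterns are assumptions for illustration.

set -eu

# Extended regex of markers that obfuscated PHP droppers commonly use.
# Heuristic only: a hit means "review this file", not "this file is malware".
SUSPICIOUS_PATTERN='eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\('

# Print the path of every .php file under the web root that matches the
# heuristic, one per line. -I skips binaries, -l prints file names only.
scan_for_obfuscation() {
    webroot="$1"
    grep -rIlE --include='*.php' -e "$SUSPICIOUS_PATTERN" "$webroot" || true
}

# Reset permissions the way the post recommends: 755 directories, 644 files.
fix_permissions() {
    webroot="$1"
    find "$webroot" -type d -exec chmod 755 {} +
    find "$webroot" -type f -exec chmod 644 {} +
}

# Commit the cleaned tree as the baseline. The identity is passed inline so
# the command also works on a server with no global git configuration.
create_baseline() {
    webroot="$1"
    git -C "$webroot" init -q
    git -C "$webroot" add -A
    git -C "$webroot" -c user.name=baseline -c user.email=baseline@example.invalid \
        commit -q -m "Clean baseline after malware cleanup"
}

# Print files that differ from the baseline in porcelain format:
# " M path" modified, " D path" deleted, "?? path" untracked (new file).
# A new untracked .php file is the classic footprint of a dropped web shell.
report_changes() {
    webroot="$1"
    git -C "$webroot" status --porcelain
}

# Usage: sh git-baseline.sh /var/www/joomla   (first run: scan, fix, baseline)
#        sh git-baseline.sh /var/www/joomla   (later runs: report changes)
if [ "${1:-}" ]; then
    if [ -d "$1/.git" ]; then
        report_changes "$1"
    else
        echo "Files matching obfuscation markers (review before baselining):"
        scan_for_obfuscation "$1"
        fix_permissions "$1"
        create_baseline "$1"
    fi
fi
```

Joomla writes to cache/, logs/ and tmp/ at runtime, so add those to .gitignore before the baseline commit, otherwise git status fills up with noise that hides the one new .php file that matters. Keep in mind as well that git status only shows what changed relative to the baseline: a backdoor that survives the cleanup is part of the baseline and stays invisible, which is why the antivirus and grep passes come first.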
Do you have your own method for malware cleanup? Let me know!
Originally published at itworkslocal.ly on December 30, 2015.