We had a weird case today. One of our clients came to us and told us that one of his Joomla websites got hacked, and he sent us some links on his website, containing some obscene content, links to malicious websites, and of course, malicious JavaScript that will probably install a spware/adware/virus on one’s PC once he visits that link.
The first thing that we did was that we searched the database for this obscene content, we couldn’t find any. We then searched the database for the title of the link, we also couldn’t find any. Weird…
The second step was checking the template files, we wanted to see if any of these files was hacked. To our surprise, none was…
We then thought, apparently the content is not there, so it might be that there is this one malicious Joomla extension that our client installed by mistake and made this mess. We disabled all 3rd party extensions, and still that page existed, with the obscene content in it.
Our last and final step was to check the .htaccess file in the root directory of the website, maybe, just maybe, the .htaccess was hacked and the traffic was redirected somewhere else? We opened the .htaccess file and we found that many lines in this file were replaced by other malicious lines (one of those lines called a file called “functions.php” which included a lot of malicious code). To fix the problem, we did the following:
– We restored a previous version of the .htaccess file
– We changed the permissions on the .htaccess file to 644 (it was 777 before)
– We removed the malicious functions.php
– We then advised the client to upgrade to the latest version of Joomla (the client was using Joomla 1.5)
There are many reasons on why a Joomla website gets hacked, but regardless of the reason, we are always there to help, and as usual, at lightning speed! So feel free to contact us to fix your Joomla website in the unfortunate event of it being hacked.
[…] and see if you can find any alien code. – Check your .htaccess file for malicious redirects (see here for a case of a hacked .htaccess file). If you find some weird code then revert to a backup file […]