Hi,
When your site gets hacked you should follow some necessary steps to restore it to working order, identify the attack vector and resolve the vulnerability so that you don't easily get hacked all over again:
- Immediately use ATP's Emergency Off-Line Mode to make sure that the hacker can't get back into your site
- Change your database password and your hosting account password. You should consider them compromised even though we don't know if they are really compromised (better be safe than sorry).
- Check your access logs +/- 15 minutes from the last modified time of your hacked index.php file. This should tell you how the hacker got in. If you see an exploit targeting a specific component please be advised that the version of that component is vulnerable.
- Wipe out all of the files in your site. It is very likely that the hacker has left a "back door" script which makes it easy for him to come back and hack your site again.
- Restore the site from a backup. While restoring, use a different password for your Super Administrator user. Make sure you use Kickstart's FTP mode while restoring! This will ensure that the ownership of the files matches your hosting account (they are not owned by the system-wide PHP user), which adds an extra - yet thin - layer of security to your site.
- Take the restored site off-line using the Emergency Off-Line mode.
- Make sure you're using the latest Joomla! release (1.5.23 at the time of this writing). Using an outdated Joomla! release is a security mortal sin. Hackers are very keen on exploiting known vulnerabilities in old Joomla! releases.
- Check all of your extensions and make sure that they are not in the Vulnerable Extensions List. If they are and they are marked in green, upgrade them to their latest release. If they are marked in red immediately uninstall them.
- Enable all of the options in Admin Tools' WAF Configuration.
- Use the .htaccess Maker to produce a security enhanced .htaccess file which will block access to rogue PHP files, commonly used by hackers to gain access to your site.
- Make sure the permissions of your files and directories are sane (0755 for directories, 0644 for files). Do note that permissions all by themselves do not mean anything for security; it's a combination of ownership and permissions that does the trick. That's why I told you to use Kickstart's FTP mode. Of course, this means that you will have to enable the FTP mode in your site to allow it to function properly.
As you will notice, most items on this list can be applied to a site before it is hacked. In fact, that's the "secret sauce" to security: enable all protection measures and keep all your extensions (components, modules, plugins and templates) up-to-date.
IMPORTANT: See how I stressed templates above? Most people don't realize it, but modern templates - especially those based on a template framework - are PHP applications in their own right. Many templates have known security vulnerabilities and their authors have provided updates to address them. Make sure you do install such updates. While templates will never appear on the Vulnerable Extensions List, it doesn't mean they are secure. Consult your template developer for upgrade information.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
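The log check from the third step above (access-log entries within +/- 15 minutes of the modified file's mtime), as an added example that is not part of the original post or of Akeeba's own tools. It assumes a "combined"-format Apache/nginx access log; the sample log lines, the `mtime`, IP addresses and the `com_example` component name are constructed placeholders.

```python
"""Pull the web-server access-log entries that fall within +/- 15 minutes of a
file's last-modified time, to narrow down which request wrote the hacked file."""
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format: client, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, ip, request, status), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)  # timezone-aware
    return ts, m.group("ip"), m.group("req"), int(m.group("status"))

def entries_near(lines, mtime, window=timedelta(minutes=15)):
    """Keep only entries whose timestamp lies within +/- window of mtime."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and abs(parsed[0] - mtime) <= window:
            hits.append(parsed)
    return hits

def file_mtime(path):
    """Last-modified time of a file (e.g. the hacked index.php), as aware UTC."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

# Constructed sample log: only the middle request is close to the mtime.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:10:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:52:10 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 88 "-" "curl/7.81"
198.51.100.9 - - [10/Oct/2023:14:40:00 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "bot/1.0"
""".splitlines()
SAMPLE_MTIME = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    # On a real site: entries_near(open(log_path), file_mtime("index.php"))
    for ts, ip, req, status in entries_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(ts.isoformat(), ip, status, req)
```

The survivors of the time filter are the requests to inspect by hand; a POST or a request to an unexpected PHP path right before the mtime usually points at the component that was abused.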