A client's Joomla 3.6.5 website was hacked. After running a virus scan and malware scan on the entire directory, nothing came up. When I searched for the malicious URLs, they appear in the database, but nowhere in the code of the website files. I'm not sure how to find the hack, or how to clean out the malicious URLs.
(11216,'http://xxxx.com/cache/j.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11217,'http://xxxx.com/cache/jq.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11218,'http://xxxx.com/cache/layout.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:50:57','0000-00-00 00:00:00',301),
(11219,'http://xxxx.com/cache/ssc.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301),
(11220,'http://xxxx.com/cache/jq.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301)
Since the malicious URLs are in the database, was the database hacked? How do I remove the malicious URLs and how do I fix the hack? I know I have to change the passwords, but I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips? Thanks!
Q: Since the malicious URLs are in the database, was the database hacked?
A: Not possible to tell with the information provided.
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
The term "hacked" is very broad. Have credentials been fraudulently obtained? Was the website defaced? Was valid data stolen from the database? Has valid data been removed or changed? Has new fraudulent data been added?
There are several ways any of those could have happened. One possibility is that database modifications were made through normal operation of the website, by a malicious actor who obtained credentials (login and password) to perform those operations.
Or, a malicious actor could have exploited a vulnerability in the website code. Given the predominance of XSS and SQL Injection vulnerabilities, and the relative ease of exploiting those, this is the most likely scenario. (A lot of website "plugins" are known to be vulnerable.)
Or, some other program connected to the database and performed database operations.
Q: How do I remove the malicious URLs?
A first step would be to restore a copy of the database from a known good backup.
And with a saved copy of the suspect database, we could do a comparison, to help identify data that has been removed, changed or added. (What makes a URL "malicious"? How are you defining that? All we see in the question is what appears to be some rows from a database table. How are these rows more "malicious" than other rows?)
Q: How do I fix the hack? I know I have to change the passwords ...
If an unauthorized actor has obtained login credentials, then yes, you need to change the passwords. And figure out how they obtained the credentials, and take steps to prevent that from happening again.
And close up the vulnerabilities, to prevent that from happening again.
Q: I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips?
Restore the database from a known good backup.
And again, mitigate the vulnerabilities to prevent (or make it less likely) that this will happen again. Cross site scripting (XSS) and SQL Injection are always in the OWASP Top 10.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
https://www.owasp.org/index.php/SQL_Injection
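The comparison of a known good backup against the suspect database described in the answer above, as an added example that is not part of the original answer. It assumes both dumps have one row per INSERT line with an integer primary key as the first column; the table names, rows and the bad.example host are constructed.

```python
import re

# Constructed sample dumps (not from the original post): one row per line,
# the layout mysqldump produces with --skip-extended-insert.
GOOD_DUMP = """\
INSERT INTO `jos_content` VALUES (1,'Home','<p>Welcome</p>');
INSERT INTO `jos_content` VALUES (2,'About','<p>About us</p>');
INSERT INTO `jos_users` VALUES (10,'admin','admin@example.org');
"""
SUSPECT_DUMP = """\
INSERT INTO `jos_content` VALUES (1,'Home','<p>Welcome</p><script src="http://bad.example/j.js"></script>');
INSERT INTO `jos_users` VALUES (10,'admin','admin@example.org');
INSERT INTO `jos_users` VALUES (11,'support','x@bad.example');
"""

# Assumption: the first column of every table is an integer primary key.
ROW = re.compile(r"^INSERT INTO `(?P<table>[^`]+)` VALUES \((?P<pk>\d+),(?P<rest>.*)\);$")

def index_rows(dump):
    """Map (table, primary key) -> remaining column text for each row line."""
    rows = {}
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[(m["table"], int(m["pk"]))] = m["rest"]
    return rows

def compare_dumps(good, suspect):
    """Return the rows added, removed and changed in the suspect dump."""
    g, s = index_rows(good), index_rows(suspect)
    return {
        "added": sorted(k for k in s if k not in g),
        "removed": sorted(k for k in g if k not in s),
        "changed": sorted(k for k in s if k in g and s[k] != g[k]),
    }

if __name__ == "__main__":
    for kind, keys in compare_dumps(GOOD_DUMP, SUSPECT_DUMP).items():
        for table, pk in keys:
            print(f"{kind:8} {table} id={pk}")
```

Rows reported as added or changed are the ones to review by hand; rows that legitimately changed since the backup will show up too.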
What you are experiencing is a database hack, which is the worst kind of Joomla hacks.
Reverting to a backup may be a good solution if you are running a semi-static website, however, if your website has new content every day (or had new content since the hack), then you can't revert to a backup without losing data. In this case, you will need to use MySQL's REPLACE function to replace the hacked strings with an empty value.
Once you fix the database hack, you will need to run an internal scan on your website to find out whether there are hacked/backdoor files anywhere. Once that is done, you will need to uninstall all the unused extensions, and you will need to uninstall all the extensions that are on Joomla's VEL list. Any extension that you have must be updated to the latest version.
Once you are done with the above, then you will need to do the following:
Change all the passwords of the website: including Joomla passwords, FTP/sFTP, database passwords (avoid using FTP if you can), cPanel passwords, etc...
Restrict Apache's access of PHP files to the 'index.php' file (that can be done in the htaccess file).
Move the website to a VPS or a dedicated server if you are on shared hosting.
This seems to be a pretty bad one! A few tips:
Be sure to check Google blacklisting status & also do a 'fetch as google' to check if there's malware showing up in search results.
It is recommended to find all the external calls from the website to other domains (usually hackers point credit card details to their own domains or emails).
A diff command would go a long way:
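# Unpack a clean copy of the release into its own directory
$ mkdir joomla-3.6.4
$ cd joomla-3.6.4
$ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
# Go back up so both directories are reachable, then compare recursively
$ cd ..
$ diff -r joomla-3.6.4 ./public_html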
There are more steps which can be checked from this URL: https://www.getastra.com/blog/cms/joomla-security/joomla-admin-security/
I'm locked out of Wordpress install but I have access to the cPanel of this site.
I need to just remove some links that are pointing to another site that I'm trying to rank for in google's SERPs.
So I figured that maybe I can query the database for all instances of the referring link I need to remove, and remove them that way, instead of waiting 10 million years for the support team to get back to me.
My question is this:
How would I search all the posts in a Wordpress database for a string or link, and then how would I delete them? I know close to nothing about SQL, so your help is really appreciated...
I highly recommend pulling an export of the database and searching that data that way. Be aware that some text editors might struggle opening files of more than a few megabytes.
Another way to do this if you have access to phpMyAdmin is to click on the database name and then click search. You can enter the link you are looking for and search all the tables that way.
I've done a lot of WordPress migrations from one server to another at work and elsewhere, but one strange thing I've never been able to understand is why widget settings never get carried over.
I'll dump the MySQL database, find/replace localhost with the live domain, SSH the database up to the live server, and then ftp the whole WP installation (core and theme, from my local machine), and still the widget settings are wiped out. And sometimes this is also the case with values saved in theme options pages I make in the Dashboard.
What am I missing?
Wordpress stores widget options - and some plugins and themes also store their options - as serialized data, and so you have to be more careful than a full find/replace of the URLs.
Much more comprehensive answer and some other ways to move databases and retain serialized data: https://wordpress.stackexchange.com/questions/9076/why-is-my-database-import-losing-text-widget-data
To move a wordpress site and to reconvert all serialized data I used this script.
Using it is very simple: download the script, change the database credential variables inside the PHP script, and run it.
link to download the script:
http://davidcoveney.com/575/php-serialization-fix-for-wordpress-migrations/
Works fine.
Don't do it manually!
Don't edit database manually when migrating between different domains!
Use small scripts, like this:
Wordpress-Migrator.php (read description too.)
because SERIALIZED arrays need to be modified specifically too!!!
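Why a plain find/replace breaks the serialized data the answers above mention, and a replace that recomputes the string lengths, as an added example that is not one of the linked scripts. It works on the stored option value itself (not on a backslash-escaped SQL dump) and does not descend into strings that hold a second, nested serialized value; the widget value and URLs are constructed.

```python
import re

STR_TOKEN = re.compile(rb's:(\d+):"')  # header of a serialized PHP string

def php_str(value: bytes) -> bytes:
    """Serialize one PHP string; the length prefix counts bytes."""
    return b's:%d:"%s";' % (len(value), value)

def rewrite(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every serialized string and recompute its
    length. Raises ValueError if a declared length does not match the data."""
    out, pos = bytearray(), 0
    while pos < len(data):
        m = STR_TOKEN.match(data, pos)
        if m is None:
            out += data[pos:pos + 1]  # structural byte: a:2:{ i:1; } ...
            pos += 1
            continue
        start = m.end()
        end = start + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("length mismatch at offset %d" % pos)
        out += php_str(data[start:end].replace(old, new))
        pos = end + 2  # skip the string body so it is never re-scanned
    return bytes(out)

def is_consistent(data: bytes) -> bool:
    """True when every string token's declared length matches its body."""
    try:
        rewrite(data, b"-", b"-")  # identity replacement, validation only
        return True
    except ValueError:
        return False

# Constructed sample: a text-widget-like option value with a local URL.
OLD, NEW = b"http://localhost", b"https://www.example.org"
SAMPLE = (b"a:2:{" + php_str(b"title") + php_str(b"Home") + php_str(b"text")
          + php_str(b'<a href="http://localhost/about">About</a>') + b"}")

if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)  # what a dump-wide find/replace does
    print("naive replace consistent:", is_consistent(naive))
    print("length-aware replace consistent:", is_consistent(rewrite(SAMPLE, OLD, NEW)))
```

PHP refuses to unserialize a value whose declared lengths are wrong, which is why the widget settings come back empty after a naive replace.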
Before I start I want to say this is my first site I am uploading that has a database - so I will appreciate any help whatsoever!
What site is the best for webhosting - the cheapest and most reliable? I'm not sure how big my database will get - but I need to have a lot of space! (just in case).
I, of course, don't want my site to break down, so need a very reliable well known site. I have an account already with 1and1.com - and know about Godaddy.com but neither of them are really THAT cheap - if you know what I mean. There is one site I found : "http://www.000webhost.com/" - does this seem alright?
Also, when I upload my site and database - do I have to leave my computer on full time to allow my database to be added to etc?!! Is there some way I can upload the database from my computer - so it's not anything to do with my computer ... or something.
As you can tell - this really is my first site - and I have really no idea.
I'm using MySQL, Coldfusion and Dreamweaver btw.
So again, any help would be great. thanks.
Cheap, Reliable, Easy.
In general, you can only pick two from the above.
Check out bluehost.com.
No, you do not need to leave your computer on. You definitely want to put the database on their server, not yours. It sounds like you need to do some research on that.
Upload the CMS files from your local system and then perform an export of your MySQL database (software like phpMyAdmin makes this dead simple) and then import it to your new database on your new host. Modify the configuration of your CMS (database host, username, and password will need to change) and check that it connects and reads the database properly and everything works right.
That way you don't need to leave your computer on all the time - you're literally moving your entire website to their server.
I'm looking for something similar to the table creation form from phpmyadmin, but it should simply display a CREATE TABLE statement in a textarea below the form.
It should also not require MySQL, PHP, or even a server to work.
I want this for times I'm working on projects and just want to whip up a quick table definition. I'll more than likely always have a text editor open, so being able to save to file isn't a must-have.
I'm on Ubuntu and use Gnome. A tiny GTK application I could stick in my Applications menu would be ideal.
It's not that hard to get familiar enough with the syntax that knocking out a table definition in a text editor becomes second nature.
However, check out DBDesigner4, which is a GPL application which might be useful to you.
Use the MySQL Workbench: http://dev.mysql.com/downloads/workbench/5.0.html
Download and install it.
To see the screen you want, you have to open a connection first under "Open Connection to Start Querying".
Enter your root password (or other, if your connection is for another user).
Then your SQL Editor should immediately open.
From the left column, under 'schemas', open your database,
then right-click on 'Tables'.
Select 'Create Table.'