Last Friday I had the task of restoring a clients site after it was hit by an iframe attack. Another friend has since been hit so I thought it would be useful for me to share the process I used to get the site backup and running with only a couple of hours of down time. The most important thing here is to make sure you keep a backup of your site.
This is the process which I went through after reading about similar infections on the Joomla forum.
1. Backup the unclean site files and database.
This is important if in case the site has been updated since the last backup was taken. Backups from the control panel are saved in the .zip format. The archive will not be extracted in case viruses are located on your server.
2. Delete all files from the server.
This is the fastest method of recovery as trying to find the infected files/hidden files could take hours. It is unavoidable that the site will incur some downtime.
3. Reset all passwords.
All access details will be changed.
This includes: FTP Password; MySQL Database username & password; all admin passwords
4. Restore site from last known backup
This may be out-of-date depending on updates. If it is then files will need to be individually extracted and verified to be clean.
FTP is how I restored my site. I’ve read that you should not allow FTP programmes to save the password in case your local computer is effected with viruses that harvest ftp account information thus by-passing all your efforts at hardening your security.
5. Verify site functions normally.
Check the site works as expected and that it is clean from exploits. Put the site into maintenance mode to hide from public while admin tasks are performed.
6. Confirm the web account is running php5 and not still running php4
PHP4 is no longer in development and PHP5 is more robust.
7. Add server hardening commands to php5.ini file
As recommended by our host these extra arguments should reduce the possibility of future attacks
8. CHMOD all files and folders
This ensures that all permissions correctly set.
9. Uninstall any unused components & modules
Unused components can be removed safely which reduces the need to update them.
10. Consult the Joomla Vulnerable Extensions List
11. Check for updates to all site modules
If security updates are available then they will be patched. Backups will need to be taken again prior to patches.
12. Return site to live mode.
Once we are happy that the site is clean and restored we will enable it again for all public access.