August 21, 2014

Sitting Ducks: Joomla 1.5 Sites Getting Hacked — What To Do

Another recent enquiry about a hacked Joomla 1.5 site. This time, encoded javascript in a module’s view (/modules/mod_foobar/tmpl/default.php).

Just enough J!1.5 sites have been hacked in my orbit of sites in a short period of time to lead me to conclude that it’s a pattern, not random.

These hacks are invasive, writing snippets of javascript at the top of some PHP files, files that are invoked often. Sometimes, but in my own experience not usually, the hack involves writing encoded javascript to the database.

Once your site is invaded with an injection hack, you’re screwed. Forget about going into each PHP file and excising the offensive javascript. This approach lacks completeness, and you will invariably miss a file. I counsel zapping your site and reconstructing it. If you have a backup (or backups) to restore, you must restore it on a known clean server first in order to verify that it is indeed clean. Even with a known good backup, I’m still paranoid enough to counsel rebuilding the site from fresh installations.
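One way to inspect a restored backup for the pattern described above, as an added example that is not part of the original post: flag every PHP file whose first bytes carry output before the PHP open tag or markers typical of encoded javascript. The marker list, the 2 KB window and the function names are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 2048  # assumption: the post says the snippet sits at the top of the file
# Assumed heuristics (not from the post): markers typical of encoded javascript.
MARKERS = {
    "script tag": re.compile(rb"<script\b", re.I),
    "eval call": re.compile(rb"\beval\s*\(", re.I),
    "unescape call": re.compile(rb"\bunescape\s*\(", re.I),
    "fromCharCode": re.compile(rb"String\.fromCharCode", re.I),
}

def inspect_head(data: bytes) -> list:
    """Return the reasons the top of one PHP file deserves a manual look."""
    head = data[:HEAD_BYTES]
    stripped = head.lstrip(b"\xef\xbb\xbf \t\r\n")  # ignore BOM and whitespace
    reasons = []
    # Anything placed before the PHP open tag is output on every request for the file.
    if stripped and not stripped.startswith(b"<?"):
        reasons.append("content before PHP open tag")
    reasons += [name for name, pat in MARKERS.items() if pat.search(head)]
    return reasons

def scan_tree(root) -> dict:
    """Map relative path -> reasons for every flagged *.php file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        reasons = inspect_head(path.read_bytes())
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict:
    """Scan a constructed two-file tree: one clean view, one with a snippet on top."""
    clean = b"<?php // no direct access\ndefined('_JEXEC') or die('Restricted access'); ?>\n<div>ok</div>\n"
    # Constructed, harmless stand-in for an injected snippet ("%2F%2F" is "//").
    injected = b'<script>eval(unescape("%2F%2F"))</script>\n' + clean
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("mod_clean", clean), ("mod_foobar", injected)):
            view = Path(tmp, "modules", name, "tmpl", "default.php")
            view.parent.mkdir(parents=True)
            view.write_bytes(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

A hit is a prompt for manual review, since templates can legitimately contain script tags, and an empty result does not prove the backup is clean, because the database is not examined.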

Joomla 1.5 is not supported by the Joomla Project. Hackers know that these sites are sitting ducks for hacks. There is code on these sites that is vulnerable to hacks. Joomla 1.5 sites are soft targets for hard hacking.

I look back and think that I should have been extreme with my Joomla 1.5 installations. The benefit of hindsight, for sure. Instead of just taking Joomla 1.5 as-is and installing it as-is, I should have actively managed Joomla 1.5 itself.

This is my own checklist for going back to Joomla 1.5 sites. It’s a list of things that can be done today, without clients thinking I’m dreaming up excuses to invoice ‘em:

  • decent .htaccess file in webroot;
  • update JCE to the latest version (v2.3.1 for J!1.5) (older versions of JCE might be susceptible to hacks);
  • if you know of Joomla 1.5 updates for your extensions, update ‘em;
  • delete every component that can be deleted;
  • delete unused templates;
  • delete the native Joomla banner, newsfeed, poll, weblinks components, b/c these components are delete-able;
  • make sure you are using Joomla 1.5.26 — yeah, it matters.

Keep managing your going-concern Joomla 1.5 sites!