How to fix “hacked by Hmei7” on Joomla web site

Source: http://www.joshpate.com/2013/01/how-to-fix-hacked-by-hmei7-on-joomla-web-site/


So I received a call from a past client yesterday. Apparently their web site had been hacked and the simple text “hacked by Hmei7” replaced their home page. This was a shock to them, but it was even more of a shock to their customers. Luckily, for my client, and myself, this is an easy fix. Let’s get down to business to get your site back up. More thoughts after the fix.

hacked by Hmei7

The fix

Seven files are potentially affected by this attack:

  1. /images/stories/susu.php (this file name may vary)
  2. /images/x.txt
  3. /tmp/x.txt
  4. /configuration.php
  5. /index.php
  6. /index.htm
  7. /index.html

Not all files will be affected on every site and there may be more files affected than the seven in this list. Only those files with write permission will be changed by the hacker’s script.

To fix the hack and restore your web site:

  1. Remove the files susu.php and x.txt.
  2. Check the configuration.php and index.php files to see if they have been changed by the hacker.
  3. If configuration.php or index.php has been changed, delete them.
  4. If index.htm or index.html exist, delete them.
  5. If your configuration.php file was changed by the hacker, restore the file from a backup or from scratch if needed.
  6. If your index.php file was changed, restore the file from a backup.

If you don’t have a backup of your configuration.php file, here is a sample file. Create the configuration.php file and put this text into the file. The configuration.php file should be located in the root directory of your site.

configuration.php:

Configure these vars to get your site back up and running:

  • $secret – change to a random string of uppercase and lowercase letters and numbers.
  • $log_path – path to log directory.
  • $tmp_path – path to tmp directory.
  • $user – database username.
  • $db – database name.
  • $password – database password.

Configuring these six vars is enough to get the site working. The rest of the configuration.php file can be filled out manually, or it can be configured more easily through the admin area. If you want to use the admin area, be sure to chmod 777 the configuration.php file. It might be a good idea to chmod 644 the configuration.php file once finished configuring the site. This will prevent any unwanted changes in the future.
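Two of the steps above are easy to get wrong by hand: picking a genuinely random $secret, and remembering to take write permission away again after using the admin area. The following shell functions are an added example written for this page (they are not from the original post or from Joomla) and assume only a POSIX shell, find, tr and /dev/urandom. The permission checks use octal -perm tests so they behave the same on GNU and BSD find; the docroot path passed in is an assumption of the caller.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the
# configuration.php restore step described above.
# Usage: ./config_helpers.sh /path/to/joomla/docroot

# Print a random $secret of the requested length (default 16) made only of
# uppercase letters, lowercase letters and digits, as the post asks for.
gen_secret() {
  len="${1:-16}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
  echo
}

# List every file and directory under the docroot that anyone on the host
# can write to (other-write bit set).  The post notes that only writable
# files were altered, so these are the paths to lock down once configuration
# through the admin area is finished.
world_writable() {
  find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# Succeed (exit 0) only when configuration.php exists and is writable by
# neither group nor others, i.e. the chmod 644 state the post recommends.
config_locked_down() {
  f="$1/configuration.php"
  [ -f "$f" ] || return 1
  [ -z "$(find "$f" \( -perm -020 -o -perm -002 \))" ]
}

# When run directly with a docroot argument, report on that tree.
if [ $# -gt 0 ]; then
  echo "Suggested \$secret: $(gen_secret 24)"
  echo "World-writable paths under $1:"
  world_writable "$1"
  if config_locked_down "$1"; then
    echo "configuration.php permissions: OK"
  else
    echo "configuration.php permissions: still group/world writable (or missing)"
  fi
fi
```

Run it against the site root after finishing in the admin area; anything it lists under “World-writable paths” is a file the next automated script could overwrite just as this one did.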

This should get your web site back into operation. Please continue reading as there is important information for completely removing any lingering files from the hacker and preventing a successful attack in the future.


Check for additional hacker files

It is possible that the hacker changed or created other files on the server that were not mentioned in this article. It would be a good idea to search the web site files for any other changed files as a result of the attack.

An FTP browser or an SSH shell can be used to find any files that were recently changed. If you have SSH access, the following command can help find any files that have been changed:

find . -mtime -2 -type f

Run this command in the root directory of your site. This will find any files that have been changed in the last 2 days. If you only have FTP access, an FTP browser can be used to browse the files and check the date the web site’s files and folders were last changed. Most files in a web site are not changed very often. Look for any files that have been recently changed, or changed within the time frame of the attack.
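The single find command above does the job, but on a live Joomla site it also lists files that change legitimately every day (cache and log directories), which buries the attacker's files in noise. The script below is an added example for this page, not code from the original post, and goes a little further than the command it illustrates: it skips the directories Joomla rewrites during normal operation, flags PHP files sitting under upload directories (the post found the dropper at /images/stories/susu.php, and an upload directory should never contain executable code), and reports stray index.htm/index.html files, which many web servers serve in preference to index.php. The excluded directory names and the docroot argument are assumptions; adjust them to the site's layout.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a Joomla docroot for
# files touched during an attack window.
# Usage: ./triage.sh /path/to/joomla/docroot [days]

# Regular files modified within the last N days (default 2, matching the
# post's "find . -mtime -2 -type f"), excluding directories Joomla itself
# rewrites during normal operation so genuine changes stand out.
recent_files() {
  root="$1"; days="${2:-2}"
  find "$root" -type f -mtime "-$days" \
    ! -path "$root/cache/*" \
    ! -path "$root/administrator/cache/*" \
    ! -path "$root/logs/*" \
    | sort
}

# PHP files under directories that should hold only static uploads.
# Directory list is an assumption based on a default Joomla layout.
php_in_upload_dirs() {
  root="$1"
  for d in images tmp media; do
    if [ -d "$root/$d" ]; then
      find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    fi
  done | sort
}

# index.htm / index.html at the docroot: Joomla does not ship them, and the
# post lists both among the files the defacement drops.
stray_index_files() {
  root="$1"
  for f in index.htm index.html; do
    if [ -f "$root/$f" ]; then
      echo "$root/$f"
    fi
  done
}

# When run directly, print all three reports for the given docroot.
if [ $# -gt 0 ]; then
  echo "== Files modified in the last ${2:-2} day(s) =="
  recent_files "$1" "${2:-2}"
  echo "== PHP files under upload directories =="
  php_in_upload_dirs "$1"
  echo "== Stray index files at the docroot =="
  stray_index_files "$1"
fi
```

Everything in the second and third reports is suspect regardless of its timestamp; the first report is where you compare against the time the defacement was noticed.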

Since the web site has been compromised, all users of the hacked site should change their passwords immediately. I highly doubt Hmei7 stole passwords from the web sites that were hacked in this manner, or even yet would return to a previously hacked site with that information (even more so if the site is small). In any case, since the site was hacked, the passwords should be changed as a precaution.


Content of the hacker files

susu.php:
