This week a website running an outdated Joomla version got hacked: the site had hidden SEO-spam code embedded in its pages. I found out about it after I ran the free malware scanner from Sucuri. You can view the results.
A malicious bot took advantage of the vulnerable JCE editor. This is what the Apache access log recorded:
188.8.131.52 - - [28/Aug/2015:14:43:24 -0400] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 385 "-" "BOT/0.1 (BOT for JCE)"
The IP address used by the bot is registered in Taiwan. If I wanted to block the whole CIDR block from accessing the web server, I could look up the allocated range (a WHOIS lookup on the address gives it). With that information I can use the CSF firewall to block the CIDR block, or the whole country, by adding the country code TW for Taiwan to the CC_DENY setting in csf.conf. Keep in mind that a firewall block only keeps this one bot out; bots using other addresses will find the same vulnerable JCE editor, so the component (and the outdated Joomla install) still has to be updated or removed.
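As an added example (not part of the original post), the following Python script does the log review from the paragraph above mechanically: it parses Apache combined-format lines, flags the request shape seen in the log line quoted above (a POST to the JCE image manager, or the "BOT for JCE" user agent), groups the attempts by source address and renders the csf -d commands you would run to deny each address. The first sample line is the one from the post; the other sample lines are constructed for illustration, and the indicator patterns are an assumption based on that single request.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request shape from the post's log line: a POST to the JCE image manager.
JCE_PATH = re.compile(r'option=com_jce\b.*\bplugin=imgmanager\b', re.I)
# User agent the bot announced itself with in the post's log line.
JCE_UA = re.compile(r'BOT for JCE', re.I)


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_jce_attempt(entry):
    """True for a POST against the JCE image manager or for the bot's user agent."""
    posted_to_jce = entry['method'] == 'POST' and JCE_PATH.search(entry['path'])
    return bool(posted_to_jce or JCE_UA.search(entry['ua']))


def find_attackers(lines):
    """Map each attacking IP to the (status, path) pairs it produced.

    A 200 on the imgmanager POST means the plugin answered the request;
    a 403 or 404 means it was blocked or is no longer installed.
    """
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_jce_attempt(entry):
            hits[entry['ip']].append((int(entry['status']), entry['path']))
    return dict(hits)


def csf_deny_commands(attackers, comment='JCE bot'):
    """Render csf deny commands for the attacking addresses (not executed here).

    `csf -d <ip-or-cidr> [comment]` adds a permanent deny to /etc/csf/csf.deny;
    substitute the CIDR range for the IP to block the whole allocation.
    """
    return ['csf -d %s "%s"' % (ip, comment) for ip in sorted(attackers)]


# Constructed sample: the first line is the one quoted in the post, the
# rest are made up to show a blocked attempt, ordinary traffic and junk.
SAMPLE_LOG = [
    '188.8.131.52 - - [28/Aug/2015:14:43:24 -0400] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 385 "-" "BOT/0.1 (BOT for JCE)"',
    '203.0.113.9 - - [28/Aug/2015:15:02:11 -0400] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Aug/2015:15:03:40 -0400] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 12842 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == '__main__':
    attackers = find_attackers(SAMPLE_LOG)
    for ip, requests in attackers.items():
        print(ip, requests)
    print('\n'.join(csf_deny_commands(attackers)))
```

Run it against the real access log with `find_attackers(open('/path/to/access_log'))`; the status code next to each hit tells you whether the plugin was still answering when the bot arrived, which is the difference between "scanned" and "probably compromised".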
How to fix a hacked website
This is how I went about removing the malware and cleaning up the pages with SEO-spam links. I downloaded the website files to my Mac as a zip archive. Don't unzip it yet, because Avast will start blocking the infected files as soon as they are extracted; scan the archive instead. I ran the free Avast anti-virus program on it, and it was able to detect additional hidden malware files. You will need to install Avast on your computer if it is not already installed.
Click Custom scan, then Start, and browse to the location of the files to be scanned. When the scan completes the results appear; in my case they showed 8 infected files. Clicking the > next to a scan result shows the full path of each malware file.
Now that I knew which files were infected and where they were, I connected to the web server over SSH and deleted each of the files listed above. After that I searched the public_html directory of the infected website with the Find function of the Webmin file manager.
Clicking View payload in the scanner results shows which files still need to be cleaned up. This is the part that took the most time, because I had to remove all of the embedded code from the web pages by hand.
Once that was done I ran another Sucuri scan, and the results showed the website was no longer infected. Near the bottom of the Sucuri scanner page there is a Force Re-scan link; click it so that you get fresh results rather than the cached ones from the earlier scan.
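The search of public_html described above was done by hand with Avast and the Webmin file manager. As an added example, not the post's own method, the script below does that search offline: it walks a web root, flags files whose contents match indicators typical of PHP backdoors and injected spam (obfuscated eval chains, request-driven exec, hidden link blocks), and can additionally list every file modified after a cutoff, which is useful once the attack time is known from the access log. The indicator list is an assumption and should be extended with the exact strings from the scanner's View payload report; the demo tree it scans is constructed here for illustration.

```python
import os
import re
import tempfile

# Assumed indicator list (typical PHP backdoor / injected-spam patterns);
# extend it with the exact strings from the scanner's "View payload" report.
INDICATORS = {
    'obfuscated eval': re.compile(
        r'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    'request-driven exec': re.compile(
        r'\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I),
    'preg_replace /e': re.compile(
        r'preg_replace\s*\(\s*[\'"][^\'"]*/[a-z]*e[a-z]*[\'"]', re.I),
    'remote include': re.compile(
        r'\b(include|require)(_once)?\s*\(?\s*[\'"]https?://', re.I),
    'hidden link block': re.compile(
        r'<(div|span|p)[^>]*display\s*:\s*none[^>]*>\s*<a\s', re.I),
}

# Only text-like files are pattern-scanned; everything is still mtime-checked.
SCAN_EXT = {'.php', '.phtml', '.inc', '.html', '.htm', '.js', '.txt'}


def scan_file(path):
    """Return the names of every indicator that matches the file's contents."""
    try:
        with open(path, 'rb') as fh:
            text = fh.read().decode('latin-1')  # never fails on arbitrary bytes
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root, modified_after=None):
    """Walk root and return {relative path: [reasons]} for every suspicious file.

    modified_after is an epoch timestamp; with the attack time taken from
    the access log, every file changed after it deserves a look even if
    no indicator fires.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = scan_file(path) if ext in SCAN_EXT else []
            if modified_after is not None and os.path.getmtime(path) >= modified_after:
                reasons.append('modified after cutoff')
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, '/')] = reasons
    return findings


# Constructed demo tree: a clean file, a dropped backdoor, a template with a
# hidden spam block, and a binary that must not be pattern-scanned.
DEMO_FILES = {
    'index.php': "<?php\ndefine('_JEXEC', 1);\nrequire_once __DIR__ . '/includes/framework.php';\n",
    'images/stories/cache.php': "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
    'templates/beez/index.php': (
        "<html><body>\n"
        "<div style=\"display:none\"><a href=\"http://example.com/\">cheap pills</a></div>\n"
        "</body></html>\n"),
    'images/logo.png': "PNG placeholder, not really an image",
}


def run_demo():
    """Build the demo tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in DEMO_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == '__main__':
    for path, reasons in sorted(run_demo().items()):
        print(path, '->', ', '.join(reasons))
```

Against a real site run `scan_tree('/home/user/public_html', modified_after=<epoch of the first bot request>)`; a PHP file sitting under an upload directory such as images/stories is suspicious on location alone, which is exactly where the JCE image manager writes.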
I hope this helps. Good luck!