Is it dangerous if I store a copy of an infected website on my local disk?

8

First, I'm not into HTML and PHP programming.

A friend's Joomla site was hacked by some sort of html injection, and now every php and html file has an iframe which is linked to some sort of malware page. And now I want to copy the infected files from the server to my machine and "clean" them. Is this dumb and dangerous?

alex

Posted 2010-03-29T15:28:48.010


1

The malicious code was probably injected into the database, so you'd have to clean that too. The only other things to be affected are template files. – knittl – 2010-03-29T15:44:48.757

Answers

14

No, it's not dangerous to store. What you intend to do with them might or might not be dangerous.

If you open these local files in a web browser, it will likely visit those addresses specified in iframes. Or JavaScript in those files could do something bad like checking for browser security holes.

  • Open these files in some editor which will not attempt to render the page. Any stupid non-HTML editor will do.

  • Disable JavaScript in your browser when opening the files

  • Tell your browser not to open any links not coming from the main domain (will be the local file system in your case). Actually, this is a prudent security measure for daily browsing as well.


You can store something poisonous like certain mushrooms for years in your house, but if you don't intend to eat them, you're safe.

user12925

Posted 2010-03-29T15:28:48.010


5

However, if it's not labeled poisonous, someone else might eat it. I'd make sure that the said website is well identified as dangerous. – None – 2010-03-29T15:34:37.560

8

As long as you download the files using classic FTP, and open/edit the files in a text or HTML editor only (no WYSIWYG/preview function!) this is totally harmless. Looking at the file in a text editor isn't dangerous, executing it in a browser is.

Get the latest security updates for the browser you will be using to look at the pages - through Windows Update for IE, or by just downloading the latest version of Firefox, Chrome or whatnot. I'd recommend Firefox because of its Web Developer toolbar.

To be 100% safe during editing in a WYSIWYG editor, and to test the cleaned pages in a browser (if you have a local Joomla to test), you could disconnect the computer from the Internet while editing.

To test a page that you're cleaning, also consider turning off JavaScript, for example using the Web Developer Toolbar in Firefox.

Also, having a virus scanner running in the background is not a bad idea.

Note that you really need to check every single resource on the site, every HTML page and JavaScript file.

However, don't forget to fix the actual problem first - the vulnerability that made the injection possible! I assume from what you're writing that that has been already sorted but make sure you find out where the break-in occurred.

As a minimum measure, change all passwords to all web hosting related accounts (FTP, Control Panel, etc.).

The Google Webmaster Blog's article My Site's been hacked - now what? is always good reading as well. It also describes how to get the site re-indexed with Google fast.

Pekka

Posted 2010-03-29T15:28:48.010

Reputation: 2 239

Great tips. Do all of them and you'll be 100% fine. – None – 2010-03-29T15:35:03.440

+1 for disconnecting from the internet whilst working. – Dominic Rodger – 2010-03-30T14:18:11.743

3

You should be just fine storing and editing the files; however, be careful about executing them (actually serving them up with php and a web server). Only do that once you're sure they're clean, and have the correct permissions.

Tim Lytle

Posted 2010-03-29T15:28:48.010

Reputation: 959

2

It's not necessarily dangerous, as long as you don't attempt to load any of the infected pages into anything that would follow the links. That said, if I was doing it, I'd probably do it inside a virtual machine -- that way if an accident should happen, restoring to an earlier state, or just throwing it away and building a new VM when/if needed is relatively trivial.

Jerry Coffin

Posted 2010-03-29T15:28:48.010

Reputation: 336

1

No, but your anti-virus may detect it and clean it, which would probably defeat the purpose.

Natalie Adams

Posted 2010-03-29T15:28:48.010

Reputation: 2 071

4

I seriously doubt that an antivirus is going to detect some javascript hack in a downloaded website. – None – 2010-03-29T15:35:31.553

Detection is haphazard, but yes, many AVs will trigger off JS exploit code. – bobince – 2010-03-29T15:53:24.433

@incrediman I know for a fact AVG will, as a client asked me to take a look at their site because somehow something kept infecting it and when I downloaded it, it had some JS included and AVG detect the line and told me what "virus" it was. – Natalie Adams – 2010-03-29T16:45:52.810

1

Assuming that you will be manually examining them and removing the "bad" stuff, you should be fine. It's only text files after all and those can't hurt you -- until you use them as instructions for some program. The HTML files may contain harmful code that a browser will act upon. Likewise for the PHP scripts and a web server (e.g. Apache).

As long as you only open them with a text editor you'll be fine. If you must open them with a browser, make sure you lock out JavaScript and ActiveX.

Gordon

Posted 2010-03-29T15:28:48.010


1

There won't be any harm in keeping those files on your disk as long as you don't open them in a browser with javascript and frames enabled.

jeet232

Posted 2010-03-29T15:28:48.010


1

It's not a bad idea at all. It's the best way to clean a website.

Here's what we do:

1. Use FTP and download the entire site to your PC.

2. Get a copy of grepWin (it's free).

3. Look in certain areas for malscripts: before the opening html tag, between the closing head tag and opening body tag, after the opening body tag, after the closing body tag and after the closing html tag.

4. Use grepWin to scan for: eval(base64_decode strings. These are often found in gifimg.php files and are used to remotely infect websites after the FTP passwords have been changed.

5. Use regex searches. It can help you find common malscripts where the domain or some small segment has changed.

Depending on what anti-virus program you have, many of them will detect the malicious javascript files and either block you from editing them, or quarantine them. Programs like Avast, Vipre and Kaspersky all have to be turned down or off when we're cleaning a website.

Thomas J. Raef

Posted 2010-03-29T15:28:48.010


0

I'd have to agree with others that it's not dangerous to store, but if you want to ensure that you don't do damage to your machine while cleaning it I'd grab a copy of Virtualbox, install Ubuntu in the virtual machine and download the site within Ubuntu and clean it from there.

That way your main machine is as safe as you can make it and if it kills the virtual machine then salvation is only a delete key away.

Mokubai

Posted 2010-03-29T15:28:48.010

Reputation: 64 434