Written by Peter Bui
Published: 03 July 2013
MyJoomla Audit Screen

Recently I've been working on more and more hacked Joomla websites, mainly Joomla 1.5 websites on old servers that haven't been maintained and looked after.

Using a tool such as MyJoomla has made the auditing process for cleaning up these sites so much easier, but there are some limitations in removing and modifying malicious files that may be found on the site and server.

This example that I was working on came up with over 255 files that all had a similar file name pattern.

The hacker had added index.old.php files to the server. To a novice or a non-developer, these may look like backup versions of the index.php file, which could be very important and shouldn't be removed. In reality, each file is an automated duplicate or creation with malicious code in it, made to do just that: fool a novice administrator into thinking it is important and shouldn't be removed.

Now with 200+ copies of this file spread all over the server and hosting account, I wasn't going to go to every last file and delete each one individually. MyJoomla makes it easy by displaying all the files to remove on one web page, but it still takes a long time to update and remove each of the 200+ files.

Instead I gained access to the server via SSH and started to run a command to remove all files that could be found that were called 'index.old.php'.

This is the command that I used.

find . -name '*old.php' -exec rm \{\} \;

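What this does is find any file in the current folder and its subfolders whose name matches the pattern *old.php, that is, any name ending in old.php, and remove it. Note that this pattern is broader than 'index.old.php': it also matches any other file whose name ends in old.php.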

The server will pause for a few moments as it crawls the entire folder structure looking for files that match that pattern and removing each one.

This is much much faster than going through every folder on the site and server looking for the malicious files via FTP or cPanel.

You can change and adapt the syntax of the command line to search for other files and perform other tasks, such as finding and removing any file on the server with the string 'peter' in its name, e.g.

find . -name '*peter*' -exec rm \{\} \;

 

Now let me break down the command line here as well for those who don't know what is going on, so you can better understand the syntax that is being used.

find: this runs the command; everything after it is the arguments that tell find what to do.

-name: this tells find to look at names of files

'*peter*': This is the string to look for in the names of the files. The * before and after peter means to also match files that have other characters before and after peter, such as 'goodpeter' or 'peterisgood' etc.

-exec: This tells find to do something when it finds a match

rm \{\} \;: this is the secondary command that find runs when a match is found. In this case it is the remove command, telling find to simply remove the file from the server. The {} is replaced with the path of each matching file, and the \; marks the end of the command.

Hope the command line search helps others in the same position to better clean up their websites. Be careful though: a slight typo there and you could potentially wipe everything on your site that may be important, such as all of the 'index.php' files in your site. You need a lot of those.

So make sure you perform a backup before doing any work on your site.
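
A more cautious variant of the cleanup above, as an added example (not the author's command): it lists the matches first, matches the exact file name, and moves the files into a quarantine directory with a SHA-256 manifest instead of deleting them. The function names and quarantine layout are assumptions; it expects sha256sum to be installed and the quarantine directory to sit outside the searched tree and outside the web root.

```shell
#!/bin/sh
# Added example: review-then-quarantine instead of find ... -exec rm.
# Assumes sha256sum (GNU coreutils) and a quarantine directory OUTSIDE the
# searched tree. Function names and paths are hypothetical.

# list_matches ROOT NAME: dry run, print regular files named exactly NAME.
list_matches() {
    # -type f skips directories and symlinks; an exact -name (no leading *)
    # cannot catch unrelated files such as 'threshold.php', which the
    # broader pattern '*old.php' would also match.
    find "$1" -type f -name "$2" -print
}

# quarantine_matches ROOT NAME QDIR: move matches into QDIR/files, keeping
# their relative paths, and log "sha256  original-path" for each file to
# QDIR/manifest.txt. Prints the number of files moved.
quarantine_matches() {
    root=$1 name=$2 qdir=$3
    mkdir -p "$qdir" || return 1
    # Save the reviewed list first so the move acts only on what was listed.
    list_matches "$root" "$name" > "$qdir/matches.txt" || return 1
    moved=0
    while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/files/$(dirname "$rel")" || return 1
        sha256sum "$f" >> "$qdir/manifest.txt" || return 1
        mv "$f" "$qdir/files/$rel" || return 1
        moved=$((moved + 1))
    done < "$qdir/matches.txt"
    echo "$moved"
}
```

Run list_matches on its own and read the output before calling quarantine_matches; the manifest keeps a record of what was removed and from where, which helps when working out how the files got onto the server.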

You can read more about how this works in the original post on Stack Overflow where I learned this tip:

http://stackoverflow.com/questions/9313613/find-and-remove-over-ssh

 
