Authors note: the next two sections are the most technical sections of the guide. The techniques are more challenging and I've attempted to provide information about tools that you can use and how to access them, however, as I mentioned in the introduction, you will need some technical skills in order to execute these tasks. I assume that you can do basic technical tasks like use sFTP. Additionally, you will be working on potentially harmful files. Because of this, it's critical that you have anti-malware software installed on your workstation and/or have a secure environment to assess the files in like a "sandbox" virtual machine. Do not run or execute any suspected malware (E.g. oddly named binaries or programs, opening an image you don't recognize in an image viewer, and etc.) Finally, because you will be removing and editing files, always start with a backup!

In this section, we'll explore how to identify hacked Joomla files and database entries so that you can remove them (These approaches don't change whether you're trying to secure a Joomla 1.5, Joomla 2.5, or Joomla 3 website.)

What Does a Hacked Joomla File Look Like?

 

The most common sign of a hacked file is obfuscated code. Essentially, anything that looks like a long line of gibberish is likely an injected attack. Especially if it's next to an obfuscating function like base64_decode. Real code may be Greek to the layperson, but it still doesn't look like a machine wrote it.  

Hacked files also tend to have very poorly written code with loose organization where functions are enormous and variables crammed together.

It's common for hacked files to reference other websites or to use specific functions. See further down on the page for a list of common functions in hacked files. Please note that the existence of such a function does not mean that a file has been hacked, just that it adds to the evidence that it may have been.

Another sign is any reference to an off-site URL or an oddly named file. E.g. include('../../templates/beez_20/b996.php'). Similarly, a reference to a normal sounding file in an odd location is another indicator of an attack. E.g. include('../../templates/beez_20/settings.php').

Likely Targets for an Attack

Because of how Joomla works, it's common for attacks to focus on files that are always loaded when the application runs. The three most likely affected files are:

• Joomla's index.php
• The template's index.php
• The site's .htaccess

Attacks on these files are very obvious and more devious hacker scripts dig deeper into the system when they make their changes.   For example, targets include files in system and content plug-ins, language files, and core templates.

Verifying a File is Hacked

To know for certain whether or not it is hacked code, download an unaltered file from the extension or core matching the version you are checking and create an MD5 checksum on that file and check it versus the MD5 checksum on the one that you believe is altered. This acts like a fingerprint and will tell you unequivocally whether the file has changed versus the version that it is supposed to be.

Here are tutorials on how to generate a MD5 checksum:

• Using MD5SUM to Validate the Integrity of (Downloaded) Files (Linux/Windows)
• Generate & Compare MD5, SHA1 Hashes For Files In Terminal (Mac)

More information about MD5 checksums from the official Joomla documentation: How to determine a package checksum

Locating Hacked Joomla Files

In looking for hacked files, there are two things to keep in mind:

1. Hacked files and database entries are altered in some way.
2. Hackers add files to create vulnerabilities or provide another kind of exploit.
3. Hackers seek to achieve some goal by doing this.

These may seem glaringly obvious, but they are going to help us to narrow in on what has been hacked instead of just throwing tools at the problem and hoping to hit on a solution.

If we know that hacked files and database entries are altered in some way how can we tell what has been changed? Two ways:

1. We can compare versus an old backup.
2. We can create a copy of our site from the same versions of the software installed on the site and compare it for changes.

Comparing Files

Here are a couple tools you can use to compare files:

• Diff (Linux/Mac)
• Diff Tools on Mac
• Meld (Linux/Windows)

Finding Hacked Joomla Files with a Backup

The first approach is the easiest. However, you have to actually have a backup that you can restore somewhere and you have to be able to have confidence that that backup was an altered. Because you don't know exactly when you are hacked, you have to go back in time far enough to where you can be reasonably sure that you were not hacked then. If your site doesn't change much, and you have backups that are several months old, I would go back two months, if possible.

Some people rely on their web host to manage backups for the site. In this case, often times, the host will delete backups after a certain amount of time. If you're lucky, they will maintain certain time period snapshots and you'll be able to get a snapshot at 45 days or three months. Ideally, they will restore the backup into a subdirectory for you to access. However, each host is different and you will have to contact your web host if you have been relying solely on them for backups.

To compare the backup versus the current version, download both file structures into side-by-side directories. Then, use a difference scanning tool to compare the two file directories. Once this is completed, save both databases as a SQL dumps and run the same difference scanning tool to look for anomalies.

This approach takes a few hours, but it will show you exactly what is been changed and what to remove and fix. Note that if your Joomla site was updated between the backup in the current version you will have several false positives. 

The weakness of this approach is that because you don't know exactly when your site was hacked, potentially the backup you restore has been compromised as well. Additionally, you need backups to even try this.

Finding Hacked Joomla Files with a Clean Comparison

This approach doesn't require a backup, but works very similar to the first approach.

1. In your Joomla extension manager, under the "manage" menu link, you simply compile a list of all your Joomla extensions and their versions installed on your hacked site.
2. In your template manager, you do the same.
3. Download a copy of Joomla that is the same version as your hacked version, install it, and install all the extensions and templates at those same versions (you don't need to configure anything.)
4. Place your Joomla site in a directory next to your hacked site and run your file compare tool.

This is very similar to comparing to an old backup, but you can be confident that you're comparing against clean files. However, the weakness of this approach is that it doesn't identify any attacks on your database and it takes 4 to 5 times longer to do rather than comparing against a backup. If you have lots of extensions installed, it can take you up to a day of work just to create a matching clean version of the site. Finally, you should note that if you have had any custom work done it will show up in your file compare tool.

Finding Hacked Files with Pattern Matching

If we know that hackers seek to achieve some goal by altering database records or Joomla files, we can look for changes will that would effect those goals.

Think back to the symptoms list from the section, "Is my Joomla Website Hacked?" Any file, function, or other code that could generate the symptoms means that we should look more closely at these areas.  These are side effects of hackers achieving their goals and they all revolve around a particular set of needs that hackers have in order to effectively use your site. It's like planning a trip to a distant city- there are only so many roads that get there.

This is important because we can use tools that detect patterns in the code which may indicate a file or database entry has been compromised. For example, here are a few common "roads" that a hacker altered file may have to use to get where they want to go:

• base64_decode
• eval
• exec
• strrev
• wget
• file_get_contents
• stream
• create_function
• assert
• system
• preg_replace
• gzuncompress
• gzinflate
• str_rot13
• curl_exec
• header
• location.href
• encodeuri
• encodeuricomponent
• any link or domain

Using tools, we can scan for matching patterns for these strings. The most basic to use is grep or egrep. If you work in Linux, like I do, this is available by default.  It's also on Mac. However, if you run Windows you may need to download a comparable tool like PowerGREP.

For any search on your file system, you'll want to be case insensitive. To scan your database, export it using PHPmyAdmin or another MySQL client into a text SQL dump. Then you can run the same searches on it.

A basic grep search looks like:

egrep -Ri 'location.href' mysitedirectory/

Here is a tutorial with more indepth explanations on how to get a grep on finding patterns: Linux and Unix grep command

The strength of using patterns to locate hacked files is that it's very quick and doesn't require setting up a backup or a comparable site. The weakness of pattern matching is that you can miss things. Hackers constantly look for ways to avoid these sort of file scans seeking trickier and trickier ways to achieve their goals.

Finding Hacked Files Using JAMSS

JAMMS is an excellent script developed and maintained by Bernard Toplak. It stands for Joomla! Anti-Malware Scan Script.

It is another tool that uses pattern matching to identify files that may be hacked. Similar to other file scanning tools, it will return many false positives, so you need to be careful and check to make sure that any changes or removals you make based on its results are because the file has actually been hacked. You can use MD5 Checksums as explained above or compare file contents to a clean version.

Using it is very easy, you simply uploaded into your web root, and visit the URL http://yoursite.com/jamss.php

More information and a link to download is available on the Joomla security forum here: http://forum.joomla.org/viewtopic.php?f=714&t=778692

Once you are finished using it make sure and remove it from your site directory!

Finding Hacked Files Using Joomla Extensions

Several Joomla extensions available will do the pattern matching for you in their file scanner. You can install these on a hacked site and attempt to use them to find suspicious files.

Here is a list of a few of these tools:

• Admin Tools
• RSFirewall
• AntiVirus Website Protection
• Securitycheck Pro

The benefit to using one of them is that they're are easy to get set up and scanning. The drawback is that you don't know what they're looking for and what they are missing. The problem is that if you have even one hacked file that you don't find on your site that can potentially reinfect it with even more hacked files after you think you are secure. However, even with that, it's still worth using one just to have an alternate approach to analyzing your files.

Finding Hacked Files Using a Debugger

The most thorough way to determine what is happening in your site is to go through it line by line using a debugger. We use PHP Storm and Xdebug when we're doing our debugging. I'm not going to the details of how to do this, because it is going beyond the target reader of this guide. If you are a developer and you can't identify where the attack is being pulled into your site's code, this approach will tell you exactly where's it is occurring and what it is doing. The downside to this approach is that it can only detect hacked code that is being loaded. If you are unaware of a successful attack on your site that is not entering through your main index.php file, this will not detect it.  With that caveat, it's quick and effective.

What Do You Do If You Can't Find What's Hacked?

Hackers are tricky and if they've compromised your site, they're already in a better position than you are. This is because the average Joomla site has thousands of files to hide their attack in. It's like trying to find a single tree in an entire forest. So what you do if you just can't figure it out?

You have a couple of options:

• You can hire someone else.
• You can create a 100% clean version of your site.
• You can create a 90% clean version with a new Joomla install and old database.

Hire Someone to Clean it

For paid cleanup, a cost-effective service for many Joomla users is Sucuri. They also offer ongoing protection and have an excellent reputation. However, you'll still need to do some work to patch the vulnerabilities and improve Joomla's security if you use Sucuri.  The section on How to Secure Joomla is helpful for this.

Full disclosure: we are a Sucuri referral partner. We are a referrer because we've used them for monitoring sites and have been impressed with their service and software.

Create a 100% Clean Version of Your Site

The point of doing all this work is not so that you can no how you were compromised or what files were affected. The point is to get back on your feet. So, if you absolutely cannot figure out what is going on, you can still get to a secure position by simply rebuilding your site with clean files. This is incredibly labor-intensive because you have to rebuild everything piece by piece, but you can be sure that everything that you don't transfer over directly is clean.

You still need to be careful because you will need to bring in items from the old site to the new site. For example, you'll likely want to copy over images, articles, and your template. You'll want to go over any of this with a fine toothed comb before copying it into your brand-new site. Once you have your new site set up, you'll also want to make sure everything is up to the current version (see "Secure Your Joomla Site To Keep from Being Hacked Again".)

Create a 90% Clean Version

Remember: do not attempt this on your production site, but in a staging environment first and with a backup!

1. In a development environment, setup a copy of your hacked site.
2. In a separate directory, download and install Joomla at the same version as your hacked site.
3. Install clean versions of your extensions in the new version of Joomla.
4. Install your template from the provider if you purchased the template. If the template is custom developed, you'll have to examine it by hand to make sure that none of its files have been hacked before copying it over.
5. In your new site, change the configuration.php file to point to the hacked site database (see below for more information.)
6. Now your new site should be exactly like your old site, except with a clean file system.
7. Update your Joomla! core and all your extensions to their latest version.
8. Follow the instructions to Secure Your Joomla Site To Keep from Being Hacked Again
9. Delete all the files from your live hacked website and replace it with your new clean version.  Important!!! You cannot simply overwrite your old site because most hacker scripts will litter your file system with additional files and backdoors. Everything must be removed before you update your server with your new, clean, site.

What variables to change in the configuration.php file to point to your old site's database:

In the new site you have built, at the root level, is a file named configuration.php

You want to change your database credentials to the old hacked site database. There are three variables that you change to do this:

public $db = 'change_to_your_old_db;
public $user = 'change_to_your_old_db_user';
public $password = 'change_to_your_old_db_password';

You change the values encapsulated in the single quotes to connect to the old database where all your data resides (old username, password, and database)

Once you've done that, you have essentially a clean new body (the files) and an old brain (the database).

This will eliminate most problems on most hacked sites. However, if your database has been compromised, this will do nothing to address it because only the file system is changing.

In the next section, we will cover how to scan for malware in your file system.

The Windows Task Scheduler is a useful tool for automating various tasks within the Windows operating system.  It provides a simple graphical interface and is much easier to navigate than command prompt or Powershell.  Though it does have some limitations when compared to the aforementioned options, there are still numerous actions that can be automated using the Task Scheduler.

One of the most useful tasks that can be automated, at least from my perspective as a Database Administrator, is the ability to perform automated file deletion.  In the example outlined below, I will be creating a scheduled task to run daily which will delete files from a specified directory that are older than 90 days.

To provide a little background on this, the example I will be working with pertains to an automated SQL runtrace Agent Job that I have running on the server.  The job runs daily and runs a continual trace logging any transactions that take longer than 3 seconds.  As a result, a new file is added to the directory every day. Though each file is only around 11MB, over time this can begin to add up and deleting these files eventually becomes a necessity.

The steps outlined below will walk you through the steps of creating a new scheduled task which will call the ForFiles command to handle automatically deleting the older files.

The first step is to log into the server containing the directory from which you want to automate file deletion.

Once logged in, launch the Task Scheduler.

Once the Task Scheduler window appears, right-click Task Scheduler Library and select New Folder.  Though this step is not technically necessary, I find putting related tasks into their own folder provides better organization when searching for a particular task.

In this example I will call the folder DBA.

Once the folder has been created you will see it listed under the default Microsoft folder.  The next step is to right-click the newly created folder and select Create Task.

The Create Task window will open.  On the General tab you’ll want to provide a Name for the task.  Here you can also change the User assigned to run the task.  In this example I am using my account but best practice would suggest using a proper service account which has sufficient permissions on the server.

You will also want to select the radio button next to Run whether user is logged on or not.  This will make sure that the task will be called regardless of the the user’s connectivity to the server.

Next, click on the Triggers tab. This is where we will configure when the scheduler will run.  Once on the Triggers tab click the New… button at the bottom of the window.

The New Trigger window will be displayed.

As seen in the screenshot below, I have configured this trigger to begin on a schedule and to run on a Daily basis at 7:00PM.

Once you have configured your trigger click OK.

You should now see your newly created trigger listed.

Next, click on the Actions tab and click New… at the bottom of the window.

The New Action window will be displayed.  This is where you will call the ForFiles script and configure the command line argument to delete the files.  This is the most important step.

Make sure the Action being called is set to Start a program.  This should be the default setting but if not, just select it from the drop-down.

Next enter ForFiles into the Program/script text box.

The final step requires you to specify the argument that you want to pass to the ForFiles script.

In this example I am passing the following argument:

/p "C:\DBA\SQLTrace" /s /d -90 /c "cmd /c del @file"

Depending on your specific needs, you will need to change the directory being specified as well as the number of days back.  The above argument will remove files older than 90 days from the C:\DBA\SQLTrace folder.

Once you have configured the argument click OK.

You will now see the newly created action listed.

There are two additional tabs, Conditions and Settings.  Though it is not necessary to change any of the default configuration options on these two tabs, they are worth reviewing.  Depending on the scheduled task you are creating, some changes may be beneficial.

Though I rarely do anything with the Conditions tab, the Settings tab does have a couple options that I find to be useful.  Though I am not selecting them for the purposes of this example, the highlighted options below can be useful depending on the task being scheduled.  You can also instruct the Task Scheduler to self-delete if it has not been called for a particular number of days.

Once you have fully configured the task and any additional options click OK.

You will be prompted to enter the necessary credentials based on the account you selected to run the task when configuring the General tab.  Once the credentials are entered you will see the newly created scheduled task listed under the task library folder you created.

If you wish to manually execute the task to test and make sure it performs as intended you can do this by right-clicking the task and select Run.

Here I have compiled a list of free software to automatically delete files that are older than X number of days. These freeware will help you in deleting files/folders that are older than X days. These free software can save you time from manually searching for old files and then deleting them. Some of these also let you copy or move files older than x days.

You just need to specify the age and location of files and action to be performed on these files. Then these software will automatically perform the action specified by you. You can set the criterion to calculate the age of a file on the basis of creation, modification, last accessed time of a file. We will see how a particular software in this list performs deletion of old files. We will also take a look at the additional tasks they have to offer. Let us now take an in depth look on these software one by one.

Cyber D’s Autodelete

Cyber D’s Autodelete is a free software available for Windows. You can use this software to delete and move files automatically that are older than X days. You can precisely delete older files by applying name filters and date filters.

Apply date filter if you want to delete a file according to its age. Cyber D’s Autodelete gives you the option to specify age of file in years, days, hours, and minutes, and deletes files which are older than that. It also provides you various delete options, like move the deleted files into recycle bin, securely delete the files, move the files to a particular folder, include subfolders, and delete empty subfolders.

In addition to Date filter, it has Name filter as well, which lets you specify name or name pattern of files to be deleted. You can also choose the extension of the files that you want to be deleted.

Read the complete review of Cyber D’s Autodelete.

Download Cyber D’s Autodelete from here.

Remove Old Files

Remove Old Files also serves the same purpose of deleting old files like Cyber D’s Autodelete, but it also provides additional features like archiving old files, moving and copying of files, etc. Let us see how to automatically delete files old files using Remove Old Files.

I have installed the latest stable version of this software. After you have installed the software, click on New Item, and a Keep Folder Attributes dialog box will appear.In Keep Folder Attributes dialog box, you have to specify the following details:

• Description: Specify the general description of your task in this field.
• Kept Folder: Location of target folder that you want to consider for scanning.
• File Mask: Specify file extensions that you want to consider for deletion
• Action Task: Specify the particular action task that you want to perform on kept folder. Various action tasks offered by Removing Old Files are as follows:
  • Delete old files immediately.
  • Delete old files and move them to Recycle Bin.
  • Make an archive at the work folder and delete an original file.
  • Move to a specified folder.
  • Copy to a specified folder.
  • Search for the old files without actions. You can see the results in log file.
• Keep time: Keep time refers to the maximum time for retaining the old files in your PC. After the expiration of keep time, your files will be auto-deleted.
• Date of each file: You can consider either Creation, Modified, or Last access time for calculating the age of files
   
  
   

Other options it provides:

• Include/exclude subdirectories.
• Archive files while copying/moving.
• Delete empty folders.
• Add formatter to keep file organized.
• Set the process priority to idle, normal, or time critical.
• You can also add a ignore list. The files and folders specified in the ignore list will not be considered while performing the action specified on kept folder.
• You can also schedule an action to be performed automatically. And at last, click on Ok button to set the task that will be performed as per your configuration settings.
  

Features of Remove Old File:

• It lets you automatically perform the deletion of older files, copying, or moving of older files.
• It also lets you compress files while transferring, as it supports external file compressors like WinZip and 7-Zip.
• It also allows you to create multiple job queues. Multiple job queues perform  various action tasks simultaneously. This makes execution faster when the list of kept folder is big.
  
• Supports multiple languages: English, Chinese, Dutch, French, German, Spanish, and Russian.

Get Remove Old Files from here.

SubDirectory Cleanup

It is a free portable software which lets you automatically delete older files by generating a script that you can run in Command Prompt. It provides a graphical user interface to generate script to delete old files from command prompt. Let us see how to delete older files using SubDirectory Cleanup.

Click on Configure Settings button to specify the parameters for auto deletion of older files. Then Set Settings dialog box will appear.

 

Here you need to specify following parameters:

• Initial folder location: Specify the path of the folder that you want to scan for older files.
• Max File Age: Specify the maximum file age (in days) that you want to get deleted.
• location of log file: Specify the path where you want the log file to be generated.
• Maximum size of log file: Specify the maximum size (in bytes) of log file that will be generated after auto deletion of older files.
• Delete all old files: Select this option if you want to delete all older files.
• Log Only: Select this option if you want to preview list of files older than number of days as specified in Max File Age field. You can view list of older files in log file.

After configuring all settings, click on Generate CLI string button. Clicking on it will generate a script. Execute the generated script in Command Prompt in this way. Step 1: Specify the path of .exe file of SubDirectory Cleanup. You can easily specify the path of .exe file by dragging and dropping it onto Command Prompt.

Step 2: Copy and paste rest of CLI string (only which is highlighted with blue color) in Command Prompt. Now, you can execute the CLI command and the files will be automatically deleted by SubCleaner Directory.

You, can also use this CLI command in your batch file. So, SubDirectory cleanup is a good software to delete files older than X days, as its execution speed is fast.

Download SubDirectory cleanup from here.

Delete Files Older Than

Delete Files Older Than is a free software available for Windows that performs exactly what its name suggests. This software can be efficiently used to delete files of all types or specific type, that are older/newer than X days. You can filter files according to date and size specified. Like other software in the list, this software also gives you option to calculate age of files on the basis of  creation date, last modified date, or last accessed date of the file. And another handy feature that it provide is, it lets you set password that will protect any unauthorized access to the software.

Let us now see how we can use this software to delete older files.

First select whether you want to search all files or files with a particular extension, like doc, pdf, or txt files. After that, specify the criterion factors to be considered to select files for deletion. You can set it to Created Date, Modified Date, or Accessed Date. You can also apply size filter which will delete files according to size specified (in MB). After configuring all the settings, you need to add folders for scanning. After adding folders, click on Find button to scan older files as per the criterion set. After scanning, it will list all the files matched in Search Result section. Then you can click on Delete button to delete all the files listed in Search Results section.

If you want to protect Delete Files Older Than with password, then click on Lock button on the top.

But if you forget the password, then there is no way to recover it back.

Download this Delete Files Older Than from here.

DelAge32

DelAge32 is a command line tool for deleting or moving files older than X number of days. DelAge32 provides a list of commands that you can execute in Command Prompt in order to move or delete older files as per your requirements.

How to execute DelAge32 commands in Command Prompt.

Step 1: Specify path of exe file of delage.exe. If you have downloaded 64 bit version of this program then specify the path of delage64.exe.

Step 2: Specify path of folder from which you want to delete older files.

Step 3: Specify age of file (in number of days). Files will be deleted older than specified age.

The general syntax of command is given below:

C:\Users\YourPCNAME>source location of delage32.exe “source location of folder of files which you want to delete\*.file type*" Age (in number of days) 

 

Step 4: Other important options that you can specify in DelAge32 execute command are:

• /preview: It will just list all the files with their age on console output window, and no action will be performed.
• /move target: Specify this option if you want to move older files to a target folder.
• /accessed: Last access time of a file for calculation of its age is taken for calculation of its age.
• /created: Creation time of a file is taken for calculation of its age.
• /modified: Last modification time of a file is taken for calculation of its age.

NOTE: 

• By default in DelAge32, last modified time of files are taken to calculate their age. You can change this default file stamp by specifying other options like /created, /modified, or /accessed.
• Files will be permanently deleted from your PC. It does not provide any option to move deleted files into recycle bin.
• Options are case insensitive.
• In case of any syntax error in your command, no action will be performed.

Read the full review of DelAge32 here.

Get DelAge32 from here.

Final Verdict:

All the above listed software can fulfill your requirement to auto delete older files than X days. Some of theses software like Cyber D’s Autodelete, SubDirectory Cleanup, Delete Older Files Than, DelAge32 simply lets you delete older files. I personally like Remove Old Files, as it provides more features as compared to other software mentioned in this article.