If you suspect that your Joomla has been hacked, the first thing to check are the raw weblogs. Try searching them for suspicious client requests such as:
192.168.0.1 - - [29/Oct/2008:06:07:30 -0500] "GET /index.php?live_site=domain.com/1.txt?? HTTP/1.1" 200 10864 "-" "Firefox"
Unfortunately, it is not always that easy to find traces of a web attack and to decode it. Such a task may require an advanced developer to devote quite a lot of time. That's why you should know the most common reasons for a Joomla to be compromised:
1. The core Joomla installation is outdated. Previous versions have serious security vulnerabilities which can be easily exploited.
You can check your Joomla version by logging in your admin panel. There your current Joomla version will be specified.
2. Additionally installed components / modules are outdated.
This is a very common but, unfortunately, neglected problem. It is essential to keep track of all extra components / modules and make sure they are up to date. Check the addon's homepage for information about recent security issues and upgrade instructions.
3. Common misconfigurations which are known to open security holes:
- register_globals turned on in PHP's configuration - if turned on this directive allows easy variable poisoning; make sure to turn it off;
- allow_url_include turned on in PHP's configuration - if turned on it allows remote code to be included in your scripts; make sure to turn it off;
- using the default table prefix _jos. This opens the door for all MySQL injections; make sure you change your table prefix to something harder to guess using this component;
- RG_EMULATION turned on in Joomla 1.0.* - this directive emulates register_globals locally, a dangerous option; if enabled, you will see a warning right after you log in to your admin panel; you can switch it off by adding somewhere in the middle of the configuration.php file:
if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); }
If your Joomla has been hacked, do not hesitate to get help from your web host.