Hmei7 is a common hack on Joomla sites. This hack is executed using security gaps of the Joomla JCE plugin. If you are running JCE you need to either disable and delete it or upgrade it to fix the problem.
Typically you will find a text file located in several directories named “x.txt”, that had “hacked by Hmei7″ in it. This x.txt file is not a dangerous to the website.

Joomla hacked by hmei7

How to fix Joomla site hacked by Hmei7?

These steps can be used to fix this hack…

  • Usually malicious code of the Hmei7 hack is hidden in fake GIF files. These GIF files have a valid header of GIF image file. But after the GIF file header is placed malicious PHP code instead of binary data of GIF image. This can be viewed by opening the fake GIF file with a text editor. Easiest way to find malicious code is to search in all images of the web site for phrases such as reserved PHP words, for eg.: <?php, eval,base64_decode and so on. These files should be deleted.
  • Now In the Joomla administration screen, go to: Site/Global Configuration/Site Settings and check option value of the field: Default WYSIWYG Editor. If there is selected the JCE editor in this field, choose some another editor from the list.
  • After that go to Extensions/Plugin Manager find Editor – JCE plugin and disable it:
  • And in the last now it is safe to remove all JCE related files from the web server hard disk. Joomla site will run fine after all files are deleted from those directories.

/plugins/editors/jce/
/components/com_jce/
/administrator/components/com_jce/ and
/administrator/components/com_joomfish/editors/jce.php

We can see the following files are potentially affected by this Hmei7 attack:

images/x.txt

tmp/x.txt

x.txt

images/stories/x.php

images/stories/susu.php

images/stories/s.php

images/stories/a7a.php

includes/gacl_api_clss.php

libraries/databse.mysqli.php

templates/system/feedreator.class.php

xmlrpc/includes/fotter.php

/configuration.php

/index.php

/index.htm

/index.html

Not all files will be affected on every site. Only those files and directories with write permission will be changed by the hacker’s script.

To fix the hack and restore your web site:

  1. Remove the files susu.php and x.txt.
  2. Check the configuration.php and index.php files to see if they have been changed by the hacker.
  3. If configuration.php or index.php has been changed, delete them.
  4. If index.htm or index.html exist, delete them.
  5. If your configuration.php file was changed by the hacker, restore the file from a backup or from scratch if needed.
  6. If your index.php or .htaccess file was changed, restore the file from a backup.

Once you’ve cleaned your site, we recommend that you migrate your joomla old version to latest version. This isn’t a simple upgrade as most of Joomla has been re-written so you should first set-up a staging area where you can test migrating your site. DO NOT DO IT ON A LIVE PRODUCTION SITE.

The safest way is to make a backup of the site (files and database) AFTER having done all other steps mentioned, then do the update of Joomla in a test environment then upload the changed files and import the new database. Joomla provides detailed information here: http://docs.joomla.org/Migrating_from_Joomla_1.5_to_Joomla_2.5

If you need an assistance to fix the Joomla hacked by hmei7 website, Omkarsoft can reduce the impact and prevent further damage quickly. We can have the typical site cleaned and secured in just a few hours. Check out our Pricing (http://totalwebsecurity.com/pricing-signup.html)page for details on our professional, reliable malware removal services.

Leave a Reply

Your email address will not be published. Required fields are marked *


eight − 5 =