#27763 Strategy to restore a hacked site

Posted in ‘Site restoration’

Latest post by RakataTech on Thursday, 18 May 2017 06:00 CDT

RakataTech
Hi

We have a hacked site which we want to restore to a previous Akeeba backup.

I can still access the admin / back-end of Joomla and can kick off a restoration from within Akeeba. However, I think I am right in saying that this sort of restoration won't wipe the filesystem clean of all files / folders and do the restoration?

If the filesystem has had extra files or folders added as part of the hack, these will still exist after the Akeeba restoration has been done, won't they? The restoration will only replace files on the filesystem, but not remove files/folders that shouldn't be there - is that correct?

If this is the case then would the only procedure be to take down the whole filesystem and then upload the kickstart and jpa files and do the restoration that way? Could the Akeeba system include an option to check for then delete files and folders that are on the live system that are not within the backup so that the resultant restored system is a clone of the system that was backed up?

Your thoughts would be appreciated.

Many thanks

Ben

nicholas
Akeeba Staff
Manager
> However, I think I am right in saying that this sort of restoration won't wipe the filesystem clean of all files / folders and do the restoration?

Correct. Files are never deleted during restoration.

> If the filesystem has had extra files or folders added as part of the hack, these will still exist after the Akeeba restoration has been done, won't they?

Correct.

> The restoration will only replace files on the filesystem, but not remove files/folders that shouldn't be there - is that correct?

Absolutely correct.

> If this is the case then would the only procedure be to take down the whole filesystem and then upload the kickstart and jpa files and do the restoration that way?

Correct again.

> Could the Akeeba system include an option to check for then delete files and folders that are on the live system that are not within the backup so that the resultant restored system is a clone of the system that was backed up?


No, never. This was a feature we explored but decided to not implement. When you think hard about it you can see that a convoluted feature of deleting all files and folders under every subfolder unless it exists in the backup is operationally the same as STEP 1 delete all files and folders STEP 2 restore a backup. It took me 3 hours of planning the convoluted way until I realized how pointless it is.

Moreover, such a feature would cause inadvertent data loss because Kickstart cannot know what you think belongs to your site. Does the subdomain root belong to the site? If not, how could Kickstart know that this folder is a subdomain root? Should the folder you excluded from the backup be exempt? If so, how can Kickstart know what your backup options were before extracting the backup? And what about permissions, ownership, network issues, timeout settings and a million other things which could leave your site in a half-broken state?

Overall it makes no sense implementing this feature since it will never work as efficiently as you deleting what you know belongs to "your site" and is in your backup.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
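The behaviour confirmed in the reply above (restoration overwrites files but never deletes any) can be made visible with a report-only comparison. This is an added example, not Akeeba code and not part of the original ticket; it assumes the backup archive has already been extracted to a staging directory outside the web root, and all file names and contents below are constructed samples. It deletes nothing: paths excluded from the backup on purpose also show up as "extra", so the list is for the site owner to review.

```python
import hashlib
import os
import tempfile

def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare(backup, live):
    """Report live files that are absent from, or differ from, the backup."""
    return {
        "extra": sorted(set(live) - set(backup)),
        "changed": sorted(p for p in backup if p in live and live[p] != backup[p]),
        "missing": sorted(set(backup) - set(live)),
    }

def overlay(backup, live):
    """Model an overwrite-only restore: backup files replace live ones, nothing is removed."""
    merged = dict(live)
    merged.update(backup)
    return merged

def demo():
    """Constructed trees: a staged backup, and a live site with one altered and one added file."""
    trees = {
        "backup": {"index.php": b"<?php // site", "images/logo.png": b"PNG"},
        "live": {"index.php": b"<?php // altered", "images/logo.png": b"PNG",
                 "images/added.php": b"<?php // not in backup"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, data in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        backup = file_hashes(os.path.join(tmp, "backup"))
        live = file_hashes(os.path.join(tmp, "live"))
    return compare(backup, live), compare(backup, overlay(backup, live))

if __name__ == "__main__":
    before, after = demo()
    print("before restore:", before)
    print("after overwrite-only restore:", after)
```

After the modelled restore the altered file matches the backup again, but the added file is still reported as extra, which is why the thread settles on clearing the site's files before extracting the backup.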

RakataTech
Many thanks Nicholas. At least it confirms the approach we need to implement for hacked sites. Have a great day
