Is it dangerous if I store a copy of an infected website on my local disk?

First, I'm not into HTML and PHP programming.

A friend's Joomla site was hacked by some sort of HTML injection, and now every PHP and HTML file has an iframe which is linked to some sort of malware page. And now I want to copy the infected files from the server to my machine and "clean" them. Is this dumb and dangerous?


Solution 1:

No, it's not dangerous to store. What you intend to do with them might or might not be dangerous.

If you open these local files in a web browser, it will likely visit those addresses specified in iframes. Or JavaScript in those files could do something bad like checking for browser security holes.

  • Open these files in some editor which will not attempt to render the page. Any stupid non-HTML editor will do.

  • Disable JavaScript in your browser when opening the files

  • Tell your browser not to open any links not coming from the main domain (will be the local file system in your case). Actually, this is a prudent security measure for daily browsing as well.


You can store something poisonous like certain mushrooms for years in your house, but if you don't intend to eat them, you're safe.

Solution 2:

As long as you download the files using classic FTP, and open/edit the files in a text or HTML editor only (no WYSIWYG/preview function!) this is totally harmless. Looking at the file in a text editor isn't dangerous, executing it in a browser is.

Get the latest security updates for the browser you will be using to look at the pages - through Windows Update for IE, or by just downloading the latest version of Firefox, Chrome or whatnot. I'd recommend Firefox because of its Web Developer toolbar.

To be 100% safe during editing in a WYSIWYG editor, and to test the cleaned pages in a browser (if you have a local Joomla to test), you could disconnect the computer from the Internet while editing.

To test a page that you're cleaning, also consider turning off JavaScript, for example using the Web Developer Toolbar in Firefox.

Also, having a virus scanner running in the background is not a bad idea.

Note that you really need to check every single resource on the site, every HTML page and JavaScript file.

However, don't forget to fix the actual problem first - the vulnerability that made the injection possible! I assume from what you're writing that that has been already sorted but make sure you find out where the break-in occurred.

As a minimum measure, change all passwords to all web hosting related accounts (FTP, Control Panel, etc.).

The Google Webmaster Blog's article "My Site's been hacked - now what?" is always good reading as well. It also describes how to get the site re-indexed with Google fast.
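One way to check every resource without opening anything in a browser, as an added example that is not part of the original answers: the script reads each file as raw bytes and lists iframe tags whose `src` points at a foreign host. The host names `malware.example` and `friend-site.example` and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}

def find_foreign_iframes(root, own_hosts=()):
    """List (relative path, line, src) for iframes pointing at hosts not in own_hosts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        data = path.read_bytes()  # raw bytes only: nothing is rendered or executed
        for tag in IFRAME_RE.finditer(data):
            m = SRC_RE.search(tag.group(0))
            if m is None:
                continue
            src = next(g for g in m.groups() if g is not None).decode("latin-1")
            try:
                host = urlparse(src).hostname  # None for relative (same-site) URLs
            except ValueError:
                host = "(unparseable)"  # malformed URL: report it rather than skip it
            if host is None or host in own_hosts:
                continue
            line = data.count(b"\n", 0, tag.start()) + 1
            findings.append((path.relative_to(root).as_posix(), line, src))
    return findings

def demo():
    """Run the scan over a small constructed site copy (sample data, not real files)."""
    samples = {
        "index.php": b"<?php echo 'hi'; ?>\n"
                     b'<iframe src="http://malware.example/in.php" width=1 height=1></iframe>\n',
        "sub/page.html": b"<IFRAME SRC='//malware.example/x'></IFRAME>"
                         b'<iframe src="/local/frame.html"></iframe>\n',
        "about.html": b'<iframe src="https://friend-site.example/map"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return find_foreign_iframes(tmp, own_hosts={"friend-site.example"})

if __name__ == "__main__":
    for rel, line, src in demo():
        print(f"{rel}:{line}: iframe -> {src}")
```

The scan only catches literal iframe tags; an iframe assembled by script or hidden in encoded PHP needs a separate review of those files.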

Solution 3:

You should be just fine storing and editing the files; however, be careful about executing them (actually serving them up with php and a web server). Only do that once you're sure they're clean, and have the correct permissions.

Solution 4:

It's not necessarily dangerous, as long as you don't attempt to load any of the infected pages into anything that would follow the links. That said, if I was doing it, I'd probably do it inside a virtual machine -- that way if an accident should happen, restoring to an earlier state, or just throwing it away and building a new VM when/if needed is relatively trivial.