When it comes to cleaning up hacked websites, the reality is that a lot of the companies that offer to do that don’t know how to do it properly or are intentionally cutting corners. We know this because we are often hired to re-clean hacked websites after they get re-hacked, and the first thing we always ask when somebody mentions that they previously had someone else try to clean it is whether the previous company was able to determine how the website was hacked. Trying to determine how the website was hacked is one of the three main components of a proper hack cleanup, so the answer to that question should always be either that they were, or the reason that they were unable to determine how it was hacked (which is often the case due to poor log archiving practices at many web hosts). In almost all cases the response we get back is some variation of the issue of how the website was hacked never even having been brought up by the cleanup company. When companies are not doing basic parts of the cleanup, it really isn’t all that surprising that the website doesn’t get fully fixed and needs to be re-cleaned.
Since it is hard for someone to determine whether a company they don’t have prior experience with is on the level, or whether they will just make claims about what they do and their level of expertise (as so many companies offering to clean up hacked websites seem to do), working with a web developer or similar person you already have a relationship with would seem to be a fairly good idea. The reality is that it can lead to poor handling of a hack cleanup, so you should at least get a second opinion on what to do if you are considering having them handle it.
A recent example of them handling that in a less than ideal way involves a situation we were contacted about recently. A web developer contacted us about the possibility of us doing an upgrade of a Joomla 1.0 installation on a customer’s business website ASAP. When we went to take a look at the website, we noticed it was serving up malware and was being blocked by Google. At that point we suggested that the website be cleaned first and then, seeing as moving from Joomla 1.0 is a major migration, that they take their time doing the migration instead of rushing it. They replied that they were aware that the website was hacked and that moving to the new version was their solution.
Doing an upgrade or migration is usually not a good way to try to deal with a hacked website, since that may not remove much, if any, of the malicious items added by the hacker, and the hack may be unrelated to the software being changed, so the website may be just as vulnerable to exploitation after doing the upgrade or migration. A major upgrade or migration is also going to take longer than a hack cleanup, and if you rush it there could be even more problems that need to be dealt with down the road. In this case, when we went to see if things had been resolved a week later, the website was still hacked and had not been moved to a newer version, whereas with a hack cleanup things can usually be resolved in a matter of hours, so the business had lost at least a week’s worth of business brought in by their website.
Also concerning to us in this case was the fact that the web developer had said they wanted to move to Joomla 2.5 or Joomla 3, despite the fact that support for Joomla 2.5 had ended back in December of 2014.