Casady asked:

How to find the pharmacy hack in a Joomla installation?

We've discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don't see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam.
We've looked into it, but found nothing. The conclusion was that the user's computer was infected.

Yesterday another user reported this problem, so I've started to investigate again.

One hour later I've discovered that the site is indeed infected.

When I visit this webpage with my web browser all is fine:

http://www.outertech.com/en/bookmark-manager

But, if I do a google translate of this webpage I see the infection (viagra and cialis links):

http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager

The same happens if I use curl:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website has also the same problem, so indeed the Joomla installation is infected.

A visit to http://localhost/en/bookmark-manager shows no problems, but a

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager

contains the viagra links.

I've looked for hours at the files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?
Tags: Joomla, Web-Based CMS, Vulnerabilities
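The asker's diagnostic above (page clean in a browser, spam present when fetched as Googlebot) is user-agent cloaking. The following script is an added example, not code from the thread: it fetches a page twice with different User-Agent headers and reports the spam terms and links that only the crawler copy contains. The default URL, the Firefox user-agent string and the spam term list are assumptions to adjust for your own site; compare_responses() works on plain HTML strings so the comparison can be tested offline.

```python
"""
Added example (not from the original thread): detect user-agent cloaking of the
kind described above, where a page served to an ordinary browser looks clean but
the copy served to a crawler user agent carries injected pharmacy spam.
"""
import re
import sys
import urllib.request

# Terms typical of pharma spam injections; extend for your case (assumption).
SPAM_TERMS = ("viagra", "cialis", "levitra", "pharmacy", "buy-online")

# Same crawler UA the asker used with curl; the browser UA is an assumption.
GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/30.0"

LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)


def fetch_as(url, user_agent, timeout=20):
    """Fetch url with an explicit User-Agent, following redirects like curl -L."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def spam_hits(html, terms=SPAM_TERMS):
    """Return the set of spam terms that occur in html (case-insensitive)."""
    lowered = html.lower()
    return {t for t in terms if t in lowered}


def links_in(html):
    """Set of href targets found in html."""
    return set(LINK_RE.findall(html))


def compare_responses(browser_html, bot_html, terms=SPAM_TERMS):
    """Report what the crawler copy contains that the browser copy does not.

    Returns a dict with:
      cloaked     - True if the bot copy has spam terms the browser copy lacks
      extra_terms - spam terms present only in the bot copy (sorted)
      extra_links - hrefs present only in the bot copy (sorted)
    """
    extra_terms = spam_hits(bot_html, terms) - spam_hits(browser_html, terms)
    extra_links = links_in(bot_html) - links_in(browser_html)
    return {
        "cloaked": bool(extra_terms),
        "extra_terms": sorted(extra_terms),
        "extra_links": sorted(extra_links),
    }


def check_url(url):
    """Fetch the page once per user agent and compare (network call)."""
    return compare_responses(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


if __name__ == "__main__":
    # Default target is the asker's local xampp copy (assumption: same path).
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/en/bookmark-manager"
    report = check_url(target)
    print("cloaked spam detected" if report["cloaked"] else "no difference in spam terms")
    for term in report["extra_terms"]:
        print("  term only seen by crawler:", term)
    for href in report["extra_links"]:
        print("  link only seen by crawler:", href)
```

Run it against the local copy first, as the asker did, so the comparison is not affected by caching or a CDN in front of the live site; the extra links it lists are usually the quickest grep targets in the codebase and database dumps.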

Member_5340450

it's in .htaccess
Casady (ASKER)

@joomla_php

No, it's not. I've checked it three times.

@rowby

I've used this scanner several hours ago, and it says infected with spam right away, but does not show where.

In my original statement I've explained that I did a lot of greps and looked at the major php files, but cannot find anything suspicious.

I've also checked in the files modified in the last 3 months, and nothing suspicious there.

I guess that the trojan is very sophisticated here. The myjoomla audit even shows all the files that have been modified from a standard Joomla 1.5.26 installation, and nothing suspicious was there.

I've disabled also all Plugins, Components etc. The problem remains.

Upgrade to 2.5 or 3.5 is/was not an option at this moment as it needs an insane amount of work, because there is no simple update path. Many components need to be rewritten for 2.5 compatibility.
Rowby Goren

Another thing I do, not really sure it helps, is to go into the website's cPanel and change permissions on fixed files (index.php, any .js files, etc.) to 444.

(also take a look at the media subfolders for js files)

You might consider migrating your site to siteground.com. The developer of Admin Tools recommends their site, and if you look at SiteGround you will see they appear to specialize in increased security for Joomla (and WordPress) sites.

I consider the developer of Admin Tools (and Akeeba Backup) an ethical person who would not recommend SiteGround if he didn't feel it offered a better security solution. I will be moving at least one site to SiteGround in the near future.

Rowby
You won't see a difference in Google after making a fix as it takes Google time to reindex the site. You can accelerate that process via webmaster tools.
Rowby Goren

If you are totally stumped, you might consider Phil Taylor's services. I haven't used them but he has been in Joomla since the beginning. I think he was one of the original core developers. He used to sell Joomla components. Not sure if he still does.

Phil has this site: http://myjoomla.com/ You sign up with him for a fee and he says he will audit, etc., a hacked Joomla site.

Just something to consider. I have not used it. But, as I said, he's been a part of Joomla since the beginning.

Phil offers one free audit here: https://manage.myjoomla.com/signup


Rowby
Casady (ASKER)

Yes, I have a working akeeba backup (3 months old). My idea was to compare all the 1000s of files between the uninfected backup and the current state. Do you know any Windows utility that may accomplish it without selecting each file individually? I suspect some obscure php file with encrypted content.
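The comparison the asker describes (a clean three-month-old Akeeba backup against the current tree) can be scripted rather than done file by file. The script below is an added example, not code from the thread or from Joomla: it hashes both trees, lists added, removed and modified files, and then triages the added and modified ones for constructs that obfuscated PHP backdoors and crawler-cloaking code commonly use (eval, base64_decode, gzinflate, str_rot13, preg_replace with the /e modifier, and branching on HTTP_USER_AGENT for crawler names). The command-line paths are assumptions; legitimate code can match these markers too, so treat the output as a shortlist for manual review.

```python
"""
Added example (not from the original thread): compare a known-clean Joomla
backup tree against the live (or locally restored) tree, list every added or
changed file, and flag the ones containing constructs typical of obfuscated
PHP backdoors and user-agent cloaking.

Usage (paths are assumptions):  python tree_diff.py /path/clean /path/live
"""
import hashlib
import os
import re
import sys

# (label, regex) pairs. Matching one is a triage signal, not a verdict.
MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate/gzuncompress", re.compile(r"\bgz(?:inflate|uncompress)\s*\(")),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(")),
    ("create_function", re.compile(r"\bcreate_function\s*\(")),
    # preg_replace('/pattern/e', ...) executes the replacement as PHP code.
    ("preg_replace /e", re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]")),
    # Serving different content to crawlers: a UA test near a crawler name.
    ("user-agent check for crawlers",
     re.compile(r"HTTP_USER_AGENT.{0,200}(?:googlebot|bingbot|slurp)", re.IGNORECASE | re.DOTALL)),
]


def digest(data):
    """SHA-256 of a file's bytes, as hex."""
    return hashlib.sha256(data).hexdigest()


def hash_tree(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = digest(fh.read())
    return hashes


def compare_hashes(clean, live):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    return added, removed, modified


def scan_text(text):
    """Labels of the MARKERS that match text, in MARKERS order."""
    return [label for label, rx in MARKERS if rx.search(text)]


def triage(live_root, paths):
    """Scan the given files under live_root; returns {path: [labels]} for hits only."""
    hits = {}
    for rel in paths:
        full = os.path.join(live_root, *rel.split("/"))
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            labels = scan_text(fh.read())
        if labels:
            hits[rel] = labels
    return hits


if __name__ == "__main__":
    clean_root, live_root = sys.argv[1], sys.argv[2]
    added, removed, modified = compare_hashes(hash_tree(clean_root), hash_tree(live_root))
    for label, items in (("added", added), ("removed", removed), ("modified", modified)):
        print(f"{label}: {len(items)}")
        for p in items:
            print("  ", p)
    print("suspicious constructs in added/modified files:")
    for p, labels in triage(live_root, added + modified).items():
        print("  ", p, "->", ", ".join(labels))
```

Hashing both trees rather than relying on modification times matters here: the asker already checked files modified in the last three months and found nothing, and timestamps are trivially reset, whereas a content hash is not. Remember that a Joomla site is also its database, so an injection stored in a template override, module or article row will not show up in a file comparison at all and needs the same kind of search over a database dump.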
Rowby Goren

I don't know of one. Perhaps open a question in one of the Windows Experts Exchange forums.

Perhaps tell them you are looking for a utility that will compare one set of files with another.

Rowby
Rowby Goren

Looks good, Casady. Let us know how it works.

Rowby
Casady (ASKER)

Some suggestions were helpful (so I have awarded points to them), but provided no solution.