
How to find the pharmacy hack in a Joomla installation?

Casady asked on
Vulnerabilities, Web-Based CMS, Joomla
15 Comments, 1 Solution, 1521 Views
We've discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don't see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam.
We've looked into it, but found nothing. The conclusion was that the user's computer was infected.

Yesterday another user reported this problem, so I've started to investigate again.

One hour later I discovered that the site is indeed infected.

When I visit this webpage with my web browser all is fine:

http://www.outertech.com/en/bookmark-manager

But if I do a Google Translate of this webpage I see the infection (viagra and cialis links):

http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager

The same happens if I use curl:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website also has the same problem, so indeed the Joomla installation is infected.

A visit to http://localhost/en/bookmark-manager shows no problems, but a

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager

contains the viagra links.

I've looked for hours at the files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?
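
The browser-versus-Googlebot comparison described in the question can be automated. The following is an added example, not part of the original post: it fetches a page with both User-Agent strings and reports links served only to the crawler. The browser User-Agent, the sample HTML and all function names are assumptions constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # assumed browser UA
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"  # UA from the post
SPAM_TERMS = ("viagra", "cialis", "pharmacy")  # terms named in the post

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = set(), None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.add((self._href, " ".join("".join(self._text).split())))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links

def cloaked_links(browser_html, crawler_html):
    """Links present only in the crawler response: (href, text, has_spam_term)."""
    extra = extract_links(crawler_html) - extract_links(browser_html)
    return sorted((href, text, any(t in (href + " " + text).lower() for t in SPAM_TERMS))
                  for href, text in extra)

def fetch(url, user_agent, timeout=10):
    # urlopen follows redirects, like curl -L in the post
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed sample responses (not captured from the site in the post).
SAMPLE_BROWSER = '<html><body><a href="/en/download">Download</a></body></html>'
SAMPLE_CRAWLER = ('<html><body><a href="/en/download">Download</a>'
                  '<div style="display:none"><a href="http://spam.example/buy">'
                  'Cheap Viagra</a></div></body></html>')

if __name__ == "__main__":
    for href, text, spam in cloaked_links(SAMPLE_BROWSER, SAMPLE_CRAWLER):
        print(("SPAM " if spam else "DIFF ") + href + " -> " + text)
```

Run `check_url()` against the local copy of the site after each cleanup attempt. Links that differ without a spam term can be legitimate per-request content and need a manual look.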