• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1370
  • Last Modified:

How to find the pharmacy hack in a Joomla installation?

We've discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don't see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam.
We've looked into it, but found nothing. The conclusion was that the user's computer was infected.

Yesterday another user reported this problem, so I've started to investigate again.

One hour later I've discovered that the site is indeed infected.

When I visit this webpage with my web browser all is fine:

http://www.outertech.com/en/bookmark-manager

But, if I do a google translate of this webpage I see the infection (viagra and cialis links):

http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager

The same happens if I use curl:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website has also the same problem, so indeed the Joomla installation is infected.

A visit to http://localhost/en/bookmark-manager shows no problems, but a

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager

contains the viagra links.

I've looked for hours at the files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?
0
Asked by Casady
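Added example (not from the question or any of the answers): the curl comparison in the question, done as a small Python script so the two responses can be compared mechanically. It fetches the page once with a browser User-Agent and once with the Googlebot User-Agent and reports which marker words only the crawler sees. The real fetcher uses urllib; the `fake_fetch` server, the marker list and the page contents are constructed for this example so it also runs offline.

```python
import urllib.request

# Marker words to look for in the response body (constructed list for this example).
SPAM_MARKERS = ("viagra", "cialis", "pharmacy")

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"


def http_fetch(url, user_agent):
    """Real fetcher: GET url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def find_markers(body, markers=SPAM_MARKERS):
    """Return the set of marker words present in body, case-insensitively."""
    lowered = body.lower()
    return {m for m in markers if m in lowered}


def check_cloaking(url, fetch=http_fetch, markers=SPAM_MARKERS):
    """Fetch url once as a browser and once as Googlebot and compare the two.

    'cloaked' is True when the crawler is served marker words that the browser
    is not; 'size_delta' is how many more bytes the crawler received.
    """
    browser_body = fetch(url, BROWSER_UA)
    bot_body = fetch(url, GOOGLEBOT_UA)
    seen_browser = find_markers(browser_body, markers)
    seen_bot = find_markers(bot_body, markers)
    return {
        "browser": seen_browser,
        "googlebot": seen_bot,
        "cloaked": bool(seen_bot - seen_browser),
        "size_delta": len(bot_body) - len(browser_body),
    }


# Constructed offline stand-in for the compromised site in the question: the
# injected links are emitted only when the client claims to be Googlebot.
CLEAN_PAGE = ("<html><body><h1>Bookmark manager</h1>"
              "<p>Organise your bookmarks.</p></body></html>")
INJECTED = ('<div style="display:none">'
            '<a href="http://example.invalid/v">cheap viagra</a> '
            '<a href="http://example.invalid/c">cialis online</a></div>')


def fake_fetch(url, user_agent):
    """Simulated server: hides the injected block from ordinary browsers."""
    if "Googlebot" in user_agent:
        return CLEAN_PAGE.replace("</body>", INJECTED + "</body>")
    return CLEAN_PAGE


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real check against a site you administer, e.g. http://localhost/en/bookmark-manager
        print(check_cloaking(sys.argv[1]))
    else:
        print(check_cloaking("http://localhost/en/bookmark-manager", fetch=fake_fetch))
```

Run it with the local XAMPP URL as the argument to test the restored copy; a non-empty `googlebot` set with an empty `browser` set is exactly the symptom described above, and `size_delta` tells you roughly how much content is being injected.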
5 Solutions
 
joomla_php Commented:
it's in .htaccess
0
 
Rowby Goren Commented:
Here is another scanner.

http://sitecheck.sucuri.net/scanner/

But, of course it will only find the public viewed infected locations, and joomla has lots of other files that often "create" the final page.

I've found that simple infections can be in these files:

index.php in the root folder, index.php in the default template folder (check the other files there too).

Use windows grep to look for phrases such as javascript or iframe.

And then sort by date.  Often the infection will be in files with recent modified dates.

Hopefully you have an UNinfected backup and in theory you can "simply" overwrite those files.  

In fact, as a test, if you have what you think is a clean backup (i.e. an akeebabackup from a month or so (or a week or so) before the infection), you can "simply" overwrite those and maybe even EVERY file on your site with your clean version.  (Of course it is possible that your mysql database file was infected, but I doubt it.)

Once you clean the site it is really essential that you install admintools professional.  Especially activate the admintools professional .htaccess maker.  (Read carefully the documentation on the way htaccess maker works, because you may have to adjust some parameters to allow for certain joomla programs to continue to work under the modified htaccess file.)

Rowby
0
 
Rowby Goren Commented:
Also once you are disinfected, make sure you have upgraded to the most recent joomla updates.  And check this site:  http://vel.joomla.org/

It's the vulnerable extensions list.  Sometimes very popular extensions end up on the list before the developers fix them.  Even the popular extension "xmap" is on it, but fixed by the developer with an updated version.   A version of the popular SH404sef is listed -- and fixed by the developer.

Also uninstall any extensions or plugins or modules you no longer use.  And delete any templates that you don't use.

BTW I have a client who found his site was "attacked" by using his "AVG" antivirus software.  I had checked his site via google webmasters and it had not "found" the infection yet.  Perhaps AVG is more aggressive at looking for infections.

So I am considering getting AVG software for myself.  http://www.avg.com/us-en/homepage

Rowby
0

 
Casady (Author) Commented:
@joomla_php

No, it's not. I've checked it three times.

@rowby

I've used this scanner several hours ago, and it says infected with spam right away, but does not show where.

In my original statement I've explained that I did a lot of greps and looked at the major php files, but cannot find anything suspicious.

I've also checked the files modified in the last 3 months, and nothing suspicious there.

I guess that the trojan is very sophisticated here. The myjoomla audit even shows all the files that have been modified from a standard Joomla 1.5.26 installation, and nothing suspicious was there.

I've disabled also all Plugins, Components etc. The problem remains.

Upgrade to 2.5 or 3.5 is/was not an option at this moment as it needs an insane amount of work, because there is no simple update path. Many components need to be rewritten for 2.5 compatibility.
0
 
Rowby Goren Commented:
Another thing I do (not really sure it helps) is to go into the website's CPANEL and change permissions on fixed files (index.php, any .js files etc.) to 444 permissions.

(also take a look at the media subfolders for js files)

You might consider migrating your site to siteground.com  The developer of admintools recommends their site, and if you look at siteground you will see they appear to specialize in increased security for joomla (and wordpress) sites.  

I consider the developer of admintools (and akeeba backup) an ethical person who would not recommend siteground if he didn't feel it offered a better security solution.  I will be moving at least one site to siteground in the near future.

Rowby
0
 
joomla_php Commented:
You won't see a difference in Google after making a fix as it takes Google time to reindex the site. You can accelerate that process via webmaster tools.
0
 
Rowby Goren Commented:
Just saw your comment.

Perhaps a good test is to, as I suggested, overwrite ALL of your most recent web based files with a backup from a month or so ago.  No guarantees, but if those files are clean (and you haven't done any recent web based updates) maybe that could work.  Don't update the mysql database, just the files in the web directory itself.

Is your site a basic "article" site or are there forums or shopping cart, etc?

Rowby
0
 
joomla_php Commented:
It could be base64 encoded so a simple search won't find it.
It could be the offending words spelled backwards.
If the hacker has current access to the site, it could be replacing the infected file with a good one periodically, so that when you search you don't see it.
Look for HTTP_REFERRER in PHP.
There are quite a few examples of searchable hacks here
http://blog.aw-snap.info/2011/02/pharmacy-hack.html
Search for files modified within the last day.
Look for eval, gzinflate, base64 in both the file system and the database.
0
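Added example (not from any answer above): a small Python scanner that walks a Joomla tree and flags the things suggested in the two comments above: eval, gzinflate, base64_decode, checks on HTTP_REFERER / HTTP_USER_AGENT that single out crawlers, reversed spam words, long base64 string literals, and files modified within the last N days. The pattern list, the file extensions scanned and the two sample PHP fragments are constructed for this example and are illustrative, not exhaustive.

```python
import os
import re
import sys
import time

# (name, regex) pairs. Constructed for this example from the hints in the thread;
# a match is a lead to inspect by hand, not proof of compromise (eval and base64
# also appear in legitimate extensions).
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("gzinflate", re.compile(r"\bgz(inflate|uncompress|decode)\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(", re.I)),
    ("strrev", re.compile(r"\bstrrev\s*\(", re.I)),
    # preg_replace with the /e modifier (assumes '/' delimiters) evaluates the replacement as PHP.
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    # User-Agent inspected and a crawler name nearby: the cloaking behaviour seen in the question.
    ("crawler UA check", re.compile(r"HTTP_USER_AGENT[^;]{0,80}(googlebot|bingbot|slurp)", re.I)),
    ("referer check", re.compile(r"HTTP_REFERR?ER", re.I)),  # matches the PHP key and the common misspelling
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("reversed spam word", re.compile(r"argaiv|silaic|ycamrahp", re.I)),  # viagra, cialis, pharmacy reversed
]

SCAN_EXTENSIONS = (".php", ".js", ".htaccess", ".ini", ".txt")


def scan_source(text):
    """Return (pattern_name, line_number, excerpt) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SUSPICIOUS:
            if rx.search(line):
                findings.append((name, lineno, line.strip()[:120]))
    return findings


def scan_tree(root, recent_days=None):
    """Walk root; report files with findings and, if recent_days is set, recently modified files."""
    cutoff = time.time() - recent_days * 86400 if recent_days else None
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings = scan_source(text)
            mtime = os.path.getmtime(path)
            recent = cutoff is not None and mtime >= cutoff
            if findings or recent:
                results.append({"path": path, "mtime": mtime, "recent": recent, "findings": findings})
    # Newest first, as suggested above: recent modifications are the first place to look.
    results.sort(key=lambda r: r["mtime"], reverse=True)
    return results


# Constructed samples: a normal Joomla 1.5-style bootstrap fragment, and the same
# fragment with a typical one-line cloaking hook (the payload is a truncated placeholder).
SAMPLE_CLEAN = """<?php
defined('_JEXEC') or die('Restricted access');
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
"""

SAMPLE_INJECTED = """<?php
defined('_JEXEC') or die('Restricted access');
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { eval(gzinflate(base64_decode('eJyrVkrOz1...'))); }
$mainframe =& JFactory::getApplication('site');
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for r in scan_tree(root, recent_days=1):
        flag = " (modified in last 24h)" if r["recent"] else ""
        print(f"{r['path']}{flag}")
        for name, lineno, excerpt in r["findings"]:
            print(f"    line {lineno}: {name}: {excerpt}")
```

Run it against the local XAMPP copy (`python scan.py C:\xampp\htdocs`) rather than the live host, so that anything still having write access to the live site cannot swap files back while you look, which is the trick the comment above warns about. The database side of the same search is a separate job: a query such as `SELECT id FROM jos_content WHERE introtext LIKE '%base64_decode%'` per table covers what this script does not.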
 
Rowby Goren Commented:
If you are totally stumped, you might consider Phil Taylor's services. I haven't used them but he has been in Joomla since the beginning. I think he was one of the original core developers.  He used to sell Joomla components. Not sure if he still does.

Phil has this site. http://myjoomla.com/    You sign up with him for a fee and he says he will audit etc a hacked joomla site.

Just something to consider. I have not used it.  But, as I said he's been a part of joomla since the beginning.

Phil offers one free audit here: https://manage.myjoomla.com/signup


Rowby
0
 
Casady (Author) Commented:
Yes, I have a working akeeba backup (3 months old). My idea was to compare all the 1000s of files between the uninfected backup and the current state. Do you know any Windows utility that may accomplish it without selecting each file individually? I suspect some obscure php file with encrypted content.
0
 
Rowby Goren Commented:
I don't know of one.  Perhaps open a question in one of the windows Experts Exchange forums.

Perhaps tell them you are looking for a utility that will compare one set of files with another.

Rowby
0
 
Casady (Author) Commented:
0
 
Rowby Goren Commented:
Looks good, Casady.   Let us know how it works.

Rowby
0
 
Casady (Author) Commented:
MyJoomla didn't detect anything. I've restored an older backup that was not infected to a local Xampp installation. Did a backup of the current site and installed it into another local Xampp instance. Made a diff of all files between the two installations and found the hack in the application.php file (it was only one line). Removed the line and the hack died. I still don't know how the site got infected (all addons are the latest versions). I've changed the password as a security measure and am monitoring for this hack once a week.
0
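Added example (not from the question or any of the answers): the "compare all the 1000s of files" step that the author asked for a Windows utility for, and that led to the one-line find in application.php, done in Python so it runs on Windows as well as on the XAMPP host. It hashes every file under the clean backup and under the current copy, lists added, removed and changed files, and prints a unified diff for each changed text file. The `demo()` function builds a constructed miniature of the situation (two trees, one injected placeholder line, one dropped file) in a temporary directory; the path `libraries/joomla/application/application.php` is my assumption of where that file lives, not something the thread states.

```python
import difflib
import hashlib
import os
import shutil
import sys
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    index = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = hash_file(full)
    return index


def compare(clean, current):
    """Compare two {relpath: sha256} indexes; 'clean' is the trusted backup."""
    clean_paths, current_paths = set(clean), set(current)
    return {
        "added": sorted(current_paths - clean_paths),      # new files: dropped webshells, caches
        "removed": sorted(clean_paths - current_paths),    # files deleted since the backup
        "changed": sorted(p for p in clean_paths & current_paths if clean[p] != current[p]),
    }


def show_diff(clean_root, current_root, rel):
    """Unified diff of one changed text file, clean backup on the left."""
    with open(os.path.join(clean_root, rel), encoding="utf-8", errors="replace") as fh:
        a = fh.read().splitlines()
    with open(os.path.join(current_root, rel), encoding="utf-8", errors="replace") as fh:
        b = fh.read().splitlines()
    return "\n".join(difflib.unified_diff(a, b, "backup/" + rel, "current/" + rel, lineterm=""))


# Constructed sample: a stub application.php and the single injected line that
# distinguishes the current copy from the backup (placeholder body, not a real payload).
CLEAN_APP = "<?php\nclass JApplication {\n    function route() {\n        // original code\n    }\n}\n"
INJECTED_LINE = ("if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) "
                 "{ /* placeholder for the injected hook */ }")
APP_REL = "libraries/joomla/application/application.php"


def demo():
    """Build two constructed trees in a temp dir, compare them, and return the report."""
    base = tempfile.mkdtemp(prefix="joomla-diff-")
    try:
        clean_root, current_root = os.path.join(base, "backup"), os.path.join(base, "current")
        for root in (clean_root, current_root):
            os.makedirs(os.path.join(root, "libraries/joomla/application"))
            os.makedirs(os.path.join(root, "templates"))
            with open(os.path.join(root, "index.php"), "w") as fh:
                fh.write("<?php // unchanged\n")
        with open(os.path.join(clean_root, APP_REL), "w") as fh:
            fh.write(CLEAN_APP)
        with open(os.path.join(current_root, APP_REL), "w") as fh:
            fh.write(CLEAN_APP.replace("        // original code\n",
                                       "        // original code\n        " + INJECTED_LINE + "\n"))
        with open(os.path.join(current_root, "templates/.cache.php"), "w") as fh:
            fh.write("<?php // file that only exists in the current copy\n")
        report = compare(hash_tree(clean_root), hash_tree(current_root))
        report["diff"] = {rel: show_diff(clean_root, current_root, rel) for rel in report["changed"]}
        return report
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        clean_root, current_root = sys.argv[1], sys.argv[2]
        report = compare(hash_tree(clean_root), hash_tree(current_root))
        for key in ("added", "removed", "changed"):
            print(f"{key}: {len(report[key])}")
            for rel in report[key]:
                print("   ", rel)
        for rel in report["changed"]:
            if rel.endswith((".php", ".js", ".htaccess")):
                print(show_diff(clean_root, current_root, rel))
    else:
        print(demo()["diff"][APP_REL])
```

Usage: `python difftree.py C:\xampp-clean\htdocs C:\xampp-current\htdocs`. Expect legitimate noise in `changed` (configuration.php, cache and log files, images uploaded since the backup); the short diffs of PHP files are where a one-line insertion like the one reported above stands out, and anything in `added` with a PHP extension under images, cache or tmp deserves a look first.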
 
Casady (Author) Commented:
Some suggestions were helpful (so I have awarded points to them), but provided no solution.
0
Question has a verified solution.