Casady asked on

How to find the pharmacy hack in a Joomla installation?

We've discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don't see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam.
We've looked into it, but found nothing. The conclusion was that the user's computer was infected.

Yesterday another user reported this problem, so I've started to investigate again.

One hour later I've discovered that the site is indeed infected.

When I visit this webpage with my web browser all is fine:

http://www.outertech.com/en/bookmark-manager

But, if I do a google translate of this webpage I see the infection (viagra and cialis links):

http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager

The same happens if I use curl:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website has also the same problem, so indeed the Joomla installation is infected.

A visit to http://localhost/en/bookmark-manager shows no problems, but a

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager

contains the viagra links.

I've looked for hours at the files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?
Joomla, Web-Based CMS, Vulnerabilities
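The browser-versus-Googlebot comparison described in the question can be automated. This is an added example, not part of the original post: it lists links that appear only in the copy served to the crawler User-Agent. The browser User-Agent string, the sample HTML and the `pills.example` host are constructed for illustration.

```python
import sys
import urllib.request
from html.parser import HTMLParser

CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"  # UA from the post
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # constructed browser UA
# Constructed sample responses (not taken from the real site).
SAMPLE_BROWSER = '<html><body><a href="/en/download">Download</a></body></html>'
SAMPLE_CRAWLER = ('<html><body><a href="/en/download">Download</a>'
                  '<div><a href="http://pills.example/viagra">cheap viagra</a></div>'
                  '</body></html>')


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links.add(dict(attrs)["href"].strip())


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def crawler_only_links(browser_html, crawler_html):
    """Links present in the crawler's copy but absent from the browser's."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))


def fetch(url, user_agent, timeout=15):
    """GET a page with the given User-Agent; redirects are followed, like curl -L."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # URL of a site you administer, e.g. the local copy
        pages = fetch(sys.argv[1], BROWSER_UA), fetch(sys.argv[1], CRAWLER_UA)
    else:
        pages = SAMPLE_BROWSER, SAMPLE_CRAWLER
    for link in crawler_only_links(*pages):
        print("crawler-only link:", link)
```

Run against the local copy, this gives a repeatable check to rerun after each cleanup attempt, instead of waiting for a search engine to reindex.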

Last Comment
Casady

8/22/2022 - Mon
Member_5340450

it's in .htaccess
SOLUTION
Rowby Goren

ASKER
Casady

@joomla_php

No, it's not. I've checked it three times.

@rowby

I've used this scanner several hours ago, and it says infected with spam right away, but does not show where.

In my original statement I've explained that I did a lot of greps and looked at the major php files, but cannot find anything suspicious.

I've also checked in the files modified in the last 3 months, and nothing suspicious there.

I guess that the trojan is very sophisticated here. myjoomla audit shows even all the files that have been modified from standard Joomla 1.5.26 installation and nothing suspicious was there.

I've disabled also all Plugins, Components etc. The problem remains.

Upgrade to 2.5 or 3.5 is/was not an option at this moment as it needs an insane amount of work, because there is no simple update path. Many components need to be rewritten for 2.5 compatibility.
Rowby Goren

Another thing I do, not really sure it helps, is to go into the website's CPANEL and change permissions on fixed files (index.php, any .js files, etc.) to 444 permissions.

(also take a look at the media subfolders for js files)

You might consider migrating your site to siteground.com. The developer of admintools recommends their site, and if you look at siteground you will see they appear to specialize in increased security for joomla (and wordpress) sites.

I consider the developer of admintools (and akeeba backup) an ethical person who would not recommend siteground if he didn't feel it offered a better security solution. I will be moving at least one site to siteground in the near future.

Rowby
Member_5340450

You won't see a difference in Google after making a fix as it takes Google time to reindex the site. You can accelerate that process via webmaster tools.
Rowby Goren

If you are totally stumped, you might consider Phil Taylor's services. I haven't used them but he has been in Joomla since the beginning. I think he was one of the original core developers. He used to sell Joomla components. Not sure if he still does.

Phil has this site. http://myjoomla.com/ You sign up with him for a fee and he says he will audit etc a hacked joomla site.

Just something to consider. I have not used it. But, as I said he's been a part of joomla since the beginning.

Phil offers one free audit here: https://manage.myjoomla.com/signup


Rowby
ASKER
Casady

Yes, I have a working akeeba backup (3 months old). My idea was to compare all the 1000s of files between the uninfected backup and the current state. Do you know any Windows utility that may accomplish it without selecting each file individually? I suspect some obscure php file with encrypted content.
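The backup-versus-current comparison asked about above can be scripted. This is an added example, not part of the original thread: it hashes every file in two extracted trees and reports what was added, removed or changed. It compares content rather than modification dates, since a file's timestamp can be set back by whoever wrote it. The file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root, current_root):
    """Return files added, removed and changed relative to the clean backup."""
    clean, current = hash_tree(clean_root), hash_tree(current_root)
    return {
        "added": sorted(set(current) - set(clean)),
        "removed": sorted(set(clean) - set(current)),
        "changed": sorted(p for p in set(clean) & set(current) if clean[p] != current[p]),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (Path(clean), Path(live)):
            (root / "includes").mkdir()
            (root / "index.php").write_text("<?php echo 'home'; ?>")
            (root / "includes" / "defines.php").write_text("<?php define('X', 1); ?>")
        (Path(live) / "index.php").write_text("<?php echo 'home'; /* constructed change */ ?>")
        (Path(live) / "includes" / "cache.php").write_text("<?php /* constructed new file */ ?>")
        return compare_trees(clean, live)


if __name__ == "__main__":
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:8} {path}")
```

Pass the extracted clean backup as the first argument and the extracted current site as the second. Legitimately changing files such as caches and logs will also appear and have to be ruled out by hand.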
Rowby Goren

I don't know of one. Perhaps open a question in one of the windows Experts Exchange forums.

Perhaps tell them you are looking for a utility that will compare one set of files with another.

Rowby
ASKER
Casady

Rowby Goren

Looks good, Casady. Let us know how it works.

Rowby
ASKER
Casady

Some suggestions were helpful (so I gave points to them), but provided no solution.