Casady

Reputation: 1456

Where to look in my Joomla installation for the pharmacy hack?

We've discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don't see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam. We've looked into it, but found nothing. The conclusion was that the user's computer was infected.

Yesterday another user reported this problem, so I've started to investigate again.

One hour later I've discovered that the site is indeed infected.

When I visit this webpage with my web browser all is fine:

http://www.outertech.com/en/bookmark-manager

But, if I do a google translate of this webpage I see the infection (viagra and cialis links):

http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager

The same happens if I use curl:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website also has the same problem, so indeed the Joomla installation is infected.

A visit to

http://localhost/en/bookmark-manager

shows no problems, but a

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager

contains the viagra links.

I've looked for hours at the (mostly php) files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?

Upvotes: 0

Views: 2111

Answers (4)

Casady

Reputation: 1456

I've restored an older backup that was not infected to a local Xampp installation. Did a backup of the current site and installed it into another local Xampp instance. Made a diff of all files between the two installations and found the hack in the application.php file (it was only one line). Removed the line and the hack died. I still don't know how the site got infected (all addons are the latest versions). I've changed the password as a security measure and am monitoring for this hack once a week.

edit: myJoomla.com report did actually find the hack, I didn't read the report carefully enough.

Upvotes: 1
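The approach in this answer (hash every file of a known-clean backup against the suspect copy, then diff the files that changed) scripted in Python, as an added example that is not code from the question or any answer; it also scans files that exist only in the suspect tree, which covers the dropped-in template file described below. The directory layout, the injected user-agent check and the html/mysql.php sample are constructed in demo(), and the SUSPICIOUS regex is my own list of patterns, not a Joomla signature.

```python
import difflib
import hashlib
import re
import tempfile
from pathlib import Path
# Patterns that commonly appear in user-agent cloaking and obfuscated PHP injections (assumed list).
SUSPICIOUS = re.compile(r"HTTP_USER_AGENT|googlebot|base64_decode|eval\s*\(|gzinflate|str_rot13", re.I)

def tree_hashes(root):
    """Map each file's POSIX path relative to root (a Path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean, suspect):
    """Files added, removed or modified in the suspect copy relative to the clean one."""
    a, b = tree_hashes(Path(clean)), tree_hashes(Path(suspect))
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "modified": sorted(f for f in set(a) & set(b) if a[f] != b[f])}

def suspicious_added_lines(clean_file, suspect_file):
    """Lines only in the suspect copy (the whole file when clean_file is None) that match SUSPICIOUS."""
    old = Path(clean_file).read_text(errors="replace").splitlines() if clean_file else []
    new = Path(suspect_file).read_text(errors="replace").splitlines()
    return [l[1:] for l in difflib.unified_diff(old, new, lineterm="", n=0)
            if l.startswith("+") and not l.startswith("+++") and SUSPICIOUS.search(l)]

def scan(clean, suspect):
    """Tree diff plus, for each modified or added file, the injected lines worth a closer look."""
    report = compare_trees(clean, suspect)
    report["flagged"] = {}
    for rel in report["modified"] + report["added"]:
        clean_path = Path(clean) / rel if rel in report["modified"] else None
        hits = suspicious_added_lines(clean_path, Path(suspect) / rel)
        if hits:
            report["flagged"][rel] = hits
    return report

def demo():
    """Constructed sample trees: one injected line in application.php and one dropped-in file."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for d in (clean, suspect):
        (d / "includes").mkdir(parents=True)
        (d / "includes/application.php").write_text("<?php\nclass JSite extends JApplication {}\n")
    (suspect / "html").mkdir()
    (suspect / "html/mysql.php").write_text("<?php eval(gzinflate(base64_decode('Li4u')));\n")
    (suspect / "includes/application.php").write_text(
        "<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { echo 'x'; }\n"
        "class JSite extends JApplication {}\n")
    return scan(clean, suspect)
```

scan(clean_dir, suspect_dir) works on two unpacked backups; demo() runs it on the constructed sample and returns the report.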

Dana Harris

Reputation: 407

I also had this problem where if I'm visiting a sub page, the home page would load instead and show a lot of Pharmacy gibberish. But this only happened when I had Firefox Firebug open. It turned out in my template under /html there was a mysql.php file that shouldn't be there. Luckily, I created this template so I deleted the template on the server and uploaded my original version and the problem went away. Hope this helps.

Upvotes: 0

betweenbrain

Reputation: 840

Your best bet is to use a tool like myJoomla as it was specifically created for this sort of thing for Joomla.

Upvotes: 0

Craig

Reputation: 9330

We recently recovered and migrated a Joomla 1.5 site to 2.5 and the hack was found in the template files (index.php and various override files in the templates html/ directory).

The surprising thing was we also found that about 1 in 10 of the articles had been infected, i.e. when we searched the jos_content table we found the fulltext column had Javascript embedded in it. So, I would suggest also looking there.

Upvotes: 0
