Joomla Website Hacked Viagra

Where to look in my Joomla installation for the pharmacy hack?

We’ve discovered today that our Joomla website has been hacked by a pharmacy trojan.

It was difficult to discover because most users don’t see it when visiting our website.

One user reported about 2 weeks ago that our site contains viagra/pharmacy spam. We’ve looked into it, but found nothing. The conclusion was that the users computer was infected.

Yesterday another user reported this problem, so I’ve started to investigate again.

One hour later I’ve discovered that the site is indeed infected.

When I visit this webpage with my web browser all if fine:

But, if I do a google translate of this webpage I see the infection (viagra and cialis links):

The same happens if I use curl:

As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation.

The local xampp installation with the website has also the same problem, so indeed the Joomla installation is infected.

shows no problems, but a

contains the viagra links.

I’ve looked for hours at the (mostly php) files, did a lot of greps etc, but I cannot find anything suspicious.

Virus Total and Google Webmaster report the site as clean.

I did an audit on myjoomla.com, but no malware was found.

I would be really grateful if someone could point me in the right direction.

Where to look inside my Joomla installation for this hack?

4 Answers 4

I’ve restored an older backup that was not infected to a local Xampp installation. Did a backup of the current site and installed into to another local Xampp instanced. Made a diff of all files between the two installations and found the hack in the application.php file (it was only one line). Removed the line and the hack died. I still don’t know how the site got infected (all addons are the latest versions). I’ve changed the password as a security measure and monitoring for this hack once a week.

edit: myJoomla.com report did actually find the hack, I didn’t read the report carefully enough.

We recently recovered and migrated a Joomla 1.5 site to 2.5 and the hack was found in the template files ( index.php and various override files in the templates html/ directory).

The surprising thing was we also found that about 1 in 10 of the articles had been infected. i.e. when we searched the jos_content table we found the fulltext column had Javascript embedded in it. So, I would suggest also looking there.

Your best bet is to use a tool like myJoomla as it was specifically created for this sort of thing for Joomla.

I also had this problem where if I’m visiting a sub page, the home page would load instead and show a lot of Pharmacy gibberish. But this only happened when I had Firefox Firebug opened. It turned out in my template under /html there was a mysql.php file that shouldn’t be there. Luckily, I created this template so I deleted the template on the server and uploaded my original version and the problem went away. Hope this helps.

Not the answer you're looking for? Browse other questions tagged security joomla or ask your own question.

Related
Hot Network Questions

Subscribe to RSS

To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

site design / logo © 2022 Stack Exchange Inc; user contributions licensed under cc by-sa. rev 2022.3.18.41718

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.