How does it work?
Obviously the site had been hacked. The hack was modifying the title tag and the site meta description so that the Google search results no longer showed what the site owner intended.
But the site had been hacked in a way that allowed the hack to show the normal page to human users and the hacked page to the Google search bot. This could indicate that it checked the User Agent header of the visiting browser and only served the hacked content if the User Agent was equal to “Googlebot”. But that was apparently not the only check. Even when a clever user like myself used the User Agent Switcher add-on for Firefox to force the browser’s User Agent to “Googlebot”, the normal content would still show up.
So the hack must be using additional checks, most likely verifying that the visitor’s IP address matches the well-known address ranges used by Googlebot. Sneaky bastards.
How to detect the Pharma Hack
Luckily there is a foolproof way to determine how Googlebot sees your site, namely by using the Google Webmaster Tools. You will obviously have to create a Google account to use this but chances are that you have this already. Then you can activate the use of the Webmaster Tools and add your site to the Webmaster Tools homepage.
Once you have added the site you will need to verify that you are indeed the owner or at least a person who controls the website. I find that the easiest way is to use the “meta tag” option. Google will provide you with a custom meta tag that you need to insert in the main site template file.
With that out of the way you can start taking advantage of the Webmaster Tools. Select your site on the Webmaster Tools homepage. This will take you to the Dashboard for that site. You should now head straight to the “Diagnostics” menu item and select the “Fetch as Googlebot” submenu. Here you should just press the “Fetch” button next to the site URL editbox.
The page will now inform you that the request is in progress. You will need to update the page status manually, so wait a few seconds and press F5. If the request has completed, the status for the request should be “Success”. To view the result you must now press the “Success” link. Note that if you press the site URL link you will be taken to the site itself, which is not what you want.
What you see now is the raw and unprocessed webpage. This may be a bit daunting if you are not a techie but not to worry – you only need to locate a few specific items. Scroll down a bit and try to locate a section that starts with the “title” tag (or use the browser search function to locate it). The line should look like this:
<title>A website title</title>
If the text between the <title> and </title> tags matches the site title you have set up in the Joomla administration interface then all is good and your site is most likely not suffering from the Pharma Hack. But if you see anything else here (like, a suggestion to go buy a pharmaceutical product), then my friend, your site has been pwned.
Another thing to check is the site meta description. This will typically be listed close to the title tag and will look something like this:
<meta name="description" content="A longer site description" />
Again this text should match the site description you have set up in the Joomla administration interface. If not, then my friend, … (OK, you get the point by now).
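The manual comparison above can be automated against the raw HTML that “Fetch as Googlebot” returns (copied into a file). This is an added example, not part of the original post; it uses Python’s standard HTML parser so that attribute order, tag case and whitespace do not cause false alarms, and the expected values and the cloaked sample page are constructed.

```python
from html.parser import HTMLParser


class TitleMetaParser(HTMLParser):
    """Pull the <title> text and the description <meta> out of raw HTML,
    regardless of attribute order, tag case or surrounding whitespace."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.description = None
        self._in_title = False
        self._title_parts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if a.get("name", "").lower() == "description":
                self.description = a.get("content", "").strip()

    def handle_data(self, data):
        if self._in_title:
            self._title_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
            self.title = "".join(self._title_parts).strip()


def check_fetch_result(html, expected_title, expected_description):
    """Return a list of findings; an empty list means the page Googlebot saw
    carries exactly the title and description configured in Joomla."""
    p = TitleMetaParser()
    p.feed(html)
    findings = []
    if p.title != expected_title:
        findings.append(f"title mismatch: got {p.title!r}")
    if p.description != expected_description:
        findings.append(f"description mismatch: got {p.description!r}")
    return findings


# Constructed samples (not from any real site): the clean page uses the two
# lines quoted in the article; the cloaked one puts the meta attributes in
# the reverse order and upper-cases the title tag, as sloppy injected HTML often does.
CLEAN_SAMPLE = ('<html><head><title>A website title</title>\n'
                '<meta name="description" content="A longer site description" />\n'
                '</head><body></body></html>')
CLOAKED_SAMPLE = ('<html><head><TITLE> Buy Cheap Pills Online </TITLE>\n'
                  '<meta content="Discount pharmacy, order now" name="description">\n'
                  '</head><body></body></html>')
```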
How to remove the Pharma Hack
Once you have established that you are in fact suffering from the Pharma Hack you need to take steps to remove it.
First, you need to take a backup of your hacked site. I recommend that you use the Akeeba Backup component as this is probably the best and most stable solution for Joomla! sites available today (well, that’s my opinion anyway and I’m sticking to it. YMMV.). Once your backup has completed you should download it to your local PC.
Next, you need to change the password for the FTP account on your webhost. If you are too lazy to create and remember good strong passwords and you are also working on a Windows platform then I can heartily recommend the free and excellent KeePass 2 utility which enables you to generate and store individual passwords for all your sites in a central location, protected by a master password. It also offers auto-type options so that you don’t have to type in the long and cryptic passwords.
Once that has been dealt with you can proceed to clean up your site. There are basically two ways to go about it: the hard but safe way, and the slightly easier but less safe way.
The Hard Way
The Hard Way basically consists of deleting your whole site (files and database, everything), installing a fresh site using the latest versions of Joomla! and any components, modules and plugins you may be using, and then re-loading your content from a backup.
I fully understand why you don’t want to go that route but it is important that you understand that this is the only method that will fully guarantee that you are getting rid of the hack.
The Easier Way
If the full rebuild is not an option you can try to get rid of the hack in a less radical way. Please note that I provide absolutely no guarantee that the following steps will work 100%. They may either have no effect or they may render your website inaccessible. You will assume all responsibilities for this yourself.
- Set your site offline in the Joomla administrator interface.
- Change the passwords of all your Joomla administrator accounts (see the comments for the KeePass 2 utility above).
- Go seek out the files listed in the table below and perform the actions listed for each file. When editing a file is called for you may need to download the file to your local PC using FTP, edit the file using a text editor like Notepad (but not Microsoft Word) and upload the corrected file again.
- Set your site online again.
- Check your site using Google Webmaster Tools again. If the infection has been successfully removed your site title and meta description should have reverted to the original values.
| Filename | Action |
| --- | --- |
| includes/def.php | Delete this file! |
| includes/defines.php | Delete the first line (it starts with “() …”) but keep the rest of the file. |
| components/com_wrapper/views/wrapper/.wrap.php | Delete this file! |
| libraries/tcpdf/config/lang/.default.php | Delete this file! |
Additional things to check for
The files mentioned in the table above may not be the only infected files on your system. To perform a more thorough test you can extract the backup you created as the first step to a temporary directory. Then you can use a good text search utility like Agent Ransack to search the files for certain strings.
Hackers usually try to hide their code by encoding it using something called base64 encoding. This will translate an otherwise meaningful text into gibberish. An additional twist often used is to compress the encoded data to add another layer of obfuscation.
Some good strings to search for are (only use the parts inside the quotation marks):
- “eval(gzinflate(base64_decode(”
- “eval(base64_decode(”
The part after the “base64_decode(“ will typically consist of a long string of gibberish, like “’7b17VxtH8gD6N3tOvkMzq81IsRCSsLOOQNgYg41 …”. If you find any occurrences of such strings there’s a good chance that the containing file has been infected. The cure is either to remove the text line or delete the file completely.
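A text search finds the wrapper, but it does not tell you what the gibberish hides, which is what you need to decide between deleting a line and deleting a file. The scanner below is an added example, not part of the original post: it walks an extracted backup for the two strings listed above and decodes each captured payload (gzinflate() is raw DEFLATE, which zlib reads with wbits=-15) so a reviewer can read the hidden PHP. The sample file it builds is constructed from a harmless statement.

```python
import base64, os, re, zlib

# The two search strings from the article as regexes that also capture the
# base64 blob handed to base64_decode( so it can be decoded for review.
B64 = r"['\"]([A-Za-z0-9+/=]+)['\"]"
SIGNATURES = [
    ("eval(gzinflate(base64_decode(", True,
     re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*" + B64)),
    ("eval(base64_decode(", False,
     re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + B64)),
]

def decode_payload(blob, inflate):
    """Undo the obfuscation; gzinflate() is raw DEFLATE, i.e. zlib wbits=-15."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return (zlib.decompress(raw, -15) if inflate else raw).decode("utf-8", "replace")
    except (ValueError, zlib.error) as exc:
        return f"<undecodable: {exc}>"

def scan_text(text):
    """Return (signature, line_number, decoded_payload) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, inflate, rx in SIGNATURES:
            m = rx.search(line)
            if m:
                hits.append((name, lineno, decode_payload(m.group(1), inflate)))
    return hits

def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk an extracted backup; dotfiles such as .wrap.php are included."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a harmless statement wrapped the way the hack wraps its
# code, so the scanner can be exercised without any real infected file.
HIDDEN = 'echo "constructed sample";'
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
PLAIN_B64 = base64.b64encode(HIDDEN.encode()).decode()
GZ_B64 = base64.b64encode(_c.compress(HIDDEN.encode()) + _c.flush()).decode()
SAMPLE_FILE = (f"<?php\neval(base64_decode('{PLAIN_B64}'));\necho 'legit';\n"
               f"eval(gzinflate(base64_decode('{GZ_B64}')));\n")
```

Run `scan_tree("/path/to/extracted/backup")` to get a per-file report; a decoded payload you do not recognise as your own code is the signal to delete the line or the file, as the text above describes.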
How to avoid getting hacked again (or be able to live with the consequences)
The first order on the agenda is to always keep your Joomla site updated with the latest security fixes. Sign up to the Joomla! Security News on this page and receive emails whenever a new security patch has been released. I find that the easiest way to apply Joomla! patches to a remote Linux host is to use the Akeeba Kickstart utility. If you just copy the raw files using FTP from a Windows PC you risk screwing up the file permissions.
Secondly you need to have a viable backup strategy. Make a habit of making full site backups for instance using the Akeeba Backup component mentioned above. Akeeba also offers a Windows utility called Akeeba Remote Control that allows you to easily perform site backups from your Windows PC.