Joomla Pharma Hack: Causes, Detection, & Fixes

Joomla is the second most widely used open source Content Management System based on PHP and MySQL. It offers advantageous features such as better user management, flexibility in displaying non-standard content and built-in multilingual support. But every popular thing on this web attracts security risks. And, Joomla is no exception. Hence in this article, we shall discuss in detail about one such security issue associated with Joomla website – the Joomla pharma hack.

There are many articles available on the web which sparsely tell you about how to go about this hack. But after reading this article, you shall be benefited as you shall get a comprehensive overview of Joomla pharma hack.

Related article – Joomla Hacked: Symptoms, Vulnerabilities & Fixes

What is Joomla Pharma Hack?

Pharma hack is basically a black hat SEO done on legitimate websites to promote pharmaceutical products, especially erectile dysfunction related treatments. The hack promotes these things on websites in a way that it skips the attention of the website’s legitimate owner. Lately, scores of Joomla websites were also found to be infected by this attack. The hack appears to be concealed from the visitors of the website but it poisons the cache results of the search engine result pages (SERPs). Thus, it becomes a little problematic to report it to the owner of the website leading to further aggressive exploitation of the website.

Like a ‘parasite hosting’, it is something that has been termed beyond the capabilities of black hat SEO and is also simply termed as ‘illegal hacking’.

Is your Joomla website hacked? Leave us a message here or chat with an Astra agent now, and we will be happy to help you 😊

 

How does Joomla Pharma Hack work?

  1. The Joomla Pharma Hack targets only those CMS websites which are using outdated add-ons or plugins.
  2. The hacker gains access to your Joomla website through the uploading of web-shell or force one to load through remote file inclusion vulnerability.
  3. Once inside the Joomla website, they perform black hat SEO techniques and insert the keywords that are to be associated with Joomla pharma hack.
  4. Since the browsers display the title as they did before, hence the changes go unnoticed for few weeks by website visitors. Alternatively, a new folder is created and populated within the file system.
  5. When Google crawlers recrawl the affected website, the website gains search engine rankings for its new keywords.
  6. The hyperlinks are embedded within the website and malicious links to a hacked website are also added. This deepens the Joomla pharma hack.

Now as the user is not able to perceive the new changes, they continue to see the website maintain its normalcy. The interlinking and inter-promotion of hacked websites using the new keywords promote the whole network. The hackers build potential future traffic for all the malicious website. However, it takes a lot of time to reap the direct benefits out of this new inter-linking.

A code snippet from one of the hacked website is as follows:

<script>

// <![CDATA[

function bl(){x = document.referrer;if ( (x.indexOf('viagra')!=-1)||(x.indexOf('VIAGRA')!=-1)||(x.indexOf('buy')!=-1)||(x.indexOf('Viagra')!=-1)||(x.indexOf('Buy')!=-1)||(x.indexOf('viagra')!=-1)) {location.replace("http://www.megarxpills.com/viagra.php?affid=34582011");}}bl();

// ]]>

</script>

The code looks in for any details that a web browser brings with it about the referring website. If words such as ‘Viagra’ or ‘Buy’ is found in the URL of the webpage that sent the website visitor here then traffic is sent to megarxpills.com’s Viagra page and the credit goes to the affiliate with the id of 34582011.

Is your Joomla website hacked? Leave us a message here or chat with an Astra agent now, and we will be happy to help you 😊

Intention behind Joomla Pharma Hack

The motivation for this kind of hack is mainly the increased traffic, visibility and monetary gains to the hacker. The criminals look out for ignorant web developers who are upgrading their content and in the process, disclosing security loopholes in their Joomla website. As a result, the compromised legitimate website face a loss of fame in their respective fields and potentially incur significant costs associated with removing the hack from their website. But now that we have companies like Astra offering security solutions for your Joomla website, you may feel confident about the security of your website. So how do we go about finding the symptoms of Joomla pharma hack?

Detection of Joomla Pharma Hack

Since the Joomla pharma hack poisons the search engine results, hence a simple Google search might reveal potential information whether your Joomla website has been compromised or not. The tell-tale signs would be mention of erectile dysfunction medicines or treatments appearing in the text of the search results’ content.

Impersonate the search engine bot

Since the search engine is throwing you results that predict the eventuality of Joomla pharma hack, hence you can impersonate as a Google bot and try looking from their eyes about how they see your Joomla website. You can modify the user-agent string – a text that browser sends to identify itself to the website you’re visiting. Let me explain through the Firefox browser. In the Firefox browser, the user-agent string appears to be something like:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1

You need to use this add-on of Firefox to change this user-agent string and then browse the results as a search engine bot. If this seems a troublesome option for you, then you can use the ‘Fetch as Googlebot’ option within Google Webmaster Tools and check for keywords associated with Joomla Pharma Hack.

View Source Page

In any of the web browser, you can search for your Joomla website and detect the Joomla pharma hack by right-clicking and viewing the source of the search engine results page.

Spam found in a Joomla Pharma Hack affected website
Spam found in a Joomla Pharma Hack affected website

If you find that the whole source page is getting filled with SPAM content like this, then it is likely that your source code has loopholes in it which are causing the SPAM file to get injected anywhere in your Joomla website. You will find Joomla Pharma Hack keywords such as Viagra, Cialis or Regalis present in the source code of the page.

Use Commands to Scan Files on Website Server Directory

You can run the following commands to check for the Joomla pharma hack in your website’s directory:

  • Identify zip, gzip, rar and other files which seem unnatural. You can use the following command to search for the same:

find /home/user_account/public_html/ ( -iname "*.zip" -o -iname "*.gz" -o -iname "*.tar" -o -iname "*.jpa" -o -iname "*.rar" ) -exec ls -hog {} ;

  • Check for the location and content of .htaccess files for any anomalies. The command to look up for .htaccess files across your Joomla website is:

find /home/user_account/public_html/ ( -name ".htaccess" ) -type f -print

  • Find all .cgi, .pl, .sh files using the following command:

find /home/user_account/public_html/ ( -iname "*.cgi" -o -iname "*.pl" -o -iname "*.sh" ) -exec ls -hog {} ;

  • Check for PHP files where they might not usually reside on the locations where they should.
  • A specific command that you may use to scan for Joomla Pharma Hack files is:

find /home/user_account/public_html/ ( -name "*xmloem*.*" -o -name "*pharma*.*" -o -name "mod_joomla" -o -name "com_article" -o -name "LICESNE.php" ) -print

  • Using grep command, search for file patterns associated with hacker files – base64_decode, eval, preg_replace, utilizing a/e modifier, gunzip, rot13, etc. A sample command to scan for lines containing ‘base64_decode’ is as follows:

find /home/user_account/public_html/ ( -name "*.php" ) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "base64_decodes*("

  • Find the IP addresses of the files that were accessing these malicious files from the network log
  • Scan for IP addresses for any connections to .php files other than index.php in the root of your site
  • Scan your network log for past 2-3 months to check for connections from any unknown IPs to your web server
  • Scan for POST requests in a 200 ‘okay’ message. You will identify by the first contact with a known hacker file – the POST is basically the upload. The IP address making the POST request will make a single request to the newly uploaded hacker script. Consequently, other websites also start making contact with the same file. As a result, you shall now be able to detect the location of the file that was being compromised and remove it before uploading your website back to the web.

Is your Joomla website hacked? Leave us a message here or chat with an Astra agent now, and we will be happy to help you 😊

Joomla Pharma Hack Removal

Before you start modifying your Joomla website’s server to remove the hack files, it is recommended to take a proper backup of your website so that no loss of information takes place. Then you must also ensure that the computer system that is hosting your website is not infected with a potentially unwanted software such as virus, spyware or other malware. Scan the PCs that have any administrative privileges granted to them.

After performing all the scans, it is necessary to check for the security of the credentials for your FTP accounts, email accounts, and database. It is recommended to turn off SSH access for FTP users and lockdown SSH access to specific white-listed IP addresses.

Post this, it is recommended to take down your Joomla website from the web and perform the following actions for the Joomla pharma hack  removal files in your website’s directory:

Clean Database Tables

Remove any spammy keywords, content, payloads that you find in the scan from the database tables.

Clean Core Files

Review all modifications that are flagged in core files in the scan results. Compare the files with good copies and make the necessary changes.

Audit User Logs

Delete unknown users/admins, if any. It is possible that the attacker created multiple profiles as users or added himself as admin. Do a careful audit of the user and admin logs and remove them to block any access.

Remove Backdoors

Eliminate Possible backdoors. Hackers tend to leave backdoors behind to get access to the website repeatedly. Some of the common places where you can find backdoors are- base64, str_rot13, gzuncompress, gzinflate, eval, exec, create_function, location.href, curl_exec, stream, etc.

Block Entries

Additionally, we would typically put in place a script which-

  • Blocks connections from suspicious user-agents
  • Detect attempts by the hacker to access files and permanently block those visitors
  • Blacklist malicious IP address

Prevention of Joomla Pharma Hack: Summing It Up

Nothing available in the World Wide Web is secure. It has either been hacked or is waiting to be hacked. As a website administrator, you can take a few reasonable steps to prevent Joomla pharma hack. They are:

  • Minimize the chances of a successful hack, in our case, the Joomla pharma hack.
  • Hasten the recovery process when you succumb at some point

Updated your CMS

The most important thing that a Joomla web admin can do is to keep their content management site up-to-date. They must remember that its neither the articles nor the images help build your Joomla website but the content management website that This is how you can prevent your Joomla website from getting hacked.

Keep an eye on the add-ons

Apart from this, it is important that you check the working of your add-ons. Update all the add-ons, themes, and templates to their latest and safest versions.

Eliminate Loopholes

Existence of anomalies or bug in your Joomla website can give a hacker window to plant files and execute Joomla pharma hack. Monitor the add-ons which allow a visitor to upload a file. Ensure that it is intelligent enough to detect that the right type file is being uploaded or not.

Use a Web Application Firewall Utility like Astra

In the end, you can rely on a web application firewall utility like Astra’s and be tension-free about the security of your Joomla website. This utility safeguards your website from multiple types of malware by scanning and removing them on a real-time basis. It performs a regular check on spam files that are being generated in your website directory and attempt to remove them without causing any damage to your Joomla website.

Click here to get an Astra demo now!

For more articles on Joomla Security, visit Astra Security blog’s this section. You will find other vulnerabilities or security issues that could befall on your Joomla website.

Was this post helpful?



Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Naman Rastogi

Naman is a Digital Marketer & Growth Hacker at Astra. A technology enthusiast with focused interest in website security.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close