How I Recovered After Pharma Hacking on My Site : Steps

Attention: Please update the JCE Editor (Joomla). Earlier versions contained an open vulnerability. Also change your PHP handler to DSO to prevent such infections.

Recovering my site

Here I want to list the steps I took when recovering my websites from the pharma hacking attempt. In fact I'm not an expert, nor did I have any earlier experience in handling a pharma hack attack on websites.

Terms Used

  • SERP: Search Engine Result Pages
  • SE: Search Engines (Google/Bing/Yahoo/Ask etc.)

The attack succeeded because the site was running an outdated Joomla version, and I guess mod_joomla.php was the file placed by exploiting some vulnerability.

Since then I've done quite a bit of net surfing and I want to narrate all that I know now.

The pharma attack has matured now, 4 years after it first started (today is 15 Oct 2012). The motive isn't destruction but making revenue in a nefarious way. It exploits vulnerabilities, especially in Joomla and WordPress sites.

After the exploit, the script first places many other files in unsuspected places through which the hacker can regain access; if you don't remove them now, the hack will return. The script contacts some central server (in my case I found one in the Netherlands) and downloads newer exploits or scripts.

The scripts modify the .htaccess files of the sites.

I found the following infections:

  1. mod_joomla.php
  2. 2012.php
  3. bourne.php
  4. common.php
  5. gymnastics.php
  6. lakers.php
  7. leryn.php
  8. medal.php
  9. rss.php
  10. story.php
  11. tom.php

Shockingly, I found an infection named LICESNE.php dating from 2009 which could not run - I don't know why. I've found another infection hidden in connect_95.zip! It was uploaded through an upload facility on the site.

Recovery from a pharma hack on your website is not so simple; it requires your careful attention, and the infection can come back again.

How it works out

The hacking code modifies the .htaccess files so that when a page is accessed by typing its URL directly, the genuine, unmodified page is shown; but if that URL is reached from Google/Bing search results, this is recognized (for example via the HTTP_REFERER variable in an .htaccess rewrite condition), and instead of index.php some other file takes control and redirects the user to an affiliate pharma or p-o-r-n site.

I've observed that search engines are served different content from other visitors. If you change your browser identification to, say, Googlebot and then visit an infected site, you can see those "inserted" affiliate site links. Some pharma-terminology pages are also served only when search engines visit, so you'll find Google search results for the site containing 'V-1-a-g-r-a/C-i-a-1-i-s' terms in the description.

In other cases it modifies the HTML content by appending pharma/p-o-r-n site links below the content. This is done to increase the search engine rankings of those affiliate sites. On some sites I've found pharma links inside a div with a hidden attribute, placed purely to affect rankings in the eyes of Google/Bing etc.

At the same time it continues to download new infectious code/data from the hacker's server. The data contains a changing list of affiliate sites and of newly infected sites whose links will be placed in the. New pages are generated from the genuine page, modified with bad links and also linking to other infected sites. In similar fashion your site will be back-linked from other infected sites.
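An added example (my own code, not the author's .htaccess monitoring utility) of what a defender's .htaccess check can look for: it walks a site tree and flags every RewriteRule whose preceding conditions key on the visitor's referer or user agent naming a search engine, or which hands control to a PHP file other than index.php, as described above. The sample .htaccess is constructed for the demonstration.

```python
import os
import re

# Constructed sample: Joomla's usual SEF rule followed by the kind of
# referer/user-agent keyed rewrite described in the post (not a real capture).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|ask)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]
RewriteRule ^(.*)$ common.php [L]
"""

SE_NAMES = re.compile(r"google|bing|yahoo|ask|msn|slurp|bot", re.I)
CLIENT_VARS = re.compile(r"%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)

def find_cloaking_rules(text):
    """Return (line_no, reason, rule_line) tuples for suspicious RewriteRules:
    conditions that test the referer/user agent against search-engine names,
    or a rewrite target that is a PHP file other than index.php."""
    findings = []
    pending = []  # RewriteCond lines that apply to the next RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if not line.startswith("RewriteRule"):
            continue
        reasons = []
        for cond in pending:
            if CLIENT_VARS.search(cond) and SE_NAMES.search(cond):
                reasons.append("condition keyed on search-engine referer/agent: " + cond)
        parts = line.split()
        target = parts[2].lower() if len(parts) > 2 else ""
        if target.endswith(".php") and not target.endswith("index.php"):
            reasons.append("rewrites to a non-index PHP file: " + parts[2])
        findings.extend((no, reason, line) for reason in reasons)
        pending = []  # conditions only apply to the rule that follows them
    return findings

def scan_tree(root):
    """Apply find_cloaking_rules to every .htaccess below root; map path -> findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_cloaking_rules(fh.read())
            if hits:
                report[path] = hits
    return report
```

A genuine site rule can also rewrite to a PHP file, so treat the report as a list of lines to read by hand against a known-clean backup, not as a verdict.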

Purpose of Hacking

It is done to redirect traffic to pharma/porn sites when visitors click on the search results in Google/Yahoo/Bing. Upon clicking, Google sends them to the infected site, and using the compromised .htaccess they are then redirected to some pharma or p-o-r-n site, where the hackers make a little money using affiliate links.

What is the side effect?

Search engines regularly crawl such infected sites, so they figure out ('oogle wasn't so quick) that the site has been compromised. They will start showing it as "site compromised" to visitors. Since search engines see the modified version of the pages, containing pharma content and links, your site's ranking will be geared towards those terms by 'oogle/Bing etc. Your site will start plunging in searches for the actual products/services you may be selling.

Once you lose the ranking it will take months to recover. In a competitive environment you may permanently lose against competitors who were trailing you.

Soon expect an email from 'oogle WMT with a site compromised message. You can also see the message in WMT. In my case I think the infection started on the 17th, but only on the 29th did 'oogle show me the message in WMT. At the same time 'oogle was already showing "Site compromised" in 'oogle search results to visitors.

How I came to know about it

By chance, and due to a bug in the hacking code, for one site whenever I clicked a result in the 'oogle SERP, after the redirection from 'oogle my site gave an Internal Server Error. But upon pressing F5 in the browser the same URL worked. That means that by the 29th all clicks from the 'oogle SERP gave this error.

While waiting to complain to my web host about the internal server error, I by chance peeked into the web server access and error logs and found common.php being called instead of index.php.

It was the same day that 'oogle finally dropped some of my sites' traffic heavily.

How to prevent such an attack from happening?

  1. Keep your site updated with the latest releases and patches.
  2. Run site monitoring utilities which can inform you of attacks and vulnerabilities ASAP. I've developed two utilities myself, one to monitor .htaccess files and one to find base64-encoded infections, which then email/SMS me warnings immediately; you can use them for free.
  3. Remove all plugins/modules and components you don't need. I've heard that Jumi had some vulnerabilities, so I removed it; moreover I wasn't using it at all.
  4. Always disallow write permission for others on your site directories/files. Ideally, on Linux, you should set 755 on all files but 555 on important configuration files and .htaccess files.
  5. Regularly change the passwords of all your FTP/site/hosting accounts. Don't leave your passwords saved in your FTP client, and use secure FTP if it is available.
  6. Regularly scan your site with a good antivirus program. When I ran ESET NOD32 over my site files it at least correctly identified one file injected by the hacker: story.php. The best approach is to run at least all your PHP files against 19 antivirus engines.
  7. Regularly check your web server access logs and error logs.
  8. Set up a 'oogle Alert for your sites so that if any pharmacy keywords are indexed by Googlebot you'll be notified. Here is a nice post about it.

Useful Steps

  1. Keep plenty of regular backups of your sites. I regularly take complete cPanel backups, and I have a script which runs daily in the early morning, when load is low, takes a backup of the databases of all sites and emails them to different accounts.
  2. Beware of extensions/plugins developed and used at small scale; they can contain vulnerabilities.
  3. Even bigger third-party extensions can have vulnerabilities, but in that case it will be well advertised, so a hacker will probably use this to gain access.

Recovering from a Pharma Attack - Steps I Took

  1. Take your sites offline. For example you can move your site directory into a new folder name "j" or xyz and start working within it.
  2. I analyzed the web server raw and error logs to know what was happening
  3. Using ps -eafl or top commands ( on Linux/Unix/Centos etc) I could see plenty of php processes( named mod_joomla.php) being spawned and which was already hogging the CPU. I located the file and ran this command from bash shell:
    % > mod_joomla.php; chmod 555 mod_joomla.php

    Just removing the file was not working since it was able to come back again. I did this to make the file size 0 as wells as remove it's write permission - an unthinkable thing to do from Hacker's perspective. I did the same for all other infectious files like common.php.

  4. Restore and clean up all the .htaccess files, you'll find redirection settings for search engines.
  5. Go to 'oogle and search the undesirable terms your site has been hacked into and see the URL's. Request deletion of cache of pages which have been inserted spammy content. For newly generated spammy URL's file site page removal requests at WMT.
  6. Scan your sites with one or two good anti virus. Learn how to run 19 anti-virus for free on your site.
  7. Scan your site with my script Identifying malicious base64 encoded script. And remove the infections.
  8. Try to ascertain the date of start of attack. Get the backup just before it and now compare all the files using a good folder comparison tool and find threats and newly added files. I used Araxis merge to compare.
  9. Check for new tables in database if inserted by the infections
  10. Now go 'oogle WMT in and check :
    • Health->Crawl Errors
    • Health->Malware
    • Optimization -> Content Keywords - see if any unusual words( like v-1-a-g-r-a) are found.
  11. If you find any notice in WMT about hacking attack and that you need to submit a reconsideration request, then after clean up do it. Without this notice don't file reconsideration request and I think it'll be rejected by a bot.
  12. Common hacking trick is to insert spammy text only when search engines fetch the web page so it'd appear normal to you otherwise visible to 'oogle/Bing etc. Install thisUserAgent Switcher and set you agent to Googlebot, now you'll be able to see those spammy text in some cases. The catch is that sometimes those scripts also check IP addresses of search engines and then only insert that text. To see the text in this case you must use Google's Fetch as Googlebot tool from WMT as then it'd be Google's IP a page will be accessed.