Sunday, March 18, 2012

Removing Pharmacy Hack/Spam from Joomla/PHP website

Hi,

I recently got the chance to fix a site about coffee that was full of pharmacy, anthrax and medicine links. They showed up in the header, in the footer and all over the pages, made the site look totally spammy and destroyed its search ranking. Here is how I removed them:

I will first go through the key points of how they target a site and then describe in detail where I found the injections:

Key points:
To start off, let me explain that this happens because the attackers somehow gain access to your site and change your files. With so many files, here is where to look for changes:
1. Main index files like /root/index.php and /root/templates/my_template/index.php
2. Include files that are called by the index files or by the framework and so run on almost every request; in Joomla look in the /root/includes folder
3. Since you generally don't change files outside components, always look at the 'date modified' field of the files; that can really help. All the files will carry the date on which you installed Joomla, and the few with a different date may be infected.
4. Once you suspect a file is infected, look for the following things:
    i) included files, e.g. include('includes/defaults.php');
       Before removing any such include, compare your code with another uninfected Joomla installation, preferably a fresh one, because it can be a legitimate part of your code.
   ii) eval(gzinflate(base64_decode('9saf45vs64.....')));
       This string can be very long, easily beyond 100 characters; it is encoded so that you can't search the source code for telltale words such as the spammy website links or URLs.


Now, the following are the issues I found; note that your site may have many different ones:

- First I looked at index.php in the root folder and saw the following changes/additions (not next to each other):
include('includes/defaults.php');
define ( 'T_TEXT',getlinks());
eval(gzinflate(base64_decode('7VpZk9w4c.....OlzG+fa6++UVvPrt1db5V99eo/AA==')));

Then I found a replaced line; you have to look carefully for such changes so that you don't break the Joomla core code. The original line
echo JResponse::toString($mainframe->getCfg('gzip'));
had been replaced with
echo str_replace('</body>',file_get_contents('includes/footer_t.php').'</body>',JResponse::toString($mainframe->getCfg('gzip')));

I removed the second line and put the first one back.

The first line above includes defaults.php, which was the spam. I looked into it before removing it and found it pointed to the includes/js/extra folder, which was full of .htm files with spammy links, so I removed the whole folder. Alternatively, you can rename the folder first to make sure you are not removing something important.

Another one I found in includes by tracing the date change and then looking at the file's contents: it was a file called jquery.dist.js or something similar, and its content was again eval(gzinflate()) style code, definitely not a jQuery file, so I removed that as well.

Then, again tracing the dates, I found a 'models.php' file inside the 'modules' folder. Almost all modules have model files, but not directly in the main modules folder, so I looked inside it and found it to be spam as well.

The last one I found was a defines.php file, also in the includes folder, which I removed, and the site was as good as before.
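To automate the two checks described above (the 'date modified' outliers and the eval(gzinflate(base64_decode())) layer), here is a small scanner added as an example; it is not from the original post, and the file names, the pharma.example link and the install timestamp in the sample tree are constructed for the demo. PHP's gzinflate() is raw DEFLATE, which is why the decoder passes negative wbits to zlib.

```python
import base64, os, pathlib, re, tempfile, zlib
from collections import Counter
# The obfuscation layer the post describes: eval(gzinflate(base64_decode('...')))
OBFUSCATED = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")

def gzinflate_b64(blob):
    # PHP gzinflate() is raw DEFLATE with no zlib header, hence the negative wbits.
    return zlib.decompress(base64.b64decode(blob), -zlib.MAX_WBITS).decode("utf-8", "replace")

def make_blob(text):  # inverse of gzinflate_b64(); used only to build the constructed sample
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()

def scan_file(path):
    """Report each eval(gzinflate()) layer in one file, with the links hidden inside it."""
    src = pathlib.Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    for blob in OBFUSCATED.findall(src):
        try:
            payload = gzinflate_b64(blob)
        except (ValueError, zlib.error):
            payload = ""  # undecodable here, but the eval() layer itself is still worth reporting
        links = re.findall(r"https?://[^\s'\"<>]+", payload)
        findings.append(f"eval(gzinflate(base64_decode)) with {len(blob)} base64 chars, links: {links}")
    return findings

def scan_tree(root):
    """Scan .php/.js files; also flag any whose mtime day differs from the tree's most common day (the install day)."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith((".php", ".js"))]
    day = lambda p: int(os.stat(p).st_mtime // 86400)
    install_day = Counter(day(p) for p in paths).most_common(1)[0][0]
    report = {}
    for p in paths:
        findings = scan_file(p) + (["modified on a different day than the rest of the install"] if day(p) != install_day else [])
        if findings:
            report[os.path.relpath(p, root)] = findings
    return report

def build_sample_site():
    """Constructed Joomla-like tree, not real malware: three clean files on the install day, plus an
    index.php and a fake jquery file carrying the eval layer that were touched two days later."""
    root, install = tempfile.mkdtemp(), 1_300_000_000  # constructed install timestamp
    blob = make_blob("<a href='http://pharma.example/buy'>cheap pills</a>")
    clean = ["includes/framework.php", "templates/my_template/index.php", "modules/mod_menu/helper.php"]
    evil = {"index.php": f"<?php\ninclude('includes/defaults.php');\neval(gzinflate(base64_decode('{blob}')));\n",
            "includes/js/jquery.dist.js": f"eval(gzinflate(base64_decode('{blob}')));\n"}
    for rel in clean + list(evil):
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(evil.get(rel, "<?php // clean file\n"))
        os.utime(path, (install + (2 * 86400 if rel in evil else 0),) * 2)
    return root
```

Running scan_tree() on a real site root prints the same kind of report; compare every flagged file against a fresh Joomla copy before deleting anything, as the post advises.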

Note:
1. This is Joomla specific, but you can apply the same approach to any PHP website: WordPress, Drupal etc.
2. Once you are done, open your previously infected pages, right click, go to 'view source' and check that there are no hidden links left inside your HTML either.

Hope it helps :)

3 comments:

  1. Thanks for this post. This was very helpful and much appreciated.

  2. I've been struggling for ages with some dodgy links in my footer. I finally found the issue after finding this article. Thank you so much!

  3. Thank you, really helpful
