Pharma hacks explained – How to fix
There has been an increase in the number of Pharma Hacks on Joomla sites.
Many of the hosting companies are scanning their user’s sites and sending notices if the Joomla install is not up to the latest version. They are threatening to take the sites down if the updates aren’t done.
In several cases, I’ve found that the sites have been Pharma Hacked.
Update December 2019 – Revised and edited. We have moved to WordPress buy much of the Joomla based content in this post translates to other platforms.
What is a Pharma Hack?
- Hackers find an exploit in a site and own the site and then the hosting
- The hackers plant an app that creates pages such as www.site.com/drugname
- The hackers then go to sites with poor controls and comment spam with links back to the drug pages on the hacked sites .
- The search engines begin to rank the hacked site as a pharmaceutical site.
- Users are drawn to the hack pages either by following the links in the comment or because the hacked site is starting to rank in the search engines for that particular word.
- When the visitor comes to the page either an auto download of malware is attempted or it attempts to download malware when the order button is clicked.
- If the hackers are successful, they have now added another computer to their stable of bots.
How does this hurt the site and site owner?
- The search engine rankings are corrupted due to the incoming pharma related links
- The site may be tagged as a spam site in the search engines.
- If the search engines detect the malware, which they often do not, then they will tag the site as a malware site…. goodbye rankings for a long long time. ..
- The site and hosting are thoroughly corrupted.
- Emails may be compromised. Since most small business email lives on the same server as the hosting, the hackers could read ALL of your emails.
- You could be sued by someone who got infected by your site. This is difficult to prove and a good defense attorney could rip the plaintiff for not having proper security on their machine.
How do you identify if your site was Pharma Hacked?
- One of the first things to do is a simple site search. Search google for site:www.yoursite.com . Look at the results. If you see results that are pharma or sex related and that is not the focus of your site, then you have probably been hacked. If you do see links to Pharma products DO NOT CLICK THE LINK. Your machine could get infected. I use a virtual machine to test sites I think are infected. The virtual machine is a machine within your machine. If that gets infected, you simply delete it and build a new one. Take a look at the url which will give you a hint as to how the hack is occurring.
- The other thing you can do is FTP everything from the server’s public html root to a pc. When you do the download look for failed downloads. If you see failed downloads with weird file names, those are probably malware payloads. Once you have the site downloaded, then run a couple of antivirus apps against the downloaded files. It would be a good idea to set up a separate machine for this or consider doing it inside a virtual machine. If you see malware, then you have almost certainly been hacked.
- Look at google and Bing webmaster tools. Look at the incoming links to your site. Suppose you have a local site but there are lots of overseas links from bulletin boards. Then that means that someone is creating those links and that you probably have been hacked.
How do you fix this??
The process is fairly involved. Let’s assume you have a Joomla site although the process would be the same for other sites such as those done with WordPress, Drupal or any other platform.
- Back up the existing site with both Akeeba Backup and an FTP download.
- You will need to get new hosting. Once the hackers have entered your site and host, it is almost impossible to ensure that they are completely gone. You could wipe everything out but there are still back doors they could plant. Any host can be hacked. However, you can not stay with your same plan. Some clients want to just get another hosting plan with the same host but I advise against that.
- You need to inventory the functionality of the site. All of this will have to be redone from scratch. :
- What extensions are installed?
- What forms are used?
- Do we need to bring user lists over?
- What template was used and can I get an installable version. DO NOT copy over the template files as the template folders are often used for malware.
- You need to check your new hosting
- Are the PHP and SQL versions up to date?
- You will need to rebuild the site from a clean install of Joomla. You CAN NOT install from a backup as you will almost certainly bring over malware.
- You need to install the templates and any extensions. In addition, I strongly recommend SecurityCheck Pro. That is a firewall for your site that will protect against SQL injection and other attacks. SCP also shows you, when properly configured, if there are security issues with your extensions.
- Note that you need to make sure that all of your extensions are up to date.
- You need to pick a date for migration. This will also involve migrating the email. The client’s email clients will all need to be updated to the new host’s email configuration. There will be a small window where incoming emails will be lost. Also, you need to make sure that the client has all of their email. For example, if they are only using an IMAP connection, then there is a possibility that all of their old email will be lost during the migration..
- Once the site is up and running, populated with content and migrated, you should also check the .htaccess file. Joomla’s htaccess needs some tweaking to be secure. The htaccess remarks will show you where you need to look.
- Make sure that SecurityCheck Pro is enabled and configured.
- SCP has a tool to change the url for the admin control panel from www.yoursite.com/administrator to www.yoursite.com/administrator/?index.php/yoursecretword. That slows down brute force password hack attempts.
Now, in the meantime,, you need to be working on getting rid of the bad incoming links. You need to go to Google and Bing Webmaster tools and look at the incoming links. You are supposed to contact the webmasters to remove spammy links. However, I seriously down that it would be worth trying to contact a webmaster in Japan to take down a link to my client’s site in their sex forums..
Google and Bing both have a Disavow tool. The disavow tool will allow you to tell the search engines that you do not want to be associated with the incoming links. The basic process is as follows although I will be posting a more detailed article shortly.
- Determine how much damage was done to your domain name. In almost all cases you will want to keep your existing domain which means that you will have to fix the bad incoming links.
- Go to the incoming links to your site section in google webmaster tools.
- Download the list. You can also mouse over a link to see a preview of a page without going to the page.
- Look at the links. Do they make sense? If you have a local site such as a restaurant with a lot of overseas incoming links, they most likely have to be killed. Remember, the advice from Google’s Matt Cutts as of Jan 2014 is to “Use the disavow tool like a machete”. You want to kill the bad incoming links. In the process you will probably kill some good incoming links. Don’t worry about that. Be sure you are killing all the bad guys.
- With Google, you can upload a file. With Bing, you currently have to disavow the links one at a time.
- With both google and Bing, I disavow the whole domain.
- It will take time for the disavow to work and you won’t get direct feedback on the process.
How do sites get hacked?
- The hackers try exploits such as
- Brute force password guessing. Almost all Joomla sites use a URL of www.yoursite.com/administrator. The hackers try one password after another. Admin exile or SCP can change this link to prevent this type of attack. As always, strong passwords help
- Your host might have security holes. There isn’t much you can do about this until after the fact
- Some web designers have several sites on their hosting. If one gets hacked, the hackers can expand the exploit to other sites on the same host.
- Your Joomla version could have an exploit. It is important to keep your site up to date. If you are running Joomla 1.5 you have holes that you could sail an aircraft carrier through.
- Your php versions could be out of date.
- Your extensions, including your templates can have flaws. You need to keep all of your extensions up to date. Ideally you should check once a week.
- SQL injection – If you have ANY input forms, even one asking for an email address, hackers can inject code into that form. If they are successful, then they own your site. You need to be running a firewall and to make sure that your form generator software is constantly up to date.
- Developer errors. I’ve come across far too many sites where the previous developer made serious errors such as:
- Not protecting against brute force attacks
- Not updating the Joomla core, php, or extensions
- Not running a firewall.
- LEAVING OLD COPIES OF THE SITE UP.. I have come across sites where there are 5 or more copies of Joomla sitting on the host. These were copies that the developers installed to test out the site or changes to the site. Even if the main site was being updated, these old copies are not being updated. Therefore, they are susceptible to hacking.
What is the cost to recover from a hacked site?
Since I don’t feel that you can safely remain on pwned hosting, you need to move to a new host. In order to be absolutely sure that no malware comes over, you need to build the site from scratch. The cost will depend on the complexity of the site and the extent of the incoming link spam. A minimum price for a small site with a couple of hundred inbound links would be about $1500. A larger site with a lot of bad incoming links could cost $10,000 or more before it is back to normal.
- Monthly maintenance for Joomla (and other) sites.
- Removing obsolete database tables from your Joomla site.
- Finding a bad extension in chrome
- Mass manipulation of the target and nofollow attributes in joomla
- A backdoor in a youtube plugin could compromise your Joomla site.
- Dealing with comment spam in WordPress.
- J-Google-Adsense extension for Joomla showing wrong publisher ID
- Redirecting a folder using Apache redirects