Pharma hacks explained – How to fix
I’ve noticed an increase in the number of Pharma Hacks on Joomla sites.
Many of the hosting companies are scanning their users' sites and sending notices if the Joomla install is not at the latest version. They are threatening to take the sites down if the updates aren't done.
In several cases, I’ve found that the sites have been Pharma Hacked.
What is a Pharma Hack?
- Hackers find an exploit in a site, own the site, and then the hosting.
- The hackers plant an app that creates pages such as www.site.com/drugname.
- The hackers then go to sites with poor controls and post comment spam with links back to the drug pages on the hacked sites.
- The search engines begin to rank the hacked site as a pharmaceutical site.
- Users are drawn to the hacked pages either by following the links in the comments or because the hacked site is starting to rank in the search engines for
- When the visitor comes to the page, either a download of malware is attempted automatically or malware is downloaded when the order button is clicked.
- If the hackers are successful, they have now added another computer to their stable of bots.
How does this hurt the site and site owner?
- The search engine rankings are corrupted due to the incoming pharma-related links.
- The site may be tagged as a spam site in the search engines.
- If the search engines detect the malware, which they often do not, then they will tag the site as a malware site: goodbye rankings for a long, long time.
- The site and hosting are thoroughly corrupted.
- Emails may be compromised. Since most small business email lives on the same server as the hosting, the hackers could read ALL of your emails.
- You could possibly be sued by someone who got infected by your site. This is difficult to prove and a good defense attorney could rip the plaintiff for not having proper security on their machine.
How do you identify if your site was Pharma Hacked?
- One of the first things to do is a simple site search. Search Google for site:www.yoursite.com and look at the results. If you see results that are pharma or sex related and that is not the focus of your site, then you have probably been hacked. If you do see links to pharma products, DO NOT CLICK THE LINK. Your machine could get infected. I use a virtual machine to test sites I think are infected. A virtual machine is a machine within your machine; if it gets infected, you simply delete it and build a new one. Take a look at the URL, which will give you a hint as to how the hack is occurring.
- The other thing you can do is FTP everything from the server's public HTML root to a PC. While downloading, watch for failed downloads. Failed downloads with weird file names are probably malware payloads. Once you have the site downloaded, run a couple of antivirus apps against the downloaded files. It would be a good idea to set up a separate machine for this, or consider doing it inside a virtual machine. If you see malware, then you have almost certainly been hacked.
- Look at Google and Bing Webmaster Tools, specifically the incoming links to your site. Suppose you have a local site but there are lots of overseas links from bulletin boards. That means someone is creating those links and that you have probably been hacked.
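As an added example (not from the original post), a small triage script to run over the downloaded copy before or alongside the antivirus scan: it flags PHP files sitting in folders that should only hold images, CSS or JavaScript (the template image folders mentioned later are a typical hiding place), double extensions such as photo.jpg.php, and eval()/base64_decode() style obfuscation. The indicator list and the sample file tree are this example's own assumptions, and every hit is something to review by hand, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Triage heuristics assumed by this example (not from the post): decoder calls
# wrapped in eval()/assert(), PHP inside asset-only folders, double extensions.
OBFUSCATION_RE = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.I)
ASSET_DIRS = {"images", "css", "js", "fonts"}      # folders that should hold no PHP at all
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def scan_site_copy(site_root):
    """Walk a downloaded copy of the site; return sorted (path, reason) pairs for manual review."""
    root, findings = Path(site_root), set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        folders = set(rel.lower().split("/")[:-1])
        if folders & ASSET_DIRS:
            findings.add((rel, "php file inside an asset-only folder"))
        if path.name.count(".") > 1:
            findings.add((rel, "double extension (e.g. photo.jpg.php)"))
        if OBFUSCATION_RE.search(path.read_bytes()[:500_000]):
            findings.add((rel, "eval/base64-style obfuscation"))
    return sorted(findings)

def demo_site_copy():
    """Constructed miniature site copy: clean core files plus planted pattern samples (no real malware)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.php": "<?php define('_JEXEC', 1); require 'includes/framework.php';\n",
        "templates/protostar/index.php": "<?php defined('_JEXEC') or die;\n",
        "templates/protostar/images/view.php": "<?php eval(base64_decode('ZWNobyAxOw=='));\n",
        "images/banner.jpg.php": "<?php echo 'planted double-extension sample';\n",
        "media/system/js/core.js": "// javascript, not php\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_site_copy(demo_site_copy()):
        print(f"{rel}: {reason}")
```

Point `scan_site_copy()` at the folder you FTP'd the site into; the two planted files in the demo tree are the only ones it reports.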
How do you fix this?
The process is fairly involved. Let's assume you have a Joomla site, although the process would be the same for sites built with other systems such as WordPress or Drupal.
- Back up the existing site with both Akeeba Backup and an FTP download.
- You will need to get new hosting. Once the hackers have entered your site and host, it is almost impossible to ensure that they are completely gone. You could wipe everything out, but there are still back doors they could plant. Any host can be hacked. However, you cannot stay with your same plan. Some clients want to just get another hosting plan with the same host, but I advise against that.
- You need to inventory the functionality of the site. All of this will have to be redone from scratch:
  - What extensions are installed?
  - What forms are used?
  - Do we need to bring user lists over?
  - What template was used, and can I get an installable version? DO NOT copy over the template files, as the template folders are often used for malware.
- You need to check your new hosting:
  - Are the PHP and SQL versions up to date?
- You will need to rebuild the site from a clean install of Joomla. You CAN NOT install from a backup as you will almost certainly bring over malware.
- You need to install the templates and any extensions. In addition, I strongly recommend SecurityCheck Pro. That is a firewall for your site that will protect against SQL injection and other attacks. SCP also shows you, when properly configured, if there are security issues with your extensions.
- Note that you need to make sure that all of your extensions are up to date.
- You need to pick a date for migration. This will also involve migrating the email. The client's email clients will all need to be updated to the new host's email configuration. There will be a small window where incoming emails will be lost. Also, you need to make sure that the client has all of their email. For example, if they are only using an IMAP connection, then there is a possibility that all of their old email will be lost during the migration.
- Once the site is up and running, populated with content and migrated, you should also check the .htaccess file. Joomla’s htaccess needs some tweaking to be secure. The htaccess remarks will show you where you need to look.
- Make sure that SecurityCheck Pro is enabled and configured.
- SCP has a tool to change the URL for the admin control panel from www.yoursite.com/administrator to www.yoursite.com/administrator/?index.php/yoursecretword. That slows down brute-force password guessing attempts.
- Determine how much damage was done to your domain name. In almost all cases you will want to keep your existing domain which means that you will have to fix the bad incoming links.
  - Go to the incoming links to your site section in Google Webmaster Tools.
  - Download the list. You can also mouse over a link to see a preview of a page without going to the page.
  - Look at the links. Do they make sense? If you have a local site such as a restaurant with a lot of overseas incoming links, they most likely have to be killed. Remember, the advice from Google's Matt Cutts as of Jan 2014 is to "Use the disavow tool like a machete". You want to kill the bad incoming links. In the process you will probably kill some good incoming links. Don't worry about that. Be sure you are killing all the bad guys.
  - With Google, you can upload a file. With Bing, you currently have to disavow the links one at a time.
  - With both Google and Bing, I disavow the whole domain.
  - It will take time for the disavow to work, and you won't get direct feedback on the process.
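As an added example (not the post's own), turning the downloaded backlink list into a whole-domain disavow file in the `domain:` format Google's tool accepts. The export column name `Linking page`, the `keep` allowlist for links you have checked and want to leave alone, and the sample export are this example's assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Google's disavow file is plain text: one 'domain:example.com' or full URL per
# line, '#' for comments. The export column name and the allowlist are this
# example's assumptions; the export layout changes over time.
def registrable_host(url):
    """Hostname minus a leading 'www.'; a full public-suffix list is out of scope here."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def build_disavow(backlink_csv, own_domain, keep=()):
    """Collapse an exported backlink list to whole-domain disavow lines, skipping
    your own domain and anything in `keep`. Returns (file_text, kept_domains)."""
    bad, kept = set(), set()
    for row in csv.DictReader(io.StringIO(backlink_csv)):
        host = registrable_host(row["Linking page"])
        if not host or host == own_domain or host.endswith("." + own_domain):
            continue
        (kept if host in keep else bad).add(host)
    lines = ["# Whole-domain disavow list built from the webmaster tools export",
             f"# {len(bad)} domains disavowed; {len(kept)} allowlisted and skipped"]
    lines += [f"domain:{d}" for d in sorted(bad)]
    return "\n".join(lines) + "\n", sorted(kept)

# Constructed sample export: spammy forum links (www and bare host variants of
# the same domain), one legitimate local link worth keeping, and an internal link.
SAMPLE_EXPORT = """Linking page,Target page
http://www.forum-board.example/thread/123,http://www.yoursite.com/
http://forum-board.example/thread/456,http://www.yoursite.com/buy-drugname
https://blog.example.net/post,http://www.yoursite.com/
http://www.localchamber.example/members,http://www.yoursite.com/
http://www.yoursite.com/about,http://www.yoursite.com/
"""

if __name__ == "__main__":
    text, kept = build_disavow(SAMPLE_EXPORT, "yoursite.com", keep=("localchamber.example",))
    print(text)                      # upload this file in Google's disavow tool
    print("left alone:", kept)       # Bing still has to be done link by link
```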
How do sites get hacked?
- The hackers try exploits such as:
  - Brute-force password guessing. Almost all Joomla sites use a URL of www.yoursite.com/administrator. The hackers try one password after another. AdminExile or SCP can change this link to prevent this type of attack. As always, strong passwords help.
  - Your host might have security holes. There isn't much you can do about this until after the fact.
  - Some web designers have several sites on their hosting. If one gets hacked, the hackers can expand the exploit to other sites on the same host.
  - Your Joomla version could have an exploit. It is important to keep your site up to date. If you are running Joomla 1.5, you have holes that you could sail an aircraft carrier through.
  - Your PHP version could be out of date.
  - Your extensions, including your templates, can have flaws. You need to keep all of your extensions up to date. Ideally you should check once a week.
  - SQL injection – If you have ANY input forms, even one asking for an email address, hackers can inject code into that form. If they are successful, then they own your site. You need to be running a firewall and to make sure that your form generator software is constantly up to date.
- Developer errors. I’ve come across far too many sites where the previous developer made serious errors such as:
  - Not protecting against brute-force attacks.
  - Not updating the Joomla core, PHP, or extensions.
  - Not running a firewall.
  - LEAVING OLD COPIES OF THE SITE UP. I have come across sites where there are 5 or more copies of Joomla sitting on the host. These were copies that the developers installed to test out the site or changes to the site. Even if the main site was being updated, these old copies were not. Therefore, they are susceptible to hacking.
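An added example, not the author's, of the inventory step those last two points call for: find every Joomla copy under a hosting root, read its version, and flag the forgotten copies and anything running behind the live site. The version-file paths and the RELEASE/DEV_LEVEL constant names are what Joomla 1.5/2.5 and 3.x used at the time and are assumptions to verify against your own install; the hosting tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Joomla 1.5/2.5 and 3.x version-file paths and constant names (assumed here; verify against your install).
VERSION_FILES = ("libraries/cms/version/version.php", "libraries/joomla/version.php")
VERSION_RE = re.compile(r"RELEASE\s*=\s*'([^']+)'.*?DEV_LEVEL\s*=\s*'([^']+)'", re.S)

def find_joomla_installs(hosting_root):
    """Map every Joomla install under hosting_root (a configuration.php beside libraries/) to its version."""
    root, installs = Path(hosting_root), {}
    for cfg in root.rglob("configuration.php"):
        install, version = cfg.parent, "unknown"
        if not (install / "libraries").is_dir():
            continue
        for vf in (install / v for v in VERSION_FILES):
            if vf.is_file():
                m = VERSION_RE.search(vf.read_text(errors="replace"))
                version = ".".join(m.groups()) if m else version
                break
        installs[install.relative_to(root).as_posix()] = version
    return installs

def version_key(v):
    """Sort key for '3.4.8'-style strings; 'unknown' sorts lowest."""
    return tuple(int(x) if x.isdigit() else -1 for x in v.split("."))

def report(installs, production="."):
    """Flag every copy other than production, plus anything behind the newest version present."""
    newest = max(version_key(v) for v in installs.values())
    flagged = []
    for path, ver in sorted(installs.items()):
        reasons = [] if path == production else ["extra copy of the site"]
        if version_key(ver) < newest:
            reasons.append("behind the newest installed version")
        if reasons:
            flagged.append((path, ver, "; ".join(reasons)))
    return flagged

def demo_hosting():
    """Constructed hosting root: the live 3.4.8 site plus two forgotten test copies."""
    root = Path(tempfile.mkdtemp())
    copies = {".": (VERSION_FILES[0], "const RELEASE = '3.4';\nconst DEV_LEVEL = '8';"),
              "old": (VERSION_FILES[1], "var $RELEASE = '1.5';\nvar $DEV_LEVEL = '26';"),
              "test2": (VERSION_FILES[1], "public $RELEASE = '2.5';\npublic $DEV_LEVEL = '28';")}
    for rel, (vf, body) in copies.items():
        (root / rel / vf).parent.mkdir(parents=True)
        (root / rel / vf).write_text("<?php\n" + body + "\n")
        (root / rel / "configuration.php").write_text("<?php class JConfig {}\n")
    return root
```

Run `report(find_joomla_installs("/path/to/public_html"))` on the host (or on the FTP download) and remove every flagged copy rather than trying to update it.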
What is the cost to recover from a hacked site?