StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POWhere to look in my Joomla installation for the pharmacy hack?
primarykey
Id
18500412
data
AcceptedAnswerId
19751668
AnswerCount
4
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2013-08-29T00:22:06.510
FavoriteCount
0
LastActivityDate
2014-04-23T08:49:58.680
LastEditDate
2013-08-29T01:05:15.900
LastEditorUserId
102937
OwnerUserId
2009629
ParentId
0
PostTypeId
1
Score
0
ViewCount
1998
LastEditorDisplayName
text
Body
We've discovered today that our Joomla website has been hacked by a pharmacy trojan. It was difficult to discover because most users don't see it when visiting our website. One user reported about 2 weeks ago that our site contains viagra/pharmacy spam. We've looked into it, but found nothing. The conclusion was that the users computer was infected. Yesterday another user reported this problem, so I've started to investigate again. One hour later I've discovered that the site is indeed infected. When I visit this webpage with my web browser all if fine: <a href="http://www.outertech.com/en/bookmark-manager" rel="nofollow">http://www.outertech.com/en/bookmark-manager</a> But, if I do a google translate of this webpage I see the infection (viagra and cialis links): <a href="http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager" rel="nofollow">http://translate.google.com/translate?sl=en&tl=de&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.outertech.com%2Fen%2Fbookmark-manager</a> The same happens if I use curl: <pre><code>curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://www.outertech.com/en/bookmark-manager </code></pre> As a next step I made a backup (Akeeba) of the website and transferred it to a local xampp installation for further investigation. The local xampp installation with the website has also the same problem, so indeed the Joomla installation is infected. a visit of <pre><code>http://localhost/en/bookmark-manager </code></pre> shows no problems, but a <pre><code>curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://localhost/en/bookmark-manager </code></pre> contains the viagra links. I've looked for hours at the (mostly php) files, did a lot of greps etc, but I cannot find anything suspicious. Virus Total and Google Webmaster report the site as clean. I did an audit on myjoomla.com, but no malware was found. I would be really grateful if someone could point me in the right direction. Where to look inside my Joomla installation for this hack?
Tags
<security><joomla>
Title
Where to look in my Joomla installation for the pharmacy hack?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USRobert Harvey
UserOwnerUserId
1. USCasady
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId
1. COKind of a longshot, but are you using a cache extension such as JotCache? Some keep user-agent specific data, so you could try and empty the googlebot-specific cache, if any. As to the reason it got poisoned in the first place, that is an interesting thing to investigate, although it appears that you are using Joomla! 1.5, which is no longer supported and does no longer gets security fixes.
 singulars
 PostPostId
 POWhere to look in my Joomla installation for the pharmacy hack?
 UserUserId
 USMasterAM
2. COare you using any extensions for the frontend of the site that allow users to upload files such as a Gallery? It is possible that a 3rd party extensio has exploited your site
 singulars
 PostPostId
 POWhere to look in my Joomla installation for the pharmacy hack?
 UserUserId
 USLodder

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.