Pharma hack ([* spam *] in Google descriptions)

Discussion regarding Joomla! 1.5 security issues.
esark3333
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 17, 2012 12:41 am

Pharma hack ([* spam *] in Google descriptions)

Post by esark3333 » Tue Jul 17, 2012 1:51 am

Hi all,

Our website has been pharma hacked. We recently upgraded from version 1.5.15 to 1.5.26, however I'm unsure when the hack happened.

I tried following posting instructions. Here are the results of the FPA:
Problem Description :: Forum Post Assistant (v1.2.1) : 16th July 2012 wrote:pharma hack
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.1) : 16th July 2012 wrote:[30-Jan-2012 14:11:50] PHP Fatal error: Call to undefined method ::() in /home/husonusa/public_html/libraries/joomla/session/session.php on line 135
Forum Post Assistant (v1.2.1) : 16th July 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (644) | Owner: husonusa (uid: 804/gid: 800) | Group: husonusa (gid: 800) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-194.32.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/husonusa/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: apache2handler | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 28th May 2012 07:53:41. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: /home/husonusa:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 32M | Max. Input Time: 240 | Max. Execution Time: 120 | Memory Limit: 512M

MySQL Configuration :: Connection Error: 1045:Access denied for user 'jiworklc_husonup'@'localhost' (using password: YES) : Database Credentials Present? in Configuration...
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | pgsql () | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | apache2handler () | timezonedb () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | uploadprogress (1.0.1) | ffmpeg (0.6.0-svn) | SourceGuardian (8.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_cache | mod_mem_cache | mod_include | mod_filter | mod_deflate | mod_log_config | mod_logio | mod_env | mod_mime_magic | mod_expires | mod_headers | mod_usertrack | mod_unique_id | mod_setenvif | mod_version | mod_proxy | mod_proxy_connect | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_ajp | mod_proxy_balancer | mod_ssl | prefork | http_core | mod_mime | mod_dav | mod_status | mod_autoindex | mod_asis | mod_info | mod_suexec | mod_cgi | mod_dav_fs | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_auth_passthrough | mod_bwlimited | mod_fpcgid | mod_php5 | mod_security2 | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None attachments/ (777) | attachments/article/ (777) | attachments/article/334/ (777) | attachments/article/334/.svn/ (777) | attachments/article/334/.svn/prop-base/ (777) | attachments/article/334/.svn/text-base/ (777) | attachments/article/334/.svn/tmp/ (777) | attachments/article/334/.svn/tmp/prop-base/ (777) | attachments/article/334/.svn/tmp/props/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: User (1.5.0) | User (1.5.0) | Wrapper (1.5.0) | Wrapper (1.5.0) | MailTo (1.5.0) | MailTo (1.5.0) |
Components :: ADMIN :: Mass Mail (1.5.0) | Mass Mail (1.5.0) | Weblinks (1.5.0) | Weblinks (1.5.0) | Content Page (1.5.0) | Module Manager (1.5.0) | Module Manager (1.5.0) | User Manager (1.5.0) | User Manager (1.5.0) | Contact Items (1.0.0) | Contact Items (1.0.0) | Contact (1.5.0) | Attachments (2.1.2) | Attachments (2.1.2) | Content - Attachments (2.1.2) | Content - Attachments (2.1.2) | Attachments - For Content (2.1.2) | Attachments - For Content (2.1.2) | Editor Button - Add Attachment (2.1.2) | Editor Button - Add Attachment (2.1.2) | System - Show attachments in e (2.1.2) | System - Show attachments in e (2.1.2) | Search - Attachments (2.1.2) | Search - Attachments (2.1.2) | Attachments - For Components P (2.1.2) | Attachments - For Components P (2.1.2) | Editor Button - Insert Attachm (2.1.2) | Editor Button - Insert Attachm (2.1.2) | Plugin Manager (1.5.0) | Plugin Manager (1.5.0) | Newsfeeds (1.5.0) | Newsfeeds (1.5.0) | Installation Manager (1.5.0) | Installation Manager (1.5.0) | Template Manager (1.5.0) | Template Manager (1.5.0) | Configuration Manager (1.5.0) | Configuration Manager (1.5.0) | Search (1.5.0) | Search (1.5.0) | Control Panel (1.5.0) | Control Panel (1.5.0) | Messaging (1.5.0) | Messaging (1.5.0) | Content Page (1.5.0) | Content Page (1.5.0) | Language Manager (1.5.0) | Language Manager (1.5.0) | Attachments (2.1.2) | Content - Attachments (2.1.2) | Attachments - For Content (2.1.2) | Editor Button - Add Attachment (2.1.2) | System - Show attachments in e (2.1.2) | Search - Attachments (2.1.2) | Attachments - For Components P (2.1.2) | Editor Button - Insert Attachm (2.1.2) | Polls (1.5.0) | Polls (1.5.0) | Menus Manager (1.5.0) | Menus Manager (1.5.0) | Banners (1.5.0) | Banners (1.5.0) | pi_admin_user_access (2.0.6) | pi_admin_user_access (2.0.6) | Cache Manager (1.5.0) | Cache Manager (1.5.0) | Service (1.5.0) | Service (1.5.0) | Trash (1.0.0) | Trash (1.0.0) | JCE (1.5.7.4) | JCE (1.5.7.4) | Frontpage (1.5.0) | Frontpage (1.5.0) | 
Media Manager (1.5.0) | Media Manager (1.5.0) | JoomlaPack (2.4) | JoomlaPack Backup Notification (1.0) | JoomlaPack Backup Notification (1.0) | JoomlaPack (2.4) |

Modules :: SITE :: Poll (1.5.0) | Poll (1.5.0) | Search (1.0.0) | Search (1.0.0) | Most Read Content (1.5.0) | Most Read Content (1.5.0) | Random Image (1.5.0) | Random Image (1.5.0) | BLOG (1.0.0) | BLOG (1.0.0) | Banner (1.5.0) | Banner (1.5.0) | Newsflash (1.5.0) | Newsflash (1.5.0) | Sign Up (1.0.0) | Sign Up (1.0.0) | Latest News (1.5.0) | Latest News (1.5.0) | Syndicate (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Who\'s Online (1.0.0) | Breadcrumbs (1.5.0) | Breadcrumbs (1.5.0) | Media Search (1.0.0) | Media Search (1.0.0) | Huson Menu (1.0.0) | Huson Menu (1.0.0) | Media Search List (1.0.0) | Media Search List (1.0.0) | Related Items (1.0.0) | Related Items (1.0.0) | Feed Display (1.5.0) | Feed Display (1.5.0) | Archived Content (1.5.0) | Archived Content (1.5.0) | Wrapper (1.0.0) | Wrapper (1.0.0) | Custom HTML (1.5.0) | Custom HTML (1.5.0) | Contact Us (1.0.0) | Contact Us (1.0.0) | LATEST NEWS (1.5.0) | LATEST NEWS (1.5.0) | Title (1.0.0) | Title (1.0.0) | Key Facts (1.0.0) | Key Facts (1.0.0) | Sections (1.5.0) | Sections (1.5.0) | Login (1.5.0) | Login (1.5.0) | Footer (1.5.0) | Footer (1.5.0) | Services (1.0.0) | Services (1.0.0) | Single Item (1.0.0) | Single Item (1.0.0) | Statistics (1.5.0) | Statistics (1.5.0) | Menu (1.5.0) | Menu (1.5.0) | Child menu (1.5.23) | Child menu (1.5.23) | Admin user access (frontend) (2.0.6) | Admin user access (frontend) (2.0.6) | Media Search (1.0.0) | Media Search (1.0.0) |
Modules :: ADMIN :: Admin Submenu (1.0.0) | Admin Submenu (1.0.0) | Logged in Users (1.0.0) | Logged in Users (1.0.0) | Online Users (1.0.0) | Online Users (1.0.0) | Toolbar (1.0.0) | Toolbar (1.0.0) | Popular Items (1.0.0) | Popular Items (1.0.0) | Unread Items (1.0.0) | Unread Items (1.0.0) | Feed Display (1.5.0) | Feed Display (1.5.0) | Custom HTML (1.5.0) | Custom HTML (1.5.0) | User Status (1.5.0) | User Status (1.5.0) | Admin Menu (1.0.0) | Admin Menu (1.0.0) | JoomlaPack Backup Notification (1.0) | JoomlaPack Backup Notification (1.0) | Title (1.0.0) | Title (1.0.0) | Login Form (1.0.0) | Login Form (1.0.0) | Latest News (1.0.0) | Latest News (1.0.0) | Footer (1.0.0) | Footer (1.0.0) | Items Stats (1.0.0) | Items Stats (1.0.0) | Admin user access (backend) (2.0.9) | Admin user access (backend) (2.0.9) | Quick Icons (1.0.0) | Quick Icons (1.0.0) |

Plugins :: SITE :: Search - Categories (1.5) | Search - Weblinks (1.5) | Search - Contacts (1.5) | Search - Sections (1.5) | Search - Content (1.5) | Search - Attachments (2.1.2) | Search - Attachments (2.1.2) | Search - Content (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Contacts (1.5) | Search - Newsfeeds (1.5) | Attachments - For Content (2.1.2) | Attachments - For Content (2.1.2) | Attachments - For Components P (2.1.2) | Attachments - For Components P (2.1.2) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Page Navigation (1.5) | Content - Load Modules (1.5) | Content - Vote (1.5) | Content - Attachments (2.1.2) | AllVideos (by JoomlaWorks) (3.1) | Content - Attachments (2.1.2) | AllVideos (by JoomlaWorks) (3.1) | Content - Email Cloaking (1.5) | Content - Page Navigation (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Pagebreak (1.5) | Content - Example (1.0) | Content - Vote (1.5) | Content - Load Modules (1.5) | Content - Example (1.0) | Authentication - Joomla (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - LDAP (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Authentication - Example (1.5) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Editor Button - Add Attachment (2.1.2) | Editor Button - Insert Attachm (2.1.2) | Button - Image (1.0.0) | Button - Readmore (1.5) | Editor Button - Insert Attachm (2.1.2) | Button - Pagebreak (1.5) | Editor Button - Add Attachment (2.1.2) | User - Joomla! (1.5) | User - Joomla! 
(1.5) | User - Example (1.0) | User - Example (1.0) | Editor - TinyMCE 3 (3.2.6) | Editor - JCE 1.5.7.4 (1.5.7.4) | Editor - XStandard Lite for Jo (1.0) | Editor - None (1.0) | Editor - XStandard Lite for Jo (1.0) | Editor - JCE 1.5.7.4 (1.5.7.4) | Editor - TinyMCE 3 (3.2.6) | Zoo2 Links for Advanced Link (1.0.0) | Joomla! Links for Advanced Lin (1.2.1) | Zoo2 Links for Advanced Link (1.0.0) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Link (1.5.7.4) | Advanced Link (1.5.7.4) | Advanced Code Editor (1.5.7.4) | Advanced Code Editor (1.5.7.4) | Paste (1.5.7.4) | Paste (1.5.7.4) | Paste (1.5.7.4) | Paste (1.5.7.4) | File Browser (1.5.7.4) | File Browser (1.5.7.4) | JCE SPELLCHECKER TITLE (1.5.7.4) | JCE SPELLCHECKER TITLE (1.5.7.4) | Image Manager (1.5.7.4) | Image Manager (1.5.7.4) | Media Object support (1.5.7.4) | Media Object support (1.5.7.4) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | System - Legacy (1.5) | System - Debug (1.5) | System - Remember Me (1.5) | System - Cache (1.5) | System - Show attachments in e (2.1.2) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Backlinks (1.5) | System - Show attachments in e (2.1.2) | System - Legacy (1.5) | System - SEF (1.5) | System - Mootools Upgrade (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Log (1.5) | System - Remember Me (1.5) | System - Log (1.5) | System - Backlinks (1.5) | Search - Categories (1.5) | Search - Weblinks (1.5) | Search - Contacts (1.5) | Search - Sections (1.5) | Search - Content (1.5) | Search - Attachments (2.1.2) | Search - Content (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Contacts (1.5) | Search - Newsfeeds (1.5) | Attachments - For Content (2.1.2) | Attachments - For Components P (2.1.2) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | 
Content - Page Navigation (1.5) | Content - Load Modules (1.5) | Content - Vote (1.5) | Content - Attachments (2.1.2) | AllVideos (by JoomlaWorks) (3.1) | Content - Email Cloaking (1.5) | Content - Page Navigation (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Pagebreak (1.5) | Content - Example (1.0) | Content - Vote (1.5) | Content - Load Modules (1.5) | Content - Example (1.0) | Authentication - Joomla (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - LDAP (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Authentication - Example (1.5) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Editor Button - Add Attachment (2.1.2) | Editor Button - Insert Attachm (2.1.2) | Button - Image (1.0.0) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | User - Joomla! (1.5) | User - Joomla! (1.5) | User - Example (1.0) | User - Example (1.0) | Editor - TinyMCE 3 (3.2.6) | Editor - JCE 1.5.7.4 (1.5.7.4) | Editor - XStandard Lite for Jo (1.0) | Editor - None (1.0) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | Zoo2 Links for Advanced Link (1.0.0) | Joomla! 
Links for Advanced Lin (1.2.1) | Advanced Link (1.5.7.4) | Advanced Code Editor (1.5.7.4) | Paste (1.5.7.4) | Paste (1.5.7.4) | File Browser (1.5.7.4) | JCE SPELLCHECKER TITLE (1.5.7.4) | Image Manager (1.5.7.4) | Media Object support (1.5.7.4) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | System - Legacy (1.5) | System - Debug (1.5) | System - Remember Me (1.5) | System - Cache (1.5) | System - Show attachments in e (2.1.2) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Backlinks (1.5) | System - Legacy (1.5) | System - SEF (1.5) | System - Mootools Upgrade (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Log (1.5) | System - Remember Me (1.5) | System - Log (1.5) | System - Backlinks (1.5) |
Templates Discovered :: wrote:Templates :: SITE :: beez (1.0.0) | beez (1.0.0) | huson (1.0.0) | huson (1.0.0) | rhuk_milkyway (1.0.2) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) | Khepri (1.0) |
Thanks,
Ed

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Pharma hack ([* spam *] in Google descriptions)

Post by mandville » Tue Jul 17, 2012 8:09 am

this could be a big clue as to how


Elevated Permissions (First 10) :: None attachments/ (777) | attachments/article/ (777) | attachments/article/334/ (777) | attachments/article/334/.svn/ (777) | attachments/article/334/.svn/prop-base/ (777) | attachments/article/334/.svn/text-base/ (777) | attachments/article/334/.svn/tmp/ (777) | attachments/article/334/.svn/tmp/prop-base/ (777) | attachments/article/334/.svn/tmp/props/ (777) | 

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
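An added example, not part of the post above and not code from the Joomla project: one way to run the permissions item of the checklist over a document root. It reports anything world-writable, anything that differs from 644/444 for files and 755 for directories, and script files sitting inside world-writable directories. The function names, the list of script extensions and the sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile

FILE_OK = {0o644, 0o444}                  # 444: read-only, e.g. configuration.php
DIR_OK = {0o755}
SCRIPT_EXT = (".php", ".php5", ".phtml")  # assumption: extensions the server executes


def _mode(path):
    """Permission bits of path, without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) findings under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = _mode(dirpath)
        dir_ww = bool(dir_mode & stat.S_IWOTH)
        rel_dir = os.path.relpath(dirpath, root)
        if dir_ww:
            findings.append((rel_dir, f"{dir_mode:03o}", "world-writable directory"))
        elif dir_mode not in DIR_OK:
            findings.append((rel_dir, f"{dir_mode:03o}", "directory is not 755"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode says nothing about its target
            mode = _mode(path)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"{mode:03o}", "world-writable file"))
            elif mode not in FILE_OK:
                findings.append((rel, f"{mode:03o}", "file is not 644 or 444"))
            # Anything the server can execute inside a directory that every
            # local account can write to deserves a manual look.
            if dir_ww and name.lower().endswith(SCRIPT_EXT):
                findings.append((rel, f"{mode:03o}", "script in world-writable directory"))
    return sorted(findings)


# Constructed sample layout (not taken from the poster's site).
# A trailing "/" marks a directory; "" is the document root itself.
SAMPLE = [
    ("", 0o755),
    ("configuration.php", 0o444),
    ("index.php", 0o644),
    ("includes/", 0o755),
    ("includes/defines.php", 0o666),
    ("attachments/", 0o777),
    ("attachments/article/", 0o777),
    ("attachments/article/report.pdf", 0o644),
    ("attachments/article/notes.php", 0o644),
    ("tmp/", 0o775),
]


def build_sample_tree():
    """Create the constructed sample on disk and return its path."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    for rel, _mode_unused in SAMPLE:
        path = os.path.join(root, rel)
        if rel == "" or rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
    for rel, mode in SAMPLE:       # set modes last so 444 files can be created
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    import shutil
    sample_root = build_sample_tree()
    try:
        for rel, mode, reason in audit_permissions(sample_root):
            print(f"{mode}  {rel}  ({reason})")
    finally:
        shutil.rmtree(sample_root)
```

To audit a real site, call `audit_permissions()` with the document root instead of the sample tree. A clean result only covers permissions; the remaining checklist items still apply.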

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Pharma hack ([* spam *] in Google descriptions)

Post by Slackervaara » Tue Jul 17, 2012 3:48 pm

Just a question. I have a phpBB3 forum on my Joomla site. Some folders of phpBB3 have permissions 777, but still phpBB3 is hack-safe. Maybe it is safe because of the .htaccess in those folders with this:

<Files *>
Order Allow,Deny
Deny from All
</Files>

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Pharma hack ([* spam *] in Google descriptions)

Post by Webdongle » Tue Jul 17, 2012 9:04 pm

Slackervaara wrote:... but still phpBB3 is hack-safe....
No it is not.

And it looks like files have been uploaded to the OP's site.
Last edited by Webdongle on Wed Jul 18, 2012 12:12 am, edited 1 time in total.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Pharma hack ([* spam *] in Google descriptions)

Post by mandville » Tue Jul 17, 2012 9:30 pm

Slackervaara, I do not see what your question on a non-Joomla script has to do with the original poster's issue.
You are confusing things at least and hijacking at the most.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Pharma hack ([* spam *] in Google descriptions)

Post by PhilD » Wed Jul 18, 2012 3:59 pm

Elevated permissions, and especially 777 permissions, are bad for any website and it is never OK no matter what you put in place to compensate (deny all) for the elevated permissions. It does not matter what the 'brand' of software that is being used on the site is. It is just bad, like leaving the keys in the car in the bad section of the city.
PhilD

esark3333
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 17, 2012 12:41 am

Re: Pharma hack ([* spam *] in Google descriptions)

Post by esark3333 » Thu Jul 19, 2012 12:26 am

Thank you Mandville, I will follow your helpful instructions.

Many thanks!
Ed

bastywebb
Joomla! Fledgling
Posts: 2
Joined: Mon Oct 12, 2009 9:32 am

Re: Pharma hack ([* spam *] in Google descriptions)

Post by bastywebb » Fri Jul 27, 2012 2:02 pm

I think I've come across the same exploit you're referring to. And seeing as no one has mentioned where the exploit files are and how to fix them I thought I'd pitch in.

For me, the problem files were as follows:
includes/defines.php
modules/mod_banners/tmpl/banner.php
modules/mod_banners/tmpl/banner.css

You need to delete banner.php and banner.css and remove the following line from the bottom of defines.php:

@include JPATH_BASE.DS.'modules'.DS.'mod_banners'.DS.'tmpl'.DS.'banner.php';

This "Pharma" hack is quite well known. The following resources are very useful:
http://redleg-redleg.[URL banned].co.uk/201 ... -hack.html
http://redleg-redleg.[URL banned].co.uk/201 ... hacks.html

The hack doesn't actually change the meta description tag. It adds content immediately after the <body> tag, which then shows up in the Google descriptions. It only serves the [* spam *] keywords to Google Bot, which makes it hard to spot.

Do the following search in Google to see how many of your web pages have been indexed with [* spam *] terms:

site:www.your-domain.com/ ([* spam *])

I hope this helps!
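An added example, not part of the post above: two checks built on the indicators it describes, an error-suppressed include appended to a PHP file such as includes/defines.php, and content after the <body> tag that appears only in the response served to the search crawler. The function names and all sample strings are constructed for the illustration; the two HTML responses are assumed to have been saved beforehand, one from the webmaster tools "fetch as Google Bot" feature and one from a normal browser.

```python
import re
from html.parser import HTMLParser

# "@include ..." / "@require_once ..." at the start of a line. Legitimate code
# sometimes uses this too, so a match means "review", not "malicious".
SUPPRESSED_INCLUDE = re.compile(r"^\s*@\s*(include|require)(_once)?\b", re.IGNORECASE)


def suppressed_includes(php_source):
    """Return (line_number, text) for each error-suppressed include/require."""
    return [(n, line.strip())
            for n, line in enumerate(php_source.splitlines(), 1)
            if SUPPRESSED_INCLUDE.match(line)]


class _BodyCollector(HTMLParser):
    """Collect visible text chunks and link targets found inside <body>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_body = False
        self.skip = 0          # depth inside <script>/<style>
        self.text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag in ("script", "style"):
            self.skip += 1
        elif tag == "a" and self.in_body:
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
        elif tag == "body":
            self.in_body = False

    def handle_data(self, data):
        if self.in_body and not self.skip:
            chunk = " ".join(data.split())
            if chunk:
                self.text.append(chunk)


def body_content(html):
    """Return (text_chunks, links) from the body of an HTML document."""
    parser = _BodyCollector()
    parser.feed(html)
    parser.close()
    return parser.text, parser.links


def crawler_only_content(crawler_html, browser_html):
    """Text and links served to the crawler but absent from the browser copy."""
    c_text, c_links = body_content(crawler_html)
    b_text, b_links = body_content(browser_html)
    seen_text, seen_links = set(b_text), set(b_links)
    return {
        "text": [t for t in c_text if t not in seen_text],
        "links": [u for u in c_links if u not in seen_links],
    }


# Constructed samples. The last line of SAMPLE_DEFINES is the line quoted in the post.
SAMPLE_DEFINES = """<?php
define('JPATH_ROOT', JPATH_BASE);
define('JPATH_SITE', JPATH_ROOT);
@include JPATH_BASE.DS.'modules'.DS.'mod_banners'.DS.'tmpl'.DS.'banner.php';
"""

BROWSER_HTML = (
    "<html><head><title>Home</title></head><body>"
    "<h1>Welcome</h1><p>Company news</p><a href=\"/contact\">Contact</a>"
    "</body></html>"
)

CRAWLER_HTML = (
    "<html><head><title>Home</title></head><body>"
    "<div>constructed spam keyword block</div>"
    "<a href=\"http://spam.invalid/\">spam link</a>"
    "<h1>Welcome</h1><p>Company news</p><a href=\"/contact\">Contact</a>"
    "</body></html>"
)

if __name__ == "__main__":
    print(suppressed_includes(SAMPLE_DEFINES))
    print(crawler_only_content(CRAWLER_HTML, BROWSER_HTML))
```

An empty result from both checks shows only that these two indicators are absent, not that the site is clean.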

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Pharma hack ([* spam *] in Google descriptions)

Post by mandville » Fri Jul 27, 2012 2:39 pm

bastywebb wrote:I think I've come across the same exploit you're referring to. And seeing as no one has mentioned where the exploit files are and how to fix them I thought I'd pitch in.
Please don't fall into the common trap of thinking that deleting the two obvious files is the cure-all for the issue.
Please go back to the checklist, and follow it, while working out HOW the files got there in the first place.

bastywebb
Joomla! Fledgling
Posts: 2
Joined: Mon Oct 12, 2009 9:32 am

Re: Pharma hack ([* spam *] in Google descriptions)

Post by bastywebb » Fri Jul 27, 2012 2:56 pm

I appreciate your remarks. And I'm sure that security needs to be tightened up in order to prevent the same thing happening in future. I'm also aware that there may be other less obvious exploit files. However, doing the actions I suggested has at least improved matters.

Before deleting/amending the affected files, fetching website files as Google Bot in web master tools showed the presence of the [* spam *] keywords. Immediately after deleting/amending the affected files, fetching website files as Google Bot showed that the [* spam *] keywords were no longer there.

Getting [* spam *] web pages out of Google's index as quickly as possible is surely an important goal here.

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Pharma hack ([* spam *] in Google descriptions)

Post by Slackervaara » Fri Jul 27, 2012 3:13 pm

bastywebb,

Very interesting! Did you look at the time stamp of the changed files and then in the access logs to figure out how the files were changed? Maybe it was some sort of file injection? File injection can be stopped by an entry in .htaccess.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Pharma hack ([* spam *] in Google descriptions)

Post by PhilD » Fri Jul 27, 2012 3:34 pm

Slackervaara wrote:bastywebb,

File injection can be stopped by an entry in .htaccess.
With most of the currently available hack scripts, hacks may not be (and likely won't be) stopped by an htaccess file. Mandville is pointing out that while the obvious issue appears to be gone, there are likely several backdoor scripts inserted in the site for easy future hacking access, and possibly a root kit script installed on the site, again for easy future access and to cause more damage. Google bot webmaster tools won't show these files.
PhilD

vincepro
Joomla! Fledgling
Posts: 1
Joined: Wed Mar 12, 2014 10:34 pm

Re: Pharma hack ([* spam *] in Google descriptions)

Post by vincepro » Wed Mar 12, 2014 10:40 pm

Hi,

it seems that my trouble is quite the same...
Any idea to remove that hack?

Thx in advance,
Vince
Problem Description :: Forum Post Assistant (v1.2.4) : 12th March 2014 wrote:Hack by a [* spam *] site
Forum Post Assistant (v1.2.4) : 12th March 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.22-Stable (senu takaa ama woi) 04-November-2010
Joomla! Configured :: Yes | Read-Only (444) | Owner: www-data (uid: 1/gid: 1) | Group: www-data (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.27-gandi-2777 | Technology: i686 | Web Server: Apache/2.2.12 (Ubuntu) | Encoding: gzip, deflate | Doc Root: /srv/d_expodurable/www/pepinieres-elan.fr/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.10-2ubuntu6.10 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 64 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 8M | Max. Input Time: 600 | Max. Execution Time: 600 | Memory Limit: 24M

MySQL Configuration :: Version: 5.1.37-1ubuntu5.5-log (Client:5.1.37) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 21.35 MiB | #of Tables: 180
Detailed Environment :: wrote:PHP Extensions :: date (5.2.10-2ubuntu6.10) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | session () | filter (0.11.0) | ftp () | gettext () | hash (1.0) | iconv () | json (1.2.1) | mbstring () | mime_magic (0.1) | posix () | Reflection (0.1) | standard (5.2.10-2ubuntu6.10) | shmop () | SimpleXML (0.1) | soap () | sockets () | SPL (0.2) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.28 2009/05/28 14:03:09 pajoye Exp $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.8.11) | apache2handler () | apc (3.0.19) | curl () | gd () | mcrypt () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | ionCube Loader () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_log_config | mod_logio | prefork | http_core | mod_so | mod_alias | mod_auth_basic | mod_authn_file | mod_authz_default | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cgi | mod_dav | mod_dav_svn | mod_authz_svn | mod_dir | mod_disk_cache | mod_mem_cache | mod_mime | mod_php5 | mod_rewrite | mod_status | Apache/2.2.12 (Ubuntu) |
Potential Missing Modules :: mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (777) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: components/com_minisite/ (777) | components/com_minisite/assets/ (777) | components/com_minisite/assets/icones/ (777) | components/com_minisite/helpers/ (777) | components/com_minisite/models/ (777) | components/com_minisite/tables/ (777) | components/com_minisite/views/ (777) | components/com_minisite/views/config_droits/ (777) | components/com_minisite/views/config_droits/tmpl/ (777) | components/com_minisite/views/recherche/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: Wrapper (1.5.0) | CB Mamblog Tab (1.2) | Yanc Integration (1.2) | CB Mambo Author Tab (1.2) | CB Registration Form (1.0) | comprofiler (1.2.3) | default (1.0.0) | blueface (1.0.0) | default (1.0.0) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Unknown (-) | Default (1.4.0) | User (1.5.0) | MailTo (1.5.0) |
Components :: ADMIN :: Chrono Forms (4.0 RC1.9) | Installation Manager (1.5.0) | Plugin Manager (1.5.0) | Cache Manager (1.5.0) | comprofiler (1.2.3) | Polls (1.5.0) | User Manager (1.5.0) | Menus Manager (1.5.0) | Ozio Gallery 2 (2.6) | Ninja RSS Syndicator (1.1.7) | Trash (1.0.0) | Language Manager (1.5.0) | Add user Frontend (1.2.8) | minisite (2.0) | sql2excel (2.1.3) | minisite (2.0) | Mass Mail (1.5.0) | Contact Items (1.0.0) | Configuration Manager (1.5.0) | CK Forms (1.3.5) | docman (1.4.0rc1) | Content Page (1.5.0) | Media Manager (1.5.0) | Ninja RSS Syndicator (1.5.0) | AceSEF (1.5.1) | Search (1.5.1) | User (1.5.1) | Polls (1.5.0) | Web Links (1.5.1) | Contact (1.5.3) | Banners (1.5.2) | Content (1.5.12) | News Feeds (1.5.1) | Community Builder (1.5.2) | Mail To (1.5.1) | AcyMailing (1.5.2) | Wrapper (1.5.0) | CK Forms (1.5.1) | AceSEF (1.5.18) | Module Manager (1.5.0) | JCE (1.5.7.9) | Search (1.5.0) | Weblinks (1.5.0) | Messaging (1.5.0) | AcyMailing Tag : Insert a Modu (2.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing : (auto)Subscribe d (2.0.0) | AcyMailing Tag : CB User infor (2.0.0) | AcyMailing Tag : JomSocial Use (2.0.0) | AcyMailing Tag : Subscriber in (2.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing Tag : content inser (2.0.0) | AcyMailing Tag : Joomla User I (2.0.0) | AcyMailing Tag : VirtueMart pe (2.0.0) | AcyMailing Manage text (1.0.0) | AcyMailing Module (2.0.0) | AcyMailing Tag : Date / Time (2.0.0) | AcyMailing : Handle Click trac (2.0.0) | AcyMailing : Statistics Plugin (2.0.0) | AcyMailing Tag : Website links (2.0.0) | AcyMailing Template Class Repl (2.0.0) | AcyMailing : trigger Joomla Co (2.0.0) | AcyMailing Tag : Manage the Su (2.0.0) | AcyMailing (2.0.0) | Banners (1.5.0) | Frontpage (1.5.0) | francemap (1.0.0) | community_builder (1.0.0) | phpbb3 (1.0.0) | France Map (1.0.0) | Seminar (1.21) | Template Manager (1.5.0) | Newsfeeds (1.5.0) | Control Panel (1.5.0) | 
extensions (0.7) |

Modules :: SITE :: CB Login (1.2.3) | CB Workflows (1.2.3) | Statistics (1.5.0) | Footer (1.5.0) | Carbon Pub (1.0) | Simple Page Options (1.5.16) | J!Analytics (2.0.0) | Rokdownloads Latest Downloads (1.0.2) | Syndicate (1.5.0) | Random Image (1.5.0) | Newsflash (1.5.0) | Who\'s Online (1.0.0) | Module CKforms (1.3.4) | Accordion FAQ (1.0.10) | CB Online (1.2.3) | Wrapper (1.0.0) | Feed Display (1.5.0) | Login (1.5.0) | Minisite (1.0) | Banner (1.5.0) | SQL 2 Excel Module (1.1.4) | Minisite (1.0) | Minisite Entete (1.0) | Minisite Onglet (1.0) | Custom HTML (1.5.0) | Follow Me (1.5.7) | Follow Me (1.5.7) | Numeric-Hall (1.0) | Related Items (1.0.0) | Amination Lastnews (1.0.0) | Poll (1.5.0) | AcyMailing Module (2.0.0) | Menu (1.5.0) | Rokdownloads Recently Updated (1.0.2) | Minisite sous-menu (1.0) | Sections (1.5.0) | RokDownloads Most Downloaded (1.0.2) | Minisite logo (1.0) | Most Read Content (1.5.0) | Latest News (1.5.0) | Archived Content (1.5.0) | RSS Reader (1.0) | Renat running text (1.5) | Search (1.0.0) | Breadcrumbs (1.5.0) | GoboSlide (1.5.3) |
Modules :: ADMIN :: Unapproved Documents - admin m (1.4.0) | Items Stats (1.0.0) | Footer (1.0.0) | Popular Items (1.0.0) | Admin Menu (1.0.0) | Latest added documents - admin (1.4.0) | Latest news from http://www.joomlatoo (1.4.0) | User Status (1.5.0) | Feed Display (1.5.0) | Latest News (1.0.0) | Login Form (1.0.0) | Quick Icons (1.0.0) | Custom HTML (1.5.0) | Toolbar (1.0.0) | Most downloaded documents - ad (1.4.0) | AceSEF - Quick Icons (1.5.0) | Latest logged downlods - admin (1.4.0) | Title (1.0.0) | Unread Items (1.0.0) | Logged in Users (1.0.0) | Admin Submenu (1.0.0) | Online Users (1.0.0) |

Plugins :: SITE :: System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - Log (1.5) | System - SEF (1.5) | Component as Content (1.5.7) | System - Legacy (1.5) | System - Autologin plugin (1.3) | System - AceSEF (1.5.0) | System - Debug (1.5) | System - Backlinks (1.5) | System - AceSEF Meta Manager ( (1.5.0) | System - Remember Me (1.5) | AcyMailing : (auto)Subscribe d (2.0.0) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Button - Readmore (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | AcyMailing : share on social n (1.0.0) | AcyMailing : Statistics Plugin (2.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing : Handle Click trac (2.0.0) | AcyMailing : trigger Joomla Co (2.0.0) | AcyMailing Tag : Website links (2.0.0) | AcyMailing Tag : JomSocial Use (2.0.0) | AcyMailing Tag : Insert a Modu (2.0.0) | AcyMailing Tag : VirtueMart pe (2.0.0) | AcyMailing Tag : content inser (2.0.0) | AcyMailing Tag : Subscriber in (2.0.0) | AcyMailing Tag : Date / Time (2.0.0) | AcyMailing Tag : CB User infor (2.0.0) | AcyMailing Template Class Repl (2.0.0) | AcyMailing Tag : Manage the Su (2.0.0) | AcyMailing Tag : Joomla User I (2.0.0) | AcyMailing Manage text (1.0.0) | Editor - TinyMCE 3 (3.2.6) | Paste (1.5.7.9) | Media Object support (1.5.7.9) | Advanced Code Editor (1.5.7.9) | JCE SPELLCHECKER TITLE (1.5.7.9) | File Browser (1.5.7.9) | Paste (1.5.7.9) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Link (1.5.7.9) | Image Manager (1.5.7.9) | Editor - XStandard Lite for Jo (1.0) | Editor - JCE (1.5.7.9) | Search - Weblinks (1.5) | Search - Sections (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Categories (1.5) | Search - Newsfeeds (1.5) | User - Artof User (1.1.1) | User - Joomla! 
(1.5) | User - Example (1.0) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | Authentication - OpenID (1.5) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Content - Page Navigation (1.5) | Content - OzioGallery2 (1.0) | Content - RSS feed (2.0) | Content - CKforms Affichage en (1.3.4) | Content - Accordion FAQ (1.0.10) | Edocs - Embed Documents (1.0) | Content - CK Forms (1.3.4) | Content - Vote (1.5) | Content - Pagebreak (1.5) | Content - Load Modules (1.5) | chronoforms (V4 RC1.8) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Example (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: JA_Purity (1.2.0) | elan201107_1 (1.1) | elan201106 (1.1) | rhuk_milkyway (1.0.2) | elan20101230 (1.0) | elan20101224 (1.0) | elan201107 (1.1) | elan20101231 (1.0) | beez (1.0.0) | elan (2.0.0) | elan201106_1 (1.1) |
Templates :: ADMIN :: Khepri (1.0) |
