Pharma hack (for the first time)

Discussion regarding Joomla! 3.x security issues.

Postby RC1029 » Sat Aug 12, 2017 1:40 pm

Hi guys!

Our website has been suffering from a Pharma attack for some time now. I've reinstalled and TOTALLY remade our website 2 times already, then gave it a 3rd try by following this tutorial as well. Yet the viagra and drug advertisements are still on our Google page. Could you please help me with where I should take a look? :'( I totally have no clue right now. :(

Thank you!

Here's my FPA:

Forum Post Assistant (v1.3.1) : 12th August 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.7.4-Stable (Amani) 25-July-2017
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.7
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 0 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.2.54.MaXer-c6-2 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes

PHP Configuration :: Version: 7.0.20-1~dotdeb+8.1 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 4177 | Log Errors To: /var/hosting/web/mysite.com/website/www/maxer_php_error.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/userdata/web/mysite.com/website:/var/hosting/web/mysite.com/website:/var/hosting/conf/:/var/userdata/conf/:/var/lib/php5:/var/lib/php:/tmp:/var/userdata/tmp | Uploads: 1 | Max. Upload Size: 60M | Max. POST Size: 60M | Max. Input Time: 120 | Max. Execution Time: 120 | Memory Limit: 256M

MySQL Configuration :: Version: 5.6.32 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | Host: --protected-- (--protected--) | Collation: latin2_hungarian_ci (Character Set: latin2) | Database Size: 11.01 MiB | #of Tables: 108
Detailed Environment :: wrote:PHP Extensions :: Core (7.0.20-1~dotdeb+8.1) | date (7.0.20-1~dotdeb+8.1) | libxml (7.0.20-1~dotdeb+8.1) | openssl (7.0.20-1~dotdeb+8.1) | pcre (7.0.20-1~dotdeb+8.1) | zlib (7.0.20-1~dotdeb+8.1) | filter (7.0.20-1~dotdeb+8.1) | hash (1.0) | Reflection (7.0.20-1~dotdeb+8.1) | SPL (7.0.20-1~dotdeb+8.1) | session (7.0.20-1~dotdeb+8.1) | standard (7.0.20-1~dotdeb+8.1) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | PDO (7.0.20-1~dotdeb+8.1) | xml (7.0.20-1~dotdeb+8.1) | bz2 (7.0.20-1~dotdeb+8.1) | calendar (7.0.20-1~dotdeb+8.1) | ctype (7.0.20-1~dotdeb+8.1) | curl (7.0.20-1~dotdeb+8.1) | dom (20031129) | mbstring (7.0.20-1~dotdeb+8.1) | fileinfo (1.0.5) | ftp (7.0.20-1~dotdeb+8.1) | gd (7.0.20-1~dotdeb+8.1) | gettext (7.0.20-1~dotdeb+8.1) | iconv (7.0.20-1~dotdeb+8.1) | imagick (3.4.3) | imap (7.0.20-1~dotdeb+8.1) | intl (1.1.0) | json (1.4.0) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | mcrypt (7.0.20-1~dotdeb+8.1) | mysqli (7.0.20-1~dotdeb+8.1) | pdo_mysql (7.0.20-1~dotdeb+8.1) | Phar (2.0.2) | posix (7.0.20-1~dotdeb+8.1) | readline (7.0.20-1~dotdeb+8.1) | shmop (7.0.20-1~dotdeb+8.1) | SimpleXML (7.0.20-1~dotdeb+8.1) | sockets (7.0.20-1~dotdeb+8.1) | sysvmsg (7.0.20-1~dotdeb+8.1) | sysvsem (7.0.20-1~dotdeb+8.1) | sysvshm (7.0.20-1~dotdeb+8.1) | tokenizer (7.0.20-1~dotdeb+8.1) | wddx (7.0.20-1~dotdeb+8.1) | xmlreader (7.0.20-1~dotdeb+8.1) | xmlwriter (7.0.20-1~dotdeb+8.1) | xsl (7.0.20-1~dotdeb+8.1) | zip (1.13.5) | ionCube Loader () | Zend OPcache (7.0.20-1~dotdeb+8.1) | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (770) | components/ (770) | modules/ (770) | plugins/ (770) | language/ (770) | templates/ (770) | cache/ (770) | logs/ (---) | tmp/ (770) | administrator/components/ (770) | administrator/modules/ (770) | administrator/language/ (770) | administrator/templates/ (770) |

Elevated Permissions (First 10) :: components/ (770) | components/com_sigpro/ (770) | components/com_users/ (770) | components/com_users/controllers/ (770) | components/com_users/helpers/ (770) | components/com_users/helpers/html/ (770) | components/com_wrapper/ (770) | components/com_wrapper/views/ (770) | components/com_wrapper/views/wrapper/ (770) | components/com_wrapper/views/wrapper/tmpl/ (770) |
Database Information :: wrote:Database statistics :: Uptime: 1996159 | Threads: 3 | Questions: 72472717 | Slow queries: 8 | Opens: 181993 | Flush tables: 1 | Open tables: 2000 | Queries per second avg: 36.306 |
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
Components :: ADMIN :: com_joomlaupdate (3.6.2) 1 | COM_SIGPRO (3.1.0) 1 | com_users (3.0.0) 1 | com_languages (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_installer (3.0.0) 1 | com_media (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_docman (3.0.9) 1 | com_content (3.0.0) 1 | com_fields (3.7.0) 1 | JMap (4.3.5) 1 | com_config (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_modules (3.0.0) 1 | com_redirect (3.0.0) 1 | com_ajax (3.2.0) 1 | com_banners (3.0.0) 1 | com_login (3.0.0) 1 | com_plugins (3.0.0) 1 | com_messages (3.0.0) 1 | plg_editors-xtd_twojtoolboxbut (1.0.0) 1 | plg_system_twojtoolbox (1.6.0) 1 | 2JToolBox Module (1.0.0) 1 | TwoJToolBox (1.0.21) 1 | com_menus (3.0.0) 1 | Responsivizer (2.4.3) 1 | com_templates (3.0.0) 1 | com_checkin (3.0.0) 1 | com_cache (3.0.0) 1 | com_finder (3.0.0) 1 | 2J Gallery (1.0.5) 1 | com_categories (3.0.0) 1 | com_associations (3.7.0) 1 | com_admin (3.0.0) 1 | com_contenthistory (3.2.0) 0 |

Modules :: SITE :: mod_articles_news (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_languages (3.5.0) 1 | mod_docman_categories (3.0.9) 1 | mod_articles_archive (3.0.0) 1 | mod_docman_documents (3.0.9) 1 | S5 Image and Content Fader v4 (4.3.0) 1 | mod_articles_categories (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_search (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | Responsivizer slideshow (2.4.3) 1 | mod_tags_popular (3.1.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_feed (3.0.0) 1 | Shape 5 Live Search (3.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_login (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | 2JToolBox Module (1.0.0) 1 | mod_related_items (3.0.0) 1 | JSitemap module (4.3.5) 1 | mod_articles_popular (3.0.0) 1 | Responsivizer mobile switcher (2.4.3) 1 | mod_random_image (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_custom (3.0.0) 1 |
Modules :: ADMIN :: mod_title (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_status (3.0.0) 1 | mod_login (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_version (3.0.0) 1 | JSitemap Quickicons (4.3.5) 1 | mod_menu (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_logged (3.0.0) 1 |

Plugins :: SITE :: plg_extension_joomla (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_docman (3.0.9) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 0 | plg_fields_radio (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_docman (3.0.9) 0 | plg_finder_newsfeeds (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | Content - JSitemap Pingomatic (4.3.5) 1 | plg_content_joomla (3.0.0) 1 | PLG_PWEB_FBARTICLEIMAGES_PRO (2.0.27PRO) 1 | plg_content_doclink (3.0.9) 1 | AllVideos (by JoomlaWorks) (4.7.0) 1 | AllVideos (by JoomlaWorks) (4.7.0) 1 | Content - Simple Image Gallery (3.1.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_vote (3.0.0) 0 | Content - Responsivizer Social (2.4.3) 1 | PLG_CONTENT_OSEMBED (1.3.3) 1 | Unknown (-) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | K2 - Simple Image 
Gallery Pro (3.1.0) 1 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_twojtoolboxbut (1.0.0) 1 | plg_editors-xtd_doclink (3.0.9) 1 | Button - Simple Image Gallery (3.1.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_joomlatools (3.1.0-beta.4) 1 | plg_system_fields (3.7.0) 1 | System - Responsivizer NoToolb (2.4.3) 1 | plg_system_cache (3.0.0) 0 | plg_system_sef (3.0.0) 1 | plg_system_ossystem (1.2.6) 1 | System - Responsivizer Light I (2.4.3) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_joomlatoolsupdater (1.0.0) 1 | System - JSitemap utilities (4.3.5) 1 | plg_system_logout (3.0.0) 1 | plg_system_twojtoolbox (1.6.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_debug (3.0.0) 1 | System - Responsivizer Templat (2.4.3) 1 | Responsivizer Drag Modules (2.4.3) 1 | plg_system_stats (3.5.0) 1 | System - Responsivizer Router (2.4.3) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_languagefilter (3.0.0) 0 | System - Responsivizer Languag (2.4.3) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_scheduler (1.0.0) 1 | plg_system_log (3.0.0) 1 | plg_editors_codemirror (5.25.2) 1 | plg_editors_tinymce (4.5.7) 1 |
Templates Discovered :: wrote:Templates :: SITE :: outdoor_life (1.0) 1 | beez3 (3.1.0) 1 | Responsivizer (2.4.3) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

Re: Pharma hack (for the first time)

Postby JAVesey » Sat Aug 12, 2017 2:43 pm

You are being re-hacked because of your elevated folder permissions. You need to follow the advice in this thread to clean your site:
viewtopic.php?f=714&t=946026

When you rebuild your site please ensure the following:

Your folder permissions should be 755.
Your file permissions should be 644.
configuration.php (file in your Joomla! root) should be 444.

John V
Cardiff, Wales, UK
Website: http://www.llanmon.org.uk (Joomla 3.8.1)
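
The target modes from the reply above, as an added shell example that is not part of the thread: it lists every entry that deviates from 755/644/444 and then applies those modes. The function names, the sample tree and its file names are constructed for the demo; point the functions at your own Joomla root instead.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a Joomla tree against the
# modes recommended above: directories 755, files 644, configuration.php 444.

# Print every entry whose mode differs from the target, one per line.
audit_perms() {
    local root cfg
    root="${1%/}"; cfg="$root/configuration.php"
    find "$root" -type d ! -perm 755 -exec printf 'dir %s\n' {} +
    find "$root" -type f ! -path "$cfg" ! -perm 644 -exec printf 'file %s\n' {} +
    if [ -f "$cfg" ]; then
        find "$cfg" ! -perm 444 -exec printf 'config %s\n' {} +
    fi
}

# Apply the target modes. Only entries that differ are touched.
fix_perms() {
    local root cfg
    root="${1%/}"; cfg="$root/configuration.php"
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -path "$cfg" ! -perm 644 -exec chmod 644 {} +
    if [ -f "$cfg" ]; then chmod 444 "$cfg"; fi
}

# Constructed sample tree: folder names taken from the FPA report above,
# created with the 770 modes it lists. File names are made up for the demo.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/components/com_users/helpers" "$root/images" "$root/tmp"
    echo '<?php' > "$root/configuration.php"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/components/com_users/users.php"
    chmod 644 "$root/configuration.php" "$root/index.php"
    chmod 664 "$root/components/com_users/users.php"
    chmod 770 "$root/components" "$root/components/com_users" \
              "$root/components/com_users/helpers" "$root/images" "$root/tmp"
    chmod 755 "$root"
    printf '%s\n' "$root"
}

demo_root="$(make_sample_tree)"
echo "Before:"; audit_perms "$demo_root"
fix_perms "$demo_root"
echo "After: $(audit_perms "$demo_root" | wc -l) deviation(s)"
rm -rf "$demo_root"
```

Run `audit_perms` on its own first and review the list before calling `fix_perms`. Changing modes does not remove files that were already planted, which is what the cleanup thread linked above covers.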

Re: Pharma hack (for the first time)

Postby RC1029 » Sat Aug 12, 2017 3:19 pm

Thank you so much JAVesey! ;)