How To Tell If Your Site is Hacked with The Pharma Hack

In a previous article we have detailed what the Pharma hack is and provided some background information on how the process works and even some information that can be used to cleanse your site and 'fix the pharma hack'.  Whilst our particular expertise is providing support and security help to people running Joomla websites many of our skills are transferable and can be used to help you no matter what system powers your website.

Four Five quick ways to tell if your site is a victim of a pharmaceutical hack (pharma hack)

In this article I'm going to show you how to check whether your site has been compromised and is being used to display pharamaceutical products. One of the most difficult aspects of this kind of website hack is that it is invisible to the site owner / operator. Sometimes we discover hacked sites because they are linked to from other sites we have identified as being hacked. Trying to tell a website owner their site is hacked when all they see is their normal website is difficult.

If you have been directed to this page by our team under these circumstances it is critical that you follow the procedures outlined below to gain independent confirmation that what you have been told is correct. Please read this article and related articles on this site and any other referenced materials.

We fully understand that you must do your due dilligence to be confident that we aren't the bad guys trying to take advantage of you.
We understand that it is important that you familiarise yourself with who we are, what we do, who we do it for and confirm our credentials. With this in mind we provide the following information.

METHOD 5: User our own Hacked or Not website scanner to tell whether your website is 'Hacked or Not'

Since first writing this article in September of 2012 we have been doing a lot of thinking about how to help people easily identify whether their site is suffering from the Pharma hack - or indeed any form of hacker activity.

Since early 2014 we've been developing our own scanning tool to help website owners and operators uncover whether their site is hacked.

Please see our new site (still under early beta testing really) at

METHOD 1: To see what Google sees - you have to become Googlebot

If you use a modern browser such as Firefox or Google Chrome install an add-on that allows you to modify your 'useragent string' - the text that your browser sends to the websites you visit to identify itself.

A typical Firefox user-agent string might look something like:
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1

And on Google Chrome something like:
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

Internet Explorer 9 looks something like
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)2011-10-16 20:21:07

This compares with how Google identifies itself. When Google visits your website to retrieve your pages it identifies itself using one of the following 'strings' of text:
    Mozilla/5.0 (compatible; Googlebot/2.1; +
    Googlebot/2.1 (+
    Googlebot/2.1 (+

You need to use a tool that has its user-agent string set to look like Googlebot's user agent string.

We recommend the User-Agent Switcher tool from Chris Pederick

also available from the Firefox add-ons website

Now retrieve one or more of the pages of your site and look for anything 'different' or out of place.

If nothing is immediately apparent - view the source of your pages. Usually this option is available by right clicking in the page and selecting 'View source' from the context sensitive popup menu. If the option isn't there - try right clicking on a different (empty) part of the page.

Don't worry if you don't understand the code you are now looking at - we'll guide you through the main points below.

In particular check the following areas of the page's
... - check the text between the two tags - look for any words that don't belong
- look at the text between the quotes following the content= part of the meta description text
By now you have either found something or you haven't.

One final check is to search this html source code for a select few words that should not ordinarily be found within the page. "Control + F" accesses a search function in the source code view of most browsers. Use this to search for words such as:

Pharmaceuticals hacks centre on words such as: Viagra, Cialis or Regalis
Payday loans hacks centre on words such as: Payday, loan
Casino hacks centre on words such as: Casino, Poker, holdem, blackjack, roulette
Porno hacks centre on words such as: p*rn, f*ck, p*ssy - I'm sure you can think of others
Software hacks cenre around Microsoft, Photoshop, Windows

Look at the whole page - does the page seem longer than normal, are there more links or more text than usual?

METHOD 2: Use Webmaster Tools to see what Google Sees

If installing add-ons within Firefox and switching them on and off is too much trouble, you might find it easier to use the 'Fetch as Googlebot' option within Google Webmaster Tools

METHOD 3: Search Google to see if you are already exploited

Google offers a number of useful operators that can help improve the quality of your searches. In this case you wish to
a) search for pages from your site only
b) find pages that contain one of a short list of words as per the lists of words in the tail end of 'METHOD 1' above.

The 'site:' operator is a handy way of telling Google to only show results from specific sites. For best results use your root domain name - ie don't put a sub-domain such as www. in the address.

Follow this by a single space and then a word - enter the whole line in the Google search box viagra

For advanced use you could use a group of words within brackets/parentheses with each word separated from the next by the bar/pipe which signals to Google to match any one of the list of words. (viagra|cialis|regalis|payday|blackjack|holdem|porn)


Alternatively, stand by for an announcement very soon. We are building our own fetch as Googlebot 'robot' which will analyse a number of factors for you and email you a link to view your results.

It isn't ready yet - and even when we launch it, it is bound to be a bit rough around the edges but we will be working on it in the coming months to improve it:
Just type in your web address and we'll crawl up to ten pages and email you a report of our findings.
Please note - before we crawl your site we need to verify you are authorised to ask us to crawl the site in question.
You will need to either:
    provide an email address from the same domain as the site, or
    upload a file to your web server called dmc-robot.txt and verify an email address (at any domain)

Please bear in mind that a small proportion of these hacks are getting even more tricky. They check not only that you are a search engine - but that your IP address is from a matching domain. This can mean that even if we don't detect anything you might have to check with Google's Webmaster Tools - using the 'fetch as Googlebot' tool to be really sure.

Our article on how to fix the Pharma hack will help a knowledgeable person make a start on a cleansing the pharmaceutical hack from their website but for most people running a website the truth is that they will require professional support to be sure they get the job done properly. If one hacker file is left on the server the chances are the hacker will just walk straight back in and re-implement the hack.

If you need that professional help we are here for you. Please read on to find out about our professional Pharma Hack Fix Service.

© Copyright 2002-2016
Dean Marshall Consultancy Ltd - all rights reserved
Registered in England and Wales, Company number 6615299
A team of professional developers specialising in custom Joomla development

Dean Marshall Consultancy - a Member of W3C Sites XHTML valid website valid CSS website design WAI conformant website design

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. This site is not affiliated with, or endorsed by, Open Source Matters or the Joomla! Project.