How To Fix the Pharma Hack

This is a follow-on to our article on how to tell if you are the victim of the Pharma hack. We assume here that you have already verified that your site has been hacked and are now looking for information on how to clear the hack and restore your site to its previous clean state.

Please bear in mind that de-hacking / cleansing a website after any hacking incident is a complex process. If you have not done this before, you are best advised to retain the services of someone with experience of de-hacking / cleansing websites from hacks such as the pharma hack.


How We Clean Hacked Joomla Sites:

  • We will clean out the hacker files by the end of the next working day
  • If log files are available we will trace the initial vector through which the site was compromised - usually an outdated component - and we will update the component and Joomla itself if required
  • We will install our own anti-hacker protection which massively increases the security of the website

But we don't stop there

We will check again 7 days later to see if there has been any sign of recurrence and to monitor log files for any signs of attempts to re-penetrate the site. We will take action as appropriate.

But we don't stop there

We will return one month after the initial clean-up and repeat the process.

Unlike other 'security experts' we assure the quality of our work - we stand by our work and we stand by our clients and their websites.

If you have the confidence and ability to do this yourself, here are the instructions:

Phase One - Make Sure Your Computer is NOT infected with a Virus, Spyware or other Malware

Scan all PCs that might have had any kind of admin access to your website - all PCs you or your team have used. If you have any reason to believe that the hack involved attempts to install malicious software on the PCs of visitors then you should scan every PC you have that visited the site regardless of whether it ever accessed the admin functions.

Phase Two - Securing Server Access Accounts

Change all usernames and passwords associated with your site/server

  • Hosting control panel access credentials
  • FTP username and passwords - delete all accounts - and create ONE new account with a strong password
  • SSH access credentials
  • Email passwords - change these - and do NOT email yourself passwords. If you have passwords stored in your emails, delete those emails
  • Change all database usernames and passwords
  • If your database is using the jos_ prefix - slap yourself hard across the face - then find a way to change it
  • Akeeba Admin Tools is one option. Exporting your database, doing a search and replace, then re-importing it is another.
  • Lock down SSH access to specific WhiteListed IP Addresses
  • Turn off SSH access for FTP users on your server

Phase Three - Take down the infected site

Take your website offline:

It is very important that NONE of your files/folders are left publicly accessible

Create two new folders at the same level as your public_html or httpdocs folder - not inside these folders.

You should now have
/parent-folder/
    /public_html/
    /old/
    /new/

Using FTP or SSH, move the CONTENTS of your public_html folder into the 'old' folder
    DO NOT move the public_html folder itself

    If you don't have a backup of your site:
        Then learn your lesson well.
        You will have to put a simple holding page in place
        add the following .htaccess file to redirect all requests to the holding page
        add the following robots.txt file to tell robots not to crawl your site for a while
        Now skip to the detective work phase

    If you have a backup of your site, unpack it into the 'new' folder
    Unpack a clean copy of Joomla and delete the following folders and files from it
        /administrator/
        /templates/
        robots.txt
        htaccess.txt
    Now upload this set of files over the top of the Joomla in your 'new' folder.
    Now do two things - make a copy of the CONTENTS of the 'new' folder.
    Move one copy into the 'live' /public_html/ folder.
    Now check the versions of ALL of your add-ons and bring them all up to date
    If you are using Joomla 2.5, go to the Extensions menu and check for updates

Phase Four - The DETECTIVE PHASE - Discovering how the pharma hack was implemented

Check that there are no new Manager, Administrator or Super Administrator accounts that you didn't expect

In the 'old' folder we have to find:

  • Files that don't belong
  • Anyone who ever connected to those files
  • Anything else that those same users connected to

Chances are the hackers' first 'successful' requests will reveal the entry point through which they gained access to the site

How to find files that don't belong:

The pharma hack has been around quite a while now, probably upwards of three years. There have been many blogs written by webmasters detailing their experiences and trying to document for others where to look and what to look for. In the early days of the hack these may have been useful pieces of advice - but the hack has evolved through so many iterations that it is really pointless to only look in places where others have found suspect files.

You really need to employ a far more comprehensive strategy.

We use the following skills-intensive process to cleanse sites - i.e. to fix websites and remove the pharma hack:

  • Identify zip, gzip, rar and other archive files that may not belong
  • Identify .htaccess files in places they wouldn't normally be found
  • Check the contents of .htaccess files that are in place as expected
  • Find all .cgi, .pl and .sh files
  • Check for .php files in folders that would not normally contain .php files
  • Grep for code patterns that are often associated with hacker files: base64_decode, eval, preg_replace using the /e modifier, gunzip, rot13 and a few others
  • For every malicious file you identify in your greps, scan your log files for the IP addresses of anyone connecting to those files
  • You might also scan for the IP addresses of any connections to .php files other than index.php in the root of your site
  • Now rescan your log files - going back two or three months, perhaps more - looking for all activity from those IP addresses
  • If those IP addresses connect to files you don't know about, repeat the previous steps looking for all IP addresses that connected to those files
  • Rinse and repeat the previous cycle (those last four steps) until you have the earliest accesses of the hackers
  • Ignore any 404 or 500 errors - you are looking for the first requests that resulted in a 200 'OK' response
  • Typically you will see a POST request followed very soon afterwards by the first contact with a known hacker file - the POST is actually the upload
  • In many cases the IP address making the POST will make a single request of the newly uploaded hacker script, then different IP addresses make immediate contact with the same file
  • This should help you locate the add-on that was being exploited initially - if you do nothing else, upgrade that add-on within your new 'live' site.
  • Check that none of the 'hacker files' identified above are present in your newly reconstituted backup
  • Additionally we would typically put in place a script that logs connections from known suspect 'user-agents'
  • Finally we amend the script to:
    • detect attempts to access those (now removed) hacker files - and permanently block those visitors
    • block all access from those known bad IP addresses
  • For Joomla powered websites we still use our old 'hacker beware' script to do this protective role.
  • Those of you who have been around Joomla long enough may remember that old script of ours. We withdrew it from distribution because frankly the support demands were too high - but it really does still do the job. We've updated the rule sets over the years to add new bad bots and new behaviours.
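As an added example (not the article's own tooling), here is a Python version of the rinse-and-repeat log pivot described above: starting from a known hacker file, it collects the IP addresses that reached it with a 2xx response, then every unrecognised file those addresses touched, and repeats until neither set grows; it then reports each address's earliest successful request, where a POST usually marks the upload. The log lines, the com_example component and the known-good file list are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" format: we need only client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (not from any real server): a POST upload, a single
# request to the dropped file, then other addresses using it; the 404 line is noise.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:09:00:01 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:09:00:04 +0000] "POST /index.php?option=com_example&task=upload HTTP/1.1" 200 233 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:09:00:09 +0000] "GET /images/stories/LICESNE.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:09:02:30 +0000] "GET /images/stories/LICESNE.php?c=id HTTP/1.1" 200 3410 "-" "curl/7.35"
198.51.100.7 - - [10/Mar/2016:09:03:10 +0000] "GET /cache/xmloem.php HTTP/1.1" 200 2200 "-" "curl/7.35"
192.0.2.44 - - [10/Mar/2016:10:15:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:10:15:09 +0000] "GET /cache/xmloem.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (ip, timestamp, method, path without query string, status) per line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                   m['method'], m['path'].split('?', 1)[0], int(m['status']))

def pivot(log_text, known_bad_files, known_good_files=('/index.php',)):
    """The rinse-and-repeat cycle: hacker files -> IPs that used them -> files those
    IPs reached that you don't recognise -> more IPs, until neither set grows.
    Only 2xx responses count, so 404/500 noise never taints the sets."""
    ok = [h for h in parse(log_text) if 200 <= h[4] < 300]
    bad_files, bad_ips = set(known_bad_files), set()
    while True:
        ips = {ip for ip, _, _, path, _ in ok if path in bad_files}
        files = {path for ip, _, _, path, _ in ok
                 if ip in ips and path not in known_good_files}
        if ips <= bad_ips and files <= bad_files:
            return bad_files, bad_ips
        bad_ips |= ips
        bad_files |= files

def first_contacts(log_text, bad_ips):
    """Earliest successful request per suspect IP: a POST here is usually the upload,
    and the add-on it was sent to is the entry point to upgrade on the new site."""
    first = {}
    for ip, ts, method, path, status in parse(log_text):
        if ip in bad_ips and 200 <= status < 300 and (ip not in first or ts < first[ip][0]):
            first[ip] = (ts, method, path)
    return first
```

On a real server, read the access log(s) into `log_text` and seed `known_bad_files` with the paths your greps turned up; widen `known_good_files` to the legitimate entry points of your site so the pivot does not swallow ordinary traffic.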

In Depth Scanning Commands to Find and Cleanse the Pharma Hack

For those who, having read the description above, want more in-depth details of the commands used to speed this process up, we provide below an outline of the types of command we use. We can't provide all of the details: to some extent we shape the commands to circumstances, and they adapt over time as the attacks vary.

To find .htaccess files within the site

find /home/your_account/public_html/ \( -name ".htaccess" \) -type f -print

To find .zip, .rar, .gz, .tar and other files we use

find /home/your_account/public_html/ \( -iname "*.zip" -o -iname "*.gz" -o -iname "*.tar" -o -iname "*.jpa" -o -iname "*.rar" \) -exec ls -hog {} \;

To find .pl, .cgi and .sh files use a command such as

find /home/your_account/public_html/ \( -iname "*.cgi" -o -iname "*.pl" -o -iname "*.sh" \) -exec ls -hog {} \;

To search within files we use the grep command - this line searches for base64_decode - but you should also look for "eval\s*("

find /home/your_account/public_html/ \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "base64_decode\s*("

To find files that are new within the last 3 days (change the three to change the time period). Note that -ctime matches on inode change time, so this also picks up existing files whose permissions or ownership were changed, which is useful here.

find /home/your_account/public_html/ -type f -ctime -3

Search for some specific Joomla Pharma Hack files

find /home/your_account/public_html/ \( -name "*xmloem*.*" -o -name "*pharma*.*" -o -name "mod_joomla" -o -name "com_article" -o -name "LICESNE.php" \) -print
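As an added example (not the article's own tooling), here is a Python scanner that combines the content greps above with two checks the article lists but gives no command for: a preg_replace() pattern carrying the /e modifier, and a .php file sitting in a top-level folder that should hold no PHP. The folder list in NO_PHP_DIRS is an assumption to adjust for the site being examined.

```python
import os
import re

# Content indicators the article lists (the /e modifier gets its own check below
# because the modifier letters sit after the closing delimiter of the pattern).
INDICATORS = {
    'base64_decode': re.compile(r'base64_decode\s*\('),
    'eval': re.compile(r'\beval\s*\('),
    'gzinflate/gzuncompress': re.compile(r'gz(inflate|uncompress)\s*\('),
    'str_rot13': re.compile(r'str_rot13\s*\('),
}
PREG_CALL = re.compile(r'preg_replace\s*\(\s*([\'"])(.+?)\1\s*,', re.S)
# Top-level Joomla folders assumed to hold no PHP at all; adjust for your site.
NO_PHP_DIRS = {'images', 'media', 'cache', 'logs', 'tmp'}
PHP_EXT = ('.php', '.phtml', '.php5')

def has_e_modifier(src):
    """True if any preg_replace() pattern literal carries the /e modifier."""
    for m in PREG_CALL.finditer(src):
        pat = m.group(2)
        close = pat.rfind(pat[0])          # closing delimiter; modifiers follow it
        if close > 0 and 'e' in pat[close + 1:]:
            return True
    return False

def classify(rel_path, src):
    """Reasons a PHP file (site-relative path plus its text) looks out of place."""
    reasons = [label for label, rx in INDICATORS.items() if rx.search(src)]
    if has_e_modifier(src):
        reasons.append('preg_replace /e')
    if rel_path.replace(os.sep, '/').split('/')[0] in NO_PHP_DIRS:
        reasons.append('php in no-php folder')
    return reasons

def scan_tree(root):
    """Walk a site copy (e.g. the 'old' folder) and return {path: reasons}."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                reasons = classify(os.path.relpath(full, root), fh.read())
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings
```

Run scan_tree() against the 'old' folder, never the live site, and treat every hit as a lead to confirm by reading the file, since legitimate extensions also call base64_decode() and eval().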

In the article above we have tried to outline the steps to cleanse / fix / remove the Pharma hack from your website. We have provided a detailed process, some tips and some useful shell commands to help identify hacker files on your server - but ultimately these tools will be best used by people already familiar with them.

If this is all so new to you that your head hurts - then realistically you probably aren't equipped to carry out the de-hack / website fix. We can cleanse your site of the pharma hack for you.


© Copyright 2002-2016
Dean Marshall Consultancy Ltd - all rights reserved
Registered in England and Wales, Company number 6615299