Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: Pharma hack: RSFirewall of no help at all...

Pharma hack: RSFirewall of no help at all... 13 years 6 months ago #14925

  • info8706
  • Fresh Boarder
  • Posts: 4
hello RSFirewall support,

I have been battling the pharma hack for some months now. I keep deleting the spammy code and it keeps coming back. Last week I purchased RSFirewall, installed it, followed the instructions and got my rating up to 85. The firewall made no difference at all and the site was hacked again.

Why did the firewall not even send me an email when one of the core files was modified? (I had to log in and do the system check manually to figure out that something was wrong). FTP password has been changed multiple times. Is there a way of figuring out where the hacking comes from? How is it possible that core files can just be modified like that with no blocking and no warning?

grateful for any help.

Andre
The administrator has disabled public write access.

Re: Pharma hack: RSFirewall of no help at all... 13 years 6 months ago #14941

  • alexp
  • RSJoomla! Official Staff
  • Posts: 2253
  • Thank you received: 180
Hello,

Note that in order to monitor the files, you will need to specify which files to be monitored: Components > RSFirewall! > Configuration > Active Scanner: Monitor the following files for changes.

This is most likely caused by a local backdoor infection that actually resides on your personal computer (or a computer that you are using to access administrator areas of your site, such as FTP accounts and such). This type of attack is rather common and basically records your FTP details, and performs the modifications directly with an FTP account, bypassing protections provided at the Application layer.

Some useful pointers are provided here:

http://www.rsjoomla.com/blog/view/36-joomla-website-hacked-whats-next.html

Regards!
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
The administrator has disabled public write access.

Re: Pharma hack: RSFirewall of no help at all... 13 years 6 months ago #14942

  • octavian
  • RSJoomla! Official Staff
  • Posts: 783
  • Thank you received: 110
Also note that even though you might have cleaned the infection (files that were visibly modified, for example removed the hidden links) you might have a backdoor somewhere in your website, residing in a PHP file that gets triggered once in a while. RSFirewall! only runs within Joomla! (RSFirewall! is designed to prevent infections), it cannot protect you from vulnerabilities in other PHP files that run outside of the Joomla! framework.
You should start by looking at the FTP log - if you don't recognize the IPs there, your FTP password might be stolen, just like my colleague described.
If not, you should check the Apache access_log for accessed *.php files (other than "index.php") - you might find where the backdoor resides and the IP that triggered it.

I've found some very useful articles:
www.pearsonified.com/2010/04/wordpress-pharma-hack.php
wpblogger.com/google-cloacking-wordpress-hack.php
www.elmsoftech.com/articles/3-joomla/7-the-joomla-pharma-hack

The first two are related to WordPress but they should provide some useful tips as well.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
Last Edit: 13 years 6 months ago by octavian.
The administrator has disabled public write access.
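The access_log check octavian describes above, worked through as an added example (this is not RSFirewall! code and not something from the thread). It parses Apache "combined" format lines, keeps only requests for `.php` files other than the normal Joomla! entry points (`/index.php` and `/administrator/index.php`, an assumed allow-list you can extend), and counts hits per client IP so an unexpected PHP file and the address calling it stand out. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Only the third, fourth and sixth lines request a PHP file outside the allow-list.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2011:08:12:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:08:12:03 +0000] "GET /templates/beez/css/template.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.42 - - [10/Mar/2011:08:15:44 +0000] "POST /images/stories/cache.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.42 - - [10/Mar/2011:08:15:50 +0000] "GET /images/stories/cache.php?x=1 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2011:08:16:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2011:09:01:00 +0000] "GET /tmp/sess.php HTTP/1.1" 404 210 "-" "curl/7.21"
"""

# Apache combined log: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed allow-list: the legitimate Joomla! front-end and back-end entry points.
DEFAULT_ALLOWED = frozenset({"/index.php", "/administrator/index.php"})


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_php_requests(log_text, allowed=DEFAULT_ALLOWED):
    """All requests for *.php files that are not on the allow-list, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower().endswith(".php") and rec["path"] not in allowed:
            hits.append(rec)
    return hits


def hits_by_ip(hits):
    """Count suspicious requests per client IP (most active first via most_common())."""
    return Counter(h["ip"] for h in hits)


def scan_file(path, allowed=DEFAULT_ALLOWED):
    """Convenience wrapper for a real access_log on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return suspicious_php_requests(f.read(), allowed)


if __name__ == "__main__":
    hits = suspicious_php_requests(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["time"]}  {h["ip"]:<15} {h["method"]:<5} {h["status"]}  {h["path"]}')
    print("\nrequests per IP:")
    for ip, n in hits_by_ip(hits).most_common():
        print(f"  {ip:<15} {n}")
```

A 404 for a PHP path (the last sample line) is still worth listing: it can show someone probing for a file that was already removed. The same approach works for the FTP side of the check, with a regex for the server's transfer-log format in place of `LOG_RE`.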

Re: Pharma hack: RSFirewall of no help at all... 13 years 6 months ago #14976

  • info8706
  • Fresh Boarder
  • Posts: 4
Thanks for this info to both of you. Octavian, where shall I find these logs?
The administrator has disabled public write access.

Pharma hack: RSFirewall of no help at all... 12 years 5 months ago #20158

I hate to resurrect such an old topic, but we are dealing with this at the moment, and one of the main questions in the original post was never answered. Even though RSF purports to monitor joomla core files, why is there no notice sent when a core file is modified? Does it only check core files on a system check (which is of course manually run), or does it actually actively monitor the core?
The administrator has disabled public write access.

Pharma hack: RSFirewall of no help at all... 12 years 5 months ago #20167

  • octavian
  • RSJoomla! Official Staff
  • Posts: 783
  • Thank you received: 110
There are a few core files monitored (index.php, administrator/index.php, plugins/authentication/joomla/joomla.php and plugins/user/joomla/joomla.php) on each run (i.e. every time your website is loaded). A default installation of Joomla! contains ~5000 files, it's not physically possible to monitor all those files through PHP in one go, this is why they are checked only on a manual run (i.e. when the System Check is run).
To find out where the hacking comes from you'll need to contact a specialized company that will perform a security audit on your website.
PS: If you were already infected when you installed RSFirewall! then there's little any security extension will do for you - they are used to prevent infections, not cure them. Curing them is a much more elaborate process and must be done manually.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
The administrator has disabled public write access.
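Two points in this thread call for the same tool: alexp's note that stolen FTP credentials let files be changed underneath the application layer, and octavian's explanation that a PHP extension can only afford to hash a handful of core files per page load. Both are addressed by a file-integrity check that runs outside PHP (from cron, for example) and compares the whole tree against a stored baseline. The following is an added example, not RSFirewall! code; the watched suffixes, the file names and the `demo()` tree are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed: track PHP files and .htaccess; extend the tuple for templates, .js, etc.
WATCHED = (".php", ".htaccess")


def sha256_of(path):
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_watched(p):
    return p.is_file() and (p.suffix in WATCHED or p.name in WATCHED)


def build_baseline(root):
    """Map of relative path -> sha256 for every watched file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if is_watched(p)}


def compare_to_baseline(root, baseline):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a tiny constructed site, baseline it, then reproduce the change pattern
    from the thread (a core file edited, a new PHP file appearing) and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "images" / "stories").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "images" / "stories" / "photo.jpg").write_bytes(b"\xff\xd8")  # not watched
        # The baseline lives outside the web root so a web-side edit cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(site), baseline_file)

        # Changes made directly on disk, as they would be over FTP: no PHP involved.
        with open(site / "index.php", "a") as f:
            f.write("<?php /* appended line */ ?>\n")
        (site / "images" / "stories" / "cache.php").write_text("<?php /* new file */ ?>\n")

        return compare_to_baseline(site, load_baseline(baseline_file))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files or '-'}")
```

In practice you would run `build_baseline` once on a known-clean tree, keep the JSON somewhere the FTP account cannot reach, and have cron run `compare_to_baseline` and mail the report whenever any list is non-empty. Because the hashing happens in a separate process, the ~5000-file size of a Joomla! install is not a constraint the way it is inside a page request.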