Blog Entry

How To Diagnose And Remove Pharma Hack In Drupal 7?

Image
drupal security

Biggest challenge with pharma hack is that often you would never know that your site is actually affected by pharma attack until someone finds out that the website’s Google search results show that the site may be hacked and showing descriptions mentioning Viagra or other pharmaceuticals.

Image
Drupal 7

In case your website is hacked, to find out the level of infection on your website you can do a Google search(as shown below) as the website will look normal for the visitors. The more the pages shown in the Google search results the severe the attack is.

Image
Drupal 7

Clean Malware

Having identified that your website is indeed infested with pharma hack, you need to identify malicious codes/files in the website and remove them. Follow these steps to identify the malware codes:

  • Run Hacked Module to identify backdoor entry files and missing files
  • Run Diff Module to analyze the changes done to core files

Use the results of the checklist and its resources to manually secure your site. After the site is secured and gotten rid of malware, re-submit the website to Google for crawling.

From our previous experience, we have found most common pharma attack happen through “misc” folder and “includes” folder

The pharma attackers add files/folders in the following pattern,

  • leftpanelsin.php on the path "/misc/farbtastic" (pharmacy Request )
  • refresh.inc on the path "/includes" (encoded codes)
  • cache.php on the path "l/misc" (encoded codes)
  • 26 PDF files on the path "/misc/farbtastic"
  • 3 Image files on the path "/misc/farbtastic"

Deleting all these files will clear the malware!

Secure the Drupal Website

After clearing all the malwares from the website, it is important to ensure the website is secure and all known vulnerabilities and anomalies are patched.

  • Run Security Review Module that automates testing for many of the easy-to-make mistakes that render your site in-secure.
  • Run Site Audit Module to generate reports with actionable best practice recommendations.

Use the results of the checklist and its resources to manually secure your site.

After the site is secured and gotten rid of malware, do monitor the website for next couple weeks to ensure that the hack is not re-occurring and monitor log files for any signs of attempts to penetrate your website security.

How to Prevent Sites from Pharma Hack

Obviously everything is not 100% secure in open source, but we can make it difficult for the hacker by implementing Drupal best practices.

  • Always keep your Drupal Core & contributed modules up to date
  • Remove unused modules
  • Tighten folder/file permissions
  • Routinely scan root directory for malware/malicious codes
  • Use third party tools like Sucuri to scan your website for known exploits
  • Disable Error reporting
  • Regularly Backup the website


Find out how our expert Drupal website maintenance team can help maintain your website! Get in touch with us today!

Call Drupal Geeks @ 312-340-7112 or send an email to [email protected]