Joomla Hacking Help
The Joomla Hidden Spam Link Hack uses negative positioning resulting in the spam links been above the page. Hence, the links cannot be viewed by the naked eye.
The hack is usually just after the opening body tag and looks as follows:
gia vang, seo, bao ve viet nam, bao ve viet nam, etc, etc.
The Joomla hidden spam link hack is wrapped in the div and h3 and can be found in the default.php file in your template directory template/your-template/layout/default.php
The first signs of the hack are Google displaying translate links next to your site in the search results due to the text been Vietnamese or displaying the spam in the cache or text versions.
Below displays the Joomla hack in the text version (what Google has crawled)
Once detected by Google it will only be a matter of time before the algorithm filters your site or the Webspam Team will flag your site as been hacked and remove it from the search results.
The hacker targets all your sites hosted on the same account. The last hack I removed entailed 2 sites. The one site was Joomla, the other site was build with WordPress (read more about locating the WordPress hidden spam link hack) Both sites were hacked using the same technique.
The hacker does not create new directories or files, they hack existing Joomla files, in this instance the default.php. The first step is to update your existing platform and plug-ins which might remove the hack. If you using an updated version you would need to remove the obfuscated PHP code from template/your-template/layout/default.php
To identify which template you are using, right click and view your page code. Once identified navigate to your control panel (public_html) and open the template directory, choose the template then open “layout”. The default.php file is inside your “layout” folder. It is advised you download a copy (precautionary act) then remove the entire obfuscated PHP code from the opening div to closing div and save the file.
Then navigate to Webmaster Tools (if you don’t have an account open one using your Gmail account) and view the page with fetch as Googlebot to make sure the hack has been removed, then submit your index page to index (including all links) That will force a re-crawl resulting in Google amending the search snippets (it could, however, take a couple of hours to days to reflect) and while in Webmaster Tools check for any messages (manual spam action)
Once you have removed the hack you need to change all your passwords (host login to your control panel, FTP password and platform password) and it is advised to run a security check on your computer.
Depending on the hacker would depend on the location of the infested file and method used. At times hackers create new files which makes it more difficult to locate and leave files on your server as doorways to re-hack the website. In this instance, the hacker used the same technique on all platforms and hacked existing files (default.php file located in your template layout folder)