My Joomla 3 site was recently hacked. Browsing to it with a common web browser works fine, but when you switch the user agent to a web crawler, it displays a spam page. How do I track down where the code is that does this?
I replaced index.php in the root with a test page and the test page appears. When I replace index.php in the root of a template, the spam page appears when using a web crawler user agent.
Any help would be greatly appreciated.
The best method to check the hacked website is to scan the malware using this link: https://sitecheck.sucuri.net/
Here, all the malware content will be loaded and you can easily backtrack them.
Enter your website URL in 'Scan your website' textbox and hit the scan button. Check for the results accordingly.
Let me know further if it helps.
I had to face this problem recently. In most cases I saw the libraries folder hacked and I had to replace it with a clean one to see my website correctly.
Here is what you can do:
Hope it helps, Marco
EDIT: I wrote an article here for more details http://goo.gl/47VTwn
There are obvious places to look such as the template index.php file, but a Joomla install has thousands of files and the only way to be confident that you have identified all the compromised files is to scan the whole file structure in your web hosting account with a reliable and recently updated scanning tool.
The most useful tool for this on a Joomla website is the mysites.guru (formerly myjoomla.com) security tool from Phil Taylor. It's not free but very affordable. mysites.guru quickly identifies compromised files and can restore any changed core Joomla files to the original versions.
There are other paid services that can help with scanning such as sucuri.net.
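An added example (not from any of the answers, and not part of Joomla or the tools named above): a sketch of the whole-tree check described in the last answer, comparing every PHP file against a clean copy of the same Joomla release and marking changed or extra files that also test the User-Agent for crawler names. The function names, the crawler-name list and the sample trees are assumptions made for illustration; extensions, custom templates and configuration.php will show up as "not in clean copy" and need a manual look.

```python
import hashlib, os, re, tempfile

# Heuristic only: crawler names that cloaking code typically tests the User-Agent for
BOT = re.compile(rb"googlebot|bingbot|slurp|crawler|spider", re.I)

def read(path):
    with open(path, "rb") as f:
        return f.read()

def php_files(root):
    """Yield (relative path, full path) for every .php file under root."""
    for d, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                full = os.path.join(d, n)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full

def audit(site_root, clean_root):
    """Map each PHP file that differs from the clean copy to a list of findings."""
    clean = {rel: hashlib.sha256(read(full)).digest() for rel, full in php_files(clean_root)}
    report = {}
    for rel, full in php_files(site_root):
        data = read(full)
        if clean.get(rel) == hashlib.sha256(data).digest():
            continue  # byte-identical to the clean release file
        findings = ["modified" if rel in clean else "not in clean copy"]
        if b"HTTP_USER_AGENT" in data and BOT.search(data):
            findings.append("user-agent check")
        report[rel] = findings
    return report

def demo():
    """Run audit() on constructed sample trees (not real Joomla files)."""
    files = {
        "clean/index.php": b"<?php echo 'home';",
        "clean/libraries/loader.php": b"<?php // loader",
        "site/index.php": b"<?php echo 'home';",
        "site/libraries/loader.php": b"<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { include 'spam.html'; }",
        "site/templates/custom/index.php": b"<?php echo 'template';",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        return audit(os.path.join(tmp, "site"), os.path.join(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

On a real site, call `audit()` with the web root and an unpacked copy of the exact Joomla version the site runs; a version mismatch reports every file touched by an update as modified.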