I just found this hack in a Joomla 1.5 site that I host. I found other JS infections too but was able to track down the bad files & replace them with known-good copies with some relatively simple measures, so am adding my experiences in the hope that this can help others similarly afflicted. I have root access to the site on a WHM/cPanel managed virtual server, so I logged in as root & issued this command, with results of similar form to this:
Code:
tail --lines=100 /usr/local/apache/logs/suphp_log
[Tue Sep 20 21:40:52 2016] [info] Executing "/home/websiteA/public_html/index.php" as UID 518, GID 514
[Tue Sep 20 21:41:12 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:13 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:41:49 2016] [info] Executing "/home/websiteB/public_html/index.php" as UID 533, GID 529
[Tue Sep 20 21:43:50 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
The bad JS is being run from the file libraries/openid/Auth/OpenID/session57.php on websiteC. I found several files buried deep that had plausible names but were not part of the Joomla installation. There were files in the root of the website with filenames like system.php or licence.php which again were not part of the Joomla installation.
The key way of identifying the bad files was that they all contained base64-encoded obfuscated JS & can generally be found by searching for any files containing the base64 decode string in a fashion similar to this:
Code:
grep -r '"64_decode";return' /home/websiteC/www/*
Of course, replace websiteC etc. by the WHM username for the account that hosts the website. Once you have seen one of the hacked files the signature is pretty distinctive.
I know that the website needs upgrading, but it's run by a small non-profit using Joomfish for multilingual features plus an ancient Wordpress for Joomla plugin & some other photo gallery plugins. It would be impossible to upgrade to Joomla 3.6 & the only realistic option is to eventually start from scratch & replace it with a more easily managed Wordpress website, which offers better security with minimal management. In the meantime all I can do is lock down the site as far as possible, adding the post-1.5.26 security patches & monitoring the site rigorously with lfd so I can step in at any sign that it's been hacked.
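The two checks described in the post (look in suphp_log for PHP being executed from somewhere other than a normal Joomla entry point, then grep the account's files for the obfuscation signature) can be scripted so they are repeatable after every lfd alert. The script below is an added example, not the poster's own commands: the log lines and the two PHP files it scans are constructed samples in the same format as the post, the path filter assumes a stock Joomla layout under public_html (index.php and administrator/index.php are the only expected entry points), and the account path prefix is a placeholder for the real WHM username. Anything it lists is a starting point for comparison against a known-good copy of the site, not proof of infection on its own.

```shell
#!/bin/sh
# Added example (not from the original post): scriptable versions of the two
# triage checks described above.

# Constructed sample of suphp_log lines, same format as the post's output.
# "websiteC" stands in for a real WHM account name.
SAMPLE_LOG='[Tue Sep 20 21:40:52 2016] [info] Executing "/home/websiteA/public_html/index.php" as UID 518, GID 514
[Tue Sep 20 21:43:50 2016] [info] Executing "/home/websiteC/public_html/libraries/openid/Auth/OpenID/session57.php" as UID 551, GID 549
[Tue Sep 20 21:44:01 2016] [info] Executing "/home/websiteC/public_html/administrator/index.php" as UID 551, GID 549
[Tue Sep 20 21:44:30 2016] [info] Executing "/home/websiteC/public_html/licence.php" as UID 551, GID 549'

# Check 1: list every PHP file suPHP executed that is not a normal Joomla
# entry point (index.php or administrator/index.php under public_html).
# $1 is the log text; the result is a sorted, de-duplicated list of paths.
suspicious_executions() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Executing "\([^"]*\)".*/\1/p' \
      | grep -v -E '/public_html/(administrator/)?index\.php$' \
      | sort -u
}

# Build a small constructed site tree: one harmless file and one file carrying
# the base64 obfuscation signature seen in the post. Prints the tree's root.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/libraries/openid/Auth/OpenID"
    printf '<?php echo "hello"; ?>\n' > "$dir/index.php"
    printf '<?php $f="base"."64_decode";return $f($x); ?>\n' \
        > "$dir/libraries/openid/Auth/OpenID/session57.php"
    printf '%s' "$dir"
}

# Check 2: recursively grep a site root for the obfuscation signature and
# print matching paths relative to that root, one per line, sorted.
# $1 is the directory to scan (e.g. /home/<whm-user>/public_html).
find_signature_files() {
    grep -rl '64_decode";return' "$1" | sed "s#^$1/##" | sort
}

# Run both checks on the constructed samples when executed directly.
echo "Executions outside the expected entry points:"
suspicious_executions "$SAMPLE_LOG"
tree=$(make_sample_tree)
echo "Files carrying the obfuscation signature under $tree:"
find_signature_files "$tree"
rm -rf "$tree"
```

On a live server you would feed the real log to the first check (`suspicious_executions "$(tail --lines=100 /usr/local/apache/logs/suphp_log)"`) and point the second at the account's document root. The entry-point filter is deliberately strict: legitimate extensions that expose their own PHP endpoints will show up too, which is acceptable for a short manual review and avoids hiding a file like licence.php that sits in the site root.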