Recently, one of our clients ran into issues with their Joomla! website: it kept redirecting to another website, namely
http://shopforza.info/shop, after exactly 25 seconds. Upon acknowledging the problem, we immediately understood that the website was just another hacked Joomla! website.
Thorough inspection of the HTML source code revealed nothing interesting, or at least nothing in the markup itself. The HTTP response, however, carried the following header:
Refresh: 25; url="http://shopforza.info/shop"
Let's not forget that Refresh: is a valid HTTP header, hence the need to use the http-equiv attribute when you use it from a <meta> tag. With this header caught, the cause of the redirect to that website after 25 seconds suddenly became obvious. But we still had to discover where this header was injected from.
A quick search for malicious uses of evil PHP functions such as base64_decode() revealed that the only file concerned was index.php, at the root of the Joomla! install. Since this file is executed each time a page is shown, it is a good target for an attacker: whatever bad code it contains will run on every request. The file contained the following line between the first two
Evaluating this string after base64-decoding it, of course, results in running the following code:
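The search and decode steps above can be scripted so the payload is inspected without ever being executed. The following triage helper is an added example written for this article, not the cleanup tooling the authors used: it walks a directory of PHP files, looks for the eval(base64_decode("...")) pattern, decodes the embedded string, and extracts any Refresh header the decoded code would send. The sample index.php it scans is constructed here (the payload is our own, built to emit the header seen in the incident), and the decode and scan functions are hypothetical names chosen for the example.

```python
"""Triage helper for the eval(base64_decode(...)) injection discussed above.

Added example, not the article's own code. It decodes the obfuscated payload
without executing it, so the analyst can see what the injected line would do.
"""
import base64
import os
import re
import tempfile
from typing import Dict, List, Optional

# eval(base64_decode("...")) or eval(base64_decode('...')), tolerant of whitespace.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# A Refresh header inside the decoded payload, with or without quotes on the URL.
REFRESH_RE = re.compile(
    r"""Refresh:\s*(\d+)\s*;\s*url\s*=\s*["']?([^"'\)\s]+)""",
    re.IGNORECASE,
)


def decode_payload(b64: str) -> Optional[str]:
    """Return the decoded payload as text, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def parse_refresh(payload: str) -> Optional[Dict[str, object]]:
    """Extract the delay and target URL of a Refresh header, if the payload sets one."""
    m = REFRESH_RE.search(payload)
    if not m:
        return None
    return {"seconds": int(m.group(1)), "url": m.group(2)}


def scan_file(path: str) -> List[Dict[str, object]]:
    """Report every eval(base64_decode(...)) occurrence in one PHP file."""
    findings: List[Dict[str, object]] = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in EVAL_B64_RE.finditer(line):
                payload = decode_payload(m.group(1))
                findings.append({
                    "file": path,
                    "line": lineno,
                    "payload": payload,
                    "refresh": parse_refresh(payload) if payload else None,
                })
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a web root and scan every PHP source file found."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed stand-in for an infected index.php. The payload is our own example,
# built so the decoded string sends the header observed in the incident.
INJECTED_PHP = 'header("Refresh: 25; url=http://shopforza.info/shop");'
INJECTED_B64 = base64.b64encode(INJECTED_PHP.encode()).decode()
SAMPLE_INDEX_PHP = (
    "<?php\n"
    f'eval(base64_decode("{INJECTED_B64}"));\n'
    "define('_JEXEC', 1);\n"
)


def demo() -> List[Dict[str, object]]:
    """Write the constructed sample site to a temp dir, scan it, and return findings."""
    with tempfile.TemporaryDirectory() as site:
        with open(os.path.join(site, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INDEX_PHP)
        # A file that merely calls base64_decode on a variable is legitimate
        # and must not be flagged: the pattern requires the eval wrapper.
        os.makedirs(os.path.join(site, "libraries"))
        with open(os.path.join(site, "libraries", "clean.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$x = base64_decode($input); // legitimate use\n")
        findings = scan_tree(site)
    for f in findings:
        print(f"{f['file']}:{f['line']} eval(base64_decode(...)) found")
        if f["refresh"]:
            print(f"  decoded payload sends Refresh after {f['refresh']['seconds']}s to {f['refresh']['url']}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a copy of the web root rather than the live site, and treat every hit as something to read, not something to run; a plain grep for base64_decode will also surface legitimate callers, which is why the pattern here insists on the eval wrapper.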
Now that the source of the problem had been found, the last step was to get rid of it by removing this line and bringing the website back up to make sure that the redirect was gone. As usual, we then investigated with the client to explain how this single line of PHP code could have been injected into a file on the server in the first place.
While we did not discover any backdoors on the website, it turned out that our client used a very insecure administrator password, one listed in the top ten most insecure passwords, and that their website was also using some Joomla! extensions with known vulnerabilities. This combination of security weaknesses likely led to the code injection: after we recommended uninstalling the insecure extensions and using only secure passwords, they confirmed that the website remained clean for weeks.
If you are affected by the same problem, we hope that this article will help you solve it without too much hassle. And remember that this kind of problem can easily be prevented by using strong passwords and secure, up-to-date extensions.