[Cialug] Slight OT: Joomla & Security

jrnosee jrnosee at gmail.com
Thu May 24 14:17:42 CDT 2012


Thanks everyone for the tips.

Since I got a lot of replies I'll post some responses this way so everyone
who responded can see.

I was getting a PHP injection at the top of a number of the php pages that
contained a <?php eval(base64_encode([base64 data]));> line.  After
decoding the data and working though what it did I found it was opening a
hidden iframe to some dubious URL.  To what purpose I don't really know.

After a LOT of searching and seeing how common this issue was I did find a
fix (for now).  I was able to remove the code from all the php pages.

*NOTE:* Crud...just checked the site today...it's back :(  This is actually
IN the index.php file yet the file's modified date/time stamp haven't
changed?!  Anyone know how it's possible to modify a file in linux and NOT
change the modified date/time?  I was thinking that this was
self-replicating, but I swear I removed it from every page....

I'm going to work with my web host to try and clear this up.  My church is
planning to move to a new host/solution *at some point....* but I don't
know how long that will take.  I'll have to discuss options with them.

My townhomes website barely gets used.  I keep asking the board to put up
content but nobody wants to do it so they may just scrub the whole thing.
 We paid for 1 yr hosting I think up front....

For now I'm going to go through the tips Josh sent and try to work with my
hosting (phpwebhosting) to see if they can find anything on their end.

For now if anyone wants to see what it's doing it's on the top line of view
source (you'll see a script tag...that's the decoded base64) at www.jefc.org.
 It keeps breaking my townhome's joomla theme so there's nothing to see
there.

If it's gone when you check it's probably because I'm trying to remove it
again.


More information about the Cialug mailing list