Recently, I came across a newspaper web-site in the UK which had been hacked. The owner reported that Google Chrome told him there was a security problem, but other browsers did not.
The moment I visited the site, my security tools warned me that the site had been blocked from delivering a malicious payload to my machine.
I told the site owner to bring the site down immediately, to change hosting providers and to employ my company to clean it up. I have experience of cleaning up hacked sites and analyzing site issues, so I felt sure I could help. He did employ my company, albeit in exchange for services rather than for money.
I set to work at the beginning of September, when I was given unlimited access to the site, although my company was closed for about a week from 7th September for essential renovation work.
By 5th September I had traced the rogue code that had been injected into 166 PHP files and removed all trace of it. The site owner told me that I’d ‘done brilliant work’ and that he would test it over that weekend.
I noticed that some of the non-alphanumeric characters in the content had been corrupted in the database migration (e.g. â€™ had been substituted for apostrophes), so that had to be fixed using phpMyAdmin to do a search and replace on most of them.
The favicon was just the default one from the previous hosting service, so I quickly made one from a screenshot of the front page and got it working.
On 14th September, it was reported that there were some problems with menu links. Some weird string was being inserted between the domain and the location. It included things that weren’t even on the site, such as the name of a template that had never been on the site, and section and category names that don’t exist. I set to work to fix it, figuring it was an SEF issue.
SEF stands for ‘search engine friendly’ and is a way in which long, complex URLs containing technical information about the components and modules on the site can be changed into ones that look like ‘normal’ URLs, with human-readable and machine-readable directory and file names and the .html suffix. These are actually virtual names, but users feel more comfortable with them, and search engine crawlers such as the Googlebot index them properly and with ease.
There were a number of security issues. There were far too many Super Administrators, with full power over the site. The Joomla installation directory had been renamed instead of being removed. There were back-ups all over the place, including inside the web-root itself, a very bad practice. It turned out, in the end, that some of these weren’t back-ups at all, but site mirrors that the hacker had created to sell on a forum! But more of that later.
When my company reopened, I got to work on trying to find out why these menu links were being corrupted. I disabled things, I searched the file system and database, and I cleaned up all the extraneous material, reducing the domain files from nearly 2 Gb to less than 300 Mb. None of this helped. I played with the SEF plugins, of which there were far too many installed. I have never had a problem using Apache’s mod_rewrite module with a suitable .htaccess file. The .htaccess file that comes with Joomla (but needs to be ‘switched on’) is usually sufficient; in combination with the built-in Joomla SEF plugin, it works for me every time. However, here Artio JoomSEF, AceSEF and sh404SEF were installed and running in addition. I disabled all except the built-in one and enabled mod_rewrite and SEF in the Joomla configuration. I also replaced the horrendous original .htaccess file with a normal one.
Still the problem wasn’t solved. Where was this strange string coming from? It was only when, last night, the site owner told me that the template whose name was in the string had once been the template for the site, but had been removed long ago, that I realized the string was internal to the database and not coming from outside. This meant I could do a much more thorough search, and this morning I found the problem. The strings were in the ‘trace’ column of the ‘sefurls’ table in the database. Finally, after a further clearing of the cache, the site is working as it did before, and much better now, because of the massive clean-ups I did on both file system and database.
During the course of all this investigation, I did a lot of detective work and was able to tell the site owner the name, address and telephone number of the Romanian hacker. He is even listed on LinkedIn.
How he got into the site in the first place, in spite of the insecurity of the installation (it was running Joomla version 1.15 that was months old, with well known exploitable flaws in it), still puzzled me – until I was told that this self-styled ‘ethical hacker’ was actually the person who had built the web-site in the first place. Yes! He had left a back-door in the site, allowing him to hijack it and sell it on in a Romanian forum. Whoever bought it (a Latvian, it seems) must have hacked it immediately, allowing it to deliver a trojan to every unprotected visitor to the site.
This code is seriously obfuscated, by a very clever hacker. It is in a base64-encoded binary format and it includes PHP code that decodes the string, so that when decoded it comes out as more PHP code.
Inside that there is a further base64-encoded string which, when decoded, will run a script residing on an external web-site – http://zettapetta.com
A lot of the rest of it is further encoded with gzencode, and it also includes PHP code to decode that.
Ultimately, this rewrites the headers of the HTML pages that Joomla generates, allowing malicious content to be sent to the unprotected site visitor, which acts as a virus on any Windows machine.
The bad script that does all of this is found at the beginning of a number of PHP files on the site. This is what was triggering the Avast anti-virus alert, which was quite correct to do so and functioning very well.
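As an added illustration of the layered base64/gzencode wrapping described above (this is not the author’s code, nor anything taken from the infected site), the Python below triages a PHP file statically: it lists the decoder functions the file calls, peels base64, gzip (gzencode) and raw-deflate (gzinflate) layers off any long base64 literal without executing a byte of PHP, and reports the URLs found in the decoded stages. The sample PHP file, its inner stage and the http://example.invalid URL are constructed for the example.

```python
"""Static triage of a PHP file carrying an obfuscated "decode then eval" prefix.
Nothing here runs PHP: layers are peeled as data only.  Added example; the
sample file, inner stage and URL are constructed, not taken from any real site."""
import base64
import gzip
import re
import zlib

# PHP calls that almost always appear in injected decode-and-run prefixes.
DECODER_CALLS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(",
    re.IGNORECASE,
)
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=\s]{40,})['"]""")  # quoted literal worth peeling
B64_BODY = re.compile(rb"[A-Za-z0-9+/\s]+={0,2}\s*")
URL = re.compile(rb"https?://[^\s'\"<>()]+")
MAX_LAYERS = 20


def _is_text(data: bytes) -> bool:
    """Printable ASCII means we have reached a readable stage: stop peeling."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_layers(blob: bytes):
    """Undo base64 / gzip (PHP gzencode) / raw deflate (PHP gzinflate) layers in
    whatever order they were applied.  Returns [(layer_name, decoded), ...]."""
    layers, data = [], blob
    for _ in range(MAX_LAYERS):
        if data[:2] == b"\x1f\x8b":  # gzip member header
            try:
                data = gzip.decompress(data)
            except (OSError, EOFError, zlib.error):
                break
            layers.append(("gzip", data))
        elif B64_BODY.fullmatch(data) and len(data.strip()) >= 16:
            try:
                data = base64.b64decode(b"".join(data.split()), validate=True)
            except ValueError:
                break
            layers.append(("base64", data))
        elif not _is_text(data):  # binary but not gzip: try raw deflate
            try:
                data = zlib.decompress(data, -15)
            except zlib.error:
                break
            layers.append(("deflate", data))
        else:
            break
    return layers


def analyse_php(source: str) -> dict:
    """Which decoder calls the file uses, how many layers its literals hide,
    and every URL that appears in the decoded stages."""
    calls = sorted({m.group(1).lower() for m in DECODER_CALLS.finditer(source)})
    layer_names, urls = [], []
    for literal in B64_LITERAL.findall(source):
        peeled = peel_layers(literal.encode("ascii"))
        layer_names.extend(name for name, _ in peeled)
        for _, stage in peeled:
            urls.extend(u.decode("ascii", "replace") for u in URL.findall(stage))
    return {
        "decoder_calls": calls,
        "layers": layer_names,
        "urls": sorted(set(urls)),
        "suspicious": bool(calls and layer_names),
    }


# ---- constructed sample: base64( gzip( base64( inner PHP ) ) ) ahead of normal code ----
INNER_STAGE = b"<?php /* constructed final stage */ $src = 'http://example.invalid/remote.txt'; ?>"
_LITERAL = base64.b64encode(gzip.compress(base64.b64encode(INNER_STAGE))).decode("ascii")
SAMPLE_PHP = (
    "<?php eval(base64_decode(gzdecode(base64_decode('" + _LITERAL + "')))); ?>\n"
    "<?php\n// the site's own code would follow here\ndefined('_JEXEC') or die;\n"
)
CLEAN_PHP = "<?php\ndefined('_JEXEC') or die;\necho 'hello';\n"

if __name__ == "__main__":
    print("infected:", analyse_php(SAMPLE_PHP))
    print("clean:   ", analyse_php(CLEAN_PHP))
```

Run it over every .php file under the web-root and sort by `suspicious`; the `urls` list gives you the external hosts to block and to search the rest of the file system for. Its limit is worth knowing: it only peels literals that are present in the source, so a prefix that assembles its string at run time (chr() arithmetic, concatenation, str_rot13) will show up through `decoder_calls` but with no layers, and still deserves a look.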
The payload is called ‘Script-inf’ and infects Windows machines with a nasty trojan. Symantec say about this on their web-site that:
“Script.Inf is a piece of malware that infects Windows INF files. Windows will run the script commands in an INF file. Like other viruses, Script.Inf makes use of a few other steps when infecting, creating a TXT file and then appending it to the AUTOEXEC.BAT file so it runs at system startup.”
So anything may be forced to happen on a Windows machine after visiting a site with this infection.
Please be aware, if you are a site owner, webmaster or just an ordinary web user. You have been warned.
If you own the site and the webmaster is lost, please DO take the site down immediately, so that no-one else gets infected, and seek professional help.
Goaheadspace is available at any time to take on the work of cleaning hacked sites, as well as securing them to prevent infection in the first place.
We also offer free advice on our web-site.