How does this mess work?
My Joomla! website has been repeatedly hacked into. Someone, somehow, managed to inject the following rubbish into the key php scripts, but I mean not to talk about configuring Joomla. The site is not visited much (at times I fear I might be the only visitor to that site…) and I don’t care much to have the site back up and running. I’ll handle that eventually.
My question is, how does this rubbish work? I look at it and I just don’t see how does this manage to do any harm? What it does is it tries to download a PDF file called ChangeLog.pdf, which is infected with a trojan and after opening will freeze up your Acrobat and wreak havoc on your machine. How does it do that, I don’t know, I don’t care. But how does the following piece of script invoke the download?
ESET has detected this code as JS/TrojanDownloader.Agent.NRO trojan
replace call after the giant messy string:
It removes most of the special characters, turning it into a normal URL:
(I manually changed
Note that the regex could have been simplified to
If you look at the script, you'll see that it's a very simple script that injects a hidden IFRAME containing the path
/index.php?ys from the same domain.
I requested that page in Fiddler, and it had no content.
My work requires I run many domains, applications and frameworks on many types of servers and systems for clients and myself. Over time I've seen more and more bots crawling these systems looking for known loopholes/entrances by-way of back-door entrances created by those frameworks. Good thing when I use any type of framework, which I seldom do, I make sure to rename most if not the entire file structure to rid myself of those pesky loopholes/back-doors. At the very least you can rename directories which will throw off most bots, but my way is to completely eliminate references that give clues as to the nature of the framework, which includes renaming of the entire file structure not just directories. Always keep a map of the new naming conventions relative to the old naming conventions in order to make adding plug-ins to your base framework a snap. Once you get the hang of this you can go as far as programatically renaming the entire framework filestructure for quicker results, this is especially useful when having to deal with clients needing to be able to update their framework with plug-ins and the like.
It just does a regex replace on the script url to give you
NOTE: DO NOT FOLLOW THE BELOW LINK (inserted
** to deter the copy-pasters)
It uses the replace function to replace the rubbish chars using regex, nothing wrong with the code:
Its load script from
And that script load
iframe from with visibility
When you read the whole thing, you find that it is a string followed by a replace command.