hello there to the ethical hacker community, at the start of the attached file there is code that i found to all .php files that exist on a site that was hacked. If the code seems interesting to anyone, some explanation on what the code does would be very helpful so i can secure my site.

First of all thanks for the reply, i know this code is malicious because the site was hacked several times and many strange things happened, you know like frontpage replacement from hackers and thiings like that. Secondly because the site is built on joomla and i can distinguish (so can everyone who has been working with joomla) the code that exists on a normal joomla .php page from code that was manually inserted. You can also notice this, the joomla code starts with the joomla credits comments (at line 2!!!).
Can you tell what the first part of code (the one that is not well lined out well and is before the joomla credits comments) is for? Also if you can see it uses code encoding and decoding, i don't know, i can post also a normal index.php to view the difference

Alexsp,

I've no experience with Joomla, so apologises if this is overly generic. If you can post what the file should be, or just outline which code is added/modified that will help.

However, whilst this may be a result of a compromise, I'd not expect the code you've found to be the first point of intrusion, as any attacker would already need a foothold on the server to be able to add/alter any of your existing source.

I'd strongly suggest a thorough review of server logs, access, user etc. (basically the usual candidates), as well as a security audit of the code hosted on the site.

Is this site the only web application running on the server, or is it shared? If shared, it could be that the fault doesn't existing within your application, but a weakness on a different site has allowed a malicious user to system access to modify source code of otherwise secure web apps.

Hope this helps.

Again, not a Joomla expert so I'm going blind on some things, but:

'Edited' index file includes two additional php files (helper.php & toolbar.php). Are these a legitimate part of the framework? Are they also edited? Are they required? What do they do?

looks like the edited file removes an authorisation call, suspicion levels rising...

Finally, the edited index file looks like to calls a function to get a gzipped copy of the configuration file.

From my knowledge of Joomla this could be legit (if you're seeing it across multiple systems, any chance you've just upgraded Joomla?). But at worst looks like a data leakage issue, I'd still suggest focusing on locating the original compromise, this looks to be more a symptom than a cause.

Can anyone shed any additional light?

which part? Unless I'm missing something I can't see anything in the code you've uploaded that indicates a shell.

Initial inspection - the initial arguments are set to globals for each function which are extrememly obfuscated:

Also creates a file in my instance on local file system in Temp folder and writes to that file after making following request


In this instance k is the filename for temp created file...


Alot of other code, there I haven't had a chance to look at. That remote site appears down, but is actually a forbidden index page... Suspicious?

Given more time I could have a look, but that may help you get started... PM if you want real URL as I didnt want possibly malicious URLs on posting....

Apologies if not too detailed, I could only look for 10 mins!

n1p

First one provided.. extracted the added code in main index.php and reformatted it..

+1, I did the same, nothing like a rookie error on a public board