«

»

Sep 18

Hacked Joomla website

I found out of one my friend’s joomla site was hacked and hidden links were embedded into his website. It took me almost an hour to figure out where they had added the code. It started with finding out template change that they could hide links from us.

templates/rt_maelstrom/css/template.css:#rt-lm {display-none;}
templates/rt_maelstrom/css/template.css:#rt-lm{position: absolute; top: 0px; left: -5000px;}

Next step was looking for the URL and where they were getting it but lots of ‘grep’ -ing and phpMyAdmin search resulted with nothing. While I was giving up on it, I found it in article.php file under templates folder. Ofcourse encoded as usual.

<?php
$pml='PGRpdiBpZD0icnQtbG0iPjxhIGhyZWY9Imh0dHA6Ly93d3cucHJpbnRlci1zcGIucnUvZXBzb24tc3
R5bHVzLXByby0zODgwLXJjIiB0YXJnZXQ9Il9ibGFuayIgdGl0bGU9IkVwc29uIFN0eWx1cyBQUk8gMzg4MCI+RXB
zb24gU3R5bHVzIFBSTyAzODgwPC9hPjxicj48YSBocmVmPSJodHRwOi8vdG9waG9zdGVyLm9yZyIgdGFyZ2V0PSJf
YmxhbmsiIHRpdGxlPSLQtNC10YjQtdCy0YvQuSDRhdC+0YHRgtC40L3QsyDRgdCw0LnRgtC+0LIiPtC00LXRiNC10
LLRi9C5INGF0L7RgdGC0LjQvdCzINGB0LDQudGC0L7QsjwvYT48L2Rpdj4=';
echo base64_decode($pml);?>

Leave a Reply