21 Apr, 2017

Joomla Templates Under Hacking Attack

Learn how to detect and remove a malicious script that targets Joomla templates and causes redirection to a phishing site.
This short post is about a recent attack that targets the Joomla! Content Management System, specifically its templates. We decided it was worth spreading the word after our malware experts resolved numerous similar incidents.
Attack On Joomla! Templates
The file index.php contains a malicious script that calls its main component like the snippet below:
But if you view the site source via the web, the added script just before the head tag looks like this:
Note: In stat88b.php, 88b stands for three random hexadecimal digits. It can be 012, ab0, etc.

The file stat88b.php is obfuscated.
Adding the above script causes a redirect to h t tp://freewebstatistics.net/id4.php and the download of a malicious Flash player (as of this writing, the link is inaccessible).

You can see the decrypted code here: https://malwaredecoder.com/result/ad5855942ef6d37e08d20fbd42aa7318
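
A detection sketch for the indicators described above, added here as an example and not Quttera's own tooling: it walks a Joomla templates directory and flags files named stat plus three hexadecimal digits plus .php, as well as PHP files that mention such a name or the redirect host. The function name, the case-insensitive match, and the premise that the injected code names the file in clear text are assumptions.

```python
import os
import re
import sys

# Name pattern from the post: "stat" + three hexadecimal digits + ".php".
# Case-insensitive matching is an assumption; the post shows lowercase only.
DROPPER_NAME = re.compile(r"(?<!\w)stat[0-9a-f]{3}\.php\b", re.IGNORECASE)
# Redirect host named in the post.
REDIRECT_HOST = "freewebstatistics.net"


def scan_templates(templates_dir):
    """Return sorted (path, reason) findings under a Joomla templates directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(templates_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            # 1. A file whose whole name is stat<3 hex>.php.
            if DROPPER_NAME.fullmatch(name):
                findings.append((path, "filename matches stat<3 hex>.php"))
                continue
            if not name.lower().endswith(".php"):
                continue
            # 2. A PHP file that mentions such a name or the redirect host
            #    (assumption: the injected code names them in clear text).
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                findings.append((path, "unreadable, check manually"))
                continue
            hit = DROPPER_NAME.search(text)
            if hit:
                findings.append((path, "references " + hit.group(0)))
            elif REDIRECT_HOST in text:
                findings.append((path, "references " + REDIRECT_HOST))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_templates.py /path/to/joomla/templates
    root = sys.argv[1] if len(sys.argv) > 1 else "templates"
    for found_path, reason in scan_templates(root):
        print(f"{found_path}: {reason}")
```

Each hit is a lead for manual review: a legitimate file can match the name pattern by coincidence, and an injection that hides the file name will not be caught by the content check.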
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false positives, blacklisting and other kinds of alerts by any security vendor or search engine. Just select a suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk