This short post is about recent attack that targets the Joomla! Content Management System's and specifically its templates. We decided that it is worth to spread the word about it after our malware experts resolved numerous similar incidents.

The file index.php contains a malicious script that calls its main component like the snippet below:

But if you view the site source via the web, the added script just before the head tag looks like this:

Note: For stat88b.php, 88b is a three random hexadecimal number. It can be 012, ab0, etc.

For this file stat88b.ph is obfuscated.

Adding the above script causes redirection to h t tp://freewebstatistics.net/id4.php and download malicious flash player (As of this time, the link is inaccessible)

You can see the decrypted code here: https://malwaredecoder.com/result/ad5855942ef6d37e08d20fbd42aa7318

Our experts are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select from suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk