Saturday, December 14, 2013

Malware found on a Joomla driven website 

Today, I found this malicious code on a Church's website, driven by Joomla. 
 
<div style="display:none"><a href="http://www.sikayetvar.com/firma/detay/fuga-mobilya" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/2137094/fuga-mobilya-zamaninda-teslimat-yapmadi/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/2108657/fuga-mobilya-gec-teslimat-yapiyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/2080660/fuga-mobilyadan-aldigim-koltuk-ses-cikariyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/2048411/fuga-mobilya-hatali-urun-getirdi/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/2045973/fuga-mobilya-urunleri-teslim-edemiyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1996547/fuga-mobilya-gecikmeli-teslimat/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1993556/fuga-mobilya-teslimat-yapmiyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1993798/fuga-mobilya-gec-teslimat/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1972065/fuga-mobilya-teslimat-yapilmiyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1861963/fuga-mobilya-musteri-hizmeti-cok-kotu/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1840619/fuga-mobilya-esyalar-teslim-edilmiyor/" title="fuga mobilya">fuga mobilya</a></div>
<div style="display:none"><a href="http://www.sikayetvar.com/sikayet/detay/1566776/fuga-mobilya-kumas-istedigimiz-gibi-cikmadi" title="fuga mobilya">fuga mobilya</a></div>
Posted by at
Labels:

3 comments:

  1. XpucmoJune 1, 2014 at 5:10 AM

    Hi Ali, thank you for your collection of malicious code in joomla and other sites.
    I have similar links (to sikayet.com) in a joomla 1.5.26 site. Yes, I know, I should migrate this to joomla 2.5 or 3.0, but before I do this: do you have a hint where to look for the malicious code that inserts the links? I have been searching for a while (chiefly using the change-dates of the files in the system), but so far I haven't found anything suspicious...

    Thank you, kind regards,
    Christian

    ReplyDelete
  2. XpucmoJune 1, 2014 at 5:11 AM

    sikayetvar.com I wanted to say...

    ReplyDelete
  3. Amanat AliJune 1, 2014 at 7:44 AM

    Hello,

    This code was in theme's index.php file. You should download all .php files and search within all the files. I use Dreamweaver for this purpose.

    Regards

    ReplyDelete

Subscribe to: Post Comments (Atom)