A popular model of Adidas sneakers, viral marketing and an undetectable backdoor. What do these 3 things have in common?
Two weeks ago we were contacted by a client who asked for help with eliminating malicious software from his website and with identifying the security issues behind it. Now we present our analysis.
The client's website is based on Joomla CMS and it was hacked some time ago. In the meantime, the client updated the Joomla engine and the available plugins, which made it difficult for us to identify the hacking method with 100% certainty.
The client was using the free version of Webanti, which correctly detected the malware. However, it was impossible to eliminate the malware completely without technical knowledge, because the malicious code had been attached to legitimate files that the website needs in order to work without errors.
The code looked as follows:
What is more, an interesting piece of code was identified, which worked as follows: if a user arrived at the specified URL from Google, Bing or Yahoo, they were redirected to yeezyboost350.it (the code was attached to a paid Joomla template):
Yeezy Boost 350 is a popular and very expensive model of Adidas sneakers, designed by Kanye West. According to Italian internet users, the website was used for swindling people who were looking for a cheap store offering this model. Based on the dates of those posts, the scam lasted for almost half a year. We suspect that the malware was intended to lure victims to the store. We do not know the scale of the infection, though, and because of this we are unable to estimate its reach. However, it is interesting that it was intended for Italian websites and yet it got to Poland.
The client wanted us to eliminate the viruses from the legitimate lines of code of his website, but also asked us to determine how they got there. One of the issues we detected was a brute force attack on the website – a fairly simple login, admin, and a simple 9-character dictionary password in the range [a-zA-Z0-9] were quite easy to break in a short time. The incident logs contained more than 34 million entries relating to password guessing.
In addition, we found that the server contained copies of the configuration file with the stored database access data – configuration.php.new – and this file could be read in a web browser. Attackers who obtained these data were able to connect directly to the database and change individual settings.
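As an added illustration (not part of the original write-up and not Webanti's code), the following Python script shows the check we would run over the web server's access log to surface a brute-force campaign like this one: it counts POST requests to the Joomla administrator login per source address in a sliding one-minute window and reports addresses that exceed a threshold. The log lines are constructed for the demo; the threshold, the window and the assumption that every login attempt is a POST to /administrator/index.php are ours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Joomla's administrator login form submits to this path (assumed default install).
LOGIN_PATH = "/administrator/index.php"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(log_text, threshold=10, window=timedelta(minutes=1)):
    """Map each source address to its peak number of login POSTs inside any `window`,
    keeping only addresses whose peak reaches `threshold`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0] == LOGIN_PATH:
            attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # classic two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, method="POST", path=LOGIN_PATH, status=303):
    """Build one constructed combined-format log line (demo data only)."""
    return (f'{ip} - - [10/Mar/2016:10:00:{second:02d} +0100] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: 30 login POSTs from one address within a single minute,
# plus one page view and one ordinary login from another address.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s) for s in range(0, 60, 2)]
    + [_line("198.51.100.5", 5, "GET", "/index.php", 200),
       _line("198.51.100.5", 40)]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within one minute")
```

On a real log the same function is fed the file contents; the threshold should sit well above the number of times a legitimate administrator mistypes a password, and the addresses it returns are the ones to block or rate-limit at the web server.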
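A leftover copy such as configuration.php.new is served as plain text because the web server hands only files ending in .php to the PHP interpreter. The following Python check is an added example for this article (not Webanti's scanner) that walks a web root, lists every backup-style copy of configuration.php and reports whether it still carries the JConfig database properties; the demo directory tree, the suffix list and the placeholder credentials are constructed for the demonstration.

```python
import os
import re
import tempfile

# Suffixes that admins and editors typically leave behind when copying configuration.php.
BACKUP_TAIL_RE = re.compile(r"^(\.(new|old|bak|orig|save|copy|txt|swp|\d+)|~)$", re.IGNORECASE)
CONFIG_BASENAME = "configuration.php"
# Joomla stores database access data as these JConfig properties.
CREDENTIAL_RE = re.compile(r"public\s+\$(password|user|host|db)\s*=", re.IGNORECASE)


def exposed_config_copies(webroot):
    """Return sorted (relative path, contains_credentials) pairs for each backup copy."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if not name.startswith(CONFIG_BASENAME) or name == CONFIG_BASENAME:
                continue
            if not BACKUP_TAIL_RE.match(name[len(CONFIG_BASENAME):]):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                has_creds = bool(CREDENTIAL_RE.search(fh.read()))
            hits.append((os.path.relpath(full, webroot), has_creds))
    return sorted(hits)


# Constructed demo content (placeholder credentials, not the client's).
DEMO_CONFIG = """<?php
class JConfig {
    public $host = 'localhost';
    public $user = 'joomla_user';
    public $password = 'PLACEHOLDER-DB-PASSWORD';
    public $db = 'joomla_db';
}
"""


def build_demo_webroot():
    """Create a throwaway tree: the live config, a ".new" copy with credentials,
    an editor backup without them, and an unrelated file that must not be reported."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    os.makedirs(os.path.join(root, "images"))
    files = {
        "configuration.php": DEMO_CONFIG,
        "configuration.php.new": DEMO_CONFIG,
        "configuration.php~": "<?php // editor backup, credentials already stripped\n",
        "images/logo.png": "not really a png",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, creds in exposed_config_copies(build_demo_webroot()):
        state = "contains database credentials" if creds else "no credentials found"
        print(f"{path}: {state}")
```

Every path the check prints should be deleted from the web root (or, at minimum, denied in the web server configuration), and any database password found in such a copy should be treated as disclosed and rotated.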
We also found a very interesting backdoor in a file: it was activated only when someone visited it and sent a COOKIE named 8ee4b0401bff6f374ec2d33c4a0724ec.
What is more, even after sending the relevant COOKIE, the attacker had to enter the correct password to activate the backdoor, which was used for managing files on the client's server.
Another backdoor we detected was a simple file with a file upload function. It is simple, but difficult for antivirus software to detect, as it looks completely legitimate and is present on almost every website – it is used for uploading files (e.g. images, attachments, etc.). Here we have to praise the Webanti algorithm, which easily detected this uploader code and flagged it as a threat.
To back up our claim that other antivirus software was unable to detect this backdoor uploader, we submitted the code to VirusTotal, which checked it with 54 popular antivirus engines and failed to find the problem. This only shows that Webanti was created to detect malware on websites and that it does so successfully.
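The three malicious patterns described above (the search-engine-conditional redirect in the template, the cookie- and password-gated file manager, and the bare uploader) are recognisable from their PHP source alone, which is where a website scanner has an advantage over signature-based antivirus. The following Python scanner is an added example written for this article, not Webanti's algorithm and not any of the client's files: the PHP samples are constructed outlines of each pattern, the indicator regexes and the rule combinations are our own heuristics, and the redirect target and password hash are placeholders.

```python
import os
import re

# Single-feature indicators; a file is tagged with every indicator that matches.
INDICATORS = {
    "referer_check": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]", re.I),
    "search_engines": re.compile(r"google|bing|yahoo", re.I),          # noisy alone
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    # Tuned to this case: a cookie whose name is a 32-hex-digit hash.
    "cookie_gate": re.compile(r"\$_COOKIE\s*\[\s*['\"][0-9a-f]{32}['\"]\s*\]", re.I),
    "password_gate": re.compile(r"md5\s*\(\s*\$_(POST|REQUEST|COOKIE)", re.I),
    "file_management": re.compile(
        r"\b(unlink|rename|file_put_contents|fwrite|chmod|mkdir|rmdir)\s*\(", re.I),
    "upload": re.compile(r"move_uploaded_file\s*\(", re.I),
    "upload_validation": re.compile(
        r"pathinfo\s*\(|in_array\s*\(|getimagesize\s*\(|finfo|mime_content_type", re.I),
}

# Verdict -> (indicators that must all be present, indicators that must be absent).
RULES = {
    "search-engine cloaking redirect": ({"referer_check", "search_engines", "redirect"}, set()),
    "cookie-gated file manager": ({"cookie_gate", "file_management"}, set()),
    "unvalidated upload handler": ({"upload"}, {"upload_validation"}),
}


def classify(source):
    """Return (set of matched indicators, list of verdict labels) for one PHP source."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    verdicts = [label for label, (required, forbidden) in RULES.items()
                if required <= hits and not (forbidden & hits)]
    return hits, verdicts


def scan_sources(sources):
    """Map relative path -> verdicts, keeping only files with at least one verdict."""
    return {path: verdicts for path, src in sources.items()
            for verdicts in [classify(src)[1]] if verdicts}


def scan_webroot(webroot):
    """Read every .php file under `webroot` and run scan_sources over it."""
    sources = {}
    for dirpath, _dirs, names in os.walk(webroot):
        for n in names:
            if n.endswith(".php"):
                full = os.path.join(dirpath, n)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, webroot)] = fh.read()
    return scan_sources(sources)


# Constructed outlines of the three patterns plus one legitimate uploader (demo data only).
SAMPLES = {
    "templates/demo/index.php": """<?php
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if (preg_match('/google|bing|yahoo/i', $ref)) {
    header('Location: http://REDIRECT-TARGET.invalid/');
    exit;
}
""",
    "cache/demo.php": """<?php
if (!isset($_COOKIE['8ee4b0401bff6f374ec2d33c4a0724ec'])) { exit; }
if (md5($_POST['pw']) !== 'HASH-PLACEHOLDER') { exit; }
if (isset($_POST['rm'])) { unlink($_POST['rm']); }
""",
    "images/demo_up.php": """<?php
if (isset($_FILES['f'])) {
    move_uploaded_file($_FILES['f']['tmp_name'], 'images/' . $_FILES['f']['name']);
}
""",
    "components/com_demo/upload.php": """<?php
$allowed = ['jpg', 'png'];
$ext = strtolower(pathinfo($_FILES['f']['name'], PATHINFO_EXTENSION));
if (in_array($ext, $allowed, true)) {
    move_uploaded_file($_FILES['f']['tmp_name'], $dest);
}
""",
}

if __name__ == "__main__":
    for path, verdicts in scan_sources(SAMPLES).items():
        print(f"{path}: {', '.join(verdicts)}")
```

The rules are deliberately conservative: a search-engine name or a Location header on its own is common in legitimate code, so only the combination is reported, and an uploader is reported only when no extension or content check appears anywhere in the file. A hit is a starting point for manual review, not proof of compromise.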
When analysing the website's security, we concluded that we could not say with 100% certainty how the hack occurred, because in the meantime the client had done what everyone does – updated both the plugins and Joomla. Because the attacked files had been removed, we could not check where the security bugs were located. To protect your website, use our free scanner – even before the first attack occurs.