For the past week or so, we have been working on a very puzzling issue. A client’s website was hacked. In fact, there was only one file that was hacked. The mootools-core.js file which is located under the /media/system/js folder.
The hack was not detected by any scan – commercial or not – internal or external. In fact, the hack was reported to us by the Security Manager of one company dealing with our client (the website in question was a healthcare website).
We immediately cleaned the file, and everything was OK. We then changed the permissions to 444 on all the JS files in the /media/system/js folder, mistakenly and childishly assuming that this would prevent the problem from happening again (yes – we are criticizing ourselves).
Needless to say, the problem repeated itself yesterday: the file mootools-core.js file was hacked again, and, surprisingly, the date on that file was unchanged (as if it was not modified). Again, we cleaned the file and we re-uploaded it. This time, however, we chown’d and chgrp’d the whole media/system directory to root, and we also changed all the files permissions to 444. We were hopeful that we solved the problem once and for all, but for some reason, we knew that it was going to happen again, and that’s why we kept a hawk’s eye on the website. And it did… At 4:59 AM EST this morning (the 24th of September), the same thing happened. But at the same time, something even more interesting happened…
All the files were chown’d and chgrp’d back to the Apache user/group (we’re not fond of suPHP, but for technical reasons, we have to use it on this website), and the date on the files was the date of the hack, and the only file that was hacked was, again, the mootools-core.js file.
At this time, we were almost confident that the script hacking the websites resided somewhere on the server. We just didn’t know where. “What about the logs?”, we thought. So, we grabbed the Apache access log residing under the logs folder for that particular account. Since the log file was 7 GB large and we only wanted the data for one particular day, we ran the following command on the Linux shell:
grep -E '24/Sep/2014' log-file > log-09-24-2014.txt
(Note that we extracted the log-file using gunzip before running the above command).
We then scanned the log for all the activities that happened at 4:59:00 AM EST, and it didn’t take us long to find the culprit. It was this line:
174.91.193.220 - [24/Sep/2014:04:59:00 -0400] "POST /includes/xmlrpc.php HTTP/1.1" 200 14714 "http://www.[our-clients-website].com/includes/xmlrpc.php" "Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0"
xmlrpc.php? Wait! That’s a WordPress file, and our client has a Joomla website. We checked that file, and naturally, it was full of base64_encode’d code, which meant that it wasn’t a good file. There were many subsequent POSTs to that file (mainly to try to overcome the permissions that we set on the mootools-core.js file). We deleted the file immediately.
Currently, we are trying to discover how the xmlrpc.php file was created in the first place. We will update this post if we find anything new. Meanwhile, if your mootools-core.js file keeps on getting hacked, then check your logs for any files that were called the second your website was hacked (e.g. your files were modified), and make sure you don’t have any xmlrpc.php file anywhere on your Joomla website.
Update 09/25/2014: We just discovered the root cause of the issue. It was a malicious PHP file called menu.min.php uploaded under the /modules/mod_ariextmenu/mod_ariextmenu/js/css/ folder. The file created the xmlrpc.php file which was then used to hack the mootools-core.js file. We deleted the menu.min.php file and that concluded our work!
As usual, we are here to help! You can always contact us. We can clean your website efficiently and for a very affordable fee! Oh, and we really, really care about our clients.