Server injected via old Joomla install

Posted 12th January 2014 at 11:39 PM by SusieJones

When I started working with my bosses (3 months ago) they had a couple of sites that have an old version of Joomla. Not being familiar with Joomla (I do Wordpress sites), I didn't realize the danger.

I recently moved the two sites to new hosting (the old host company was insistent we had to move them off - now I think I understand why). The one site, which has version 1.5.22 of Joomla, was injected with a perl script just before Christmas and again on the 9th of January 2014. I found 8 files and have deleted all of them and have combed through the folders looking for other suspicious code.

In the end the injection shut down the server with 150 sites (very important sites too).

I have copies of the perl script files and read through them, wondering what they were up to.

My question is this - what would be the purpose of doing this? The code has a line "Open Server Socket" and there are many, many URLs listed in the code, along with a lot of commenting - like die... killall and the rest.... Does anyone have any clues?

The other interesting file I found at the cPanel level was gen.roc - a Ruby script execution. The date of this file was the first day the WHM/cPanel were set up for me....??? Thoughts?

I will be re-building the site with WP starting tomorrow... any hints on this are welcome also!

Thank you Susie
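One defensive check the situation above calls for, as an added example that is not part of the original post: a small Python scanner that walks a web root and flags scripts carrying the indicators the poster describes (a Perl shebang, socket/listen calls, a killall, a long list of embedded URLs), reporting each file's modification time so that the files dropped on a given date can be found quickly. The indicator patterns, the URL threshold and the two sample files are assumptions constructed for the example, not signatures from the post.

```python
"""Scan a web root for scripts carrying the indicators described in the post:
a Perl shebang, a server socket, process-killing calls and a long URL list.
Added example; the indicator list is an assumption derived from the post, not
a definitive malware signature, so review every hit by hand."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicator patterns (assumed, modelled on the symptoms the post reports).
INDICATORS = {
    "perl_shebang": re.compile(r"^#!.*perl", re.MULTILINE),
    "server_socket": re.compile(r"IO::Socket|socket\s*\(|listen\s*\(|bind\s*\(", re.IGNORECASE),
    "process_kill": re.compile(r"\bkillall\b|\bkill\s*\(", re.IGNORECASE),
    "url_list": re.compile(r"https?://[^\s'\"]+"),
}

URL_THRESHOLD = 5  # assumed: fewer embedded URLs than this is not reported


def scan_text(text):
    """Return the names of the indicators matched by a file's contents."""
    hits = []
    for name, pattern in INDICATORS.items():
        matches = pattern.findall(text)
        if name == "url_list":
            if len(matches) >= URL_THRESHOLD:
                hits.append(name)
        elif matches:
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk root and return {relative path: {"hits": [...], "mtime": iso8601}}
    for files matching at least one indicator other than a bare URL list."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = scan_text(text)
            # A URL list alone is common in legitimate code; require another hit.
            if hits and hits != ["url_list"]:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                findings[os.path.relpath(path, root)] = {
                    "hits": hits,
                    "mtime": mtime.isoformat(),
                }
    return findings


def build_sample_tree():
    """Create a constructed sample web root: one suspicious Perl file under
    tmp/ and one harmless PHP file. Both are invented for this example."""
    root = tempfile.mkdtemp(prefix="webroot_")
    suspicious = (
        "#!/usr/bin/perl\n"
        "use IO::Socket;\n"
        "# Open Server Socket\n"
        "my $s = IO::Socket::INET->new(Listen => 5);\n"
        "system('killall -9 perl');\n"
        + "".join(f"# http://example.invalid/{i}\n" for i in range(8))
        + "die;\n"
    )
    benign = "<?php\n// constructed, harmless template helper\necho 'hello';\n"
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "tmp", "sess.pl"), "w") as fh:
        fh.write(suspicious)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(benign)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, info in scan_tree(root).items():
        print(f"{path}: {', '.join(info['hits'])} (modified {info['mtime']})")
```

Run it against a real document root by calling `scan_tree("/path/to/public_html")` instead of the sample tree; sort the findings by `mtime` to line hits up with the dates on which the injections were noticed, and treat the output as a starting list for manual review, since legitimate scripts can also open sockets.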