Topic: A Nasty Trojan discovered in the file - jcomments_controller.php
ivanbayross
« on: September 12, 2010, 12:30:47 »

Let me start by saying that I consider JComments to be an excellent plugin.

Having said that, my website has encountered a really serious issue with the file jcomments_controller.php which is located in the com_jcomments folder.

It all started when I applied to Google AdSense for an account.

Google turned me down indicating - Inappropriate Content - as the reason.

I then went to Google and entered site:opensourcevarsity.com and was surprised to find that my site was hijacked by Viagra and Cialis pharmacies.

In several entries on the Google Search Result Page, the link content and the description point to Viagra and Cialis pharmacies in Australia and New Zealand.

I then knew that my website was hijacked.  I took the site off-line immediately and started a process to discover how, so that I could fix this problem.

I also did a complete backup of the website, downloaded this file to a local computer and scanned the backup file using different antivirus software.  I used Dr. CureIT and Avast.

I then discovered that I had two PHP based Trojans on my website.

I opened the file in Dreamweaver, my PHP editor of choice.

One of the Trojans I discovered was named jcomments_controller.php located in the folder \com_jcomments.

When I read the PHP code contained within I was pretty dismayed. 

There is 'Brute Force' codespec to obtain network passwords, there are MySQL cracks to get to the MySQL table schema and really a ton of other real nasties, all apparently streaming data back to a Russian URL.

I wanted to communicate this with the JoomlaTune people. 

The only way that I could find to pass this information in is via this public Forum.

BTW, people have commented on my website, so I'm guessing that the JComments plugin works even while this terrible code is in place.

Now to balance this post:

I downloaded the latest JComments component and all the other Joomla plugins from the JoomlaTune website.

I scanned each of the downloaded zip files with my antivirus; they are all CLEAN.

I opened each .php and .xml file in Dreamweaver and read their contents, the file content is NORMAL.

As a mark of my belief in JComments I'm going to re-install JComments on my website.

This post is not to critique JComments in any way, but to bring to someone's notice that this is happening.

If anyone from JoomlaTune contacts me either via this forum or Email, I'd be happy to forward a copy of the nasty file to them to study.






 
smart
« Reply #1 on: September 13, 2010, 02:24:41 »

Where did you download the JComments distribution from? The original JComments package has no jcomments_controller.php file. And never had it.

It sounds like someone hacked your site and masked their code as part of JComments. I would suggest you do the following:

1. Make sure that you're using the latest versions of Joomla and extensions. Upgrade if needed.
2. Change the passwords of your FTP and MySQL accounts.
3. Change your Joomla password.
4. Check your whole site for unknown files. In my opinion it could contain more than one trojan file.

I'll be very grateful if you send me this file for investigation. I also need more detailed information about the versions of Joomla and JComments used.
smart
« Reply #2 on: September 13, 2010, 15:45:24 »

I checked the file and I can assure you that it has no relation to JComments. No file by this name ever existed in the JComments package. Apparently someone has decided to hide his script inside the folder with JComments. I recommend you conduct a full site survey to determine the presence of vulnerabilities and similar files. It is possible that there are several of them.
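The check recommended in step 4 above (look for unknown files), as an added example that is not part of the thread or of JoomlaTune's code: it compares an installed extension folder with a freshly downloaded clean package and lists files the package never shipped and files whose contents differ. The function names, the sample file names other than jcomments_controller.php, and the assumption that the zip mirrors the installed folder layout are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_against_package(installed_dir, package_zip):
    """Compare an installed extension folder with a clean vendor zip.
    Assumes the zip mirrors the installed folder layout."""
    with zipfile.ZipFile(package_zip) as zf:
        reference = {i.filename: digest(zf.read(i))
                     for i in zf.infolist() if not i.is_dir()}
    root = Path(installed_dir)
    unknown, modified = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in reference:
            unknown.append(rel)      # never shipped in the package
        elif digest(path.read_bytes()) != reference[rel]:
            modified.append(rel)     # shipped, but contents differ
    return {"unknown": unknown, "modified": modified}


def demo():
    """Constructed sample: a clean package and a tampered install."""
    clean = {"example_entry.php": b"<?php // entry\n",
             "lib/example_helper.php": b"<?php // helper\n"}
    package = io.BytesIO()
    with zipfile.ZipFile(package, "w") as zf:
        for name, body in clean.items():
            zf.writestr(name, body)
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "com_jcomments"
        for name, body in clean.items():
            (site / name).parent.mkdir(parents=True, exist_ok=True)
            (site / name).write_bytes(body)
        # Extra file, using the file name reported in this thread.
        (site / "jcomments_controller.php").write_bytes(b"<?php // x\n")
        # A shipped file whose contents changed after installation.
        (site / "lib/example_helper.php").write_bytes(b"<?php // edited\n")
        return audit_against_package(site, package)


if __name__ == "__main__":
    print(demo())
```

Files listed under "unknown" are the ones to inspect first; entries under "modified" can also be legitimate local edits or configuration, so review them before restoring from the package.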