Return of the EXIF PHP Joomla Backdoor

Some people may not be aware that malware can live inside, and run from, image files. We've seen this A LOT over the years in Joomla. Why Joomla? It seems the vulnerable plugins and themes make adding malware via image files (PNG, JPG, GIF) useful.

This backdoor is a full shell hack and is generally added to the application.php core file, which reads the EXIF data from the logo name and uses preg_replace to inject the code. It's kind of clever, but not too difficult to identify if you are simply grep'ing image files (to grep binary files, use the grep -a flag).
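The grep check described above, as an added example (not code from the original post). The marker list, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag image files that contain PHP-looking text.
# MARKERS is an illustrative assumption, not an indicator list from the post.
# "/.*/e" targets preg_replace's /e modifier, which evaluates the replacement
# as PHP code (removed in PHP 7).
MARKERS='<\?php|eval[[:space:]]*\(|base64_decode[[:space:]]*\(|preg_replace[[:space:]]*\(|/\.\*/e'

# scan_images DIR: print every image under DIR whose bytes contain a marker.
# -a treats binary as text, -l lists file names only; LC_ALL=C makes grep
# match raw bytes instead of choking on invalid multibyte sequences.
scan_images() {
    LC_ALL=C find "$1" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -a -l -i -E -e "$MARKERS" {} + | LC_ALL=C sort
}

# show_hits FILE: print the distinct marker strings found in one file (triage).
show_hits() {
    LC_ALL=C grep -a -o -i -E -e "$MARKERS" "$1" | LC_ALL=C sort -u
}

# make_samples DIR: write constructed test files (inert text, not real malware).
make_samples() {
    # Clean JPEG-like file: magic bytes plus filler.
    printf '\377\330\377\340JFIF\0constructed pixel data\377\331' > "$1/clean.jpg"
    # JPEG-like file whose EXIF-style text fields carry code markers.
    printf '\377\330\377\341Exif\0\0Make=/.*/e\0Model=eval(base64_decode("PLACEHOLDER"));\0\377\331' > "$1/logo.jpg"
    # PHP text in a non-image file: out of scope for this scan.
    printf '<?php echo "constructed"; ?>\n' > "$1/notes.txt"
}

# Demo on constructed samples in a throwaway directory.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_images "$demo_dir"      # lists only .../logo.jpg
show_hits "$demo_dir/logo.jpg"
rm -rf "$demo_dir"
```

A hit is a lead for manual review rather than proof of compromise, since short markers can occur by chance in compressed image data.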

Read More about this EXIF image hack
