Pages

Monday, September 17, 2012

Recent Joomla! Compromise Might Affect You

We are noticing a string of Joomla! compromises, and we wanted to share some details for those running the Content Management System (CMS). This current exploit is affecting the following versions of Joomla :
  • 1.6.x
  • 1.7.x
  • 2.5.0-2.5.2
  • 2.5.4
  • all earlier 2.5.x versions
 
The compromise begins with the attacker registering a user, and then escalating that user’s privileges to an administration level. In every case, we noticed the attackers add a user with a Gmail™ address beginning with xxxtxxx and the user name of alexaalexa.
Once the attackers have their user on the account, they typically come back a few days later and edit the error.php file to create a script that allows people to upload content anonymously. A few days after the creation of the file upload script, the attackers come back again and uploads the following file s:
  • rp.php
  • indx.php
  • stph.php
  
This attack is extremely malicious, and the stph.php file performs other aggressive attacks against other networks. To see if your site is affected, run the following query :
  
SELECT u.username AS username, u.email AS email, g.group_id AS group_id

FROM jos_users u, jos_user_usergroup_map g

WHERE u.email LIKE ‘xxxtxxx%’

AND u.id = g.user_id

  
If the email matches xxxtxxx, the user name matches alexaalexa, and the group_id is either a 7 or 8, your account is compromised. Group_id 7 is associated with the Administrator group, and group_id 8 is associated with the Super Administrator group. As a general rule, users do not have these permissions.
  
  1. If affected, we recommend taking the following actions:
  2. Remove the uploaded files, and then restore the error.php file to its original content.
  3. Remove any users with the group_id of 7 or 8.
  4. Update Joomla to the latest version.
  5. Update all themes, plugins, and extensions to their latest versions.

No comments:

Post a Comment

 

Blogger news

Blogroll

About