Joomla Critical Zero Day Remote Command Execution Vulnerability

Remote Code Execution Vulnerability


The developer team of the popular content management system (CMS) Joomla has released updates and hotfixes to patch a critical remote code execution vulnerability. The flaw is rated critical because it allows an attacker to execute commands on the web server remotely.

This vulnerability affects Joomla versions 1.5 through 3.4.5. You can determine the Joomla version of your website from the administrator panel: once logged in, the version is shown either in the top right-hand corner or at the bottom of the page.

The patch for this vulnerability was released on Monday morning, but it came too late: the bug was already being exploited in the wild. Attackers started exploiting it on Saturday from a huge number of IP addresses.

How do I determine if my Joomla website is compromised?

To determine whether your Joomla website is compromised, researchers have advised examining the web server logs. You might see requests from 146.0.72.83, 74.3.170.33 or 194.28.174.106, as these were the first IP addresses to start the exploitation. You might also see unusual requests targeting this vulnerability, as shown below:

2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: ..
{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:..
{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

Source: Sucuri Blog

Here the payload has been modified so that it cannot be misused. Attackers are exploiting this vulnerability to perform an object injection attack that leads to full remote command execution. If you find log entries like the above in your current Joomla installation, consider your Joomla website compromised.
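As an added example that is not part of the original article or of Joomla itself, the following Python script applies the log check described above to access-log lines in the Apache/nginx "combined" format. It flags a line when the source IP is one of the three addresses named above, or when the User-Agent (the last quoted field, where the payload sits in the sample) carries the markers visible in that sample: the "}__test|" prefix, a serialized PHP object ("O:<len>:"<class>":<n>:") and the Joomla class names used in it. The log lines embedded below are constructed for the example; the function names and the marker list are the example's own choices, not from the page or from any Joomla tooling.

```python
import re
from typing import Dict, List, Optional

# IP addresses the article names as the first to exploit the bug.
KNOWN_SCANNER_IPS = {"146.0.72.83", "74.3.170.33", "194.28.174.106"}

# Apache/nginx "combined" access-log format. Apache writes a literal double
# quote inside a field as \x22 and a backslash as \x5C, which is why the
# payload in the sample log above shows \x22 and \x5C0 (an escaped "\0").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A double quote, either escaped by the log writer (\x22) or raw (").
Q = r'(?:\\x22|")'

# Markers of a serialized PHP object smuggled through a request header,
# taken from the sample log above. Names on the left are this example's own.
PAYLOAD_MARKERS = {
    "exploit_prefix": re.compile(r"\}__test\|"),
    "serialized_object": re.compile(
        r"O:\d+:" + Q + r"[A-Za-z_][A-Za-z0-9_]*" + Q + r":\d+:"
    ),
    "joomla_gadget_class": re.compile(
        r"JDatabaseDriverMysqli?|JSimplepieFactory|SimplePie|disconnectHandlers"
    ),
}

# Constructed sample log: one benign request, one line modelled on the
# article's sample (payload truncated), one payload from an unlisted IP
# that the server answered with 200, and another benign request.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Dec/2015:16:40:01 -0500] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{...TRUNCATED...}"
203.0.113.9 - - [13/Dec/2015:02:11:08 -0500] "GET /index.php?option=com_content HTTP/1.1" 200 7712 "-" "O:20:\x22JDatabaseDriverMysql\x22:0:{}"
198.51.100.4 - - [13/Dec/2015:02:11:09 -0500] "GET /index.php HTTP/1.1" 200 7712 "-" "curl/7.45.0"
'''.strip().splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious line, or None for a line with no indicator."""
    fields = parse_line(line)
    if fields is None:
        return None
    reasons: List[str] = []
    if fields["ip"] in KNOWN_SCANNER_IPS:
        reasons.append("known_scanner_ip")
    # The payload rides in headers; check User-Agent and Referer, plus the
    # request line in case a proxy copied header content into it.
    haystack = " ".join((fields["ua"], fields["referer"], fields["request"]))
    for name, pattern in PAYLOAD_MARKERS.items():
        if pattern.search(haystack):
            reasons.append(name)
    if not reasons:
        return None
    # The response status is kept so the reader can tell requests the server
    # rejected (403, as in the article's sample) from ones it served (200).
    return {
        "ip": fields["ip"],
        "timestamp": fields["ts"],
        "status": int(fields["status"]),
        "reasons": reasons,
    }


def scan_log(lines) -> List[Dict[str, object]]:
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

To run it against a real server, replace SAMPLE_LOG with the lines of the site's access log (for example `scan_log(open("/var/log/apache2/access.log"))`). A hit whose status is 200 deserves more attention than one the server answered with 403, since the latter was refused before Joomla processed it; either way the marker list only covers the payload shape shown in the article, so an absence of hits is not proof that no variant got through.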

How do I fix the Remote Code Execution Vulnerability?

If you are using an unsupported version of Joomla (1.5.x or 2.5.x), you should apply the hotfixes; you can refer to the article from OSTraining on how to apply them. If you are using Joomla 3.x, you must update your Joomla installation to 3.4.6.
