CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Attackers Exploiting Vulnerabilities In Joomla, WordPress to Distribute Malware

Joomla Vulnerability

Joomla Vulnerability

Attackers are targeting a third-party extension in sites powered by popular Content Management System Joomla to redirect visitors to malicious sites. WordPress sites are also being compromised, but it’s not clear how they are being hijacked.

The SANS Institute’s Internet Storm Center had received numerous reports that Joomla and WordPress sites had been compromised and injected with IFRAMES pointing to malicious sites, John Bambenek, ISC’s incident handler, wrote on the ISC Diary on Monday. Users are eventually being redirected to URLs ending in /nighttrend.cgi?8 and served fake antivirus, he said.

Germany’s Computer Emergency Response Team (CERT-Bund) told heise Security that other URLs have been observed, The H reported. Attackers are embedding an IFRAME into the compromised Joomla site that points to a Sutra Traffic Distribution System, which eventually redirects visitors to an exploit kit, according to CERT-BUND. Sutra Traffic Distribution System allows attackers to buy and well Web traffic to monetize the victims landing on the sites.

“It doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” Bambenek wrote.

Joomla sites appear to be harder hit, although one commenter on the ISC Diary post reported seeing “heavy” brute force attempts from two IP addresses trying to gain admin access on WordPress sites.

According to CERT-BUND’s analysis, it seems the attackers compromised the initial Joomla sites by using a customized automated script that exploited known security flaws in Joomla Content Editor, The H reported. The malicious script injected PHP code that masqueraded as a GIF file into the Web server, and the attackers were able to later call and execute the PHP shell, according to the Joomla Download post (translated). The PHP shell then infected JavaScript files with new IFRAMEs.

JCE is a third-party extension which makes it easy to create Joomla pages without knowing HTML, XHTML, or CSS. The flaws were disclosed in August 2011 and have since then been patched, according to Joomla Download. Bambenek has asked for logs and other information to learn more about the exploit tool. So far he knows the user agent comes in as JCE BOT, “but not much more than that,” Bambenek told SecurityWeek over email.

Bambenek identified two IP addresses behind the attack, although commenters on the ISC Diary post identified a few more addresses. One also said the attacks appeared to be using the domain “freewww.info.”

Advertisement. Scroll to continue reading.

Joomla administrators should check whether they’d installed Joomla Content Editor in the past and still had it installed. If they have JCE, it should be uninstalled or updated to the latest version, JCE 2.3.1. Administrators with an old version of JCE should check their pages for any suspicious IFRAMEs.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.