Security Experts:

Connect with us

Hi, what are you looking for?



Attackers Exploiting Vulnerabilities In Joomla, WordPress to Distribute Malware

Joomla Vulnerability

Joomla Vulnerability

Attackers are targeting a third-party extension in sites powered by popular Content Management System Joomla to redirect visitors to malicious sites. WordPress sites are also being compromised, but it’s not clear how they are being hijacked.

The SANS Institute’s Internet Storm Center had received numerous reports that Joomla and WordPress sites had been compromised and injected with IFRAMES pointing to malicious sites, John Bambenek, ISC’s incident handler, wrote on the ISC Diary on Monday. Users are eventually being redirected to URLs ending in /nighttrend.cgi?8 and served fake antivirus, he said.

Germany’s Computer Emergency Response Team (CERT-Bund) told heise Security that other URLs have been observed, The H reported. Attackers are embedding an IFRAME into the compromised Joomla site that points to a Sutra Traffic Distribution System, which eventually redirects visitors to an exploit kit, according to CERT-BUND. Sutra Traffic Distribution System allows attackers to buy and well Web traffic to monetize the victims landing on the sites.

“It doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” Bambenek wrote.

Joomla sites appear to be harder hit, although one commenter on the ISC Diary post reported seeing “heavy” brute force attempts from two IP addresses trying to gain admin access on WordPress sites.

According to CERT-BUND’s analysis, it seems the attackers compromised the initial Joomla sites by using a customized automated script that exploited known security flaws in Joomla Content Editor, The H reported. The malicious script injected PHP code that masqueraded as a GIF file into the Web server, and the attackers were able to later call and execute the PHP shell, according to the Joomla Download post (translated). The PHP shell then infected JavaScript files with new IFRAMEs.

JCE is a third-party extension which makes it easy to create Joomla pages without knowing HTML, XHTML, or CSS. The flaws were disclosed in August 2011 and have since then been patched, according to Joomla Download. Bambenek has asked for logs and other information to learn more about the exploit tool. So far he knows the user agent comes in as JCE BOT, “but not much more than that,” Bambenek told SecurityWeek over email.

Bambenek identified two IP addresses behind the attack, although commenters on the ISC Diary post identified a few more addresses. One also said the attacks appeared to be using the domain “”

Joomla administrators should check whether they’d installed Joomla Content Editor in the past and still had it installed. If they have JCE, it should be uninstalled or updated to the latest version, JCE 2.3.1. Administrators with an old version of JCE should check their pages for any suspicious IFRAMEs.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.