Attackers are targeting a third-party extension in sites powered by popular Content Management System Joomla to redirect visitors to malicious sites. WordPress sites are also being compromised, but it’s not clear how they are being hijacked.
The SANS Institute’s Internet Storm Center had received numerous reports that Joomla and WordPress sites had been compromised and injected with IFRAMES pointing to malicious sites, John Bambenek, ISC’s incident handler, wrote on the ISC Diary on Monday. Users are eventually being redirected to URLs ending in /nighttrend.cgi?8 and served fake antivirus, he said.
Germany’s Computer Emergency Response Team (CERT-Bund) told heise Security that other URLs have been observed, The H reported. Attackers are embedding an IFRAME into the compromised Joomla site that points to a Sutra Traffic Distribution System, which eventually redirects visitors to an exploit kit, according to CERT-BUND. Sutra Traffic Distribution System allows attackers to buy and well Web traffic to monetize the victims landing on the sites.
“It doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” Bambenek wrote.
Joomla sites appear to be harder hit, although one commenter on the ISC Diary post reported seeing “heavy” brute force attempts from two IP addresses trying to gain admin access on WordPress sites.
According to CERT-BUND’s analysis, it seems the attackers compromised the initial Joomla sites by using a customized automated script that exploited known security flaws in Joomla Content Editor, The H reported. The malicious script injected PHP code that masqueraded as a GIF file into the Web server, and the attackers were able to later call and execute the PHP shell, according to the Joomla Download post (translated). The PHP shell then infected JavaScript files with new IFRAMEs.
JCE is a third-party extension which makes it easy to create Joomla pages without knowing HTML, XHTML, or CSS. The flaws were disclosed in August 2011 and have since then been patched, according to Joomla Download. Bambenek has asked for logs and other information to learn more about the exploit tool. So far he knows the user agent comes in as JCE BOT, “but not much more than that,” Bambenek told SecurityWeek over email.
Bambenek identified two IP addresses behind the attack, although commenters on the ISC Diary post identified a few more addresses. One also said the attacks appeared to be using the domain “freewww.info.”
Joomla administrators should check whether they’d installed Joomla Content Editor in the past and still had it installed. If they have JCE, it should be uninstalled or updated to the latest version, JCE 2.3.1. Administrators with an old version of JCE should check their pages for any suspicious IFRAMEs.