Hackers exploit zero-day in Joomla sites

A Joomla zero-day vulnerability, now patched, was already being exploited in the wild before the fix was released. Website admins are being urged to apply the update as soon as possible.

Sucuri discovered the attacks against the vulnerability, which was patched on Monday; by then the attacks had been under way for at least two days. Daniel Cid of Sucuri said the attacks began on Saturday from IP address 74[.]3[.]170[.]33, with two more IPs, 146[.]0[.]72[.]83 and 194[.]28[.]174[.]106, joining in on Sunday.

The vulnerability affects all Joomla versions from 1.5 to 3.4. Hotfixes are also available for older versions (2.5 and prior) that have reached end-of-life.

“The attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution,” Cid said in an advisory posted on Monday. “Today (14 December), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.”

Sucuri suggests that admins filter their web server logs for any of the mentioned IP addresses, or look for “JDatabaseDriverMysqli” or “O:” in the User-Agent field. Admins should assume that any system whose logs test positive for one of the IP addresses has been compromised, and should go through a detailed scan and clean-up procedure.
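The following script implements the log check described above. It is an added example, not Sucuri's tooling or anything from the Joomla project. It assumes the web server writes the Apache/nginx "combined" log format, in which the client IP is the first field and the User-Agent is the last quoted field, and it uses the three IP addresses and the two User-Agent strings quoted in the advisory as its indicators. One deliberate tightening: instead of the bare “O:” the advisory mentions, it matches the shape PHP's serialize() actually writes for an object, `O:<length>:"<class name>"`, with the quote possibly backslash-escaped by the logger, which avoids false hits on strings like “INFO:”. The four sample log lines are constructed for the example and are not real traffic.

```python
import re
import sys

# Indicators quoted in the advisory above; the IPs are kept defanged as on the
# page and refanged here.
ATTACKER_IPS = {ip.replace("[.]", ".") for ip in (
    "74[.]3[.]170[.]33",
    "146[.]0[.]72[.]83",
    "194[.]28[.]174[.]106",
)}

# Apache/nginx "combined" log format. Quoted fields may contain backslash-escaped
# quotes, which is exactly how a serialized payload's class name shows up in the log.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# PHP's serialize() writes an object as O:<name length>:"<class name>":... .
# Matching that shape (quote optionally log-escaped) is tighter than a bare "O:".
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:\\?"')


def classify(line):
    """Return the list of reasons a log line is suspicious ([] if clean)."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        # Unparseable lines are worth a manual look rather than silently skipped.
        return ["line does not match the combined log format; review by hand"]
    reasons = []
    if m["ip"] in ATTACKER_IPS:
        reasons.append("request from known attacker IP " + m["ip"])
    ua = m["ua"]
    if "JDatabaseDriverMysqli" in ua:
        reasons.append("JDatabaseDriverMysqli in User-Agent")
    if SERIALIZED_OBJECT_RE.search(ua):
        reasons.append("serialized PHP object in User-Agent")
    return reasons


def scan_log(lines):
    """Return (line_number, line, reasons) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, line.rstrip("\r\n"), reasons))
    return hits


# Constructed sample lines (not real traffic): a benign browser request, a probe
# from a listed IP with a plain User-Agent, an object-injection attempt from an
# unlisted IP, and a benign bot whose User-Agent would trip a bare "O:" grep.
SAMPLE_LOG = [
    r'203.0.113.5 - - [14/Dec/2015:10:03:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    r'74.3.170.33 - - [12/Dec/2015:22:41:07 +0000] "GET / HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    r'198.51.100.77 - - [14/Dec/2015:03:15:42 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "O:21:\"JDatabaseDriverMysqli\":0:{}"',
    r'192.0.2.9 - - [14/Dec/2015:11:20:00 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "ExampleBot/1.0 (INFO: crawl)"',
]

if __name__ == "__main__":
    # Usage: python joomla_log_check.py [access.log]; with no argument the
    # constructed sample lines are scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            hits = scan_log(f)
    else:
        hits = scan_log(SAMPLE_LOG)
    for n, line, reasons in hits:
        print(f"line {n}: {'; '.join(reasons)}")
        print("    " + line)
```

Two caveats when running this against real logs. The IP check is only meaningful if the first log field is the real client address; behind a CDN, load balancer or reverse proxy it will usually be the proxy's address, and the original client IP lives in a forwarded-for header that the default log format does not record. And a hit on the User-Agent patterns from an IP that is not on the list is still an exploitation attempt: the advisory's point is that these three addresses are only the ones seen first, not the full set of attackers.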