Recent Joomla! Compromise Might Affect You
- Category : Website Security
- Posted on : Sep 17, 2012
- Views : 3,016
- By : Radcliff S.
We are noticing a string of Joomla! compromises, and we wanted to share some details for those running the Content Management System (CMS). This current exploit is affecting the following versions of Joomla :
- 1.6.x
- 1.7.x
- 2.5.0-2.5.2
- 2.5.4
- all earlier 2.5.x versions
The compromise begins with the attacker registering a user, and then escalating that user’s privileges to an administration level. In every case, we noticed the attackers add a user with a Gmail™ address beginning with xxxtxxx and the user name of alexaalexa.
Once the attackers have their user on the account, they typically come back a few days later and edit the error.php file to create a script that allows people to upload content anonymously. A few days after the creation of the file upload script, the attackers come back again and uploads the following file s:
- rp.php
- indx.php
- stph.php
This attack is extremely malicious, and the stph.php file performs other aggressive attacks against other networks. To see if your site is affected, run the following query :
SELECT u.username AS username, u.email AS email, g.group_id AS group_id
FROM jos_users u, jos_user_usergroup_map g
WHERE u.email LIKE ‘xxxtxxx%’
AND u.id = g.user_id
If the email matches xxxtxxx, the user name matches alexaalexa, and the group_id is either a 7 or 8, your account is compromised. Group_id 7 is associated with the Administrator group, and group_id 8 is associated with the Super Administrator group. As a general rule, users do not have these permissions.
- If affected, we recommend taking the following actions:
- Remove the uploaded files, and then restore the error.php file to its original content.
- Remove any users with the group_id of 7 or 8.
- Update Joomla to the latest version.
- Update all themes, plugins, and extensions to their latest versions.
Categories
- cPanel Question 47
- cPanel Software Management 29
- cPanel Tutorials 13
- Development 29
- Domain 13
- General 19
- Linux Helpline (Easy Guide) 156
- Marketing 47
- MySQL Question 13
- News 2
- PHP Configuration 14
- SEO 4
- SEO 42
- Server Administration 84
- SSL Installation 54
- Tips and Tricks 24
- VPS 3
- Web Hosting 44
- Website Security 22
- WHM questions 13
- WordPress 148
Subscribe Now
10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!Archive Calendar
| Sat | Sun | Mon | Tue | Wed | Thu | Fri |
|---|---|---|---|---|---|---|
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | ||||||
Recent Articles
-
Posted on : Sep 17
-
Posted on : Sep 10
-
Posted on : Aug 04
-
Posted on : Apr 01
Tags
- ts
- myisam
- vpn
- sql
- process
- kill
- tweak
- server load
- attack
- ddos mitigation
- Knowledge
- layer 7
- ddos
- webmail
- DMARC
- Development
- nginx
- seo vpn
- Hosting Security
- wireguard
- innodb
- exim
- smtp relay
- smtp
- VPS Hosting
- cpulimit
- Plesk
- Comparison
- cpu
- encryption
- WHM
- xampp
- sysstat
- optimize
- cheap vpn
- php-fpm
- mariadb
- apache
- Small Business
- Error
- Networking
- VPS
- SSD Hosting
- Link Building
- centos
- DNS
- optimization
- ubuntu
