906 SHARES Facebook Twitter

Nov 2016 Update: If you need to clean your hacked Joomla site, we have released a new free guide to show you how to identify and remove hacks.

Read the Guide!

The Joomla security team have just released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4.

This is a serious vulnerability that can be easily exploited and is already in the wild. If you are using Joomla, you have to update it right now. If you need joomla security and malware removal, contact our team.

Update – 2015/12/14, 17:15PM EST If you are using the old (unsupported) versions 1.5.x and 2.5.x, you have to apply the hotfixes from here. This article from OSTraining explains how to apply them.

Zero day Exploits in the Wild

What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days. Repeat: This has been in the wild as a 0-day for 2 days before there was a patch available.

Looking back at our logs, we detected the first exploit targeting this vulnerability on Dec 12, at 4:49PM:

2015 Dec 12 16:49:07 clienyhidden.access.log Src IP: 74.3.170.33 / CAN / Alberta 74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: .. {s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:.. {s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

We modified the payload so it can’t be misused, but the attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution.

We detected more exploits from this same IP address “74.3.170.33” on Dec 12th, followed by hundreds more exploit attempts from 146.0.72.83 and 194.28.174.106 on Dec 13th.

Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.

Protect Your Site Now

If you are a Joomla user, check your logs right away. Look for requests from 146.0.72.83 or 74.3.170.33 or 194.28.174.106 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.

Note that clients behind the Sucuri Firewall were already protected against this threat and are safe. Yes, our virtual patching for the HTTP User Agent kept our users protected against this exploit.

If You Use Joomla, Update ASAP!

For those on the 3.x branch, update immediately to 3.4.6. There will be unofficial fixes for Joomla! 1.5.x and 2.5.x provided soon. Anyone using those versions should stay aware and update as soon as possible.

We are still monitoring the issue and will provide more updates as we learn more. If you require Joomla malware cleanup services, our team is happy to help restore, protect, and monitor your site going forward.