Last Updated: 2012-12-10 23:17:33 UTC
by John Bambenek (Version: 1)
We've gotten some reports and discussion around many Joomla (and some WordPress) sites exploited and hosting IFRAMES pointing to bad places. We'll get to the downloaded in a second, but the interesting thing to note is that it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and Wordpress exploits at a given server and hoping something hits. We'd like PCAPs or weblogs if you're seeing something similar in your environment. Right now it seems the biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website).
The IFRAMES seem to have rapidly changing FQDN's that it is using but the common element is /nightend.cgi?8. Two of the bad IPs that seem to be frequent offenders are 18.104.22.168 and 22.214.171.124. Ultimately it pulls FakeAV software to do it's badness.
Mediation is your typical advice, make sure all your software is up-to-date and kept that way on a regular basis.
If you have weblogs (particularly verbose ones), I would be interested in seeing them. The tool being used is of interest to me.
bambenek \at\ gmail /dot/ com