Joomla (and WordPress) Bulk Exploit Going on

Published: 2012-12-10
Last Updated: 2012-12-10 23:17:33 UTC
by John Bambenek (Version: 1)
9 comment(s)

We've gotten some reports and discussion around many Joomla (and some WordPress) sites exploited and hosting IFRAMES pointing to bad places.  We'll get to the downloaded in a second, but the interesting thing to note is that it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and Wordpress exploits at a given server and hoping something hits.  We'd like PCAPs or weblogs if you're seeing something similar in your environment.  Right now it seems the biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website).

The IFRAMES seem to have rapidly changing FQDN's that it is using but the common element is /nightend.cgi?8.  Two of the bad IPs that seem to be frequent offenders are 78.157.192.72 and 108.174.52.38.  Ultimately it pulls FakeAV software to do it's badness.

Mediation is your typical advice, make sure all your software is up-to-date and kept that way on a regular basis.

If you have weblogs (particularly verbose ones), I would be interested in seeing them.  The tool being used is of interest to me.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

Keywords:
9 comment(s)

Comments

I have seen both IPs in my proxylogs and the common element is "nighttrend.cgi?8"

Have seen heavy WordPress admin login brute force attempts from 91.224.160.141 and 87.229.114.219.
In a previous run-in (about 2 weeks ago) with Joomla based website problems:
91.224.160.24
177.1.78.7
189.23.171.106
177.43.64.140
189.19.207.249
177.43.160.197

Did you know which versions of Wordpress are concerned ?
We've seen several names for the CGI itself, common element was "?8".
We have an extra eye on all requests to FQDNs containing one of changeip's domain names, since these seem to be used for malware sites quite often.
According to our proxy logs, it looks like the ongoing joomla/WP attack mainly utilizes the changeip domain "freewww.info".

Does anybody know about other utilized domain names which are not part of the changeip pool?

We are currently thinking about simply blocking all access to all changeip domain names in order to protect our clients.
I havent seen any bunch exploit attempts on Wordpress, but some specific attacks, which goes to most of my Wordpress sites.

Brute force to wp-login.php
wp-comments-post.php

Check this out
https://github.com/wpscanteam/wpscan/
Most customers with hacked websites I've dealt with in the last few weeks had Joomla 1.5 with JCE Editor from 2011 (JCE bug was fixed in August 2011) installed.
This isn't a new exploit as far as I can see from logs - just renewed activity on the part of the hackers and more dangerous payload since the release of Blackhole Toolkit 2.

The usual advice applies - apply all updates and patches as soon as they are released. Unfortunately the upgrade from Joomla 1.5 to 2.5 or 3.0 isn't very user-friendly!
I've seen something similar, i posted a blog entry back in November about it, http://www.my-audit.gr/hacking/new-joomla-infections-mustmoneyback-cgi/ First impression at that time was that it is PLESK related, but looking at the sites a bit more most of them were old Joomla installations.
Drive by attacks are very common at this moment, most often the IFRAME code written in Javascript is obfuscated. I develop a tool in python that scans the website and search for malicious code in the scripts. Since the pattern in the malicious code is always chaging, this tool allows to add new signatures to detect new patterns.
The script can be found at this URL:
github.com/helderfernandes1279/webscriptscanner.

Diary Archives