One of the things we seem to harp on here at the SANS Internet Storm Center is monitoring your logs. One of our faithful readers, Neal, sent us an e-mail this afternoon regarding some strange entries he found in his Apache logs (see below) and some rumblings of a number of WordPress blogs being compromised. He was in contact with one of the affected bloggers, and they figured out that the compromise resulted in the injection of some obfuscated JavaScript that created a hidden iframe.

We haven't heard exactly what vulnerability was exploited, but if the log entries are actually related there may be a permission problem or perhaps some sort of SQL injection issue with Joomla or the TinyMCE editor (at least, that is what the log entries showed someone is looking for). If any of our readers have info on what the vulnerability is (a Google search didn't show anything recent for TinyMCE; there was a Joomla vulnerability reported in January, but the exploits I've seen didn't touch license.txt), please drop us a line and we will update this diary.

The particular log entry that caught Neal's attention was:

GET /joomla/plugins/editors/tinymce/jscripts/tiny_mce/license.txt

So you may want to be on the lookout for those in your own logs.

---------------
SEC 503: Intrusion Detection In-Depth coming to central OH beginning 22 Feb, http://www.sans.org/mentor/details.php?nid=20864
Jim, 423 Posts, ISC Handler, Feb 5th 2010
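Since the diary's advice is to watch for that request in your own logs, here is a small Apache access-log scanner, written as an added example for this page and not code from the diary or from SANS ISC. It parses combined-format lines, flags any request whose path ends in the license.txt path quoted above (the leading directory is ignored, so installs without a /joomla prefix are also caught; that generalisation is my assumption), and tallies hits per source host together with the status code, which tells you whether the file was actually served. The log lines embedded in it are constructed sample data using documentation IP ranges.

```python
"""Scan Apache combined-format access logs for the TinyMCE license.txt probe."""
import re
import sys
from collections import Counter

# Combined log format:
#   host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path suffix from the diary's log entry. Matching on the suffix rather than the
# full "/joomla/..." path is an assumption made here so that sites serving
# Joomla from the document root are covered too.
PROBE_SUFFIX = "/plugins/editors/tinymce/jscripts/tiny_mce/license.txt"


def parse_line(line):
    """Return a dict of the parsed fields, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request path (query string stripped) ends in the probe suffix."""
    clean = path.split("?", 1)[0].lower()
    return clean.endswith(PROBE_SUFFIX)


def scan(lines):
    """Return (list of matching records, Counter of hits per source host)."""
    hits = []
    per_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        hits.append(rec)
        per_host[rec["host"]] += 1
    return hits, per_host


def report(hits, per_host):
    """Build human-readable report lines; a 200 means the file was served."""
    out = []
    for host, n in per_host.most_common():
        statuses = sorted({h["status"] for h in hits if h["host"] == host})
        out.append(f"{host}: {n} probe(s), status codes {','.join(statuses)}")
    return out


# Constructed sample log lines (not real traffic); hosts are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2010:14:02:11 -0500] "GET /joomla/plugins/editors/tinymce/jscripts/tiny_mce/license.txt HTTP/1.1" 200 1342 "-" "Mozilla/4.0"
198.51.100.23 - - [05/Feb/2010:14:03:40 -0500] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2010:14:05:02 -0500] "GET /plugins/editors/tinymce/jscripts/tiny_mce/license.txt HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.55 - - [06/Feb/2010:02:17:19 -0500] "GET /wordpress/wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
this line is not a valid access-log entry
"""

if __name__ == "__main__":
    # Read a real log from stdin if one is piped in, else use the sample data.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    found, counts = scan(source)
    for line in report(found, counts):
        print(line)
```

Run it as `python scan_license_probe.py < /var/log/apache2/access.log` to get one line per source host. A 200 response is the more interesting case: it confirms the editor is installed at that path and that the file (and therefore the version banner it carries) was handed out, which is exactly the reconnaissance the diary suggests someone is doing.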
This might be a re-emergence of the hack described in http://forum.joomla.org/viewtopic.php?f=267&t=310813 if the FileManager plugin is deployed.
Other exploits have been seen with the TinyBrowser plugin http://www.milw0rm.com/exploits/9296. Perhaps the call to the licence.txt file is a preliminary, information-gathering run, to discover versions to target?
Karl, 14 Posts, Feb 6th 2010
I have been getting pounded by the script kiddies lately on my WordPress blog. Luckily the SQL injection attempts are mitigated and I am alerted with the offending IPs thanks to WordPress Firewall.
http://www.seoegghead.com/software/wordpress-firewall.seo |
Karl, 5 Posts, Feb 6th 2010
http://www.inj3ct0r.com/exploits/10776
It's a TinyMCE XSS.
Karl, 2 Posts, Feb 7th 2010
http://www.inj3ct0r.com/exploits/10770
and WordPress photoblog blind SQL injections
Karl, 2 Posts, Feb 7th 2010