Vulnerable Joomla! Installation under active attack

A Core Remote Code Execution Vulnerability (CVE-2015-8562) in the popular content management system (CMS) Joomla! was recently discovered. The vulnerability affects all versions of Joomla! prior to 3.4.6, and while updating the CMS to the latest version will patch the bug, there are still plenty of unpatched targets out there and Symantec has observed attackers actively scanning for and attacking vulnerable servers.

With over 50 million downloads, Joomla! is one of the most widely used content management platforms and is used by some very popular websites, meaning the vulnerability potentially puts millions of users at risk. In an attack scenario, an attacker can use this vulnerability to execute commands on the server, tamper with the website or database contents, host malware on the server, or even redirect visitors to other malicious websites.

How attackers find and exploit vulnerable servers
The exploit code is relatively easy to deploy and doesn’t require much skill; all that is needed is a single HTTP request. According to our telemetry, the methods attackers are using to scan for vulnerable versions of Joomla! are similar to the methods we covered in a recent blog on an RCE vulnerability in the vBulletin platform. Attackers are scanning for servers running vulnerable versions of Joomla! by attempting to call the phpinfo() function or by printing out the MD5 hash of a predetermined value. As with the vBulletin RCE exploit attacks, it is likely that attackers are scanning and documenting vulnerable web servers for exploitation at a later time.

Let’s take a look at how attackers are doing this.

In one method used by attackers, if the targeted server is vulnerable, the MD5 hash for the value 233333 is printed in the response sent by the server.

Figure 1. MD5 hash printed in the server response

Another method involves the attacker attempting to execute the eval(char()) function and waiting for any output from the die(pi()); function in the response. If this response is received it tells the attacker that the server is vulnerable.

Figure 2. Server response from eval(char()) function

System administrators can look for the methods described previously as possible indicators of attack (IoA) or indicators of compromise (IoC). By examining web access logs, administrators can look for the requests and, if found, compare the time they were made to the time the server was patched to determine if the system was likely to have been breached.
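The log review described above can be automated. The following script is an added example (not part of Symantec's article) that parses access-log lines in the common Apache/nginx combined format, flags lines whose request or User-Agent field contains one of the probe indicators named in the text (a phpinfo() call, an MD5 of the value 233333, eval(char()) and die(pi())), and marks whether each probe arrived before the server was patched. The literal indicator strings, the assumption that a probe can appear in the request line or the User-Agent header, and the log lines themselves are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Substrings the article describes as scanner behaviour. Their exact literal
# form in a request is an assumption made for this example; matching is
# case-insensitive.
PROBE_INDICATORS = ("phpinfo(", "md5(233333)", "eval(char(", "die(pi()")

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines written for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2015:09:12:44 +0000] "GET / HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [14/Dec/2015:10:03:17 +0000] "GET / HTTP/1.1" 200 4512 "-" "scanner md5(233333)"
198.51.100.7 - - [15/Dec/2015:02:41:09 +0000] "GET /index.php HTTP/1.1" 200 4512 "-" "probe eval(char()) die(pi());"
198.51.100.7 - - [16/Dec/2015:11:20:33 +0000] "GET /index.php?phpinfo() HTTP/1.1" 200 4512 "-" "curl/7.45.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probe_requests(log_text, patched_at):
    """Return one record per log line that carries a known probe indicator.

    patched_at is a timezone-aware datetime; each record says whether the
    probe arrived before that moment, which is the comparison the article
    suggests for judging whether the server was likely breached.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        haystack = (fields["request"] + " " + fields["ua"]).lower()
        matched = [ind for ind in PROBE_INDICATORS if ind in haystack]
        if not matched:
            continue
        ts = datetime.strptime(fields["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": fields["ip"],
            "time": ts,
            "request": fields["request"],
            "indicators": matched,
            "before_patch": ts < patched_at,
        })
    return hits


def main():
    # Constructed patch time for the sample; use the real patch time in practice.
    patched_at = datetime(2015, 12, 15, 12, 0, tzinfo=timezone.utc)
    for hit in find_probe_requests(SAMPLE_LOG, patched_at):
        when = "BEFORE patch" if hit["before_patch"] else "after patch"
        print(f'{hit["time"].isoformat()} {hit["ip"]} {hit["indicators"]} ({when})')


if __name__ == "__main__":
    main()
```

A probe that lands before the patch time is the case that warrants a closer look at the server (new files under the web root, unexpected cron entries, outbound connections), since a scanner that found the server vulnerable may have returned later to exploit it.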

Malicious script injection
Once a system is found to be vulnerable, the attackers can then proceed to the main attack. This usually involves the installation of a back door to enable the attackers to gain full access to the compromised computer.

The section of code shown in Figure 3 is part of an encoded PHP back door which is used against vulnerable Joomla! servers. Once the back door is established on the server, the attacker can execute commands, tamper with websites hosted on the server, or upload and download files at will.


Read the full article at Symantec

WordPress Under Attack, 100,000+ WP Websites Compromised By SoakSoak Malware

SoakSoak Malware Compromises 100,000+ WordPress Websites

News of a malware campaign against WordPress has been doing the rounds since owners and webmasters of WordPress blogs found out that their websites were being blacklisted by Google. Around 11,000 domains had initially been blocked due to the latest malware campaign, a number which has now swelled to 100,000. The campaign is served from SoakSoak.ru, and has therefore been dubbed the ‘SoakSoak Malware’ epidemic.

SoakSoak malware modifies the file located at wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page view on the website, and this “swobject.js” file contains an encoded malicious JavaScript payload.
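Because the infection described above changes a core file and adds a new one, a file-integrity audit against a known-good baseline catches it. The script below is an added example (not from TechWorm or the WordPress project) that hashes every file under an install root, reports files that are modified, unexpected or missing relative to a baseline, and additionally flags PHP files that reference swobject.js. The sample install, its contents and the simulated modification are constructed in a temporary directory for this example; on a real site the baseline would come from a clean copy of the same WordPress release.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator named in the article: a reference to swobject.js inside PHP.
INJECT_RE = re.compile(r"swobject\.js", re.IGNORECASE)

# Constructed stand-in for a clean template-loader.php (not the real file).
CLEAN_TEMPLATE_LOADER = (
    "<?php\n"
    "// constructed placeholder for wp-includes/template-loader.php\n"
    "require_once ABSPATH . WPINC . '/template.php';\n"
)
# Constructed line standing in for the injected script reference.
INJECTED_LINE = "wp_enqueue_script('swobject', '/wp-includes/js/swobject.js');\n"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relpath(root, path):
    """Relative path with forward slashes, so baselines are portable."""
    return str(path.relative_to(root)).replace("\\", "/")


def baseline_from(root):
    """Record {relative_path: sha256} for every file under a known-clean root."""
    root = Path(root)
    return {relpath(root, p): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def audit(root, baseline):
    """Compare an install root against a baseline and return sorted findings."""
    root = Path(root)
    findings = {"modified": [], "unexpected": [], "missing": [], "script_refs": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = relpath(root, p)
        seen.add(rel)
        if rel not in baseline:
            findings["unexpected"].append(rel)
        elif sha256_file(p) != baseline[rel]:
            findings["modified"].append(rel)
        # Content check independent of the hash: any PHP file pulling in swobject.js
        if p.suffix == ".php" and INJECT_RE.search(p.read_text(errors="replace")):
            findings["script_refs"].append(rel)
    findings["missing"] = list(set(baseline) - seen)
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Build a constructed clean install, baseline it, simulate the modification, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        loader = root / "wp-includes" / "template-loader.php"
        loader.parent.mkdir(parents=True)
        loader.write_text(CLEAN_TEMPLATE_LOADER)
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = 'x.y';\n")
        baseline = baseline_from(root)

        # Simulated change: loader altered and a new JS file dropped.
        loader.write_text(CLEAN_TEMPLATE_LOADER + INJECTED_LINE)
        (root / "wp-includes" / "js").mkdir()
        (root / "wp-includes" / "js" / "swobject.js").write_text("/* constructed */\n")

        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The hash comparison is the general control; the swobject.js pattern is a specific indicator for this campaign. Run the audit from a clean baseline after every update, because a legitimate core upgrade also changes hashes.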

Read full article from TechWorm.net

5 Common Website Security Mistakes

People often make fundamental mistakes with their websites and servers. These mistakes can ultimately cost a lot. This happens not just to new website owners but to seasoned ones as well. In fact, you could be making some of the mistakes below right now, harming your business. Fortunately, this guide explains some of the common mistakes every website owner should avoid in order to gain the most from your online presence.

Mistake 1 – Not Monitoring Your Backups
Backups are the forgotten website security pillar. Most website owners do not understand how backups fit into their web security strategy. Backups are your safety net. With a backup, you can quickly restore part of, or your entire, website when something bad happens.

A lot of bad things can happen to your website:

Hackers can compromise your site
A careless key stroke can overwrite important files
Web hosting equipment might fail

These and other scenarios will give you sleepless nights if you do not monitor your backups to make sure they are properly running and completing successfully.

The importance of monitoring your backups cannot be overstated. Just think how effectively you could recover from a complete website crash. Here are some important ideas on monitoring your backups:

Ask your hosting provider how often they back up your data, and the number of copies they keep.
Get a copy of your website files, including photos, artworks and any other unique fonts used to create header graphics, logos, etc. from your web developer.
Back up your site’s database from your control panel. If you need help to complete the backup, contact the support team of your web hosting provider.
Back up 3rd party applications such as your blog, newsletter subscription list, etc. so that in case something happens with your providers, you have a backup solution.
Consider 3rd party backup tools and services which keep the backups in a safe and remote location.

Mistake 2 – Not Changing Default Settings and Usernames
A lot of website applications (think of something like WordPress) include a default set of usernames, passwords, and settings to provide a consistent installation experience. After the installation has been completed it is critical to change those default usernames, passwords, and configurations. Keeping with the WordPress example, the WordPress installation creates an account with the username ‘admin’. A default location for managing your WordPress site is created at http:///wp-admin.

Hackers will test your site to see if those default values are in place. If they are found, they will begin to run software against your website to figure out your password. There are also a number of installation files that should be removed once you have completed your installation. These scenarios are not unique to WordPress; we just used it as an example. It is a good idea to search for a ‘How to Secure X Application’ guide for each of the applications you are using.

Mistake 3 – Ignoring Software Patches
Many website owners wonder why they should apply a software patch when things are working fine. However, by ignoring software patches or updates, you are leaving the door wide open for malware and other attacks. This exposes anyone who depends on your website to unwanted risk.

Software patches and updates are packages of software that are released by software vendors to address security vulnerabilities in existing products. Hackers exploit software vulnerabilities to deliver malware and other threats. Sometimes, software patches contain product enhancements and bug fixes. The patches are installed over the existing installation and therefore do not need un-installation or re-installation of the current software in question. Your only role is to accept the software update and the updater does its thing. Just make sure you have a good backup first.

You should never ignore those software updates. Besides enhancing your site’s performance and user experience, they provide protection against malicious threats and cyber-attacks. Moreover, you should understand all the implications of a software patch. When in doubt, consult your web developer or the customer service team at your hosting provider.

Mistake 4 – Not Monitoring for New Security Updates
Security updates are a constant feature just like the software updates. In fact, security updates are sometimes rolled into software patches. Security updates usually come out in point releases and are often clear on what they are intended to address. Security updates do not normally introduce new features and are instead focused on preventing vulnerabilities.

Some security updates can be managed automatically while others need manual effort. Whichever applies, you should not neglect monitoring the release of security updates for the applications used to run your website. These updates, as previously mentioned, are released to address specific security issues, and failure to apply them compromises the security of your website. It is important to install security updates in a timely manner. You can also go the extra mile and look for plugins which add extra layers of security, and install any updates for those as well.

The other kind of security update does not involve anything to install but rather deals with database management and hosting. This involves things such as setting a strong password, locking down file permissions, checking the sites you link to, using SFTP for file transfers, and looking beyond shared hosting plans. These tactics add an extra layer of security to your website and should never be ignored.

Mistake 5 – Failure to Monitor for New Server Exploits
A server is exploited when it is no longer under your total control. Another party is using your server for their own purposes. Common examples of server exploits include someone using your server to send spam emails, launching attacks on other servers with your clean IP being used as the attacking source, installing a phishing site on your server, or installing programs which try to steal passwords and other login details when a person visits your website. Server exploits negatively affect your online reputation. It is therefore important to always remain alert for any signs of server exploits.

Although your hosting provider will report suspicious activity from your server, it is normally too late at that point. The best thing you can do is to constantly check for lapses in your web security and immediately address them. For example, servers mainly get exploited when an unauthorized person guesses a password and logs in as a user, or when a security hole in the web application has been exploited. It therefore goes without saying that every user must have a strong password and that you should remain up to date on the security of any web application you have installed on your site. With these tips, you will stay on top of server exploits.

Bonus Tip! – Not Monitoring Uptime
Server uptime is critical to a business. Databases and file services, web and email servers are indispensable to most business processes. Downtimes negatively affect productivity, sales, customer and employee satisfaction. Downtime hurts. You must find a means to monitor server uptime at all times.

With the right service, monitoring servers and websites becomes easy. You will be the first to know when your site is down, and you will easily monitor the performance of your site. It is important to get a service that is thorough in server and website uptime monitoring to prevent unnecessary disruption.

Server uptime monitoring helps you provide a better user experience to customers and other people who visit your site. It also gives you useful information on the reliability of your hosting provider. If you are getting a raw deal, you will realize it.

Your website is your gateway to the global online marketplace. It is important to check for these 5 common mistakes so as to protect your presence on the Internet and get as much value as possible out of your website.