Call to action: CMS Joomla attacked

December 18, 2015

Alright, ladies and gentlemen, this is kind of urgent, especially for businesses using Joomla. Users of other CMSs may be interested too, because there’s absolutely no guarantee that something like this cannot happen to them.

What’s the buzz?

Joomla-based sites are being attacked using the zeroday vulnerability. According to the researchers who discovered the threat, this is an object injection flaw that allows a full remote command execution. Exploits are in the wild, and the attacks are accelerating, Threatpost reports.

Attacks started last Saturday, and the “post-exploitation tactics” were observed as the attackers injected their backdoors then patched the vulnerability (as the official update is in), creating an illusion of safety.


Fortunately, the attacking IPs are more or less known, so researchers recommend filtering logs for either of these IP addresses or looking for “JDatabaseDriverMysqli” or “O:” in the User Agent.

More data is available at Threatpost.

Major troubles for major CMS

From our side, it is necessary to mention that the major content management systems come under attack on a regular basis; their popularity make them a favorable target for criminals looking to spread their malware as far and wide as possible, so the popular sites with vulnerable CMS are their “weapon of choice”.

We’ve witnessed a major number of attacks on WordPress CMS both in 2013 and 2014. In the latter case a “passively popular” plugin bundled with many WordPress themes was a vulnerable entry-point. Around 10K sites were blacklisted by Google for re-distributing malware, which is an extremely dangerous development for web-based businesses. Your site going down in rankings is way more easy than bringing it back up, and meanwhile losses may be fatal.

Joomla users are whole-heartedly recommended to install the appropriate updates and check out possible hints of being compromised.