8 Nov, 2016

Happy Birthday CVE-2015-8562 (Object Injection Remote Command Execution)

Learn how hackers exploit a year-old Joomla! security flaw to inject malware into websites, and how Quttera can help you protect your site from such attacks.
During a malware clean-up of a customer website, it turned out that attackers were using exactly this exploit against the site. Furthermore, the site was reinfected with malware as soon as someone accessed it. The speed of the reinfection alarmed us, so we dug deeper and found something else.
Website Malware Incident Investigation
Upon checking the site's access logs, we found an ingenious but familiar entry in the records, shown below:
This attack abuses the 'X-Forwarded-For' and 'User-Agent' HTTP headers, which vulnerable Joomla! versions stored in the session without sanitising them. Because session data is serialized, a crafted header value lets the attacker smuggle a serialized PHP object into the stored session; it is unserialized when the session is loaded again (PHP object injection), and a gadget chain through Joomla!'s own classes turns that into remote code execution. No authentication is needed: a single GET request carrying the crafted header is enough. This security flaw affects Joomla! versions 1.5.x, 2.x, and 3.x before 3.4.6.
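To find this kind of entry in an Apache access log rather than by eye, the following script is an added example (not Quttera's code or Joomla!'s) that parses "combined" format lines and flags User-Agent values carrying the markers of a CVE-2015-8562 payload: a serialized PHP object, the Joomla!/SimplePie gadget class names, the `}__name|` prefix seen in public proof-of-concept payloads, and the 4-byte UTF-8 character U+1D306 that those payloads append so the stored session row is truncated after them. The sample log lines are constructed for the example; the payload line copies only the shape of the public proof of concept and is inert. Apache writes `"` inside a header as `\"` and non-ASCII bytes as `\xHH`, so the field is unescaped before matching.

```python
import re
from dataclasses import dataclass

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Apache escapes '"' and '\' in logged header values as \" and \\ and writes
# non-printable/non-ASCII bytes as \xHH, so the User-Agent field is matched as
# a run of plain characters or backslash escapes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|["\\nt])')

# Indicators of a CVE-2015-8562 payload in a header value.
INDICATORS = [
    # a serialized PHP object: O:<len>:"<class>":<n>:{
    ("php-serialized-object", re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')),
    # Joomla!/SimplePie classes used as gadgets by the public exploits
    ("joomla-gadget-class", re.compile(r'JDatabaseDriverMysqli|JSimplepieFactory|SimplePie')),
    # the }__name| prefix public proof-of-concept payloads use to start a forged session variable
    ("session-split-prefix", re.compile(r'\}__\w*\|')),
    # U+1D306: 4-byte UTF-8, appended so a utf8 (not utf8mb4) MySQL column truncates the row
    ("utf8-truncation-char", re.compile('\U0001d306')),
]


@dataclass
class Finding:
    ip: str
    time: str
    request: str
    user_agent: str
    indicators: list


def unescape_apache(value: str) -> str:
    """Reverse Apache's log escaping, rebuilding UTF-8 from \\xHH byte escapes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(value):
        out += value[pos:m.start()].encode("utf-8")
        esc = m.group(1)
        if esc[0] == "x":
            out.append(int(esc[1:], 16))
        else:
            out += {'"': b'"', "\\": b"\\", "n": b"\n", "t": b"\t"}[esc]
        pos = m.end()
    out += value[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")


def check_header(value: str) -> list:
    """Names of every indicator that matches the (unescaped) header value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format or a truncated line; skip it
        ua = unescape_apache(m.group("ua"))
        hits = check_header(ua)
        if hits:
            findings.append(Finding(m.group("ip"), m.group("time"), m.group("request"), ua, hits))
    return findings


# Constructed sample log: one normal visitor, one request in the shape of the public
# proof of concept (inert property values), then the same client with a normal UA.
SAMPLE_LOG = r'''203.0.113.10 - - [08/Nov/2016:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [08/Nov/2016:10:15:09 +0000] "GET / HTTP/1.1" 200 5123 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:1:\"a\";N;s:1:\"b\";N;s:1:\"c\";N;}\xf0\x9d\x8c\x86"
198.51.100.7 - - [08/Nov/2016:10:15:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} {f.time} {f.request!r} -> {', '.join(f.indicators)}")
```

The default combined format does not log X-Forwarded-For; if the site sits behind a proxy and that header is logged with a custom LogFormat, run `check_header()` over that field as well, since the flaw reads both headers. A hit on the 200 status line above also means the request reached Joomla!; the matching session row and anything the request wrote to disk should be examined next.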

The infection we found overwrote the index.php of the Joomla! site and also modified the following files:
  • index.php
  • .htaccess
  • more than 400 Joomla! core files
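With several hundred core files touched, the practical way to scope the damage is to compare the installation against a known-good hash baseline rather than read each file. The script below is an added example (not Quttera's or Joomla!'s code) that builds a SHA-256 manifest of the PHP, JS, HTML and .htaccess files under a site root and reports what was added, removed or modified since. `demo()` creates a constructed miniature Joomla! tree in a temporary directory, baselines it, and then simulates the footprint described above (a loader prepended to index.php, a rewritten .htaccess and a dropped PHP file); the file contents are placeholders, not real malware.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def is_tracked(path: Path) -> bool:
    """Files worth baselining: PHP and JS source, HTML, and .htaccess (which has no suffix)."""
    return path.suffix in {".php", ".js", ".html"} or path.name == ".htaccess"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every tracked file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_tracked(p)
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the manifest; keep this copy off the web host so an intruder cannot edit it."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, root: Path) -> dict:
    """Diff the live tree against the manifest: new files, deleted files, changed hashes."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed miniature Joomla! tree: baseline it, then simulate the infection footprint."""
    root = Path(tempfile.mkdtemp(prefix="joomla-demo-"))
    try:
        (root / "libraries" / "joomla").mkdir(parents=True)
        (root / "index.php").write_text("<?php\ndefine('_JEXEC', 1);\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "libraries" / "joomla" / "factory.php").write_text("<?php\nabstract class JFactory {}\n")
        baseline = build_baseline(root)

        # Simulated infection (placeholder contents, not real malware):
        index = root / "index.php"
        index.write_text("<?php /* injected loader */ ?>\n" + index.read_text())
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ /images/x.php [L]\n")
        (root / "images").mkdir()
        (root / "images" / "x.php").write_text("<?php /* dropped file */ ?>\n")
        return compare(baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline must come from a copy you trust, ideally the official release archive of the exact Joomla! version the site runs; a manifest taken after the compromise simply ratifies the backdoors. When the report lists hundreds of modified core files, as in this incident, restoring those files from the clean release archive is quicker and safer than cleaning them one by one, and the `added` list is where dropped shells usually show up.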
Year Old Joomla! CMS Security Flaw Exploitation
Our research shows that although the vulnerability has now been public for almost a year, cyber criminals are still exploiting it in the wild. We found that about 30% of Joomla! installations are still running a vulnerable version.

We also found that migrating from Joomla! 1.5 to the latest release is not easy. Joomla!'s developers have been blamed for not providing a straightforward upgrade path to the current version of the popular CMS: site developers must migrate meticulously or rebuild the site from scratch. Third-party migration tools exist, but they rarely perform as expected and often leave the site with massive errors after the upgrade. Note that the Joomla! project did publish hotfix patches for the end-of-life 1.5 and 2.5 branches when the flaw was disclosed in December 2015, so a site that cannot be migrated right away should at least have that patch applied.

However, it is better to go through the hassle of upgrading and block attackers before they deface the site, install ransomware that locks you out of your files, or get the site taken down permanently for distributing malware.
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false positives, blacklisting and other kinds of alerts raised by security vendors and search engines. Just select a suitable ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera's help-desk