Happy Birthday CVE-2015-8562 (Object Injection Remote Command Execution)

Background

While cleaning malware from a customer's website, we found that attackers were using exactly this exploit against the site. Worse, the site was reinfected with malware as soon as anyone accessed it. The speed of the reinfection alarmed us, so we dug deeper and found something else.

Website Malware Incident Investigation

When we checked the site's access log, we found a familiar entry, shown below:

[Image: 08-11-16-access_log.png, excerpt from the site's access log]

This attack abuses the 'X-Forwarded-For' and 'User-Agent' HTTP headers. Vulnerable Joomla! versions stored these headers in the session without sanitizing them, and the stored session data was later unserialized, so an attacker can place a serialized PHP object in either header and have it instantiated on the server, which leads to remote code execution. The flaw (CVE-2015-8562) affects Joomla! versions 1.5.x, 2.x and 3.x before 3.4.6.
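Because the investigation started from the access log, the following added example (our own illustration, not Quttera's tooling or Joomla! code) shows how to scan log lines for the tell-tale sign of this attack: a serialized PHP object (`O:<len>:"<class>":<n>:{`) carried in the User-Agent or X-Forwarded-For header. It assumes the Apache "combined" log format, optionally extended with a trailing quoted `%{X-Forwarded-For}i` field; the log lines are constructed, and the serialized object in them is a harmless placeholder class rather than a real exploit payload.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" format: ip ident user [ts] "request" status size "referer" "ua".
# The trailing optional quoted field is an assumed %{X-Forwarded-For}i extension;
# plain combined lines (without it) still parse.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'   # a quoted field with \" and \\ escapes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED + r' (\d{3}) (\S+) '
    + _QUOTED + ' ' + _QUOTED + r'(?: ' + _QUOTED + r')?$'
)

# Opening of a serialized PHP object: O:<len>:"<class>":<property count>:{
# A browser never sends this in a User-Agent or X-Forwarded-For header.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def unescape(field: str) -> str:
    """Undo Apache's backslash escaping of quotes and backslashes in a field."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size, ref, ua, xff = m.groups()
    return {
        "ip": ip,
        "ts": ts,
        "request": req,
        "status": status,
        "user_agent": unescape(ua),
        "x_forwarded_for": unescape(xff) if xff else "",
    }


def suspicious_headers(entry: Dict[str, str]) -> List[str]:
    """Names of the header fields in this entry that carry a serialized PHP object."""
    return [name for name in ("user_agent", "x_forwarded_for")
            if PHP_OBJECT_RE.search(entry[name])]


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per log line whose UA or XFF header looks like object injection."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line; in production, count these separately
        hits = suspicious_headers(entry)
        if hits:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "request": entry["request"], "fields": ",".join(hits)})
    return alerts


# Constructed sample log: one normal browser hit, one request carrying a placeholder
# serialized object in both headers, one plain curl hit with a real XFF address.
SAMPLE_LOG = r'''203.0.113.5 - - [08/Nov/2016:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/49.0"
198.51.100.77 - - [08/Nov/2016:10:15:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "O:8:\"Example\":1:{s:3:\"cmd\";s:2:\"id\";}" "O:8:\"Example\":0:{}"
192.0.2.10 - - [08/Nov/2016:10:16:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.47.0" "10.0.0.3"
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against a real log, the alerts give you the source IPs and timestamps to correlate with file modification times on index.php and .htaccess; a hit on the first request after a clean-up is exactly the "reinfected on access" pattern described above. The regex only catches the serialized-object form; a site still running a version before 3.4.6 should be upgraded regardless of what the log shows.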

The infection we found overwrote the index.php of the Joomla! site and modified the following files:

  • index.php
  • .htaccess
  • more than 400 Joomla! core files

Year Old Joomla! CMS Security Flaw Exploitation

Our research shows that, a year after its disclosure, cyber criminals are still using this exploit in the wild. We found that about 30% of Joomla! users are still running a vulnerable version.

We also found that migrating from Joomla! 1.5 to the latest release is not easy. The Joomla! developers have been blamed for not providing a straightforward upgrade path to the current version of the popular CMS. Site developers have to migrate meticulously, or rebuild the site from scratch, to move to the new version. Third-party migration tools exist, but in our experience they fall short of expectations and leave sites with serious errors after the upgrade.

Even so, it is better to go through the hassle of upgrading than to let attackers destroy the site, install ransomware that blocks access to your files, or get the site taken down permanently for distributing malware.

Is your website infected with similar malware, or blocked by the search engines?

We at Quttera are always here to help our customers protect their sites from any form of attack and to advise them on how to upgrade, for their own safety and that of their visitors. Select the appropriate ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk
