[Tut] Joomla! Compromise Might Affect You


We are noticing a string of Joomla! compromises, and we wanted to share some details for those running the Content Management System (CMS). The exploit currently being used affects the following versions of Joomla:

1.6.x
1.7.x
2.5.0-2.5.2
2.5.4
all earlier 2.5.x versions

The compromise begins with the attacker registering a normal user account and then escalating that user's privileges to Administrator level. In every case we have seen, the attackers add a user with a Gmail™ address beginning with xxxtxxx and the user name alexaalexa.

Once the attackers have their user on the site, they typically come back a few days later and edit the error.php file, turning it into a script that lets anyone upload files without authenticating. A few days after that upload script is created, the attackers return again and upload the following files:

rp.php
indx.php
stph.php

This attack is extremely malicious: the stph.php file is used to launch further attacks against other networks from the compromised host, so an infected site becomes an attack platform as well as a victim. To see if your site is affected, run the following query:

SELECT u.username AS username, u.email AS email, g.group_id AS group_id
FROM jos_users u, jos_user_usergroup_map g
WHERE u.email LIKE 'xxxtxxx%'
AND u.id = g.user_id

Note that jos_ is the default table prefix; Joomla 1.6 and later generate a random prefix at install time, so replace jos_ with the $dbprefix value from your configuration.php. If the email matches xxxtxxx, the user name matches alexaalexa, and the group_id is either 7 or 8, your site is compromised. In Joomla 1.6/2.5, group_id 7 is the Administrator group and group_id 8 is the Super Users (Super Administrator) group. Ordinary registered users should never be members of either group, so any account in 7 or 8 that you did not create yourself is suspect even if the attackers change the name or email they use.

If affected, we recommend taking the following actions:
Remove the uploaded files, then restore error.php to its original content (compare it against a clean copy of the same Joomla version rather than trusting the current file).
Remove any user in group_id 7 or 8 that you did not create yourself. Do not delete by group alone, or you will remove your own Super User account as well. Because the attackers held Super User access, also change the passwords of the remaining administrator accounts.
Update Joomla to the latest version.
Update all themes, plugins, and extensions to their latest versions.
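The following is an added example, not code from the original post. It builds a reduced copy of the Joomla 1.6/2.5 user tables with constructed sample rows, so the detection query above and the user-removal step can be tried offline, and it goes slightly beyond the post: it joins jos_usergroups to show group titles, adds an indicator-independent check for any account in Administrator or Super Users, and performs the cleanup by user id rather than by group. It assumes the default jos_ prefix (replace it with your $dbprefix), and the account names, emails and ids in the sample rows are made up for illustration.

```sql
-- Added example, not code from the original post. Assumes the Joomla 1.6/2.5
-- MySQL schema (tables #__users, #__user_usergroup_map, #__usergroups) with the
-- default 'jos_' prefix; on a real site replace 'jos_' with $dbprefix from
-- configuration.php. Table definitions are reduced to the columns used here,
-- and every row below is constructed sample data, not a real account.

CREATE TABLE jos_users (
  id           INT PRIMARY KEY,
  name         VARCHAR(255),
  username     VARCHAR(150),
  email        VARCHAR(100),
  registerDate DATETIME
);
CREATE TABLE jos_usergroups (
  id    INT PRIMARY KEY,
  title VARCHAR(100)
);
CREATE TABLE jos_user_usergroup_map (
  user_id  INT,
  group_id INT,
  PRIMARY KEY (user_id, group_id)
);

-- Core group ids in Joomla 2.5: 7 = Administrator, 8 = Super Users.
INSERT INTO jos_usergroups VALUES
  (1, 'Public'), (2, 'Registered'), (6, 'Manager'),
  (7, 'Administrator'), (8, 'Super Users');

-- Constructed sample: the legitimate site owner, an ordinary member, and an
-- account matching the indicators in the post (registered, then escalated to 8).
INSERT INTO jos_users VALUES
  (42, 'Site Owner', 'admin',      'owner@example.com', '2011-05-01 10:00:00'),
  (43, 'Jane Doe',   'jane',       'jane@example.com',  '2012-01-12 08:00:00'),
  (44, 'alexaalexa', 'alexaalexa', 'xxxtxxx@gmail.com', '2012-05-20 03:14:00');
INSERT INTO jos_user_usergroup_map VALUES
  (42, 8), (43, 2), (44, 2), (44, 8);

-- 1. Indicator check from the post, joined to jos_usergroups so the group title
--    is shown. Returns one row here: alexaalexa in group 8 (Super Users).
SELECT u.id, u.username, u.email, u.registerDate, m.group_id, g.title
FROM jos_users u
JOIN jos_user_usergroup_map m ON m.user_id = u.id
JOIN jos_usergroups g         ON g.id = m.group_id
WHERE u.email LIKE 'xxxtxxx%'
  AND u.username = 'alexaalexa';

-- 2. Indicator-independent check: every account holding Administrator or
--    Super Users, newest registration first. Anything you did not create
--    yourself is suspect even if the attackers change names. Returns
--    alexaalexa (8) and then admin (8) here.
SELECT u.id, u.username, u.email, u.registerDate, g.title
FROM jos_users u
JOIN jos_user_usergroup_map m ON m.user_id = u.id
JOIN jos_usergroups g         ON g.id = m.group_id
WHERE m.group_id IN (7, 8)
ORDER BY u.registerDate DESC;

-- 3. Cleanup: remove the rogue account by the id found above, never by
--    group_id alone (that would also delete the legitimate Super User, id 42).
--    Group mappings go first so no orphaned map rows remain.
START TRANSACTION;
DELETE FROM jos_user_usergroup_map WHERE user_id = 44;
DELETE FROM jos_users             WHERE id = 44;
COMMIT;

-- 4. Verify: only the site owner (admin, Super Users) should remain in 7 or 8.
SELECT u.id, u.username, g.title
FROM jos_users u
JOIN jos_user_usergroup_map m ON m.user_id = u.id
JOIN jos_usergroups g         ON g.id = m.group_id
WHERE m.group_id IN (7, 8);
```

Run query 2 on every site you manage, not just ones showing the xxxtxxx indicator: the privilege escalation is the real problem, and the registered email and user name are only what this particular group of attackers happened to use.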