We started massive online scans for unpatched Joomla

As soon as 24 hours after the release of the 3.6.4 security update from the Joomla project that identified two critical security flaws, hackers had already begun to look for unpatched systems and then massive scans on the Internet began.

The two vulnerabilities are listed as CVE-2016-8870 and CVE-2.016-8.869. The first allows attackers to remotely create accounts on Joomla, while the second allows the elevation of account privileges to administrator level.joomla

Η ομάδα του Joomla και ο Davide Tampellini, ο μηχανικός του Joomla που ανακάλυψε το τελευταίο ελάττωμα, αρνήθηκε να δημοσιεύσει οποιεσδήποτε τεχνικές λεπτομέρειες για το δεύτερο ελάττωμα. Πολλοί κακόβουλοι ερευνητές όμως με αντίστροφη μηχανική στην ενημέρωση 3.6.4, ξεχώρισαν τις τροποποιήσεις, και κατάφεραν να διακρίνουν τη μεθοδολογία του exploit. Έτσι δημιούργησαν πολυάριθμα exploits released online.

The Sucuri security team, which reverse-engineered the 3.6.4 update, published a PoC on the website () και πρόσθεσε τον κώδικα του exploit στο web her.

So Sucuri gained the ability to detect hacking attempts for both of these security blanks. The company reported that about 24 hours after the release of 3.6.4 from Joomla saw three IP addresses from Romania hit some of Joomla's biggest sites around the world.

Attackers were trying to exploit both και να δημιουργήσουν ένα χρήστη με το όνομα “db_cfg” και κωδικό το ”fsugmze3 ″.joomla-vulnerabiity-register-method

Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.

Soon after, a second attacker using an IP from Latvia started his own mass scans, using random user account names with “ringcoslio1981@gmail.com” as an email address. U.

Watch these IPs
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216

Sucuri recommends joomla webmasters to look for their IP addresses in their web site logs.

Attackers will generally try to access the following URL:

/index.php/component/users/?task=user.register

“We believe that any Joomla website! that has not been updated is already in jeopardy, "said Daniel Cid, Founder and CTO of Sucuri.

"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."

Το ίδιο ακριβώς συνέβη και πέρυσι, όταν το project Jοomla επιδιόρθωσε το zero-day CVE--8562 in version 3.4.6, which was released in mid-December. By the end of the year, attackers were performing an average of about 16.600 scans per day trying to exploit the flaw.

Juice PoC

iGuRu.gr The Best Technology Site in Greecefgns

every post, directly to your

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).