We started massive online scans for unpatched Joomla

Just 24 hours after the release of security update 3.6.4 by the Joomla project that fixed two critical security holes, hackers had already started looking for unpatched systems and then started massive scans on .

The two security gaps are referred to as CVE-2016-8870 and CVE-2.016-8.869. The first allows attackers to create remote accounts on Joomla sites, while the second allows users to raise account privileges at manager level.joomla

The Joomla team and Davide Tampellini, the Joomla engineer who discovered the last flaw, refused to publish any technical details about the second flaw. Many malicious researchers, however, with reverse engineering at 3.6.4, have distinguished the modifications, and have been able to distinguish the exploit methodology. So they created numerous weaponized exploits that were released online.

Sucuri's security team, which carried out reverse engineering at 3.6.4, published a proof-of-concept PoC and added the exploit code to its web firewall.

So Sucuri gained the ability to detect hacking attempts for both of these security holes. THE reported that about 24 hours after Joomla released the 3.6.4 update they saw three IP addresses from Romania hitting some of the biggest Joomla sites around the world.

Οι επιτιθέμενοι προσπαθούσαν να κάνουν exploit τα δύο σφάλματα και να δημιουργήσουν ένα χρήστη με το όνομα “db_cfg” και s the “fsugmze3″.joomla-vulnerabiity-register-method

Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.

Shortly afterwards, a second perpetrator using an IP from Latvia began his own mass scans, using random user account names with "ringcoslio1981@gmail.com" as the email address.

Watch these IPs
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216

Sucuri recommends joomla webmasters to look for their IP addresses in their web site logs.

Attackers will generally try to access the following URL:

/index.php/component/users/?task=user.register

“We believe that any Joomla website! that has not been updated is already in jeopardy, "said Daniel Cid, Founder and CTO of Sucuri.

"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."

The same thing happened last year when the Jomula project repaired the zero-day CVE-2015-8562 in the 3.4.6 version, released in mid-December. By the end of the year, attackers were averaging about 16.600 scans a day, trying to exploit the flaw.

Juice PoC

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).