We started massive online scans for unpatched Joomla

As soon as 24 hours after the release of the 3.6.4 security update from the Joomla project that identified two critical security flaws, hackers had already begun to look for unpatched systems and then massive scans on the Internet began.

The two vulnerabilities are listed as CVE-2016-8870 and CVE-2.016-8.869. The first allows attackers to remotely accounts on Joomla websites, while the second allows the elevation of account privileges to administrator level.joomla

Η of Joomla, and Davide Tampellini, the Joomla engineer who discovered the last flaw, refused to release any technical details about the second flaw. But many malicious researchers reverse-engineered the 3.6.4 update, picked apart the modifications, and managed to discern the exploit's methodology. So they created numerous weaponized exploits that were released online.

Sucuri's security team, which carried out reverse engineering at 3.6.4, published a proof-of-concept PoC and added the exploit code to its web firewall.

So Sucuri gained the ability to detect hacking attempts for both of these security blanks. The company reported that about 24 hours after the release of 3.6.4 from Joomla saw three IP addresses from Romania hit some of Joomla's biggest sites around the world.

The attackers tried to exploit the two errors and create a user named "db_cfg" and password "fsugmze3 ″.joomla-vulnerabiity-register-method

Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.

Shortly afterwards, a second perpetrator using an IP from Latvia began his own mass scans, using random user account names with "ringcoslio1981@gmail.com" as the email address.

Watch these IPs
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216

Sucuri advises webmasters to search Joomla! logging their website for the above IP addresses.

Attackers will generally try to access the following URL:

/index.php/component/users/?task=user.

“We believe that any Joomla website! that has not been updated is already in jeopardy, "said Daniel Cid, Founder and CTO of Sucuri.

"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."

The exact same thing happened last year, when the Joomla project fixed the zero-day CVE-2015-8562 in 3.4.6, which was released in mid-December. By the end of the year, attackers were performing an average of about 16.600 scans per day trying to exploit the flaw.

Juice PoC

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.087 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).