New Joomla 1.5.26 And Joomla 2.5 Exploit, latest joomla protection from exploits Options

[Web Design Seo]

Seems that joomla 1.5.26 New exploit is released.

For the past few days we have some number of hacked Joomla's 1.5 that have been hacked in the same way:
- All joomla installs were with the latest joomla 1.5 version - joomla 1.5.26
- All sites were with unprotected folder /administrator

How exploit work?
A. Uploaded is one php shell file or several shell files in images/stories.
2. Hacker make POST requests to com_installer or com_templates

What makes this Joomla exploit:
Hacker modified .htaccess. As a result, website redirect to the one Russian website and google starts screaming that "this website may harm your computer".

How to clean your Joomla 1.5:
1. Typically, php files are uploaded to the folder images/stories. It is easy to recognize - there should not have php files. File name is something like cache.php or other name.
2. Remove redirects from htaccess file. Redirects are at start and in end of file. Or open one standart Joomla 1.5 htaccess and copy-paste the right parts of code.


The decision to not hack joomla 1.5:
1. Lock folder administrator. With password or by IP address.
2. Add to your htaccess file defense against RFI - Remote File Inclusion protection.

So, seems that latest joomla 1.5.26 is not well protected. Maybe this exploit is possible with latest Joomla 2.5 also - we have not tested. I recommend you to protect folder administrator by IP or with password.

More useful guides about exploits protection: more htaccess huides and guide Ultimate Security For Joomla

[Web Design Seo]

Latest news about this exploit are:

Attacks come from IP: 91.202.244.73 (may be are many, this ip is one of them). One of doors that hacker use is JCE exploit - JCE Extension Remote File Upload. This exploit work with all versions of JCE before 2.0.10.

This mean that all versions of Joomla 2.5 are also vulnerable!

How is this possible?

Joomla 2.5 have your own update manager that check all extensions for new versions. But.... is not working with JCE. I have check about 10 joomla's 2.5 and always message is all extensions are up-to-date.



But... the problem is that on all checked from me joomla installs, version of JCE was older, not latest 2.2.4. May be the problem is in JCE, may be in Joomla 2.5 update manager, will see in next days.

For now, download from here latest version of JCE and install - package is only one for all joomla versions from 1.5 to 2.5 and will update your joomla site automatically to latest version.

[persmash]

Can you please explain how can we use this vulnerability?

[Web Design Seo]

Don't use it, just fix it Problem was in older versions of JCE and is fixed in latest versions. Just update your JCE copy often - always install latest version!

[Web Design Seo]

IP addreses of bots that try to hack joomla websites over this JCE exploit (Ip addresses are from logs from one of our firewalls)

Insert this code in your htaccess to deny access to your website from hacker's bots ip:

Код

deny from 2.228.105.131
deny from 31.131.31.183
deny from 46.32.227.68
deny from 64.34.165.204
deny from 66.55.72.82
deny from 79.143.186.120
deny from 85.214.26.171
deny from 85.214.122.33
deny from 87.126.158.82
deny from 88.255.89.55
deny from 91.121.1.179
deny from 91.121.85.219
deny from 91.121.115.186
deny from 123.242.173.1
deny from 132.248.160.9
deny from 176.28.8.81
deny from 176.223.123.143
deny from 198.27.85.51
deny from 202.129.185.250
deny from 206.167.88.7

[Web Design Seo]

2 more ip's added.

[Web Design Seo]

2 more new ip, now are 10.

[Web Design Seo]

One more bot ip is added.

[Web Design Seo]

IP's of bots that try to login in joomla administration:

Turkish:

Код

213.238.175.29
213.238.175.32
213.238.175.34
213.238.175.35
213.238.175.37
213.238.175.38
213.238.175.40
213.238.175.41
213.238.175.42
213.238.175.50
213.238.175.51
213.238.175.52
213.238.175.53
213.238.175.55

Netherlands:

Код

146.0.73.155
146.0.73.156
146.0.74.202
146.0.74.204
146.0.74.208
146.0.74.28
146.0.78.9
146.0.79.23
5.39.218.37
5.39.219.25
5.39.219.27

[Web Design Seo]

85.214.122.33 added - ip try to upload shell file over jce.

[Web Design Seo]

New IP's from this weekend are added to first post:

202.129.185.250 - try to upload files over JCE imgmanager.
88.255.89.55 - try to upload files over facile forms:

Код

/components/com_facileforms/libraries/jquery/uploadify.php

[Web Design Seo]

Three more IP added in post 5.

[Web Design Seo]

One more added.