Yesterday afternoon, Joomla released Version 3.4.6 to address 4 security vulnerabilities. This patch includes security hardening of the user password reset system. It is highly recommended that users immediately upgrade to version 3.4.6.
The vulnerability affects Joomla versions 1.5 to 3.4.5. Attackers are exploiting it by injecting a serialized PHP object through the HTTP User-Agent header, which gives them full remote command execution on the server.
Here’s what to look for to determine if you have been compromised, thanks to security blog Sucuri, who first reported the exploitation in the wild.
If you are a Joomla user, check your logs right away. Look for requests from 220.127.116.11 or 18.104.22.168 or 22.214.171.124 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.
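The log check above can be scripted so it runs over a whole access log instead of a manual grep. The following is an added example written for this post; it is not code from HostDime, Sucuri or the Joomla project. It assumes the web server writes the Apache/nginx "combined" log format (client IP first, User-Agent in the last quoted field) and uses the indicators named in the post: the three IP addresses, the string "JDatabaseDriverMysqli", and the serialized-object prefix "O:". One refinement beyond the post is an assumption of mine: the "O:" check matches the full PHP serialization prefix `O:<length>:"` rather than a bare "O:", so ordinary User-Agent text is not flagged. The sample log lines are constructed, not real traffic.

```python
import re
from typing import Dict, Iterable, List, Optional

# IP addresses the post names as the first sources of exploitation attempts.
INDICATOR_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124"}

# Apache/nginx "combined" format. The quoted groups tolerate backslash-escaped
# quotes because the web server escapes embedded quotes before writing the log.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)

# PHP serialized-object prefix O:<length>:"ClassName" (assumed refinement of the
# post's bare "O:" indicator). The quote may be backslash-escaped in the log.
SERIALIZED_OBJ_RE = re.compile(r'O:\d+:\\?"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """List the indicators from the post that a parsed entry matches (empty list = clean)."""
    reasons = []
    if entry["ip"] in INDICATOR_IPS:
        reasons.append("source IP listed as an early exploitation source")
    ua = entry["ua"]
    if "JDatabaseDriverMysqli" in ua:
        reasons.append("User-Agent contains JDatabaseDriverMysqli")
    if SERIALIZED_OBJ_RE.search(ua):
        reasons.append('User-Agent contains a serialized PHP object (O:<n>:"...")')
    return reasons


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one hit record per line that matches any indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; skip rather than guess at the fields
        reasons = classify(entry)
        if reasons:
            hits.append({"line": lineno, "ip": entry["ip"], "time": entry["time"],
                         "request": entry["request"], "reasons": reasons})
    return hits


# Constructed sample log (not real traffic): a benign browser request, a request
# from one of the listed IPs, and one whose User-Agent carries the object marker.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    '220.127.116.11 - - [14/Dec/2015:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "curl/7.43.0"',
    '198.51.100.7 - - [14/Dec/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 O:21:\\"JDatabaseDriverMysqli\\":0:{}"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['request']} -> {', '.join(hit['reasons'])}")
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log"))`. Note that the combined format records only the User-Agent; if your vhost also logs other request headers, run the same two string checks over those fields too, and treat any hit as a reason to move to incident response rather than as proof of a clean or compromised site on its own.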
If you are using the old and unsupported versions 1.5.x or 2.5.x, apply the hotfixes here.
If you are a HostDime managed client and have questions, don’t hesitate to contact us.
HostDime.com, Inc. is a global data center company offering an array of cloud products which include managed services for scalable cloud storage, dedicated servers, VPS (Virtual Private Servers), and colocation. HostDime.com owns and operates data centers in Orlando, Florida as well as Mexico and Brazil, with network facilities in Colombia, Hong Kong, India, the United Kingdom, and the Netherlands.
Jared Smith is HostDime’s Content Marketer.