In association with heise online

12 December 2012, 10:01

Joomla sites misused to deploy malware

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

JCE logo

The Internet Storm Center reports that a large number of Joomla sites are currently deploying malicious code and infecting visitors with malware; some WordPress sites are also thought to be affected. The German CERT-Bund⁠German language link Computer Emergency Response Team, which is operated by the German Federal Office for Information Security (BSI), has confirmed that similar attacks on and via Joomla servers have also been observed in Germany.

Thomas Hungenberg from CERT-Bund told The H's associates at heise Security that his findings indicate that, for several days, the compromised sites have been exploited to infect computers mainly with fake AV software via an exploit kit. To infect computers, the attackers embed an iFrame into the web sites that points to a Sutra Traffic Distribution System and eventually redirects to an exploit kit. Until recently, URLs ended in /nighttrend.cgi?8 as described by the ISC, but in the past few hours, other URLs such as hxxp:// have also been sighted.

According to Hungenberg's analysis, the original infections were probably achieved via a special automated script that exploits known vulnerabilities in the widely used Joomla Content Editor. A description⁠German language link at the Joomla Downloads blog says the script injects PHP code that masquerades as a GIF file into the server; this code can then be remotely called, and executed, by the attacker. The injected code is a PHP shell that is then used to infect JavaScript files such as /media/system/js/mootools.js or /media/system/js/caption.js with new iFrames on a regular basis.

It appears that the criminals have now started to cash in: they are using so-called Traffic redistribution systems that buy and sell web traffic, and bogus anti-virus software that urges users to buy a pro version, to convert the hijacked servers into hard cash. Both approaches are functional and widely used business models in the cyber underworld.

Joomla site administrators should be sure to check whether they installed the Joomla Content Editor at some point in the past; if they have, they should update it to the current version JCE 2.3.1. Those who have found an old version should also check any JavaScript files for suspicious iFrames. A quick overview is available via the

find . -print0 -name \*.js | xargs -0 grep -i iframe

command line instruction. This instruction doesn't cover variants in which the iFrame tag is assembled at a later stage via script code, but none of the infected sites that are known to heise Security include such variants. The injected PHP backdoor can often be found at /images/stories/story.php.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit