Joomla and Wordpress sites - check and update core and addons!

Stephen

US Operations
Staff member
Yesterday seemed to be the start of a massive botnet campaign to exploit any outdated Joomla or WordPress sites, infect them with multiple copies of a DDOS malware, and then use your site as a zombie for attacking other domains.

This was the core issue yesterday, and how we stopped part of it, but others continued.

The abuse reports about attacks yesterday are rolling in and it is right now mostly about 10 different sites with many copies of these files, but if you are hit with this due to an old installation not kept up to date, we will likely have to stop your site from processing any scripts until it is updated.

If you use Joomla or WordPress you MUST stay on edge and update often or you will be hacked, defaced, or used as a trojan horse/zombie for others.
I should also note that a few have a lot of other domains in their accounts and the way permissions are set, they may have bad files in some of those other domains even if only one uses WordPress/Joomla.
 
As a reseller, I would ask that if possible, PLEASE notify the reseller before taking an account offline.

I know time is critical when you identify something like this, so it may not be possible.
However, any latitude you can offer to resellers would be GREATLY appreciated!
It's difficult with just H-Sphere for a reseller to keep on top of accounts and make sure CMS/scripts are up-to-date. It's also difficult to monitor things like directory permissions and even file ownership/permissions across accounts/domains.

Ironically I've been fixing some old installs recently - "hacked by Hmei7 / misafir / sejeal / iskorpitx " - so far most of these were either preliminary attacks or just mild defacement. Sadly all involved uploading PHP disguised as an image...

Thanks for working hard to keep the Jodo network clean and secure!

-Michael
 
No, it will not be possible to notify BEFORE. As each time this happens they have multiple copies of the file, and using multiple hundreds of megabits PER SECOND to DDOS other networks, once this happens they are infected so badly it is not possible to notify before. We are making sure to send abuse notice as we disable the PHP however, this is all we can ensure we are doing. We hate having to do this, but we've already tried the approach of just disabling the recently edited PHP pages, and it is not working as they have multiple copies hidden using common type filenames, or even legit file names with edited code tagged in. Along with file managers that let them access/upload on the domain later even if upgraded. So it is a really big task to stop, and just modifying/changing is not helping in the last weeks. With this renewed botnet scanning and infection it is getting far worse now than the old hit and miss type hacking, it is getting into the systematic criminal realm.

There are some tools for Linux to ID those sites vulnerable, but none on Windows; we are working to see if we can make something similar on the Windows platform as about 50% of them have been that.

Yesterday's DDOS attack was this: initially it was a large flow of incoming data for about 5 min, then it started outgoing and loads of requests being replied, but those requests were replying to a different thing. With these DDOS scripts, once we found one and stopped it, it just went down some and another came, then again, about 10 times before we found them all. We started getting automated abuse reports via Prolexic of these as well. Someone did this in a very coordinated manner controlling multiple botnets and essentially making people with old PHP platform sites members of their botnet via simple, but effective PHP CURL requests en masse.
 

Are there any tools you can recommend to re-sellers to help us be more pro-active?
I'd gladly install a script on all of my clients sites that would allow me to check or scan them...

As it stands, I have no idea if someone has installed a bad plugin or out-of-date script.
I'm checking on my sites/domains right now - but that will all be irrelevant 30 days from now!

Thanks again for all you and your team do!
-Michael
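Michael asks above for something a reseller could run across all client sites to spot out-of-date CMS installs, and Stephen's earlier posts describe what the infections look like on disk: many copies of the DDOS script under ordinary-looking PHP file names, and PHP uploaded with an image extension. The script below is an added example written for this thread, not a tool from Jodo or from the Joomla/WordPress projects. It walks a directory of web roots, reads the version that WordPress records in wp-includes/version.php and Joomla in administrator/manifests/files/joomla.xml, flags installs older than a reference version you maintain (the CURRENT_VERSIONS numbers here are placeholders, not a statement of what is current), and lists PHP files modified in the last few days or image files whose content starts with a PHP tag. It runs on both Linux and Windows with a stock Python install; the sample site tree it scans is constructed inside the script so it can be tried without touching real accounts.

```python
"""Added example: scan a directory of web roots for outdated WordPress/Joomla
installs and for files that match the infection pattern described in the thread.
Assumed layout: SITES_ROOT/<domain>/ is the document root of one site."""
import os
import re
import tempfile
import time
from pathlib import Path

# Version files that WordPress and Joomla ship in a standard install.
WP_VERSION_FILE = Path("wp-includes") / "version.php"
JOOMLA_MANIFEST = Path("administrator") / "manifests" / "files" / "joomla.xml"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
PHP_EXTS = {".php", ".phtml", ".php5"}
# Placeholder reference versions: replace with the vendors' current releases.
CURRENT_VERSIONS = {"WordPress": "3.5.1", "Joomla": "3.0.3"}


def detect_cms(site_root):
    """Return (cms_name, version) for a site, or (None, None) if neither CMS is found."""
    root = Path(site_root)
    wp = root / WP_VERSION_FILE
    if wp.is_file():
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", wp.read_text(errors="replace"))
        return ("WordPress", m.group(1) if m else "unknown")
    jm = root / JOOMLA_MANIFEST
    if jm.is_file():
        m = re.search(r"<version>([^<]+)</version>", jm.read_text(errors="replace"))
        return ("Joomla", m.group(1) if m else "unknown")
    return (None, None)


def parse_version(v):
    """'3.9.28' -> (3, 9, 28), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(cms, version, current):
    # Unknown versions are treated as outdated so they are reviewed by hand.
    if cms not in current or version == "unknown":
        return True
    return parse_version(version) < parse_version(current[cms])


def find_suspicious_files(site_root, recent_days=7, now=None):
    """List (reason, relative_path) for PHP in image files and recently changed PHP."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for path in Path(site_root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(site_root).as_posix()
        ext = path.suffix.lower()
        if ext in IMAGE_EXTS:
            with path.open("rb") as fh:
                head = fh.read(64)
            if b"<?php" in head or b"<?=" in head:
                findings.append(("php-in-image", rel))
        elif ext in PHP_EXTS and path.stat().st_mtime > cutoff:
            findings.append(("recently-modified-php", rel))
    return findings


def scan_sites(sites_root, current_versions, recent_days=7):
    """One report entry per site directory under sites_root, in name order."""
    report = []
    for site in sorted(Path(sites_root).iterdir()):
        if not site.is_dir():
            continue
        cms, version = detect_cms(site)
        report.append({
            "site": site.name, "cms": cms, "version": version,
            "outdated": is_outdated(cms, version, current_versions) if cms else False,
            "suspicious": find_suspicious_files(site, recent_days),
        })
    return report


def _age(path, days):
    old = time.time() - days * 86400
    os.utime(path, (old, old))


def build_sample_tree(base):
    """Constructed sample data: one old WordPress site with a PHP file disguised
    as a JPEG, and one old Joomla site with a freshly written PHP file."""
    base = Path(base)
    wp = base / "site-a.example"
    (wp / "wp-content" / "uploads").mkdir(parents=True)
    (wp / "wp-includes").mkdir()
    (wp / WP_VERSION_FILE).write_text("<?php\n$wp_version = '3.5';\n")
    _age(wp / WP_VERSION_FILE, 30)
    (wp / "wp-config.php").write_text("<?php /* config, untouched for a month */\n")
    _age(wp / "wp-config.php", 30)
    (wp / "wp-content" / "uploads" / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (wp / "wp-content" / "uploads" / "logo.jpg").write_bytes(
        b"<?php /* constructed marker standing in for uploaded PHP */ ?>")
    jm = base / "site-b.example"
    (jm / JOOMLA_MANIFEST).parent.mkdir(parents=True)
    (jm / JOOMLA_MANIFEST).write_text("<extension><version>3.0.0</version></extension>")
    (jm / "index.php").write_text("<?php /* written just now */\n")
    return base


def demo_scan():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sites(build_sample_tree(tmp), CURRENT_VERSIONS)


if __name__ == "__main__":
    for entry in demo_scan():
        print(entry)
```

Run it right after you have updated an account, so the "recently modified PHP" list settles to the files the upgrade itself touched; from then on any new entry is something you did not put there. The version check only covers core, which is the part of Michael's question the standard install files answer; plugin and extension versions need the same idea applied to each add-on's own manifest.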
 
Thank you for your alert and advice. I'm a beginner and when comparing Joomla, Drupal and WordPress it makes me confused! WP seems to be more user friendly and Joomla and Drupal more professional and complicated! o_O
And after reading this page I have a new question. I want to know whether updating Joomla and WordPress is automatic or whether it must be done manually?
 