HackDig : Dig high-quality web security articles for hacker

Invasion of JCE Bots

2014-08-15 20:40

Joomla has been one of the most popular CMS for a long time.  It powers a huge number of sites.  That’s great! The flip side of this fact is Joomla has been very popular for a long time and there are still very many sites that use older versions of Joomla as well as older version of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites.

Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.

JCE attack

There is a JCE component – a fancy content editor that can be found almost on every Joomla site. It has a well known security hole that allows anyone to upload arbitrary files to a server.

You can easily find a working exploit code for this vulnerability.  What it does is:

  1. Checks whether a vulnerable version of JCE is installed (2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 1.5.7.10, 1.5.7.11, 1.5.7.12, 1.5.7.13, 1.5.7.14)
  2. Exploits the bug in the JCE image manager to upload a PHP file with a .gif extenstion to the images/stories directory
  3. Then uses a JSON command to rename the .gif file to *.php.

Now you have a backdoor on a server and can do whatever you want with the site.

This is how this attack looks in logs (real example):

197.205.70.37 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"

As I mentioned, JCE is a very popular component and there are still many sites that use old versions of this component. No wonder, hackers are scanning the Internet for such vulnerable sites.  They reworked the exploit code for use in their automated tools that relentlessly test millions of sites, one by another.  These days, I can find multiple requests with the “BOT/0.1 (BOT for JCE)” User-Agent string in logs of almost every site that I check, even in logs of sites that have never had Joomla installed.

I’d like to share some interesting statistics of a real site that had been hacked using this JCE hole and then was being routinely reinfected every day.

  • 7,409 requests with the User-Agent ”BOT/0.1 (BOT for JCE)“ that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
  • 239 requests from 51 unique IP addresses during the last 24 hours
  • 4 independent (uploaded different types of backdoors) successful infections during one day.
  • plus, multiple tests for other vulnerabilities.

To webmasters

As you can see,  this is something that you can’t neglect or consider an insignificant threat.  It’s silly to hope that hackers won’t find your site. Today hackers have resources to spider the Internet almost as efficiently as Google just about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive:  keep all software up-to-date and harden your sites.

In case of this particular JCE attack:

  1. Make sure to upgrade your Joomla site to the most current version.
  2. Upgrade JCE to the latest version. You can find download packages for all the three branches of Joomla here.
  3. Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
    <Files *.php>
    deny from all
    </Files>
  4. Try blocking requests with the ”BOT/0.1 (BOT for JCE)” User-Agent string.  Of course, this shouldn’t be considered as a real protection. Hackers can change the User-Agent string to whatever they want. But it can help keep some dumb annoying bots away from your site.
  5. If, for some reason, you can’t upgrade your site at this moment, consider placing it behind a website firewall that will block any malicious traffic before it reaches your server.  This is something that we call virtual patching in Sucuri CloudProxy.


Source: /stob-ecj-fo-noisavni/72/10/4102/moc.setisarapksamnu.golb

Read:3631 | Comments:0 | Tags:Website exploits exploit JCE Joomla

“Invasion of JCE Bots”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud