{"id":2631,"date":"2015-12-16T08:44:42","date_gmt":"2015-12-15T23:44:42","guid":{"rendered":"https:\/\/jirak.net\/wp\/new-joomla-exploit-cve-2015-8562\/"},"modified":"2015-12-16T08:44:42","modified_gmt":"2015-12-15T23:44:42","slug":"new-joomla-exploit-cve-2015-8562","status":"publish","type":"post","link":"https:\/\/jirak.net\/wp\/new-joomla-exploit-cve-2015-8562\/","title":{"rendered":"New Joomla Exploit CVE-2015-8562"},"content":{"rendered":"<p>A new zero-day remote code execution vulnerability in Joomla is being actively exploited. Details are described in <a target=\"_blank\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-8562\">CVE-2015-8562<\/a>; it affects Joomla 1.5.0 through 3.4.5 and is fixed in Joomla 3.4.6.<\/p>\n<p>It is recommended that you update Joomla immediately, but if you cannot do that, or cannot change the files on your backend servers, you can apply a mitigation in NGINX or NGINX Plus on the frontend.<\/p>\n<p><strong>Note<\/strong>: We strongly advise you to update your Joomla installations as soon as possible, even if you deploy this NGINX config today. The NGINX rule filters the known attack pattern; it does not fix the underlying vulnerability. 
<\/p>\n<p>You can read about the exploit and the patch at the <a target=\"_blank\" href=\"http:\/\/www.joomlaexploit.com\">Joomla site<\/a>, the <a target=\"_blank\" href=\"https:\/\/blog.sucuri.net\/2015\/12\/remote-command-execution-vulnerability-in-joomla.html\">Sucuri blog<\/a>, or <a target=\"_blank\" href=\"http:\/\/arstechnica.com\/security\/2015\/12\/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla\/\">Ars Technica<\/a>, among others.<\/p>\n<h3>Identifying the Attack<\/h3>\n<p>Vulnerable Joomla versions store the <code>User-Agent<\/code> (and <code>X-Forwarded-For<\/code>) request header in the session, and PHP deserializes the stored session data when the session is loaded. An attacker who places a serialized PHP object in the header therefore gets it instantiated on the server; the objects used in the published attack chain their methods until a <code>call_user_func()<\/code> on attacker-supplied values is reached, which gives remote code execution.<\/p>\n<p>The original attacks came from these IP addresses:<\/p>\n<ul>\n<li>On 12 December 2015\u00a0\u2013\u00a074.3.170.33<\/li>\n<li>On 13 December 2015\u00a0\u2013\u00a0146.0.72.83 and 194.28.174.106<\/li>\n<\/ul>\n<p>The attack is usually performed by placing the payload in the <code>User-Agent<\/code> header and can be identified by these values inside the header: <code>JDatabaseDriverMysqli<\/code> (the outermost class in the gadget chain) and <code>O:<\/code> (capital letter O followed by a colon, the PHP serialization marker for an object, as in <code>O:21:\"JDatabaseDriverMysqli\"<\/code>).<\/p>\n<p>The Sucuri blog post linked above provides the following sample log entry from an attack. A double quote inside a logged header is written as <code>\\x22<\/code> and a backslash as <code>\\x5C<\/code>, which is why the serialized payload appears in this escaped form.<\/p>\n<pre><code class=\"config\">2015 Dec 12 16:49:07 clienyhidden.access.log\nSrc IP: 74.3.XX.XX \/ CAN \/ Alberta\n74.3.XX.XX [12\/Dec\/2015:16:49:40 -0500] GET \/contact\/ HTTP\/1.1 403 5322 http:\/\/google.com\/ }__test|O:21:\\x22JDatabaseDriverMysqli\\x22:3:..{s:2:\\x22fc\\x22;O:17:\\x22JSimplepieFactory\\x22:0:..{}s:21:\\x22\\x5C0\\x5C0\\x5C0disconnectHandlers\\x22;a:1:{i:0;a:2:{i:0;O:9:\\x22SimplePie\\x22:5:..{s:8:\\x22sanitize\\x22;O:20:\\x22JDatabaseDriverMysql\\x22:0:{}s:8:\\x22feed_url\\x22;s:60:..<\/code><\/pre>\n<h3>Applying a Fix in NGINX or NGINX Plus<\/h3>\n<p>Use this\u00a0snippet of NGINX configuration to block the original IP addresses and any request where the <code>User-Agent<\/code> header contains <code>O:<\/code> or <code>JDatabaseDriverMysql<\/code> (which also matches <code>JDatabaseDriverMysqli<\/code>). 
To block additional IP addresses, add them to the list in the second <code>map<\/code> block. The <code>O:<\/code> match is case-sensitive, because the PHP object marker is a capital O; a case-insensitive match would also reject legitimate User-Agent strings that happen to contain a lower-case <code>o:<\/code>, such as a <code>mailto:<\/code> contact address in a crawler's User-Agent.<\/p>\n<pre><code class=\"config\">http {\n    # Flag any User-Agent carrying a serialized PHP object (\"O:\" is the PHP\n    # object marker) or naming the JDatabaseDriverMysql gadget class.\n    map $http_user_agent $blocked_ua {\n        ~O: 1;\n        ~(?i)JDatabaseDriverMysql 1;\n        default 0;\n    }\n    # Source addresses seen in the original attacks; add further ones here.\n    map $remote_addr $blocked_ip {\n        74.3.170.33 1;\n        146.0.72.83 1;\n        194.28.174.106 1;\n        default 0;\n    }\n    server {\n        listen 80;\n        # Reject flagged requests before they reach the Joomla backend.\n        if ($blocked_ua) { return 403; }\n        if ($blocked_ip) { return 403; }\n        # ...\n    }\n}<\/code><\/pre>\n<p>This rule inspects only the <code>User-Agent<\/code> header. Vulnerable Joomla versions also store the <code>X-Forwarded-For<\/code> header in the session, so the same serialized payload can be delivered there; apply the same <code>map<\/code> test to <code>$http_x_forwarded_for<\/code> if you rely on this mitigation. Note also that <code>$remote_addr<\/code> is the address of the direct client, so if NGINX itself sits behind another proxy or load balancer the IP block list will not see the true source.<\/p>\n<p>For further information, see <a href=\"https:\/\/www.nginx.com\/resources\/admin-guide\/restricting-access\/\">this article<\/a> on how to restrict access to your site.<\/p>\n<p>Post your experience in the Comments below.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.nginx.com\/blog\/new-joomla-exploit-cve-2015-8562\/\">New Joomla Exploit CVE-2015-8562<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.nginx.com\">NGINX<\/a>.<\/p>\n<p>Source: nginx<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>There is a new zero day exploit in Joomla. Details are described in CVE-2015-8562. It is recommended that you update Joomla immediately, but if you cannot do that or cannot change the files on your backend servers, you can apply a fix in NGINX or NGINX Plus on the frontend. Note: We strongly advise to update your Joomla installations as soon as possible, even if you patch your site today with this NGINX config. You can read about the exploit and the patch at the Joomla site, the Sucuri blog, or Ars Technica, among others. 
Identifying the Attack The original attacks came from these IP addresses: On 12 December 2015\u00a0\u2013\u00a074.3.170.33 On 13 December 2015\u00a0\u2013\u00a0146.0.72.83 and 194.28.174.106 The attack is usually performed by modifying the User-Agent header and can be identified by these values inside the header: JDatabaseDriverMysqli and O: (capital <a class=\"mh-excerpt-more\" href=\"https:\/\/jirak.net\/wp\/new-joomla-exploit-cve-2015-8562\/\" title=\"New Joomla Exploit CVE-2015-8562\">[ more&#8230; ]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[169],"tags":[652],"class_list":["post-2631","post","type-post","status-publish","format-standard","hentry","category-news","tag-nginx"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/2631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/comments?post=2631"}],"version-history":[{"count":0,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/2631\/revisions"}],"wp:attachment":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media?parent=2631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/categories?post=2631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/tags?post=2631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
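The "Identifying the Attack" indicators above, run over access-log lines as an added example that is not code from the original post or from NGINX: a Python script that applies the same three tests (known source IP, the `O:` PHP object marker, the `JDatabaseDriverMysql` gadget class) to lines in NGINX's default "combined" log format. It goes slightly beyond the post's literal `O:` match by requiring the full serialized-object header `O:<length>:"`, accepting the quote either raw or in NGINX's `\x22` escaped form, so that a lower-case `o:` such as `mailto:` in a crawler User-Agent is not flagged. All sample log lines are constructed for this example; the first mirrors the shape of the Sucuri entry quoted in the post with the payload shortened.

```python
"""Scan NGINX access-log lines for the CVE-2015-8562 indicators.

Added example, not code from the original post or from NGINX.  All sample
log lines in SAMPLE_LOG are constructed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# Source addresses named in the post.
BLOCKED_IPS = frozenset({"74.3.170.33", "146.0.72.83", "194.28.174.106"})

# NGINX "combined" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
# NGINX escapes a double quote inside a logged variable as \x22, so the
# quoted fields never contain a raw quote and [^"]* is a safe field match.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Header of a serialized PHP object: O:<length>:"<class name>".  The quote is
# accepted raw or in NGINX's \x22 escaped form.  Requiring the length and the
# quote keeps a lower-case "o:" (as in "mailto:") from matching.
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:(?:"|\\x22)')
# Gadget class of the published chain; the prefix matches both the Mysql and
# Mysqli driver classes that appear in the sample payload.
GADGET_CLASS_RE = re.compile(r"JDatabaseDriverMysql", re.IGNORECASE)


class Hit(NamedTuple):
    ip: str
    time: str
    reasons: List[str]


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into its named fields."""
    match = COMBINED_RE.match(line)
    if match is None:
        raise ValueError(f"not a combined-format log line: {line[:60]!r}")
    return match.groupdict()


def indicators(ip: str, user_agent: str) -> List[str]:
    """Return the indicators that fire for one request (empty list if none)."""
    reasons = []
    if ip in BLOCKED_IPS:
        reasons.append("known attacker IP")
    if SERIALIZED_OBJECT_RE.search(user_agent):
        reasons.append("serialized PHP object in User-Agent")
    if GADGET_CLASS_RE.search(user_agent):
        reasons.append("JDatabaseDriverMysql gadget class in User-Agent")
    return reasons


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return a Hit for every log line that triggers at least one indicator."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        reasons = indicators(fields["ip"], fields["ua"])
        if reasons:
            hits.append(Hit(fields["ip"], fields["time"], reasons))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # Shape of the Sucuri sample from the post, payload shortened.
    r'74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 '
    r'"http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;'
    r'O:17:\x22JSimplepieFactory\x22:0:{}}"',
    # Ordinary browser traffic.
    r'203.0.113.5 - - [13/Dec/2015:09:01:02 -0500] "GET / HTTP/1.1" 200 1234 "-" '
    r'"Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"',
    # Lower-case "o:" in a legitimate crawler User-Agent: must not be flagged.
    r'198.51.100.7 - - [13/Dec/2015:09:05:00 -0500] "GET /robots.txt HTTP/1.1" 200 88 "-" '
    r'"Mozilla/5.0 (compatible; ExampleBot/1.0; mailto:bot@example.com)"',
    # Same exploit from an address that is not on the block list.
    r'192.0.2.44 - - [14/Dec/2015:02:11:37 -0500] "GET /index.php HTTP/1.1" 403 5322 "-" '
    r'"O:20:\x22JDatabaseDriverMysql\x22:0:{}"',
    # Known attacker address with an innocuous User-Agent.
    r'146.0.72.83 - - [13/Dec/2015:11:20:15 -0500] "GET / HTTP/1.1" 200 5322 "-" "curl/7.43.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ip:15} {hit.time}  {'; '.join(hit.reasons)}")
```

To run it against a real log, pass the file's lines to `scan()` instead of `SAMPLE_LOG`; a `ValueError` on a line means the server uses a custom `log_format`, in which case `COMBINED_RE` has to be adjusted to that format.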