Joomla! 3.4.4 to 3.6.3 exploit: unauthorised user registration and privilege escalation

On October 25th, 2016 the Joomla team issued a security release for the 3.x series of Joomla. Joomla 3.6.4 fixes a high-severity security vulnerability that allows remote users to create new accounts, modify existing accounts, and elevate their privileges to those of a Super Administrator on any unpatched Joomla site. Combined, these issues can give an attacker complete control of your Joomla website. The affected Joomla versions are 3.4.4 through 3.6.3.

Just three days after the patch, the website security company Sucuri detected the exploit in use against live Joomla websites. Sucuri's software monitors real websites on the Internet, and they also run a series of honeypots to help them assess threats like this one. Their investigation showed initial attempts to create users by sending a crafted POST to /index.php/component/users/?task=user.register, creating a user called db_cfg with the password fsugmze3. If you have a user in your system with that username, you have been compromised. Sucuri also detected a campaign that mass-registered users with random usernames and passwords using the same method; in each of these cases the email address used to register the users was ringcoslio1981[@]gmail.com. Again, if you have a user in your system with this email address, you have been compromised and will need a full clean-down of your Joomla system to be sure it is safe. In the first 36 hours, they detected 27,751 attacks across the set of sites they have visibility over. Full details of their work are available here.

How do I know I've been hacked?

  • Check your users for a user called db_cfg or other unauthorised accounts
  • Check for users with the email address ringcoslio1981[@]gmail.com
  • Check your logs for requests from the IPs 82.76.195.141, 82.77.15.204, 81.196.107.174 or 185.129.148.216
  • Check your images and media folders for .pht files and other non-image files
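The four checks above can be run as a quick indicator sweep. The script below is an added example written for this article; it is not Sucuri's or the Joomla project's code. It assumes a web server writing a combined-format access log, a Joomla site under a single root directory, and the database table prefix set in configuration.php (jos_ is used as a stand-in). The access log, files and directory tree it scans are constructed sample data so the script runs stand-alone; point the functions at your real log, site root and prefix instead.

```shell
#!/bin/sh
# Added example (not from the original post): indicator-of-compromise sweep for the
# Joomla 3.4.4-3.6.3 registration/privilege-escalation issue.
# Assumptions: combined-format access log, one Joomla root directory, and the table
# prefix from configuration.php. All sample data below is constructed.

# IP addresses named in the post as sources of the attacks.
IOC_IPS='82.76.195.141 82.77.15.204 81.196.107.174 185.129.148.216'

# Print access-log lines that came from an indicator IP or hit the registration
# endpoint abused by the exploit. A line matching both is printed twice, so callers
# that need a count pipe through sort -u.
# Usage: scan_access_log /var/log/apache2/access.log
scan_access_log() {
    log="$1"
    for ip in $IOC_IPS; do
        # Trailing space stops 82.76.195.14 matching 82.76.195.141 and vice versa.
        grep -F "$ip " "$log" || true
    done
    grep -E 'POST /index\.php/component/users/\?task=user\.register' "$log" || true
}

# Number of distinct suspicious request lines in the log.
count_suspicious_requests() {
    scan_access_log "$1" | sort -u | wc -l | tr -d ' '
}

# List server-side script files hiding under the images/ and media/ trees.
# .pht is the extension seen in these attacks; no legitimate Joomla media file
# should carry a PHP-executable extension.
# Usage: find_script_files /var/www/joomla
find_script_files() {
    root="$1"
    find "$root/images" "$root/media" -type f \
        \( -iname '*.pht' -o -iname '*.phtml' -o -iname '*.php' \
           -o -iname '*.php5' -o -iname '*.phar' \) 2>/dev/null || true
}

# Print the SQL for the user-based indicators: the db_cfg account, the campaign's
# registration email, any account created on or after the disclosure date, and
# every member of the Super Users group (default Joomla group id 8).
# Usage: user_ioc_query jos_   (use the $dbprefix value from configuration.php)
user_ioc_query() {
    prefix="$1"
    printf "SELECT id, name, username, email, registerDate FROM %susers\n" "$prefix"
    printf "WHERE username = 'db_cfg'\n"
    printf "   OR email = 'ringcoslio1981@gmail.com'\n"
    printf "   OR registerDate >= '2016-10-25 00:00:00'\n"
    printf "ORDER BY registerDate;\n\n"
    printf "SELECT u.id, u.username, u.email FROM %susers u\n" "$prefix"
    printf "JOIN %suser_usergroup_map m ON m.user_id = u.id\n" "$prefix"
    printf "WHERE m.group_id = 8;\n"
}

# --- Constructed sample site so the script runs stand-alone -----------------
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/access.log" <<'EOF'
203.0.113.5 - - [28/Oct/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
82.76.195.141 - - [28/Oct/2016:10:02:17 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Oct/2016:10:03:44 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 0 "-" "python-requests/2.11"
203.0.113.9 - - [28/Oct/2016:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
185.129.148.216 - - [28/Oct/2016:10:05:31 +0000] "GET /images/stories/x.pht HTTP/1.1" 200 23 "-" "Mozilla/5.0"
EOF
mkdir -p "$SAMPLE_DIR/images/stories" "$SAMPLE_DIR/media/system"
: > "$SAMPLE_DIR/images/logo.png"
: > "$SAMPLE_DIR/images/stories/x.pht"
: > "$SAMPLE_DIR/media/system/index.html"

echo "Suspicious requests in access log: $(count_suspicious_requests "$SAMPLE_DIR/access.log")"
echo "Script files under images/ and media/:"
find_script_files "$SAMPLE_DIR"
echo "SQL to run against the site database:"
user_ioc_query jos_
```

On the sample log the sweep reports three suspicious requests (two registration POSTs, one of them from an indicator IP, plus a fetch from a second indicator IP) and flags images/stories/x.pht. The log and file checks are read-only; the SQL is printed rather than executed so you can review it before running it against the live database. A hit on any of these indicators means a clean rebuild, not just deleting the offending user.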

With an exploit of this scale, an unpatched Joomla system between 3.4.4 and 3.6.3 is likely to have been compromised already. We recommend updating your site as soon as possible, rebuilding from a backup taken on October 24th or earlier, and/or checking for new users in your Joomla administrator area. If you have been compromised and are unable to rectify the matter yourself, we can help you recover your Joomla system safely and implement a security strategy that will protect you going forward.

Last modified on Sunday, 30 October 2016 09:33
Joomla Expert

JoomlaExpert offers a full range of specialist Joomla website packages coupled with professional Joomla advice & long-term support. With clients based in the UK, Scotland, Republic of Ireland, Northern Ireland, the United States, Canada and Australia, we work with a diverse range of businesses providing world-class Joomla solutions. With specialist partners in Marketing, Graphic Design, Video Production, Hosting & Development, we manage your Joomla projects from end to end.

Dr. Ultan Sharkey (BBLS, MBS, Ph.D.) is an ecommerce consultant specializing in online shopping businesses. He holds a Master's degree in Ecommerce and a PhD in Online Shopping Experience from National University of Ireland Galway, where he is also an Adjunct Lecturer in the business school. He also owns www.barefoot.ie, a Joomla-based online shop for top-brand fitness equipment, and is a founding member of the eCommerce Association of Ireland (www.ecai.ie).

Ultan and his team have over 10 years' experience with Joomla, having worked with it since it forked from the Mambo CMS back in 2005.

