On October 25th, 2016 the Joomla team issued a security release for the 3.x series. Joomla 3.6.4 fixes high-severity security vulnerabilities that allow remote attackers to create new accounts, modify existing accounts, and elevate their privileges to Super Administrator on any site that has not been patched. Combined, these issues give an attacker enough power to take complete control of a Joomla website. The affected versions are 3.4.4 through 3.6.3.
Just three days after the patch, the website security company Sucuri detected the exploit in use against live Joomla websites. Sucuri's software monitors real websites on the Internet, and the company also runs a series of honeypots that help it assess threats of exactly this kind. Their investigation showed initial attempts to create users with a payload sent by POST to /index.php/component/users/?task=user.register, creating a user called db_cfg with the password fsugmze3. If you have a user with that username in your system, you have been compromised. Sucuri also detected a campaign that mass-registered users with random usernames and passwords through the same endpoint; in every one of those cases the email address used to register was ringcoslio1981[@]gmail.com. Again, if a user with this email address exists in your system, you have been compromised and will need a full clean-down of your Joomla installation to be sure it is safe. In the first 36 hours, Sucuri counted 27,751 attacks across the set of sites it has visibility over. Full details are in Sucuri's write-up.
How do I know I've been hacked?
- Check your users for an account called db_cfg, or any other account you did not create
- Check for users registered with the email address ringcoslio1981[@]gmail.com
- Check your web-server access logs for requests from 18.104.22.168, 22.214.171.124, 126.96.36.199, or 188.8.131.52, and for POST requests to /index.php/component/users/?task=user.register
- Check your images and media folders for .pht files and any other files that are not images; a web shell dropped there will run if the server executes that extension
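The four checks above can be scripted. The following is an added example written for this page, not code from the original post, from Joomla or from Sucuri. It assumes a web-server access log in the common/combined format (client IP as the first field), a Joomla media folder at images/ under the web root, and the Joomla database table prefix jos_ and default Super Users group id 8 (both are set at install time and vary between sites, so adjust them). The indicator values are the ones the post lists.

```shell
#!/bin/sh
# Added example for this page; not from the original post, Joomla or Sucuri.
# Assumptions: combined-format access log, media folder images/, table prefix
# jos_, Super Users group id 8 (default install). Adjust for your site.

IOC_USERNAME='db_cfg'
IOC_EMAIL='ringcoslio1981@gmail.com'
IOC_IPS='18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52'
REGISTER_URI='/index.php/component/users/?task=user.register'

# Count POSTs to the registration endpoint the exploit used and requests
# from the listed IPs. Prints "register=N iocip=M" for the given log file.
scan_log() {
    log="$1"
    reg=$(grep -cF "POST $REGISTER_URI" "$log" || true)
    hits=0
    for ip in $IOC_IPS; do
        # escape the dots so 18.104.22.168 does not also match 18x104...
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        n=$(grep -c "^$ip_re " "$log" || true)
        hits=$((hits + n))
    done
    echo "register=$reg iocip=$hits"
}

# List files under the media folder that are neither images nor the
# index.html placeholder Joomla ships in every media directory. Anything
# printed here (a .pht, .php, .phtml, ...) needs a manual look.
find_non_image_files() {
    dir="$1"
    find "$dir" -type f \
        ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' \
        ! -iname '*.gif' ! -iname '*.svg' ! -iname '*.webp' \
        ! -name 'index.html'
}

# Print the SQL for the user-table checks. Run the output against the
# Joomla database, e.g.:  user_check_sql jos_ | mysql -u root -p joomladb
# The prefix is an argument because it is chosen at install time.
user_check_sql() {
    prefix="$1"
    cat <<EOF
-- accounts matching the known indicators, or registered on/after the release
SELECT id, username, email, registerDate, block
FROM ${prefix}users
WHERE username = '$IOC_USERNAME'
   OR email = '$IOC_EMAIL'
   OR registerDate >= '2016-10-25';
-- every account in the Super Users group (id 8 in a default install)
SELECT u.id, u.username, u.email
FROM ${prefix}user_usergroup_map m
JOIN ${prefix}users u ON u.id = m.user_id
WHERE m.group_id = 8;
EOF
}

# Usage: triage /var/log/apache2/access.log /var/www/html/images jos_
triage() {
    echo "# access log: $1"
    scan_log "$1"
    echo "# non-image files under $2"
    find_non_image_files "$2"
    echo "# run against the Joomla database:"
    user_check_sql "$3"
}
```

A non-zero register count on a site that has user registration disabled is by itself a strong sign the exploit was attempted, because the vulnerable code accepted those registrations regardless of the setting; the IP and file checks then tell you whether it succeeded. The SQL only lists candidates, so review every row rather than looking for the known username alone.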
With an exploit this widespread, an unpatched Joomla site running 3.4.4 through 3.6.3 has most likely been compromised already. We recommend updating to 3.6.4 as soon as possible; if the site has been compromised, restore a backup taken on or before October 24th (before the attacks started) and apply the update immediately after restoring, since the restored site is still vulnerable until patched. In either case, check for new or modified users in your Joomla administrator area. If you have been compromised and are unable to rectify the matter yourself, we can help you recover your Joomla system safely and implement a security strategy that will protect you going forward.