Joomla! 3.4.4 and 3.6.3 exploit unauthorised users and escalated privileges hack

Just three days after the patch, the website security company Sucuri detected the exploit on live Joomla websites. Securi software watches real websites live on the Internet and they also run a series of honeypots to help them assess threats just like this. Their investigation showed initial attempts to create users using a payload to POST /index.php/component/users/?task=user.register creating a user called db_cfg and with password fsugmze3. If you have a user in your system with that username, you have been compromised. Sucuri also detected a hack to mass-register users with random usernames and password using this same method, in each of these cases the email address used to register users was ringcoslio1981[@]gmail.com. Again, if you have a user in your system with this email address, you have been compromised and will need a full clean down of your Joomla system to be sure your system is safe. In the initial 36 hours, they detected 27,751 attacks within the set of sites they have visibility over. Full details of their work are available here.

How do I know I've been hacked?

• Check your users for a user called db_cfg or other unauthorised ones
• Check for users with email ringcoslio1981[@]gmail.com
• Check logs for IPs  82.76.195.141; 82.77.15.204; 81.196.107.174; or 185.129.148.216
• Check your images and media folders for .pht files and other non-image files 

With an exploit of this size, an unpatched Joomla system between 3.4.4 and 3.6.3 is likely to have been compromised already. We recommend updating your site as soon as possible, rebuilding from a backup from October 24th or before, and/or checking for new users in your Joomla administrator area. If you have been compromised and are unable to rectify the matter yourself we can help you recover your Joomla system safely and implement a security strategy that will protect you going forward.