
Increased Exploitation in Web Content Management Systems

US-CERT is aware of recent increases in the exploitation of known vulnerabilities in web content management systems (CMSs) such as WordPress and Joomla. Compromised CMS installations can be used to host malicious content.

US-CERT recommends that users and administrators ensure that their CMS installations are patched or upgraded to remove known vulnerabilities. This may require contacting the hosting provider. Also, users and administrators can check for known vulnerabilities in the National Vulnerability Database by searching their CMS by name.

UPDATE: This is an update to emphasize post-exploitation clean-up.

Basic post-exploitation clean-up can be summarized by this: “Clean, Patch, and Monitor.”

Clean – Remove the malicious content AND validate all accounts, removing unauthorized accounts and paying particular attention to accounts with administrative or elevated privileges.

Patch – Keep systems patched and upgrade system software to the most current supported releases (predominantly Joomla in this ongoing campaign of exploitations).

Monitor – Stay abreast of new patches and version releases of your content management software, and patch when new versions are released. Also perform continuous baseline review of your site’s usage to detect abuse before your site is used to attack others.

A number of support sites and other open source forums have had recent discussions involving the exploitation of Joomla installs at versions 2.5.2 and earlier. Additional vulnerabilities have been identified and patched relating to versions 2.5.4 and earlier. In many instances, Joomla installs have been found to be very out of date. In these cases, the attacker self-registers an account and then escalates it to administrative privilege using vulnerabilities in the outdated software. Once privileges have been escalated, the attacker is able to modify the website, including uploading malicious content. The uploaded content may be malware to infect your website visitors, or tools to enable the attacker to leverage your website to launch denial-of-service attacks against others.
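For the "Clean" step, one way to review accounts for the self-register-then-escalate pattern described above is to list every unblocked account in a privileged group and flag those that are not on an approved list or were registered after a last known-good date. This is an added example, not part of the original advisory; it assumes Joomla 2.5-style tables with a `jos_` prefix and default group titles, and runs the query against constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Assumption: Joomla 2.5-style tables with the prefix "jos_"; real sites
# often use a different prefix, and group titles can be renamed.
PRIVILEGED_GROUPS = ("Manager", "Administrator", "Super Users")

AUDIT_SQL = """
SELECT u.username, g.title, u.registerDate
FROM jos_users u
JOIN jos_user_usergroup_map m ON m.user_id = u.id
JOIN jos_usergroups g ON g.id = m.group_id
WHERE g.title IN (?, ?, ?) AND u.block = 0
ORDER BY u.registerDate
"""

def audit_privileged_accounts(conn, approved, last_known_good):
    """Return (username, group, registered, reasons) for accounts to review."""
    findings = []
    for username, group, registered in conn.execute(AUDIT_SQL, PRIVILEGED_GROUPS):
        reasons = []
        if username not in approved:
            reasons.append("not on approved admin list")
        if registered > last_known_good:  # ISO timestamps compare as text
            reasons.append("registered after last known-good date")
        if reasons:
            findings.append((username, group, registered, reasons))
    return findings

def build_sample_db():
    """Constructed sample data, not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE jos_users (id INTEGER, username TEXT, block INTEGER, registerDate TEXT);
    CREATE TABLE jos_usergroups (id INTEGER, title TEXT);
    CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
    INSERT INTO jos_usergroups VALUES (2,'Registered'),(7,'Administrator'),(8,'Super Users');
    INSERT INTO jos_users VALUES
      (42,'siteowner',0,'2010-03-01 09:00:00'),
      (77,'editor1',0,'2011-06-12 14:30:00'),
      (913,'newuser8841',0,'2012-08-02 03:14:07');
    INSERT INTO jos_user_usergroup_map VALUES (42,8),(77,2),(913,2),(913,7);
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for row in audit_privileged_accounts(db, {"siteowner"}, "2012-01-01 00:00:00"):
        print(row)
```

The same SELECT can be run directly against the site's own database once the table prefix is adjusted; flagged accounts still need manual review before removal.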

If your site has been compromised, remember to “Clean, Patch, and Monitor.”

Published by
admin
