The vulnerability, identified as
CVE-2015-8562, was patched in mid-December with the release of Joomla
3.4.6 and hotfixes for versions
2.5. The first attempts to exploit the flaw, which affects installations running Joomla
3.4.5, were spotted two days before the developers of the popular content management system (CMS) released patches.
Symantec has been monitoring attack attempts and detected, on average, 16,000 daily hits since the vulnerability was disclosed.
Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks. Some of the compromised machines can also host valuable information.
Symantec reported that their monitoring team already detected some infected servers, which are being used to redirect victims to suspicous URL addresses, and possibly for hosting malware.
The Joomla vulnerability targeted by attackers is caused by the lack of proper filtering when saving browser session values into the database. Sucuri has published a blog post detailing the flaw and how it can be exploited.
According to researchers, attackers have been trying to determine which servers are vulnerable by analyzing HTTP requests that try to call PHP functions such as
eval(chr()) on the server side.
Once a vulnerable server is identified, the attackers install a backdoor that allows them to execute commands, upload and download files, and modify the websites hosted on the server.
It is highly recommended for server administrator to avoid such situations by analyzing content of the "access log" file periodically and always keep Joomla updated.