Recent round of WordPress, Joomla and Script Injections

Some of our customers are facing and are impacted by the recent round of “Forex” site injections. The typical symptoms are site injections redirecting users to a “forex” landing page.  Content can either be injected into existing pages, or, the injected bots can delete the content entirely and replace the content with code which accomplishes the same thing. The majority of the reported infections exploited a vulnerability in out-of-date Joomla and WordPress core, plugins, modules and templates. Infections leverage publicly known vulnerabilities in WordPress, WHMCS, and Joomla enabled servers, and other customized dynamic PHP/ASP/SQL web applications. Database injections, via these exploits is also possible, and can act as a back door to re-inject websites after they have been cleaned once. I wanted to take a few minutes and discuss what Cartika is doing to help our customers, and what customers should be doing to deal with this situation if you have been impacted by it Firstly, for all Cartika Proactively Managed customers (including shared/reseller hosting customers, as well as, all managed VPS, Cloud, and Dedicated server customers). Cartika has been performing a round of security updates and patches to all versions of server side platforms and applications.  This includes things like cPanel and Plesk, but, also things like PHP, Apache, etc. We have a very small percentage of accounts impacted (less then 200 accounts out of the approximate 100,000 accounts hosted on our networks). We are absolutely positive these injections are not coming from server side exposures, but, have simply taken extra measures to further lock down and secure our managed servers and of course ensure no potential server side access points exist. We also attempted to block these injection attacks server side by locking down PHP/IIS functions and creating new Firewall and/or MODSEC rules to block these injections.  Unfortunately however, there is only so much we can do, as if we lock things down too tight, the applications we are trying to protect become unusable and break.  For example, blocking move-uploaded-file function in PHP stops this injection from being able to do much, but, also breaks upload functions in applications like WordPress and Joomla.The applications rely on these functions to operate, and hackers are literally using these functions and calls to inject into exploitable coding. Therefore, blocking these functions is not a reasonable solution, since the applications themselves rely on them. So, the only real solution is for users to upgrade and patch their applications. Common applications like WordPress and Joomla should be updated to the absolute latest versions, including all modules, plugins, themes, etc.  WordPress today released a new version (4.3), and several common plugins and themes have released updates and patches as recently as today. Joomla has several new patches out which should be applied, and older versions of Joomla should be upgraded to the latest stable version.  Additionally, any modules, plugins, themes, etc which have not released a patch or update recently, should strongly be considered as unsafe and not used. At least until such time as their developers release a new patch, or confirm their plugins/themes/modules are not exploitable with the most recent publicly known vulnerabilities. A very good resource, outlining known WordPress injections, can be found HERE. Unfortunately, some of these security issues were in the wild for days before WordPress was able to identify and produce a patch. Of course, ALL customers have access to our Bacula4 platform, which will allow you to roll back all code and databases to a point prior to being injected, which will allow you to restore your applications and then patch them in order to avoid being re-injected. We are also scanning our large shared/reseller web servers and notifying users who are still injected. We recommend all customers with their own VPS,Cloud and/or Physical servers hosting customer websites read our KB article and take a quick look in their environments to make sure they are clean as well. We strongly urge everyone who is notified to address their injected sites, and ensure their applications and all plugins, themes, etc are all patched and up to date.  This can be a challenge, specifically with older versions of some applications, and we understand that.  However, once there are publicly known exploits like this, there is nothing that can be done to block the injections from occurring freely into your websites other the patching your applications and your code against the exploits. At this point, we feel most of this has been addressed and cleaned up.  There are still a small number of customers who either have not addressed this yet, or who have become re-injected, and we are notifying everyone we can find on a best effort basis