CERT mailing list archives

Current Activity - Increased Exploitation in Web Content Management Systems


From: Current Activity <us-cert () us-cert gov>
Date: Fri, 4 Jan 2013 11:33:36 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Awareness System

US-CERT Current Activity
Increased Exploitation in Web Content Management Systems

Original release date: September 21, 2012
Last revised: January 4, 2013

US-CERT is aware of recent increases in the exploitation of known
vulnerabilities in web content management systems (CMSs) such as
WordPress and Joomla. Compromised CMS installations can be used to host
malicious content.

US-CERT recommends that users and administrators ensure that their CMS
installations are patched or upgraded to remove known vulnerabilities.
This may require contacting the hosting provider. Also, users and
administrators can check for known vulnerabilities in the National
Vulnerability Database by searching their CMS by name.

UPDATE: This is an update to emphasize post-exploitation clean-up.

Basic post-exploitation clean-up can be summarized as "Clean, Patch,
and Monitor."

Clean - Remove the malicious content AND validate all accounts, removing
unauthorized accounts and paying particular attention to accounts with
administrative or elevated privileges.

Patch - Keep systems patched and upgrade system software to the most
current supported releases (predominantly Joomla in this ongoing
campaign of exploitations).

Monitor - Stay abreast of new patches and version releases of your
content management software, and patch when new versions are released.
Also perform continuous baseline review of your site's usage to detect
abuse before your site is used to attack others.
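The following script is an added example for the Clean and Patch steps above; it is not part of the US-CERT advisory and not Joomla or WordPress code. It flags elevated accounts that are not on an approved list, accounts registered inside the window under review, the overlap of the two (an account that was self-registered and now holds administrative privilege), and it compares the installed release against the current supported one numerically rather than as strings. The user records, field names, group names and approved list are constructed assumptions modelled loosely on a Joomla users table; a real audit would query the CMS database instead.

```python
"""Post-compromise account and version audit for a CMS install.

Added example, not US-CERT code. The user records below are constructed
inline to resemble a Joomla users table joined with its user-group map;
the field and group names are assumptions, not a guaranteed schema.
"""
from datetime import datetime

# Constructed sample data: an export of the CMS users table might look like this.
SAMPLE_USERS = [
    {"username": "siteadmin", "groups": ["Super Users"],
     "register_date": "2011-03-02", "last_visit": "2012-09-20"},
    {"username": "editor1", "groups": ["Editor"],
     "register_date": "2011-05-14", "last_visit": "2012-09-18"},
    {"username": "jsmith84", "groups": ["Registered", "Administrator"],
     "register_date": "2012-09-15", "last_visit": "2012-09-19"},
    {"username": "newuser", "groups": ["Registered"],
     "register_date": "2012-09-16", "last_visit": "2012-09-16"},
]

# Groups treated as elevated for this audit (assumed names, adjust per install).
ELEVATED_GROUPS = {"Administrator", "Super Users", "Manager"}


def parse_version(text):
    """Turn '2.5.4' into (2, 5, 4) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def version_needs_upgrade(installed, current_supported):
    """True when the installed release is older than the current supported release.

    A plain string comparison gets this wrong: '2.5.4' < '2.5.10' is False as
    strings but True as versions, which is why the tuples are compared.
    """
    return parse_version(installed) < parse_version(current_supported)


def audit_accounts(users, approved_admins, registered_after):
    """Return findings as tuples.

    ('unapproved_elevated', username, [groups]) for elevated accounts not on the
    approved list; ('recent_registration', username, date) for accounts created
    after the cutoff, i.e. inside the self-registration window being reviewed.
    """
    cutoff = datetime.strptime(registered_after, "%Y-%m-%d")
    findings = []
    for user in users:
        elevated = set(user["groups"]) & ELEVATED_GROUPS
        if elevated and user["username"] not in approved_admins:
            findings.append(("unapproved_elevated", user["username"], sorted(elevated)))
        if datetime.strptime(user["register_date"], "%Y-%m-%d") > cutoff:
            findings.append(("recent_registration", user["username"], user["register_date"]))
    return findings


def escalation_suspects(findings):
    """Usernames that are both recently registered and unapproved-elevated:
    the self-register-then-escalate pattern, and the first accounts to remove."""
    recent = {f[1] for f in findings if f[0] == "recent_registration"}
    elevated = {f[1] for f in findings if f[0] == "unapproved_elevated"}
    return sorted(recent & elevated)


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_USERS, {"siteadmin"}, "2012-09-01")
    for finding in results:
        print(finding)
    print("escalation suspects:", escalation_suspects(results))
    # Installed/current versions are placeholders; read them from the install.
    print("upgrade needed:", version_needs_upgrade("2.5.4", "2.5.10"))
```

The approved-admin list is the control here: it should come from a change-controlled record of who is supposed to hold elevated access, not from the compromised database itself, otherwise an attacker-created administrator simply approves itself.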

A number of support sites and other open source forums have had recent
discussions involving the exploitation of Joomla installs at version
2.5.2 and earlier. Additional vulnerabilities have been identified and
patched affecting versions 2.5.4 and earlier. In many instances Joomla
installs have been found to be very out of date. The attacker would
self-register an account and then escalate that account to
administrative privilege using vulnerabilities in the outdated
software. Once privileges have been escalated, the attacker is able to
modify the website and upload malicious content. The uploaded content
may be malware to infect your website visitors, or tools that enable the
attacker to use your website to launch denial-of-service attacks against
others.
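The baseline review recommended under Monitor is the control that catches the outcome described above: uploaded content that was never part of the site starts being requested, and traffic volume departs from normal. The script below is an added example, not part of the advisory, that builds a per-path request baseline from one access log extract and reports paths absent from the baseline plus paths whose request count exceeded a multiple of their baseline. Both log extracts are constructed inline in Common Log Format; the addresses, dates, paths and the spike threshold are made-up assumptions.

```python
"""Baseline review of web access logs for a CMS site.

Added example, not US-CERT code. Both log extracts are constructed here in
Common Log Format; addresses, dates and paths are fabricated for illustration.
"""
import re
from collections import Counter

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def log_line(ip, day, method, path, status, size):
    """Build one constructed CLF line; used only to fabricate the sample extracts."""
    return f'{ip} - - [{day}/Sep/2012:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed baseline: a quiet period's traffic, in miniature.
BASELINE_LINES = (
    [log_line("198.51.100.10", 10, "GET", "/index.php", 200, 5120)] * 8
    + [log_line("198.51.100.11", 11, "GET", "/images/logo.png", 200, 2048)] * 8
    + [log_line("198.51.100.12", 12, "POST", "/index.php?option=com_users", 303, 0)] * 2
)

# Constructed review window: a file that was never served before is now being
# requested, and the front page is hit far more often than in the baseline.
REVIEW_LINES = (
    [log_line("203.0.113.5", 19, "GET", "/index.php", 200, 5120)] * 60
    + [log_line("198.51.100.11", 19, "GET", "/images/logo.png", 200, 2048)] * 7
    + [log_line("203.0.113.5", 19, "POST", "/images/stories/upload.php", 200, 312)] * 3
)


def parse_lines(lines):
    """Yield the fields of each line that matches CLF; unparseable lines are skipped."""
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def path_counts(lines):
    """Requests per path with the query string stripped; the unit the baseline uses."""
    return Counter(rec["path"].split("?", 1)[0] for rec in parse_lines(lines))


def review_against_baseline(baseline_lines, review_lines, spike_factor=5):
    """Compare a review extract to the baseline.

    Returns ('new_path', path, count) for paths never seen in the baseline and
    ('spike', path, baseline_count, review_count) for paths whose request count
    grew by more than spike_factor. Findings are ordered by path.
    """
    base = path_counts(baseline_lines)
    now = path_counts(review_lines)
    findings = []
    for path, count in sorted(now.items()):
        if path not in base:
            findings.append(("new_path", path, count))
        elif count > base[path] * spike_factor:
            findings.append(("spike", path, base[path], count))
    return findings


if __name__ == "__main__":
    for finding in review_against_baseline(BASELINE_LINES, REVIEW_LINES):
        print(finding)
```

The baseline must be taken from a period you have reason to believe was clean, and the two extracts should cover comparable spans of time; a weekly baseline compared against a single busy hour will report spikes everywhere. A new path that is a script under a directory meant for static uploads is the kind of finding to triage first, since it matches the uploaded-content outcome the advisory describes.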

If your site has been compromised, remember to "Clean, Patch, and
Monitor."

Relevant URL(s):
<http://web.nvd.nist.gov/view/vuln/search>


____________________________________________________________________

   Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/current/#increase_exploitation_in_web_content

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUOcEVndnhE8Qi3ZhAQKIHAf9G8yN9KuNN1BBVV4jWvNfWkXr/Kn29ioP
mAjThbF21S3JCibOnYPZkbqoCGge6grPUGj4M/B8ItEPpts4/37+S8OAdYDzvZWq
/Lrm/Bd5Gih7DAkIeaDQVRVYhi+fYCd9WlWbQEH1bD8B1lo44FTCm2gBVv9xgg/l
t2hHznTW0f0jHCDCberjahSJF5ZeH9IjdVIyhfqZvYJ41XK9/CHN6BrmQTppEq/3
f3LbZCWYJRLBB/INoBuSUCtwqaC7gBZpN+GIdpR/fNNTjdAiBR9fvg7OtBubL2nW
dc24MNnEe0P04lAs7Y1uotUdKB7bCipyinwLWuKs5gFpOXDIBVANww==
=fTlk
-----END PGP SIGNATURE-----

