The SANS Internet Storm Center has issued a warning stating that numerous open source CMS systems, including WordPress and Joomla sites, have been compromised and hijacked in order to spread malicious applications known as “scareware”.
Scareware is a relatively new term used to describe software which tricks users into believing that their systems are infected with viruses, Trojans or malware. The users are manipulated into downloading phony anti-virus software, fake firewalls, or other applications (Magento extensions as well) which then act as a vector for further attacks.
The Scareware is not being spread through new “zero-day” exploits, or even recent vulnerabilities. Rather, the attackers are simply pushing the exploit through as many older, un-patched installs of Joomla and WordPress as they can find. Most patched up-to-date sites should be unaffected.
The attackers are reaching sites by uploading PHP code disguised as a gif image to the server, then run the code remotely. This code can be used to contaminate other files of the server, including mootools. From there, the attackers can then insert iFrames into the front-end of the website, presenting their pop-up warnings to users and tricking them into downloading the malicious applications.
Another use for these infected websites is traffic redistribution systems – attackers infect popular websites, and use the iFrames to send traffic to other sites. They sell the extra traffic to unsuspecting webmasters, who think that they are buying legitimate visitors.
The ISC says that these attacks are preventable with basic precautions. If you are running the latest version of your CMS and have your file permissions set correctly (do not set code folders to 777!) then your site should be safe from this particular attack. If you have any concerns about the safety or security of your website, check your file permissions and look through your javascript code to make sure that there are not any suspicious iFrames in them.
