Recently, Joomla released Version 3.4.6 to address 4 security vulnerabilities. This patch includes security hardening of the user password reset system. It is highly recommended that users immediately upgrade to version 3.4.6.
The vulnerability affects Joomla versions 1.5 through 3.4.5. Attackers are already exploiting it in the wild by injecting an object through the HTTP User-Agent header, which gives them full remote command execution on the server.
Here’s what to look for to determine if you have been compromised, thanks to the security blog Sucuri, who first found the exploit.
If you are a Joomla user, check your web server logs right away. Look for requests from 18.104.22.168, 22.214.171.124 or 126.96.36.199, as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User-Agent field, as both have been used in the exploits. If you find any of these, consider your Joomla site compromised and move to the remediation / incident response phase.
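As an added example (not from the original post or from Sucuri), here is a small log checker that applies exactly the indicators listed above to Apache/nginx “combined” format lines: the three IP addresses and the two User-Agent strings. The sample log lines at the bottom are constructed for illustration, not taken from a real incident.

```python
import re
import sys

# Indicators quoted from the advisory above: the first three attacking IPs
# and the two strings to search for in the User-Agent header.
SUSPECT_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}
UA_MARKERS = ("JDatabaseDriverMysqli", "O:")

# Apache/nginx "combined" log format. The User-Agent is the last quoted field.
# Each quoted field allows backslash-escaped quotes, because the web server
# escapes any '"' found inside a header value before writing the line; the
# injected payloads contain quotes, so a naive [^"]* pattern would miss them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)


def check_line(line: str) -> list[str]:
    """Return the reasons a log line matches the advisory's indicators ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not combined format (or truncated); nothing to judge
    reasons = []
    if m["ip"] in SUSPECT_IPS:
        reasons.append(f"source ip {m['ip']} listed in advisory")
    for marker in UA_MARKERS:
        # "O:" is the serialized-object prefix; it is short, so review hits by hand.
        if marker in m["ua"]:
            reasons.append(f"user-agent contains {marker!r}")
    return reasons


def scan(lines) -> list[tuple[int, list[str]]]:
    """Scan an iterable of log lines; return (line_number, reasons) for each hit."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := check_line(line))]


# Constructed sample lines: a clean request, a request from a listed IP,
# a User-Agent with the class name (quotes escaped as Apache writes them),
# and a User-Agent carrying only the "O:" prefix.
SAMPLE_LOG = (
    '203.0.113.10 - - [14/Dec/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"\n'
    '18.104.22.168 - - [14/Dec/2015:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    '203.0.113.11 - - [14/Dec/2015:10:02:30 +0000] "GET / HTTP/1.1" 200 4096 "-" "probe/1.0 \\"JDatabaseDriverMysqli\\" test"\n'
    '203.0.113.12 - - [14/Dec/2015:10:03:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "scanner O:probe"\n'
)

if __name__ == "__main__":
    # Usage: python joomla_log_check.py /var/log/apache2/access.log  (or no arg for the sample)
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for n, reasons in scan(source):
        print(f"line {n}: {'; '.join(reasons)}")
```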
If you are using the old and unsupported versions 1.5.x or 2.5.x, apply the hotfixes here.
If you are a SS6 managed client and have questions, don’t hesitate to contact us.