Compromised Joomla 1.5 and Wordpress sites
Posted by simonw
on Mon 21 Jan 2013 at 13:42
A spammer just sent me a list of 1701 compromised websites; I suspect the email was only supposed to have 1, and not 1701, redirects in it.
All those checked are (or were in the case of defaced ones) running Wordpress or Joomla.
This spammer has stuck PHP redirectors named "yahooo.php" or "yahooocool.php" into all the sites they have compromised.
I've notified the worst affected hosting providers, but the list is clearly incomplete, so your absence doesn't mean you aren't compromised.
However, it was enough to make me run 'find . -name "yahooo*php"' over our clients' hosting space - just in case - fortunately nothing found.
I'd suggest it to those out there doing hosting of Wordpress or Joomla, especially any sites with Joomla 1.5 (or earlier - no surely not).
Joomla 1.5 was the long-term stable release but support expired December last year. So presumably it is compromised, or a common plugin is compromised. Probably a good time to upgrade if your site isn't owned already.
Wordpress versions include 3.4.2 and 3.5. I've asked a couple of those running recent Wordpress if they can tell me what happened.
I suspect old news in the vulnerability stakes - it usually is - but it's rare that the spammers give quite such a comprehensive list to someone who knows what it means, and since the spammers have been giving me such a hard time I figured I'd spend half an hour sharing it with those who need to know.
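
An added example, not part of the original post: the `find` check from the post, extended to report matches per site across a shared-hosting tree. It assumes each site is a directory directly under the hosting root; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Sweep a hosting root for the redirector file names reported in the post
# (yahooo.php, yahooocool.php) using the post's own pattern, 'yahooo*php'.
# Assumption: every customer site is a directory directly under the root.

# Print "site<TAB>path" for each regular file matching the pattern.
scan_redirectors() {
    root=$1
    for site in "$root"/*; do
        [ -d "$site" ] || continue
        name=$(basename "$site")
        find "$site" -type f -name 'yahooo*php' 2>/dev/null |
        while IFS= read -r f; do
            printf '%s\t%s\n' "$name" "$f"
        done
    done
}

# Print only the names of sites with at least one match, one per line.
affected_sites() {
    scan_redirectors "$1" | cut -f1 | sort -u
}

# Constructed sample tree (not real data): two sites carry the files,
# one site is clean. Prints the path of the temporary directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site-a/wp-content/uploads" "$d/site-b/templates" "$d/site-c"
    : > "$d/site-a/wp-content/uploads/yahooo.php"
    : > "$d/site-b/templates/yahooocool.php"
    : > "$d/site-b/templates/index.php"
    : > "$d/site-c/index.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/hosting/root
# With no argument, run against the constructed sample tree instead.
if [ $# -gt 0 ]; then
    scan_redirectors "$1"
else
    demo=$(make_sample_tree)
    scan_redirectors "$demo"
    rm -rf "$demo"
fi
```

A clean result only says these two file names are absent; as the post notes of the spammer's list, absence doesn't mean a site isn't compromised.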