A serious security vulnerability has been discovered in old and outdated versions of the popular Joomla! extension VirtueMart; several thousand installations are believed to be affected.
More information is available at:
All users need to upgrade, or remove, the affected VirtueMart Joomla! extension.
The versions of VirtueMart that appear to be safe are 2.6.8c and 2.6.10c.
Unfortunately, we cannot provide any support for this. We are just the messenger letting you know that a serious security threat exists. If you are using a vulnerable version and you do nothing, your web hosting account will likely get hacked. We may have to suspend or disable web hosting accounts that are hacked, or that do not upgrade or otherwise resolve this issue.
If you require support for this, you may want to contact your web developer or web designer for more information. Additional support may be found directly at the VirtueMart Support Forums:
or at the Joomla! support forums:
Again, we are just advising you that a threat exists. If you do not know what to do about this, I encourage you to seek help at one of the above forums.
Steven – AMS Support
PLEASE READ IF YOU ARE SEEING A LOGIN PROMPT WHEN TRYING TO ACCESS YOUR WORDPRESS ADMIN AREA
Some of you may be aware that there is a growing botnet across the Internet that has essentially been launching a DDoS attack against WordPress installations everywhere.
WordPress is an extremely popular blogging and CMS platform. Many people use it. It is widely installed throughout the Internet and on our web hosting servers. This makes it a very inviting target for hackers and other malicious users to take advantage of.
The attack consists of thousands upon thousands of IP addresses all trying to log in to the WordPress admin panel of various sites. Every one of those requests is a password guess, so this is a brute-force attack; but all of these requests also undermine the performance of the server, because the server has to respond to each of them. That is why it has essentially become a DDoS-like attack.
Up until now, we have been able to mitigate most of this with a series of IP blocks. Unfortunately that approach is reaching its saturation point and is no longer effective, because each attacking address only makes a few attempts before the next one takes over. The next step in mitigating this is to put a separate login prompt in front of the WordPress login page. With this enabled, you will see a dialog box from your browser when you go to log in to your WordPress admin panel, asking you to enter a specific set of characters as the username and the answer to a simple addition problem as the password. This is becoming the standard way to mitigate this attack.
We don’t yet know if we will deploy this server-wide or if we will do it on an account-by-account basis. But it is becoming clear that we are going to have to deploy this system in some capacity.
If you see this dialog box pop up on your WordPress admin panel login screen, don’t be alarmed. It is a mitigation solution to stop this WordPress login attack.
We do apologize for having to deploy this, but if we do nothing this attack is just going to continue to undermine server performance for your site and all of the other sites on our web hosting servers.
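The following is an added example, not code from the original post or from AMS Support: it parses a handful of constructed Apache access-log lines and separates the two things the post describes, a single noisy address that per-IP blocking handles, and a distributed flood of addresses that each try only a couple of times, which is why the IP-block approach saturates. The log format, thresholds and addresses are assumptions for illustration.

```python
"""Spot the distributed wp-login.php brute-force pattern in an Apache access log."""
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample, not real traffic. Five hosts POST to wp-login.php only
# once or twice each (the botnet pattern); one host, 203.0.113.7, hammers
# away on its own; one unrelated GET is mixed in.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.31 - - [12/Apr/2013:10:01:07 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Apr/2013:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.91 - - [12/Apr/2013:10:01:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:20 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""
# The lone noisy host: ten attempts in ten seconds (also constructed).
SAMPLE_LOG += "".join(
    f'203.0.113.7 - - [12/Apr/2013:10:02:{i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"\n'
    for i in range(10)
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines):
    """Count POSTs to wp-login.php per source IP (any site prefix, query string ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return counts


def analyse(lines, per_ip_threshold=10, distinct_ip_threshold=5):
    """Summarise the attack and show how much a per-IP block list would catch."""
    counts = login_attempts(lines)
    noisy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    total = sum(counts.values())
    return {
        "total_attempts": total,
        "distinct_ips": len(counts),
        "noisy_ips": noisy,                       # candidates for an IP block
        "blocked_by_ip_rules": sum(counts[ip] for ip in noisy),
        "distributed": len(counts) >= distinct_ip_threshold,  # IP blocks won't keep up
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample, blocking the one noisy host stops 10 of 18 attempts; the remaining 8 come from five addresses that never cross a per-IP threshold, which is the case for a measure that applies to every request, such as the login prompt the post describes.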
We have seen a flurry of accounts being hacked through outdated Joomla! Content Editor (JCE) components. Because of this we have made the decision to go through all of our servers and remove/disable all outdated JCE components.
The reason for this is that the accounts with outdated JCE components are being broken into, compromised, and used to send out spam. This affects the integrity of our servers, and it is not fair to the other users on the server, who do keep their scripts and components up to date, to have to deal with a server that is blacklisted for sending spam.
It seems that a large portion of our users are unable or unaware of the need to keep their scripts, components, plugins, extensions, and themes up to date. Disabling these outdated JCE components will hopefully bring to light why it is so important to keep things up to date.
The latest version of the Joomla! Content Editor (as of May 30, 2013) is 184.108.40.206. If you are not using that version then your version is outdated and potentially dangerous, and that is why it has been disabled/removed. The website for the Joomla! Content Editor is:
We wanted our users to be aware of this.
Last month (October 2012) we sent out notices to users who we found to be running outdated WordPress and Joomla! scripts. We will be doing that again this month, and I hope to make this a monthly notice.
If you received a notice in October about an outdated script and you receive another one this month, this simply means that – according to our records – you have not updated the outdated script. We feel that keeping your scripts up to date is important and should be done in order to keep your website safe. That is the purpose of these notices, to inform you that you are running outdated scripts.
Once you update a script, and then keep it updated, you will not receive these outdated notices.
I hope to send the outdated notices early next week to the accounts on our servers.
As I was reading through some of my daily security updates, I came across this post from Secunia:
which I found to be very interesting.
The article focuses mainly on why software updates on your personal computer are important (keeping Adobe Flash, Adobe Reader, Java, etc. up to date) and while this is important, this same principle can be applied to other aspects of your web life. Your web hosting account, the scripts you use for your web site, even your smartphone.
An important quote from the article:
“If you do not update your software with the latest security update, you cannot be sure that it is secure. Software has vulnerabilities, and these vulnerabilities work as a potential open door to your computer for hackers, who exploit these openings to gain access to your computer and everything on it – including your bank and credit card details, your passwords, and all your social media activity.
As NorSIS also states: “Software programs that aren’t updated are one of the most commonly used methods by criminals to take control of private PCs. It is incredibly important to keep the programs updated.””
So again, just remember that it is important that you keep all software up to date with the latest security patches and this will greatly improve your overall web security.
The Joomla! developers recently released a new version of their popular CMS, Joomla! 2.5, which replaces Joomla! 1.7. Joomla! 1.7 reaches end-of-life on February 24th, 2012, meaning that no further updates or releases will be made for the Joomla! 1.7 line. All Joomla! 1.7 users need to upgrade to Joomla! 2.5 before February 24th, 2012 so that their website remains safe and secure.
For a better understanding of this, let’s take a look at all of the current Joomla! products:
Joomla! 2.5
Currently the latest version of Joomla! 2.5 is 2.5.1. All users of Joomla! 1.7 need to upgrade to this release tree.
Joomla! 1.7
This version of Joomla! is being retired and replaced with Joomla! 2.5. Versions of Joomla! 1.7 include 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, and 1.7.5. If you are using ANY of these versions then you need to upgrade to Joomla! 2.5.1. Support for Joomla! 1.7 ends on Friday, February 24th, 2012; this comes directly from the Joomla! developers. What this means is that if you continue to use Joomla! 1.7 after February 24th and a vulnerability is found in the 1.7 line, the Joomla! developers will not fix it. Your website will likely be defaced and hacked, and your web hosting account compromised. We may have to suspend or disable your web hosting account if this happens. PLEASE upgrade your Joomla! 1.7 site to Joomla! 2.5 as soon as possible.
Joomla! 1.5
This is a legacy release of Joomla!. As far as I am aware, there is no direct upgrade path from Joomla! 1.5 to Joomla! 2.5. But as far as I know, Joomla! 1.5 is not going end-of-life on February 24th, so users of Joomla! 1.5 may continue to use this version of the script. The latest version of Joomla! 1.5 is 1.5.25. As long as you keep this updated to the latest version of Joomla! 1.5, you should be safe and secure.
Joomla! 1.0 or others
If you are using Joomla! 1.0 or any other version of Joomla! on your website, then it has long since reached end-of-life and is extremely outdated. Anybody still using such a version of Joomla! is at high risk of being attacked, hacked, defaced, and having their website completely compromised.
(Update: 02/14/2012 5:12PM CST)
Perhaps a point was not clear in this post.
• If you are using Joomla! 1.5.25, then you are fine. There is no need for you to upgrade or do anything else.
• If you are using 1.5.xx, some other version than 1.5.25, then you need to consider upgrading to version 1.5.25, the latest version of the Joomla! 1.5 tree.
• If you are using Joomla! 1.7.xx, or a 2.5 release other than 2.5.1, then you need to consider upgrading to Joomla! 2.5.1.
• If you are using Joomla! version 1.7.xx please realize that support for this version from the Joomla! developers and community will cease on February 24th, 2012. That is why these users need to upgrade to Joomla! 2.5.1.
• If you are using Joomla! version 1.0.xx OR version 1.6.xx, please note that these versions have already reached their end-of-life and are no longer supported or maintained. If you are using one of these versions of Joomla! then you missed the end-of-life cutoff for those respective releases. You probably need to upgrade to Joomla! 2.5.1, but I am not sure what your upgrade path is. I would recommend posting in the Joomla! Forums to find out the exact steps you need to take.
If you are running anything other than the latest version of your respective Joomla! release tree, then you are using an outdated version and are susceptible to being hacked or compromised. I did find this post on the Joomla! forum that echoes why it is important to use an up-to-date script.
I hope this helps to clear up the confusion.
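The following is an added example, not code from the original post, from AMS Support or from the Joomla! project: it reads the `$RELEASE` and `$DEV_LEVEL` values that a Joomla! install's version file carries and applies the rules listed above to say which tree an install is in and what action that tree calls for, as of the date of this post. The file locations and the exact shape of the version file are assumptions, and the two version files in the block are constructed samples.

```python
"""Classify a Joomla! install against the upgrade rules in the post above."""
import re

# Assumption: Joomla! records its version in libraries/cms/version/version.php
# (2.5) or libraries/joomla/version.php (1.5/1.6/1.7), as $RELEASE and
# $DEV_LEVEL properties on the JVersion class.
VERSION_FILES = ("libraries/cms/version/version.php", "libraries/joomla/version.php")
RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'([^']+)'")
DEV_LEVEL_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'([^']+)'")

# Constructed samples of the two file shapes (not copied from Joomla!).
JOOMLA_15_VERSION_PHP = """<?php
class JVersion {
    var $PRODUCT    = 'Joomla!';
    var $RELEASE    = '1.5';
    var $DEV_STATUS = 'Stable';
    var $DEV_LEVEL  = '25';
}
"""
JOOMLA_25_VERSION_PHP = """<?php
final class JVersion
{
    public $PRODUCT = 'Joomla!';
    public $RELEASE = '2.5';
    public $DEV_LEVEL = '1';
}
"""


def parse_version(php_source):
    """Return 'RELEASE.DEV_LEVEL' (e.g. '1.5.25') or None if the markers are absent."""
    rel = RELEASE_RE.search(php_source)
    dev = DEV_LEVEL_RE.search(php_source)
    if not (rel and dev):
        return None
    return f"{rel.group(1)}.{dev.group(1)}"


def classify(version):
    """Map a version string to (status, advice) per the rules in the post.

    status is one of 'current', 'outdated', 'eol' or 'unknown'.
    Latest releases as of the post: 1.5.25 for the 1.5 tree, 2.5.1 for 2.5.
    """
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    tree = (major, minor)
    if tree == (1, 5):
        if patch >= 25:
            return ("current", "1.5.25 is the latest 1.5 release; nothing to do")
        return ("outdated", "upgrade to 1.5.25, the latest 1.5 release")
    if tree == (2, 5):
        if patch >= 1:
            return ("current", "2.5.1 is the latest 2.5 release; nothing to do")
        return ("outdated", "upgrade to 2.5.1")
    if tree == (1, 7):
        return ("outdated", "1.7 support ends 2012-02-24; upgrade to 2.5.1")
    if tree in ((1, 0), (1, 6)):
        return ("eol", "end-of-life; ask the Joomla! forums for an upgrade path to 2.5.1")
    return ("unknown", "release tree not covered by this post")


def check_source(php_source):
    """Parse a version file and classify it; unparseable files are reported as unknown."""
    version = parse_version(php_source)
    if version is None:
        return (None, "unknown", "could not read a Joomla! version from this file")
    status, advice = classify(version)
    return (version, status, advice)


if __name__ == "__main__":
    for sample in (JOOMLA_15_VERSION_PHP, JOOMLA_25_VERSION_PHP):
        print(check_source(sample))
```

To run it against a real account you would read whichever of `VERSION_FILES` exists under the site's document root and pass its contents to `check_source`; the thresholds in `classify` are pinned to the post's date and need revisiting as new releases appear.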
Backing up your account
Before attempting a Joomla! update we encourage you to create a backup of your account. Joomla! may have a backup component in its system, but I am not familiar with that. We do provide a backup method which you can use via your cPanel to back up your entire account. For instructions on this see:
It’s always a good idea to keep a backup copy of your website, in case something happens to your website. While we’d like to believe that upgrading your Joomla! 1.7 to Joomla! 2.5 will be seamless, in the event that something goes wrong, having a backup of your website can be a life saver.
Upgrade Instructions – Non-Softaculous Users
Upgrading from Joomla! 1.7 to Joomla! 2.5 is supposed to be easy. The Joomla! developers have placed an instruction guide on their website:
I have personally tried the Extension Manager: Update method and the Admin Tools method to upgrade a non-production version of Joomla! to version 2.5. This worked without any issues. But I would stress that I did not have any extensions or components installed and the Joomla! website was not a production site.
If you have questions about the upgrade process, I highly encourage you to speak out at the Joomla! forums:
They have a lot more experience with Joomla! than we do and can likely better answer any upgrade questions you may have.
Upgrade Instructions – Softaculous Users
If you installed Joomla! through Softaculous, then you should be able to upgrade Joomla! to version 2.5 from within Softaculous. Unfortunately, I did not have a test site involving this, so I do not know how well this method works. If it fails to work, you may be able to complete one of the Non-Softaculous methods from above to upgrade your website.
If you are a Softaculous Joomla! 1.7 user and have attempted the Softaculous Joomla! 2.5 upgrade, we would like to hear about your experiences with this, so we can share this information with other users. Leave us a comment on how this procedure worked for you.
The one thing I can tell you is that if you ignore this warning about upgrading your Joomla! 1.7 website to Joomla! 2.5, then you are putting your website at risk of being compromised. There will be no further updates to the Joomla! 1.7 release tree, and so continuing to use Joomla! 1.7 means that you are continuing to use an outdated and unsupported piece of software.
This is all a continuing effort to keep our web hosting users informed and aware of security implications on their accounts. I can speak from experience, trying to recover from an account hack can be more difficult than taking measures to prevent a hack. Running up-to-date and supported software is one of the best things you can do to keep your website secured.
I found this blog post talking about the top 7 ways that a hacker will attempt to hack into your WordPress script and into your web hosting account.
Three of the top five methods rely on known vulnerabilities in old and outdated scripts, themes, components, plugins, and extensions. This underscores why it is so very important that you keep all scripts, not just WordPress, and all extensions to those scripts, up to date.
1. Upgrade to the newest version of WordPress
2. Upgrade all your themes and plugins to their newest versions
5. Know what other web applications you have installed
I encourage you to take a moment and read through this post. It is very well written. And further explains how you can keep your hosting account safe and secure.
Props to Mr. Maunder for a well written article.
As we have documented in previous posts (here and here), an exploit for a security hole in the popular TimThumb add-on is making its way around the Internet. TimThumb is bundled with many WordPress themes.
Lately we have been seeing a lot of hacks as a result of this vulnerability. So many in fact that we are going to have to take measures to protect our servers and our clients from this vulnerability.
Starting today, September 27th 2011, we will be going through the servers and disabling any outdated TimThumb scripts that we find. This may have the adverse effect of disabling thumbnails and thumbnail creation for your images in your WordPress blog or other scripts. We apologize for this, but the alternative is to risk having your account hacked through this vulnerability.
WordPress users need to contact the developers of whatever theme they are using on their blog and ensure that they are aware of this TimThumb vulnerability. The fix for this vulnerability will have to come from your theme developer. If the theme you are using is no longer being maintained, then this should be a red flag that it is not a theme you should be using. If the developer refuses to include the updated TimThumb in their theme, then this should also be a red flag for you.
The purpose of all of this is to protect your webhosting account and keep your account from being hacked into.
The TimThumb exploit is still out there. More theme developers are updating their themes to include fixed solutions for this library.
The TimThumb project was forked into another project, called WordThumb, by Mark Maunder and then merged back into the TimThumb project. As a result the TimThumb version numbering is a little confusing. The current version of TimThumb appears to be 2.7, but any version from 1.34 onward appears to fix the major issue. Each subsequent release adds further security layers, and for this reason version 2.7 is probably the version you should be using.
However, the best thing you can do regarding this vulnerability is to talk to the developer, the person who wrote the WordPress theme you are using, and ask them whether the theme is vulnerable to this security issue. It is important to note that this is not a security issue in WordPress itself. In fact TimThumb is used by applications other than WordPress; WordPress is just the most common home for TimThumb, so WordPress users are the most likely to be affected. It is also worth pointing out that not all WordPress users are affected; it depends on which themes you have installed and are using on your website.
The security blog Sucuri has a list of SOME affected WordPress themes:
However it is important to point out that this is not a complete list. Just because your WordPress theme is not listed here, does not mean that it is not affected by this exploit. Again, the best step is to talk to your WordPress theme developer and ask them if you are affected by this vulnerability.
Matt Mullenweg, the founder and creator of WordPress, has an interesting post about this issue:
We are going to be going through the servers looking for timthumb.php files that may be affected by this. You should receive an email from us if one is found on your web hosting account. However, not all themes use the timthumb.php filename, and those copies we will not be able to find. So just because you did not receive an email from us does not mean that you are unaffected. Again, I cannot stress this point enough: the best thing you can do is talk to your theme developer and ask them whether you are affected. Your theme developer, the makers of your theme, are your best bet for finding out whether you are vulnerable.
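The following is an added example, not code from the original post, from AMS Support or from the TimThumb project: it walks a document root and identifies TimThumb copies by their content rather than by the timthumb.php file name, which is the gap the paragraph above describes, then grades each copy against the 1.34 (fixed) and 2.7 (current) boundaries the post gives. The signature it keys on, a TimThumb or WordThumb mention plus a `define('VERSION', ...)` line, is an assumption about how the script identifies itself; the three theme files it scans are constructed samples written to a temporary directory.

```python
"""Find TimThumb copies under a document root by content and report their version."""
import os
import re
import tempfile

# Assumption: a TimThumb copy names itself in its header comment (TimThumb, or
# WordThumb for the fork) and declares its version with define('VERSION', '...').
NAME_RE = re.compile(r"TimThumb|WordThumb", re.IGNORECASE)
VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'\s*\)")
FIXED_FROM = (1, 34)   # first release that fixes the major issue, per the post
CURRENT = (2, 7)       # current release, per the post


def version_tuple(text):
    """'2.7' -> (2, 7); tuples compare correctly where strings ('1.34' < '1.4') do not."""
    return tuple(int(p) for p in text.split("."))


def inspect_source(src):
    """Return None if src is not a TimThumb copy, else (version, verdict)."""
    if not (NAME_RE.search(src) and VERSION_RE.search(src)):
        return None
    version = VERSION_RE.search(src).group(1)
    v = version_tuple(version)
    if v < FIXED_FROM:
        verdict = "vulnerable"
    elif v < CURRENT:
        verdict = "outdated"
    else:
        verdict = "ok"
    return (version, verdict)


def scan_tree(root, max_bytes=200_000):
    """Scan every .php file under root; return sorted (relative path, version, verdict)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read(max_bytes)   # version define sits near the top
            except OSError:
                continue
            result = inspect_source(src)
            if result:
                findings.append((os.path.relpath(path, root), *result))
    return sorted(findings)


# Constructed samples (not the real TimThumb source): an old copy under its
# usual name, a current copy renamed by the theme author, and a theme file
# that merely refers to timthumb without being it.
SAMPLE_FILES = {
    "theme-a/timthumb.php": "<?php\n/* TimThumb image resizer, sample header */\n"
                            "define ('VERSION', '1.33');\n",
    "theme-b/inc/thumb.php": "<?php\n/* WordThumb / TimThumb merged, sample header */\n"
                             "define ('VERSION', '2.7');\n",
    "theme-c/functions.php": "<?php\n$thumb = get_template_directory_uri() . '/timthumb.php';\n",
}


def demo():
    """Write the samples to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, version, verdict in demo():
        print(f"{verdict:10s} {version:6s} {rel}")
```

Run against a real account, `scan_tree("/home/<user>/public_html")` would list every self-identifying copy whatever the theme author renamed it to; a file that mentions TimThumb without a version define (the theme-c case) is a reference, not a copy, and is deliberately left out.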
As we mentioned in an earlier post, today we are beginning the deployment of new ModSecurity filters on our shared hosting servers.
We have decided to push out these updates a few days ahead of schedule because of the recent TimThumb exploit (some details here). The new rules should help limit the damage this exploit can cause, but please note that they do not solve the problem completely: affected TimThumb users should still upgrade or discuss this with their theme developer. We are going to be going through the servers looking for TimThumb scripts in the next few days, and you may receive an email about this.
These new ModSecurity rules do have the potential to cause problems for some websites, since some legitimate actions and files will trigger false positives. If a particular rule is causing you problems, it can be exempted for your website; you will just need to open a support ticket with our support staff.
To open a support ticket, go to our Account Management page:
And click on the Support Ticket link.
These new rules should help prevent exploits and compromises on your webhosting account, this is why they are being put into place. We do apologize for any inconvenience these new rules might cause.
Steven