Joomla Critical Zero-Day Vulnerability (RCE)
A recent exploit has been brought to our attention that affects all Joomla users. It targets a remote command execution vulnerability present in all versions of Joomla between 1.5 and 3.4.5. We highly recommend that you update your Joomla installation right now using the patch released yesterday.
What is a zero-day vulnerability?
A zero-day vulnerability is a security hole that has been found, and can be exploited, before the provider is made aware of it. Hackers may exploit these security holes using malware or spyware to steal personal data, send out spam, or redirect traffic away from the intended web address. The main issue with these ‘zero-day’ vulnerabilities is that it becomes a race: the developers work to release a fix before users are negatively impacted by malicious content.
How does this affect Joomla users?
This exploit allows people who would otherwise be unable to access your hosting platform to run arbitrary commands from a remote location and thus perform potentially malicious tasks from your end. Whilst we have many defenses in place to ensure this doesn’t get out of hand and affect other customers, we feel that it is important to note that users who do not update their installation of Joomla are risking their websites being compromised and having their services suspended as a result.
If you are a Joomla user and have yet to update, we ask that you check your logs as soon as possible. In particular, look for requests from 184.108.40.206, 220.127.116.11 or 18.104.22.168, as these IP addresses were the first to be found using the exploit (source: Sucuri.net). If you find them in your logs, consider your Joomla site compromised and contact your developer to have this issue fixed as soon as possible.
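One way to run the log check described above, as an added example rather than code from the original post. It assumes access logs in the Apache/nginx "combined" format, compares only the client-address field so that an address appearing in a URL or referrer is not counted, and uses constructed sample lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# Addresses listed in the advisory above as the first seen using the exploit.
SUSPECT_IPS = {"184.108.40.206", "220.127.116.11", "18.104.22.168"}

# Assumed "combined" format: client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log lines (dates, paths and other clients are made up).
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2016:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
184.108.40.206 - - [01/Jan/2016:09:13:44 +0000] "GET / HTTP/1.1" 200 4211 "-" "-"
198.51.100.7 - - [01/Jan/2016:09:14:02 +0000] "GET /?ref=18.104.22.168 HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
18.104.22.168 - - [01/Jan/2016:09:15:30 +0000] "POST /index.php HTTP/1.1" 500 310 "-" "-"
184.108.40.206 - - [01/Jan/2016:09:16:10 +0000] "GET /administrator/ HTTP/1.1" 403 199 "-" "-"
this line is malformed and is skipped
"""


def find_suspect_requests(lines, suspects=SUSPECT_IPS):
    """Return {ip: [(timestamp, request, status), ...]} for every request whose
    client-address field exactly equals one of the suspect addresses."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        if m.group("ip") in suspects:
            hits[m.group("ip")].append(
                (m.group("time"), m.group("request"), int(m.group("status")))
            )
    return dict(hits)


def summarize(hits):
    """One line per suspect address: request count, first and last time seen."""
    return [
        f"{ip}: {len(reqs)} request(s), first {reqs[0][0]}, last {reqs[-1][0]}"
        for ip, reqs in sorted(hits.items())
    ]


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/path/to/access.log") for real logs.
    for row in summarize(find_suspect_requests(SAMPLE_LOG.splitlines())):
        print(row)
```

If the site sits behind a proxy or CDN, the first field is the proxy's address, so the same comparison has to be made on whichever field records the original client.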