I am sharing what I've experienced today and the way I was thinking and analyzing, so excuse me if it's a long post ...
I am on a dedicated machine protected by a firewall, proxy and a powerful enterprise anti-virus software. There's no access to the administration and no way for a user to log in except through a VPN.
Today the anti-virus detected a 'php_rc57shell' malware. Quick research showed that this is another shell script being used to take control over the files/db ... etc. I checked the access logs and found a POST request matching the time when the anti-virus stopped the file:
Code:
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 10 "-" "BOT/0.1 (BOT for JCE)"
1- It wasn't during the regular working hours our users usually work.
2- This was the first time this IP address visited the site!
Now it makes perfect sense. Someone is trying to upload a shell script with an image extension to bypass the upload restriction using the unprotected form. I tried to search whether this had been reported before and found it. Someone even created a script where you post the URL of the website you want to attack and the file, to make it easy for script kiddies to do it:
I am using an old version of JCE. We were planning to upgrade, but we have a lot of user groups and many modifications were done, so the schedule didn't fit for an upgrade and test yet.
I am using:
JCE version: 184.108.40.206
Image Manager version: 220.127.116.11
Edit: The new versions of JCE redirect directly to the homepage and show an error: You're not authorized to view this resource.
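As an added defensive example (not code from the original post), here is a small Python scanner that applies the same three indicators used above to Apache combined-format access logs. The IPs, timestamps and the working-hours window are constructed assumptions; the request path and the "BOT for JCE" user agent mirror the quoted log entry.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (Apache combined format): IPs and timestamps are
# made up; the request path and "BOT for JCE" user agent mirror the entry in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2012:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2012:09:12:44 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2012:03:27:09 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 10 "-" "BOT/0.1 (BOT for JCE)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The JCE image manager plugin endpoint used for the upload in the post.
JCE_IMGMANAGER = re.compile(r"option=com_jce&.*plugin=imgmanager", re.IGNORECASE)
WORK_HOURS = range(8, 19)  # assumed 08:00-18:59 in the log's timezone; adjust per site


def parse_line(line):
    # Parse one combined-format line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_jce_uploads(log_text):
    """Return (ip, reasons) per POST to the JCE image manager. Reasons are the post's
    indicators: off-hours, first request from the IP, 'BOT for JCE' user agent."""
    seen_ips, hits = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        first_seen = rec["ip"] not in seen_ips
        seen_ips.add(rec["ip"])
        if rec["method"] != "POST" or not JCE_IMGMANAGER.search(rec["path"]):
            continue
        reasons = []
        if rec["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if first_seen:
            reasons.append("first request from this IP")
        if "BOT for JCE" in rec["ua"]:
            reasons.append("JCE exploit-kit user agent")
        hits.append((rec["ip"], reasons))
    return hits
```

An empty reasons list means the upload looked like normal editor use by a known client, so only entries with one or more reasons need a closer look.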