Hacked & defaced 22hrs ago - outdated Joomla etc.

See: http://killmalware.com/jujutsu-styria.eu/#
Web application version:
Joomla Version 3.2.0 found at: http://www.jujutsu-styria.eu/administrator/manifests/files/joomla.xml
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 3.6.4

3 vulnerable jQuery libraries: http://retire.insecurity.today/#!/scan/798412c5392cf441ff58d022c507ea6dea59144d3f4e51b98f893d8d56e4b992

F-F-X-status: https://observatory.mozilla.org/analyze.html?host=www.jujutsu-styria.eu

7 problems on domain: https://mxtoolbox.com/domain/www.jujutsu-styria.eu/

polonus (volunteer website security analyst and website error-hunter)

One of the reasons why web software shouldn’t be outdated. Malware writers are always looking for such holes to exploit.

The site is not under any radar for now:
https://virustotal.com/en/url/460a414e9b554c6d8f6138e05a4209cb304cb82f8a40d70409acc8eaff3485f5/analysis/1481812262/

There are a lot of js freeloaders from this site:
http://zulu.zscaler.com/submission/show/adf4c5371feef121d35edc415370b013-1481812247

https://blog.avast.com/2015/08/20/infected-ad-networks-hit-popular-websites/

Update: Noticed a weird line while inspecting the html of the webpage. No reason it's defaced. This site is possibly hacked by CRLF Injection.

[CRLF]

Read:
https://prakharprasad.com/crlf-injection-http-response-splitting-explained/

A simple solution for CRLF Injection is to sanitise the CRLF characters before passing into the header or to encode the data, which will prevent the CRLF sequences entering the header.
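As an added example (not code from this post, the linked blog or Joomla), the sanitise-or-reject check described above, written in Python; the function names and the redirect scenario are assumptions:

```python
"""Keep CR/LF sequences out of HTTP header values built from request input.
Added example, not code from the forum post or from Joomla; the function
names and the Location-header scenario are assumptions."""
import re
from urllib.parse import unquote

# Characters that must never appear inside a single HTTP header value.
_FORBIDDEN = ("\r", "\n", "\x00")
# Their URL-encoded forms, which become raw CR/LF/NUL after one decode.
_ENCODED = re.compile(r"%0[dDaA]|%00")


def contains_crlf(value: str) -> bool:
    """True when the value carries a raw CR/LF/NUL, or an encoded one that a
    single round of URL-decoding (assumed downstream) would turn into one."""
    decoded = unquote(value)
    return any(ch in value or ch in decoded for ch in _FORBIDDEN)


def sanitise_header_value(value: str, strict: bool = True) -> str:
    """Return a header-safe value.

    strict=True rejects tainted input outright (the safer default: request
    data that tries to break a header is not worth repairing).
    strict=False strips the raw and encoded CR/LF/NUL so the header line
    cannot be split, leaving all other characters untouched.
    """
    if not contains_crlf(value):
        return value
    if strict:
        raise ValueError("CR/LF sequence in header value")
    cleaned = _ENCODED.sub("", value)
    for ch in _FORBIDDEN:
        cleaned = cleaned.replace(ch, "")
    return cleaned


def build_redirect_headers(target: str, strict: bool = True):
    """Headers for a redirect whose target came from the request. Without the
    check, a CRLF in `target` would terminate the Location line and let the
    request author append headers of their own (HTTP response splitting)."""
    return [("Location", sanitise_header_value(target, strict)),
            ("Cache-Control", "no-store")]


def serialise(headers) -> str:
    """Render headers as they travel on the wire, so a split would be visible."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"
```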

Hi TI199,

Thanks for your elaborate reaction, my friend, and you are so right,
the hacker/defacer just needs some outdated CMS code bugs
and a tiny wormhole to work an automated exploit through to compromise a website.

Then again WordPress and Joomla belong to these favourite flavours of CMS to work a hack through,
(outdated kernel-code, wrong settings, theme and plug-in-code).

Website owners should really do a scan of their websites

  1. via https://hackertarget.com/wordpress-security-scan/
  2. https://hackertarget.com/joomla-security-scan/
  3. check their jQuery libraries here: http://retire.insecurity.today/

When suspicious code is detected, DNS and domain health reports could clarify more on the threat/vulnerability:

So scans here can also help:
  4. https://aw-snap.info/file-viewer/
  5. https://observatory.mozilla.org/
  6. https://sritest.io/ (to see how the same-origin rule is upheld)
  7. https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

polonus

Notable victims of this vulnerability include Google, MSN, Amazon and various other high profile websites.