Increased Exploitation in Web Content Management Systems

US-CERT is aware of recent increases in the exploitation of known vulnerabilities in web content management systems (CMSs) such as Wordpress and Joomla. Compromised CMS installations can be used to host malicious content.

US-CERT recommends that users and administrators ensure that their CMS installations are patched or upgraded to remove known vulnerabilities. This may require contacting the hosting provider. Also, users and administrators can check for known vulnerabilities in the National Vulnerability Database by searching their CMS by name.

UPDATE: This is an update to emphasize post-exploitation clean-up.

Basic post-exploitation clean-up can be summarized by this: "Clean, Patch, and Monitor."

Clean - Remove the malicious content AND validate all accounts, removing unauthorized accounts and paying particular attention to accounts with administrative or elevated privileges.

Patch - Keep systems patched and upgrade system software to the most current supported releases (predominantly Joomla in this ongoing campaign of exploitations).

Monitor - Stay abreast of new patches and version releases of your content management software, and patch when new versions are released. Also perform continuous baseline review of your site's usage to detect abuse before your site is used to attack others.

A number of support sites and other open source forums have had recent discussions involving the exploitation of Joomla installs up to versions 2.5.2 and earlier. Additional vulnerabilities have been identified and patched relating to versions 2.5.4 and earlier. In many instances Joomla installs have been found to be very out of date. The attacker would self-register an account and then proceed to escalate the account to have administrative privilege using vulnerabilities in the outdated software. Once privileges have been escalated, the attacker is able to modify the website to include the upload of malicious content. The uploaded content may be malware to infect your website visitors, or tools to enable the attacker to leverage your website to launch denial-of-service attacks against others.

If your site has been compromised, remember to "Clean, Patch, and Monitor."

This product is provided subject to this Notification and this Privacy & Use policy.

Hostage-Taker Updates Facebook During Police Standoff

Writing on his Facebook page that he “cant take it no more,” an armed man was posting updates on the social-networking site after taking a man hostage in downtown Pittsburgh.

The profile page of Klein Michael Thaxton went down hours after police said he went into a building while armed and took a man hostage. Thousands of workers in the area were evacuated.

“I cant take it no more im done bro,” he wrote. “How this ends is up to yall bro real shyt.” He also said that “this life im livn rite now i dnt want anymore ive lost everything….”

All the while, before his page went dark, friends were posting on the 22-year-old’s Facebook page.

“Whatevers goin on you can get through this,” one poster wrote.

Hours after the ordeal had begun around 8 a.m. PDT, he surrendered peacefully from the standoff on the 16th floor of Three Gateway Center. No injuries were immediately reported.

Police described him as “ex-military,” and the Pittsburgh Post Gazette said he was arrested in March on carjacking allegations, which gave rise to a police chase.

Facebook did not immediately respond for comment about Thaxton’s page going dark.


Facebook’s $9.5 Million ‘Beacon’ Settlement Approved

Photo: marcopako/Flickr

A divided federal appeals court is approving a $9.5 million settlement to a class-action lawsuit challenging Facebook’s program that monitored and published what users of the social networking site were buying or renting from Blockbuster, Overstock and other locations.

The case concerned allegations Facebook’s now-defunct “Beacon” program breached federal wiretap and video-rental privacy laws. Terms of the settlement, in which Facebook denied any wrongdoing, require the site to finance what the deal calls a “Digital Trust Fund” that would issue more than $6 million in so-called cy pres grants to organizations to study online privacy.

The settlement, in which a lower court judge signed off on in 2010, was challenged by some of the 3.6 million class members, who argued that the deal was underfunded, and that Facebook should not get a seat on the trust fund’s board (.pdf) to help decide where the money would go.

A dissenting judge on the three-judge panel agreed, but could not shore up a majority Thursday.

“I respectfully dissent. This settlement perverts the class action into a device for depriving victims of remedies for wrongs, while enriching both the wrongdoers and the lawyers purporting to represent the class,” Judge Andrew Kleinfeld wrote in a blistering dissent.

But the majority on the 9th U.S. Circuit Court of Appeals didn’t see it that way.

“That Facebook retained and will use its say in how cy pres funds will be distributed so as to ensure that the funds will not be used in a way that harms Facebook is the unremarkable result of the parties’ give-and-take negotiations, and the district court properly declined to undermine those negotiations by second guessing the parties’ decision as part of its fairness review over the settlement agreement,” Judge Proctor Hug wrote. He was joined by Judge William Fletcher.

The decision comes a month after U.S. District Judge Richard Seeborg of San Francisco, who approved the Beacon settlement, rejected a privacy settlement concerning the social networking site’s “Sponsored Stories” program. Seeborg was concerned that the deal, which provides a $10 million payout to attorneys suing Facebook and $10 million to charity, “was merely plucked from thin air.”

Under that “Sponsored Stories” deal, which would have settled a year-old lawsuit, Facebook agreed to give its adult users the right to “limit” how the social-networking site uses their faces in ads under Facebook’s “Sponsored Stories” program. Minors have the ability to completely opt out.

Sponsored stories basically turns the act of pressing the Facebook “Like” button into a potential commercial endorsement. If a Facebook user clicks the “Like” button for a product or service with a Facebook page, that user’s profile picture and name may be automatically used in advertisements for that product or service that appear in the their friends’ Facebook pages. Facebook also reserves the right to show such ads on sites other than Facebook.

Meanwhile, the attorneys who faced off against Facebook in the Beacon litigation are to receive about $3 million of the $9.5 million pot, as much as $500 an hour in some instances. Only a handful of the estimated 3.6 million class members are to receive financial damages.

Those objecting noted that breaches of Video Privacy Protection Act carry fines of not less than $2,500, which they maintained was not accounted for in the settlement.

“But while Objectors may vigorously disagree with the class representatives’ decision not to hold out for more than $9.5 million or insist on a particular recipient of cy pres funds, that disagreement does not require a reviewing court to undo the settling parties’ private agreement,” the majority ruled.

Under the settlement, Facebook agreed to terminate the Beacon program.

When the program was launched in 2007, Facebook members’ Blockbuster movie rentals sometimes appeared on their news streams. Lead plaintiff Sean Lane’s wife found out, via Facebook, about a jewelry purchase her husband was to surprise her with. “Sean Lane bought 14k White Gold 1/5 ct Diamond Eternity Flower Ring from,” was announced to all of the husband’s Facebook friends, including his wife.

Attorneys on both sides of the Beacon dispute did not immediately respond for comment. Facebook attorney Colin Stretch said the company was “pleased that the panel affirmed the district court’s ruling that the Beacon settlement is fair, reasonable, and adequate.”

The new privacy center, according to terms of the deal, shall “fund and sponsor programs designed to educate users, regulators and enterprises regarding critical issues relating to protection of identity and personal information online through user control, and to protect users from online threats.”