The Internet Storm Center is advising Joomla & WordPress website administrators to keep their CMS installations up-to-date as cybercriminals are attacking sites using a tool “that's basically firing a bunch of Joomla and Wordpress exploits at a given server and hoping something hits.”
“Right now it seems the biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website).” John Bambenek wrote on the ICS blog.
Malicious iframes are injected into compromised websites, putting site visitors at risk of having fake antivirus software installed on their machine.
For the uninitiated, fake antivirus allows the attackers to generate revenue by pretending to scan the affected system & produce a list of non-existent malware infections that it offers to remove for a fee.
The domains loaded in the injected iFrames change frequently, but they typically end in "/nightend.cgi?8". Two IP addresses identified to be frequent offenders in this attack are 220.127.116.11 and 18.104.22.168.
That being said, if you have a website running on WordPress or Joomla, it is strongly recommended that you upgrade to the latest version and do your best to keep your CMS current. You may also want to search the web for tips on how to improve website security & minimize the chances of an attacker successfully breaking into your site.
If your site has already been hit, these sites offer instructions on how to clean up the mess:
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+