ImageMagick and the Onslaught of Joomla Hacks

As discussed in a previous post, we have been experiencing an onslaught of Joomla 3.5.1 hacks for a few weeks now, and although we were able to clean and protect the hacked websites that we were asked to fix, we were not able to get to the root cause of the problem.

We did, however, suspect that the problem lay within the latest version of Joomla (3.5.1 at the time of writing this post), since the absolute majority of the hacked websites were 3.5.1. This morning, however, we discovered that we were wrong (and we were glad that we were wrong), and that the problem had nothing to do with Joomla, and everything to do with ImageMagick (a software package, common on Linux servers, used mainly for image conversion).

So, what happened this morning?

Well, very early in the morning today, we got a call from a new client asking us to immediately clean his company’s website, as it was clearly hacked. The Joomla website didn’t have a single 3rd party extension installed (it was even using the Beez3 template) and it was powered by the latest version (3.5.1). For us, this was another solid proof that Joomla 3.5.1 was vulnerable. So, we fixed the website, we secured it, and then, after being granted permission from the client, we ran some forensics to discover how the website was hacked in the first place.

As soon as we started with the forensics, we noticed that the website was on a shared hosting, which was intriguing, since the absolute majority of the websites that we fixed in the past few weeks resided on a shared host. Of course, it was not logical to say that the cause of the problem is shared hosting, but that was enough to change the direction of our investigation. So we emailed a few of our clients for whom we cleaned Joomla 3.5.1 websites in the past few weeks asking them for permission to check their (server) environment. Luckily, they OK’d our request very quickly (within minutes).

It didn’t take us long to discover that ImageMagick was the root cause of the problem – all the environments with hacked Joomla 3.5.1 websites had ImageMagick installed. In case you don’t know, CVE-2016-3714 revealed that the latest version of ImageMagick had a major vulnerability allowing remote code execution (this is very bad), which meant that any application residing on a server with ImageMagick installed was extremely vulnerable, and that was the root cause of why all those Joomla websites were hacked.

So, what is the solution to this problem?

Ideally, the best solution is to move your website to a VPS where you have control over which applications are installed (most servers used for shared hosting have many libraries installed to accommodate the various needs of the hosted websites, and that’s why they are usually more vulnerable). If you don’t want that, then you should tell your host to patch their current version of ImageMagick or risk suffering repeated attacks on your website.

How can you know that ImageMagick is installed on your website’s environment?

There are several ways to do that:

  • If PHP is compiled with ImageMagick support (the imagick extension), then an ImageMagick section will appear in the output of phpinfo().
  • If ImageMagick is installed but not compiled within PHP, then you can check if you have it installed by running the following PHP script:

    <?php
    // exec()'s third argument receives the exit status, not the version; the version text goes into $output
    exec("/usr/bin/convert -version 2>&1", $output, $status);
    echo $status === 0 ? implode("\n", $output) : "ImageMagick not found (exit status $status)";

    If you get a version number (a line starting with "Version: ImageMagick" followed by numbers), then you know that you have it installed on your server.

  • If you are on a VPS or a dedicated server, then you can try running the following in the shell prompt as root:

    convert -version

    or

    /usr/bin/convert -version

    If you get a valid output (and not something like "command not found") when running any of the commands above, then this is a definitive sign that you have it installed.
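As an added example that is not part of the original post, the following POSIX shell script goes one step beyond the presence checks above: it reports the installed ImageMagick version and also checks whether the server's policy.xml disables the coders abused in CVE-2016-3714, which is the standard mitigation when the package itself has not been patched. It assumes `convert` is on PATH or in /usr/bin, and the policy.xml location (which varies by distribution) is left for you to supply.

```shell
# Added example, not the original post's code: report whether ImageMagick is installed and
# whether its policy.xml disables the coders abused by CVE-2016-3714 (ImageTragick).
# Assumes `convert` is on PATH or in /usr/bin; the policy.xml path is distribution-specific.

# Print the version of the first working `convert` (args override the search list); return 1 if none.
imagemagick_version() {
    if [ $# -eq 0 ]; then
        set -- "$(command -v convert 2>/dev/null)" /usr/bin/convert /usr/local/bin/convert
    fi
    for bin in "$@"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        # First output line looks like: Version: ImageMagick 6.9.3-7 Q16 x86_64 ...
        ver=$("$bin" -version 2>/dev/null | sed -n 's/^Version: ImageMagick \([^ ]*\).*/\1/p')
        [ -n "$ver" ] && { echo "$ver"; return 0; }
    done
    return 1
}

# Print the risky coders NOT disabled by an active (uncommented) rights="none" rule in the
# given policy.xml (single patterns and brace lists like {MVG,MSL} both count); return 0 only
# when all of them are disabled. A missing file means nothing is disabled.
check_policy() {
    policy="$1"
    missing=""
    for coder in EPHEMERAL URL HTTPS MVG MSL; do
        if ! grep -v '<!--' "$policy" 2>/dev/null | grep 'domain="coder"' | grep 'rights="none"' \
             | grep -Eq "pattern=\"([^\"]*[{,])?$coder([,}][^\"]*)?\""; then
            missing="$missing $coder"
        fi
    done
    missing="${missing# }"
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# Constructed sample policy: EPHEMERAL/URL/HTTPS/MVG are blocked, but the MSL rule is only
# present inside a comment, so check_policy must still report MSL as enabled.
write_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
</policymap>
EOF
}
```

Run `check_policy /etc/ImageMagick*/policy.xml` (or wherever your distribution keeps the file) after `imagemagick_version` succeeds; any coder it prints is still enabled and should be added as a rights="none" rule.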

If your Joomla 3.5.1 website is getting repeatedly hacked, then most likely your server is running ImageMagick. Your best option is to clean up your website and immediately move to a VPS where ImageMagick is not installed. If you need help doing this, then please contact us. We will clean your website for you, we will secure it, we will move it, and we won’t charge you much!
