I run a few WordPress websites and they all have a firewall set up that also monitors and reports suspicious behaviour. In the last few days I have seen a new URL appear in the logs:
/index.php?
A quick Google of [Simpledownload & Controller] brings up several websites that talk about Joomla, so it looks like this is just some automated robots sniffing for vulnerabilities in Joomla websites (Joomla being another popular open source content management system).
There is a useful thread on Cnet.com from 2010 that talks about the Joomla SimpleDownload Component “controller” File Inclusion Vulnerability. As this is an old thread, we can assume that it is an old vulnerability that has now been fixed in Joomla, but hackers are still using bots to find sites that have not been updated.
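One way to triage such probes in a WordPress site's access log, as an added example that is not part of the original post. It assumes combined-format log lines, and the parameter names `option` and `controller` and the component name `com_simpledownload` are assumptions based on Joomla's URL convention and the search terms above, since the logged URL in the post is truncated; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from the post's logs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:01:02 +0000] "GET /index.php?option=com_simpledownload&controller=../../../../x HTTP/1.1" 404 512 "-" "bot"
203.0.113.7 - - [12/Mar/2014:10:01:05 +0000] "GET /index.php?option=com_simpledownload&controller=..%2f..%2fx HTTP/1.1" 404 512 "-" "bot"
198.51.100.4 - - [12/Mar/2014:10:02:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2014:10:03:00 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 404 512 "-" "bot"
"""

# Client address and request target from a combined-format line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# A legitimate controller name is a plain identifier; anything else is suspect.
SAFE_NAME = re.compile(r'[A-Za-z0-9_]+')


def classify(line):
    """Return (client_ip, component, verdict) for a Joomla-style request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, target = m.groups()
    # parse_qs percent-decodes values, so encoded separators are seen in plain form.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    component = params.get("option", [""])[0]
    if not component.startswith("com_"):
        return None  # not Joomla component routing (assumed convention)
    controllers = params.get("controller", [])
    if any(not SAFE_NAME.fullmatch(c) for c in controllers):
        return ip, component, "inclusion-attempt"
    return ip, component, "probe"


def summarise(log_text):
    """Count Joomla-style requests per (client, component, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for (ip, component, verdict), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s}  {component:20s}  {verdict}")
```

On a site that does not run Joomla, every hit is unsolicited scanning, so the summary shows which clients are probing and for which components.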
Old Vulnerabilities are the best to hack!
In some ways it is advantageous for a hacker to target old vulnerabilities only. Generally, if someone has not updated their software then it is more likely that they have stopped actively managing the website. This means that any attacks are more likely to remain for longer before a webmaster takes action to remove them.
Moderately critical – Vendor Patch Fixes
A quick review of that article shows that there is indeed a patch to fix the problem. However, this hacking, sniffing business is not the usual attempt to plant links, redirect sites or install Trojans. The article says:
“A vulnerability has been reported in the SimpleDownload component for Joomla, which can be exploited by malicious people to disclose potentially sensitive information.”
So the hackers are possibly looking for credit card information or other personal data on websites that are running Joomla. This is of course an attack on the personal data stored in the sites, so any old Joomla eCommerce sites are likely to be prone to this type of attack.
Joomla owners – please update your systems, even if you have mostly forgotten about your website!
Or delete any personal data from the database.