Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Invasion of JCE Bots

   27 Jan 14   Filed in Website exploits

Joomla has been one of the most popular CMS for a long time.  It powers a huge number of sites.  That’s great! The flip side of this fact is Joomla has been very popular for a long time and there are still very many sites that use older versions of Joomla as well as older version of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites.

Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.

JCE attack

There is a JCE component — a fancy content editor that can be found almost on every Joomla site. It has a well known security hole that allows anyone to upload arbitrary files to a server.

You can easily find a working exploit code for this vulnerability.  What it does is:

  1. Checks whether a vulnerable version of JCE is installed (2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15,,,,,
  2. Exploits the bug in the JCE image manager to upload a PHP file with a .gif extenstion to the images/stories directory
  3. Then uses a JSON command to rename the .gif file to *.php.

Now you have a backdoor on a server and can do whatever you want with the site.

This is how this attack looks in logs (real example): - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)" - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)" - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"

As I mentioned, JCE is a very popular component and there are still many sites that use old versions of this component. No wonder, hackers are scanning the Internet for such vulnerable sites.  They reworked the exploit code for use in their automated tools that relentlessly test millions of sites, one by another.  These days, I can find multiple requests with the “BOT/0.1 (BOT for JCE)” User-Agent string in logs of almost every site that I check, even in logs of sites that have never had Joomla installed.

I’d like to share some interesting statistics of a real site that had been hacked using this JCE hole and then was being routinely reinfected every day.

  • 7,409 requests with the User-Agent “BOT/0.1 (BOT for JCE)” that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
  • 239 requests from 51 unique IP addresses during the last 24 hours
  • 4 independent (uploaded different types of backdoors) successful infections during one day.
  • plus, multiple tests for other vulnerabilities.

To webmasters

As you can see,  this is something that you can’t neglect or consider an insignificant threat.  It’s silly to hope that hackers won’t find your site. Today hackers have resources to spider the Internet almost as efficiently as Google just about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive:  keep all software up-to-date and harden your sites.

In case of this particular JCE attack:

  1. Make sure to upgrade your Joomla site to the most current version.
  2. Upgrade JCE to the latest version. You can find download packages for all the three branches of Joomla here.
  3. Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
    <Files *.php>
    deny from all
  4. Try blocking requests with the “BOT/0.1 (BOT for JCE)” User-Agent string.  Of course, this shouldn’t be considered as a real protection. Hackers can change the User-Agent string to whatever they want. But it can help keep some dumb annoying bots away from your site.
  5. If, for some reason, you can’t upgrade your site at this moment, consider placing it behind a website firewall that will block any malicious traffic before it reaches your server.  This is something that we call virtual patching in Sucuri CloudProxy.

Reader's Comments (8)

  1. |

    Nicely done!
    The JCI component “problem” and has been a thorn in the Joomla communities side for years.

    I would go so far as to say that 1/2 of all of the hacked Joomla installations I’m asked to repair are JCE exploit related.

    As mentioned, simply adding the .htaccess “no execute php” file within the images/stories directory generally does the trick, though upgrading is always best.

    Personally, for this particular exploit, I prefer the below in my .htaccess file:
    # This line turns off directory listings
    Options -Indexes
    # This line forces scripts to load as text.
    Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh

    I like how you linked out to Google and known JCE exploits as well.
    A quality post top to bottom. Kudos!

    • |

      Thanks Jim,

      That “text/plain” handler also does the trick and covers a broader range of attacks.

      I don’t want to link directly to exploits. But if you want to find the information, this Google search is enough. At the same time, if there is some new JCE file upload vulnerability, this search will show it too, so the link will remain fresh and useful.

    • |

      I just seen it in some logs for the second time. We do not use joomla. But I think your .htaccess code is very useful in preventative measures for sites overall.

  2. |

    I’m curious if you would have any more information on exactly what is allowing the exploit to work? I understand it’s an exploit in code which was in an old version of Joomla, but my vBulletin sites are apparently being exploited by this Bot for JCE script. I do not have any pieces of Joomla installed on the server – at least, not that I’m aware of. Thankfully Microsoft Security Essentials is catching the backdoor/shell script being uploaded to the site and is removing it before they can use it, but it scares me that they’re able to upload the file to my site in the first place. I’ve tried to get help from vBulletin but they brush it off as not being on their end.

    • |

      In case of Joomla JCE, it just uses a bug to upload a PHP file as a .gof and then change it’s extension to .php.

      If you don’t have Joomla, then you might see multiple attempts to scan your site for that JCE security hole. They do it on every site. If they find it – they exploit it, if not they move on to the next site. So what you are seeing is probably just attack attempts, not successful attacks. On the other hand, if hackers find vulnerabilities in vBulletin or any other type of site, they’ll most likely upload pretty much the same backdoors as if it was Joomla.

      vBulletin may be slightly different as most of it’s malware lives in its database.

  3. |

    […] Unmask: Invasion of JCE Bots […]

  4. |

    If I understood, I have to open my .htaccess file and insert these lines:
    # This line turns off directory listings
    Options -Indexes
    # This line forces scripts to load as text.
    Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh

    Thats it?

    Which are the “collateral effects” of this?

    Thanks in advance

    • |

      This code makes web server treat such files as regular text files. I.e. instead of executing any code in them, it will just display their content in a browser as if they were plain text files.

      The side effect is you won’t be able to have executable scripts in those directories. But it’s the point of this trick – place it to the directories that shouldn’t have executable files