NGINX.COM
Web Server Load Balancing with NGINX Plus

There is a new zero day exploit in Joomla. Details are described in CVE-2015-8562.

We recommend that you update Joomla immediately, but if you cannot do that or cannot change the files on your backend servers, you can apply a fix in NGINX or NGINX Plus on the frontend.

Note: We strongly advise to update your Joomla installations as soon as possible, even if you patch your site today with this NGINX configuration.

You can read about the exploit and the patch at the Sucuri blog or Ars Technica, among others.

Identifying the Attack

The original attacks came from these IP addresses:

  • On 12 December 2015 – 74.3.170.33
  • On 13 December 2015 – 146.0.72.83 and 194.28.174.106

The attack is usually performed by modifying the User-Agent header and can be identified by these values inside the header: JDatabaseDriverMysqli and O: (capital letter O followed by the colon).

Joomla provides the following sample log entry from an attack.

2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.XX.XX / CAN / Alberta
74.3.XX.XX [12/Dec/2015:16:49:40 -0500] GET /contact/ HTTP/1.1 403 5322 http://google.com/ }__test|O:21:x22JDatabaseDriverMysqlix22:3:..{s:2:x22fcx22;O:17:x22JSimplepieFactoryx22:0:..{}s:21:x22x5C0x5C0x5C0disconnectHandlersx22;a:1:{i:0;a:2:{i:0;O:9:x22SimplePiex22:5:..{s:8:x22sanitizex22;O:20:x22JDatabaseDriverMysqlx22:0:{}s:8:x22feed_urlx22;s:60:..

Applying a Fix in NGINX or NGINX Plus

Use this snippet of NGINX configuration to block the original IP addresses and any request where the User-Agent header contains O: or JDatabaseDriverMysqli. To block additional IP addresses, add them to the list in the second map block.

http {
    map $http_user_agent $blocked_ua {
        ~(?i)O: 1;
        ~(?i)JDatabaseDriverMysql 1;
        default 0;
    }

    map $remote_addr $blocked_ip {
        74.3.170.33 1;
        146.0.72.83 1;
        194.28.174.106 1;
        default 0;
    }
    
    server {
        listen 80;
        if ($blocked_ua) { return 403; }
        if ($blocked_ip) { return 403; }
        # ...
    }
}

For further information on restricting access to your site, see the NGINX Plus Admin Guide.

Post your experience in the Comments below.

Hero image
Are Your Applications Secure?

Learn how to protect your apps with NGINX and NGINX Plus

About The Author

Floyd Smith

Director of Content Marketing

Floyd Earl Smith has been involved in application development since the launch of the Macintosh and has written more than 20 books on hardware and software topics. He now writes for the NGINX blog, including contributing to blog posts and webinars about the NGINX Microservices Reference Architecture, a breakthrough microservices framework.

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source project. We offer a suite of technologies for developing and delivering modern applications. Together with F5, our combined solution bridges the gap between NetOps and DevOps, with multi-cloud application services that span from code to customer.

Learn more at nginx.com or join the conversation by following @nginx on Twitter.