Hackers Using Joomla Servers For DDoS Attacks
Security researchers from Akamai Prolexic Security
Engineering, PhishLabs and Intelligence Division (R.A.I.D) have
uncovered a DDoS (Distributed Denial of Service) attack campaign that is
exploiting a vulnerability in the Google Maps plug-in installed on Joomla
servers.
Researchers found that several paid DDoS tools also use the
same vulnerability to power and mask the origin of DDoS attacks. DAVOSET and UFONet are publicly available DDoS tools that leverage the vulnerability in the Joomla Google Maps plug-in.
DAVOSET Tool
DAVOSET (DDoS attacks via other sites execution tool) was built to take advantage of these types of attacks and automates the process. For attackers, the most difficult task is building and maintaining a valid list of vulnerable reflectors. However, DAVOSET ships with a default list of Joomla servers that have the vulnerable Google Maps plug-in installed. DAVOSET takes a list of known blind proxy scripts and services and uses them to stage a reflected GET flood against a target. It allows an attacker to configure their lists of reflectors, the number of requests per reflector, and proxy configurations to automate these attacks.
Hackers also use Google dorks to find reflectors
UFONet Tool

PLXsert identified three distinct signatures produced by the
DAVOSET and UFONet tools. They differ in the type of HTTP GET request
header and the presence of the PHP language version in the user-agent field.
Akamai pointed out in the advisory, “Application attacks with only
one attack vector aren’t known to generate significant bandwidth — the
goal of the attack is to generate realistic user connections on the
target server to cause a denial of service.”
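
One way a defender could look for the traits described above in web server access logs, as an added example that is not from the advisory or the original article. It assumes Combined Log Format and that the PHP version shows up in the User-Agent as a `PHP/<version>` token; the function name, threshold and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format:
# ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the PHP language version appears as a "PHP/<major>.<minor>" token.
PHP_UA_RE = re.compile(r'\bPHP/\d+\.\d+')


def find_reflected_get_floods(lines, min_sources=3):
    """Return {path: sorted source IPs} for paths that received GET requests
    carrying a PHP user-agent from at least min_sources distinct addresses.

    Distinct sources are counted instead of bytes because the goal of this
    attack type is many realistic connections, not bandwidth.
    """
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue  # unparseable line or not a GET request
        if PHP_UA_RE.search(m["ua"]):
            sources[m["path"]].add(m["ip"])
    return {p: sorted(ips) for p, ips in sources.items()
            if len(ips) >= min_sources}


# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "PHP/5.3.10"',
    '198.51.100.7 - - [01/Mar/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "PHP/5.2.17"',
    '203.0.113.44 - - [01/Mar/2015:10:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (compatible) PHP/5.4.4"',
    '192.0.2.10 - - [01/Mar/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "PHP/5.3.10"',
    '203.0.113.90 - - [01/Mar/2015:10:00:03 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Mar/2015:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "PHP/5.2.17"',
    '192.0.2.55 - - [01/Mar/2015:10:00:04 +0000] "GET /contact HTTP/1.1" 200 640 "-" "PHP/5.5.9"',
]

if __name__ == "__main__":
    for path, ips in find_reflected_get_floods(SAMPLE_LOG).items():
        print(f"{path}: {len(ips)} reflector-like sources: {', '.join(ips)}")
```

Flagged source addresses belong to the reflecting servers, not to the party that triggered the requests, so they are useful for rate limiting and for notifying the reflector operators rather than for attribution.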