The 14 April 2010, Antisecurity has release a Joomla wgPicasa Component Local File Inclusion (LFI) exploit, published on Exploit Database as EDB-ID 12230. To attract the “bad guys” how will use this exploit, we published the 15 April a news containing, in the URL and the content of the news, some keywords to be the more attractive as possible 🙂 Most of the LFI scanners are using Google dorking methods to find a potential vulnerable target. So let get a good position in Google ranking.

Since the 15 April, we can see that this particular exploit is more targeted than other Local File Inclusion exploits, and the number of events are still increasing until we are one month after the exploit publication.

Joomla wgPicasa SIG 2011067 events for current month

Joomla wgPicasa SIG 2011067 events for current month

Also, we have some source IP how are really trying to get in 🙂

TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during current month

TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during current month

TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067

TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067

So, just one word, Joomla wgPicasa is in the hype, and really if you use Joomla, shutdown your server 🙂