Code:
<?php /**/ eval(base64_decode(".........."));?>
Thanks in advance.
Wai
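The injected line quoted above is the usual shape of this infection: a one-liner prepended to existing PHP files that evaluates a base64 blob. The following scanner, added here as an example (not code from the thread or from the Joomla project), walks a webroot, reports every file and line carrying an eval(base64_decode(...)) construct, and decodes the blob only to show a printable preview for triage. The sample webroot, its file names and the harmless echo payload are constructed for the example; the list of scanned extensions is an assumption.

```python
import base64
import os
import re
import string
from typing import Dict, List, Tuple

# The construct reported in the thread: eval(base64_decode("...")).
# Whitespace and either quote style are tolerated. Other wrappers such as
# gzinflate() or str_rot13() are out of scope for this example.
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([^"\']+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)

Hit = Tuple[str, int, str]  # (path, line number, decoded preview)


def preview_payload(blob: str, limit: int = 80) -> str:
    """Decode the base64 blob for triage and return a printable preview.
    The payload is only decoded, never executed."""
    try:
        raw = base64.b64decode(blob)
    except (ValueError, TypeError):
        return "<undecodable>"
    text = raw.decode("latin-1")
    printable = "".join(
        c if c in string.printable and c not in "\r\n\t\x0b\x0c" else "."
        for c in text
    )
    return printable[:limit]


def scan_source(path: str, text: str) -> List[Hit]:
    """Return one hit per injected eval(base64_decode(...)) in one file's text."""
    hits: List[Hit] = []
    for m in INJECT_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((path, line_no, preview_payload(m.group(1))))
    return hits


def scan_sources(sources: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory {path: text} mapping (used for the constructed sample)."""
    hits: List[Hit] = []
    for path in sorted(sources):
        hits.extend(scan_source(path, sources[path]))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Walk a webroot on disk and scan every PHP source file (assumed extensions)."""
    sources: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="latin-1") as fh:
                    sources[full] = fh.read()
    return scan_sources(sources)


# Constructed sample webroot: a clean file, a file that calls base64_decode()
# legitimately (no eval, so not flagged), and a template file with the injected
# line prepended, as seen on infected sites. The payload is a harmless echo.
SAMPLE_B64 = base64.b64encode(b'echo "constructed sample";').decode("ascii")
SAMPLE_SOURCES = {
    "index.php": "<?php\ndefine('_VALID_MOS', 1);\nrequire_once 'globals.php';\n",
    "includes/mailer.php": "<?php\n$body = base64_decode($_POST['body']);\n",
    "templates/site/index.php": (
        '<?php /**/ eval(base64_decode("' + SAMPLE_B64 + '"));?>\n'
        "<?php\ndefined('_VALID_MOS') or die('Direct Access to this location is not allowed.');\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, preview in scan_sources(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: eval(base64_decode) -> {preview}")
```

Run scan_tree("/path/to/webroot") against a real site; every hit is a file to restore from a known-clean copy, and the preview tells you whether the blob is the same payload everywhere or differs per file.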
Hi, Stéphane,
biirc wrote:
Hi,
We have the same problem on a site in Joomla 1.0.15.
A Russian guy has the same problem too.
http://joomlaforum.ru/index.php?topic=131149.0
With a password (htpasswd) on the administrator site, it will block the attack.
On my site I have (web log):
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
But I have no log on the FTP side.
I don't know how they put this: /mambots/system/loginJ00mla.php
Stéphane
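The access log above is the key evidence: within seven seconds one client logs in to the administrator, opens com_installer for mambots, uploads, POSTs straight to a PHP file that had never existed under /mambots/, and then uninstalls. The detector below, added here as an example and not code from the thread or from Joomla, parses Apache combined-format lines and raises an alert when one client completes that chain (admin login POST, com_installer request, direct request to a PHP file under an extension directory) within a time window. The sample log is constructed to mirror the posted lines, with a documentation-range IP and a "-" in place of the masked field; the list of extension directories and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional

# Apache combined log as posted: client, two identity fields, [timestamp],
# "METHOD path protocol", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Directories in which a freshly installed extension's PHP would be hit
# directly. Assumed list for a Joomla 1.0 layout; extend for your site.
SCRIPT_RE = re.compile(r"^/(mambots|components|modules|templates|images)/[^?]*\.php(?:\?|$)")


class Request(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], datetime.strptime(m["ts"], TS_FORMAT),
                   m["method"], m["path"], int(m["status"]))


def detect_backdoor_installs(lines: Iterable[str],
                             window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Flag a client that, within `window`, POSTs to the admin login, touches
    com_installer, and then requests a PHP file directly under an extension dir."""
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            by_ip[req.ip].append(req)

    alerts: List[Dict[str, object]] = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        login: Optional[Request] = None
        installer: Optional[Request] = None
        for r in reqs:
            if login is not None and r.ts - login.ts > window:
                login = installer = None          # chain expired; start over
            if login is None:
                if r.method == "POST" and r.path.startswith("/administrator/index.php"):
                    login = r                     # step 1: administrator login
                continue
            if installer is None:
                if "option=com_installer" in r.path:
                    installer = r                 # step 2: extension installer
                continue
            if SCRIPT_RE.match(r.path):           # step 3: new script hit directly
                alerts.append({
                    "ip": ip,
                    "login_at": login.ts.isoformat(),
                    "installer_path": installer.path,
                    "script_path": r.path,
                    "script_status": r.status,
                    "elapsed_seconds": int((r.ts - login.ts).total_seconds()),
                })
                login = installer = None
    return alerts


# Constructed sample log modelled on the posted lines (IP from 203.0.113.0/24).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Sep/2010:14:40:02 +0200] "GET /index.php?option=com_content&task=view&id=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
203.0.113.5 - - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
203.0.113.5 - - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
203.0.113.5 - - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
203.0.113.5 - - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
203.0.113.5 - - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
"""

if __name__ == "__main__":
    for alert in detect_backdoor_installs(SAMPLE_LOG.splitlines()):
        print(alert)
```

The elapsed time between login and the first hit on the new script is worth keeping in the alert: a few seconds means a script, not a person, and that is the first thing to compare against the other sites reporting the same file name. Because the chain starts with a successful administrator POST, the alert also tells you the credentials were already known, which is what points back to an earlier theft or a vulnerable extension rather than to the installer itself.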
Thank you for all your replies. I don't have this particular component installed. I'm now checking the extensions of the site against the Vulnerable Extensions List.
VegardAa wrote:
Hello! We had the same problem. We think we found the point of entry -> com_mtree. Do you have that component installed? If so, I would recommend upgrading it.
This is certainly not normal. The system should not have this particular PHP file. When they POST to this file, they are sending something to your system, and this loginJ00mla.php is receiving the posted data, and possibly capturing username and password. This means that there is another way that the hacker installed this file before the time shown in this log entry.
biirc wrote:
Hi, thanks for your answer.
We are in the Joomla! 1.0 » Security - 1.0.x forum; I know there are vulnerabilities.
This client called me because they have a problem.
This site uses gmacess; I will wait for Joomla 1.6 for the upgrade.
I just want to block the attack, but I didn't see any attack on the components or mambots in the log.
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php
This is not normal: they install a mambot and uninstall it afterwards. How?
Stéphane
Can I suggest you look around your host's forums and see if anyone else has been hit by this... possibly it's a jailshell break.
biirc wrote:
Hi qqwwong,
Nothing in the HTTP log and the FTP log; still searching.
Stéphane