Joomla! Discussion Forums



Posted: Mon Nov 02, 2009 8:11 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Folks

Your assistance is appreciated in advance. I've spent 6 hours trying to track this bugger down; in my access log file I'm getting entries like this:

60.224.52.100 - - [02/Nov/2009:18:59:04 +1100] "GET /40715998/?site=40715998&cmd=inPage&page=http%3A//store.apple.com/au/cart&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=&javaSupport=true&id=6852081189&scriptVersion=1.1&d=1257148744581&&PAGEVAR!ConversionStage=AOS%3A%20cart&PAGEVAR!Section=product%20selection&PAGEVAR!ErrorMessage=&SESSIONVAR!Conversion-Stage=AOS%3A%20cart&SESSIONVAR!Site-Section=product%20selection&cobrowse=true&cookie=asbid%3DsHTC4AACHFYJHJ4F4%3B%20ccl%3D/bbeOD2QWm9fWHu1nFezag%3D%3D%3B%20DefaultAppleID%3D@me.com%3B%20dfa_cookie%3Dappleglobal%252Cappleusstartpage%252Cappleauglobal%252Cappleauhome%252Cappleaumacbook%3B%20dssid2%3Df7697530-90c8-42de-8ad1-e2988b4ae349%3B%20geo%3DAU%3B%20s_aid%3DAIC-NAUS-K2-BUYNOW-MACBOOK%3B%20s_cc%3Dtrue%3B%20s_cvp35%3D%255B%255B%2527login1.maccasfreewifi.net%2527%252C%25271254352007333%2527%255D%255D%3B%20s_invisit_au%3Dhomepage%253Dtrue%253Bmacbook%253Dtrue%253B%3B%20s_invisit_us%3Dstartpage%253Dtrue%253B%3B%20s_ppv%3D80%3B%20s_pv%3Dmacbook%2520-%2520index%2520%2528au%2529%3B%20s_ria%3DFlash%252010%257C%3B%20s_sq%3Dappleauhome%253D%252526pid%25253Dapple%25252520-%25252520index%25252520%25252528au%25252529%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.apple.com/au/macbook/_1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B%20s_vi%3D%5BCS%5Dv1%7C255D1DB0050114CA-6000010F00007B87%5BCE%5D%3B%20s_vnum_au%3Dch%253Dmac%2526vn%253D1%253Bch%253Dmacbook%2526vn%253D2%253Bch%253Dhomepage%2526vn%253D2%253Bch%253Ditunes%2526vn%253D1%253Bch%253Dipodtouch%2526vn%253D1%253Bch%253Dappletv%2526vn%253D1%253B&title=Cart%20-%20Apple%20Store%20%28Australia%29&referrer=http%3A//store.apple.com/au/configure/MC207X/A%3Fmco%3DMTMzNzUxNzU HTTP/1.1" 404 1259



We don't have links to the Apple store or iTunes on our site!!!!


In the error log I get this:

[Mon Nov 02 18:59:04 2009] [error] [client 60.224.52.100] File does not exist: C:/xampp/htdocs/Joomla15/40715998, referer: http://store.apple.com/au/cart

Any ideas what this is?
Thanks
John :'(


Posted: Mon Nov 02, 2009 10:47 am
Joomla! Ace
Joined: Tue Sep 06, 2005 11:18 am
Posts: 1120
Location: Germany
Yes, start reading... right at the top of this forum are

Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.

Also search the forum for iframe injection.

And what version of Joomla do you run? < 1.5.14?

_________________
MCITP - Microsoft Certified IT Professional
CCNA - Cisco Certified Network Administrator
LPI - Linux Professional
PN for Online Transcript ID Check
http://www.mindset.de


Posted: Mon Nov 02, 2009 10:53 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Running 1.5.14
also have RS-Firewall installed.


Posted: Mon Nov 02, 2009 11:13 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Folks

Here is the info from JTSPOST_EN.PHP that may help.

Problem Description:
c:\xampp\apache\logs\access file (1) is consistently, every 4 seconds, adding an entry for accessing store.apple.com/au/cart; access file was 1.3gb!
Also in the error log file (2) a similar entry is also being written.

Log/Error Message:
Quote:
124.191.112.55 - - [02/Nov/2009:22:09:09 +1100] \"GET /40715998/?site=40715998&cmd=inPage&page=http%3A//store.apple.com/au/cart&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=&javaSupport=true&id=8699907620&scriptVersion=1.1&d=1257160149033&&PAGEVAR!ConversionStage=AOS%3A%20cart&PAGEVAR!Section=product%20selection&PAGEVAR!ErrorMessage=&SESSIONVAR!Conversion-Stage=AOS%3A%20cart&SESSIONVAR!Site-Section=product%20selection&cobrowse=true&cookie=__utma%3D125090010.3292315921621627000.1242441223.1242441223.1242441223.1%3B%20__utmz%3D125090010.1242441223.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%28direct%29%7Cutmcmd%3D%28none%29%3B%20ac_survey%3D1%3B%20asbid%3Ds7XXC9HU9KC2UCYAJ%3B%20ccl%3DE3hOtesyEa51yj+hqx2OYw%3D%3D%3B%20DefaultAppleID%3Dgearing@mac.com%3B%20dssid2%3D58c7ae02-8243-467f-b380-9ed472b03cfe%3B%20geo%3DAU%3B%20Pod%3D12%3B%20s_cc%3Dtrue%3B%20s_cvp35%3D%255B%255B%2527google%253A%2520organic%2527%252C%25271244497646288%2527%255D%252C%255B%2527WWW-NAUS-ITMS-TRAILERS-IPODTOUCH%2527%252C%25271244862446206%2527%255D%252C%255B%2527google%253A%2520organic%2527%252C%25271246251587180%2527%255D%252C%255B%2527MobileMe-NEWF%2527%252C%25271246604133444%2527%255D%252C%255B%2527google%253A%2520organic%2527%252C%25271256792192135%2527%255D%255D%3B%20s_ppv%3D100%3B%20s_ria%3DFlash%252010%257C%3B%20s_sq%3Dappleauhome%253D%252526pid%25253Dapple%25252520-%25252520index%25252520%25252528au%25252529%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.apple.com/au/store/_1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B%20s_v35%3Dgoogle%253A%2520organic%3B%20s_vi%3D%5BCS%5Dv1%7C475D173000001948-A2B0B9000000979%5BCE%5D%3B%20s_vnum_au%3Dch%253Dhomepage%2526vn%253D4%253Bch%253Dmac%2526vn%253D2%253Bch%253Dmacbookpro%2526vn%253D2%253Bch%253Dmacbook%2526vn%253D2%253Bch%253Dsearch%2526vn%253D1%253Bch%253Ditunes%2526vn%253D3%253Bch%253Dipodnano%2526vn%253D1%253Bch%253Dip%2526vn%253D2%253Bch%253Dmacosxserver%2526vn%253D1%253B%3B%20s_vnum_kb%3Dch%253Dsupport%2526vn%253D1%25
3B&title=Cart%20-%20Apple%20Store%&referrer= HTTP/1.1\" 404 1259

Quote:
[Mon Nov 02 22:10:09 2009] [error] [client 124.191.112.55] File does not exist: C:/xampp/htdocs/Joomla15/40715998, referer: http://store.apple.com/au/cart

Actions Taken To Resolve:
Upgraded from 1.5.10 to 1.5.14, installed RS-Firewall, checked for directory 40715998 (doesn't exist on server) - I'm at wits' end on this.
Any help is appreciated.

Diagnostic Information
Joomla! Version: Joomla! 1.5.14 Stable [ Wojmamni Ama Naiki ] 30-July-2009 23:00 GMT
configuration.php: Writable (Mode: 666 ) | RG_EMULATION: N/A
Architecture/Platform: Windows NT 6.0 ( i586) | Web Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6 ( www.hc.net.au ) | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes |
Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(C:\xampp\tmp) is not within the allowed path(s): (C:\xampp\htdocs\Joomla15) in C:\xampp\htdocs\Joomla15\jtspost_eng.php on line 850
save.session_path: Not Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-community-nt ( localhost via TCP/IP )


Posted: Mon Nov 02, 2009 3:59 pm
Joomla! Ace
Joined: Tue Sep 06, 2005 11:18 am
Posts: 1120
Location: Germany
johnthardman wrote:
Running 1.5.14
also have RS-Firewall installed.


Well, you NOW run 1.5.14; before, you used 1.5.10.

And if Windows hosting is a good home for your Joomla... I don't think so.

Well,

you should check this list from dynamicnet:

Is the server you are on secured?

Is the server you are on kept secured (there is no such thing as a one time server hardening)?

Is the server you are on using mod_security from http://www.modsecurity.org/ ?

Are you using FTPS or FTPeS when you use FTP?

Are you using complex (12 to 16 wide, no phrases) passwords for FTP, Joomla Admin, Joomla Super Admin that are changed often?

Do you regularly review who has super admin and admin rights within Joomla?

Have you reviewed all addons that you are using to make sure they are not vulnerable?

Do you do daily scans of all machines with super admin, admin or FTP access for malware, virus, and trojans?

_________________
MCITP - Microsoft Certified IT Professional
CCNA - Cisco Certified Network Administrator
LPI - Linux Professional
PN for Online Transcript ID Check
http://www.mindset.de


Posted: Tue Nov 03, 2009 2:18 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
If you're getting errors about it not being found, then you're not being hacked.

Look at the error:
Code:
[Mon Nov 02 22:10:09 2009] [error] [client 124.191.112.55] File does not exist: C:/xampp/htdocs/Joomla15/40715998, referer: http://store.apple.com/au/cart

See the referrer? Somewhere http://store.apple.com/au/cart is linking to your site, and is getting a bad URL...

Not hacked, but something is amiss...

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι
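
Added example, not part of the original thread or any poster's code: a small Python triage of the log pattern discussed above, grouping 404 requests by first path segment and reporting the host named in each request's own `page` parameter. The sample lines are constructed (shortened from the entries quoted in the thread, with documentation-range client addresses), and `triage_404s` is a hypothetical helper name.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache access-log prefix: client, timestamp, request line, status, size.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: shortened versions of the entries quoted in the
# thread, with documentation-range client addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Nov/2009:18:59:04 +1100] "GET /40715998/?site=40715998&cmd=inPage&page=http%3A//store.apple.com/au/cart&cookie=geo%3DAU%3B%20s_cc%3Dtrue HTTP/1.1" 404 1259
192.0.2.10 - - [02/Nov/2009:18:59:08 +1100] "GET /40715998/?site=40715998&cmd=inPage&page=http%3A//store.apple.com/au/cart&cookie=geo%3DAU HTTP/1.1" 404 1259
198.51.100.7 - - [02/Nov/2009:22:09:09 +1100] "GET /40715998/?site=40715998&cmd=inPage&page=http%3A//store.apple.com/au/cart HTTP/1.1" 404 1259
203.0.113.5 - - [02/Nov/2009:22:10:00 +1100] "GET /index.php?option=com_content HTTP/1.1" 200 5120
"""

def triage_404s(log_text):
    """Group 404 requests by first path segment.

    Each group records the hit count, the distinct clients, the host named in
    the request's own `page` parameter, and whether a `cookie` parameter
    (third-party cookie values landing in this log) was present.
    """
    groups = {}
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # unparsable line or not a 404
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)
        segment = "/" + url.path.lstrip("/").split("/", 1)[0]
        g = groups.setdefault(segment, {
            "hits": 0, "clients": set(),
            "page_hosts": Counter(), "has_cookie_param": False,
        })
        g["hits"] += 1
        g["clients"].add(m.group("client"))
        for page in params.get("page", []):
            g["page_hosts"][urlsplit(page).netloc] += 1
        g["has_cookie_param"] |= "cookie" in params
    return groups

if __name__ == "__main__":
    for segment, g in triage_404s(SAMPLE_LOG).items():
        print(segment, g["hits"], sorted(g["clients"]),
              dict(g["page_hosts"]), g["has_cookie_param"])
```

A group made up only of 404s for one path, with a third-party host in `page`, is consistent with requests arriving for a resource the site never served. A `cookie` parameter means visitors' third-party cookie values are being written into the access log, so the log file itself deserves restricted access.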


Posted: Tue Nov 03, 2009 9:24 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Jeff, thanks for the info, I will follow up with store.apple.com

FW16 - I must admit that I thank you for your feedback, [abuse removed]

John


Last edited by ooffick on Tue Nov 03, 2009 8:25 pm, edited 3 times in total.
Mod Note: Personal attack removed. Keep all commentary civil, and be courteous at all times. Constructive criticism is welcome, but insults directed towards other users are not tolerated. Coarse/insulting language is not tolerated.


Posted: Tue Nov 03, 2009 7:44 pm
Joomla! Virtuoso
Joined: Mon Mar 20, 2006 1:56 am
Posts: 3724
Location: The Girly Side of Joomla in Sussex
johnthardman wrote:
Jeff thanks for the info, I will follow up with store.apple.com
FW16 - I must admit that I thank you for your feedback, <edit abuse and personal attack>
John

I was going to make some other useful suggestions but with that attitude, to get an old version of Joomla you must have been using it for over 6 months.
The suggestions by FW116 are valid, and a sticky states
Quote:
If so, unless you are running the latest version of Joomla, you probably won't get much sympathy from some of the users around here.

Take the advice and learn, as you probably won't be getting advice from any users you have abused (against forum rules) anymore.
Oh, did you virus check your computer?
/EOF

_________________
HU2HY - GIGO - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Have you read the instructions? Have you searched?


Posted: Tue Nov 03, 2009 10:58 pm
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Yes, had rs-firewall and oes-Anti-virus but it didn't help.

I'm rebuilding from scratch using the latest Joomla certified 1.7.1 XAMPP.

cheers


Posted: Wed Nov 04, 2009 1:12 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
XAMPP as installed is not secure or hardened in any way, shape, or form, and their documentation warns against using it if exposed to the web. It is to be used only as a local development platform so you can develop and test your Joomla site locally. If you are using this as a server that can be accessed from the web, then there is a lot of work to do to make it safe and you are better off starting with a more secure platform.

_________________
Phil


Posted: Wed Nov 04, 2009 2:15 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
PhilD - A while ago, 1.5.6 (I think), Joomla were stating to utilize XAMPP! If that's not the case any more, what are some recommended hardened platforms?
Cheers


Posted: Wed Nov 04, 2009 4:27 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
What I was trying to convey is that utilizing XAMPP for a local development server is fine and many of us use it on a daily basis without problem. It is true many recommend XAMPP as well as Uniform server and other Wampp installations of choice to develop Joomla sites locally on. Once the site is developed locally it is then moved to a remote domain hosting account; either the developer's own account or a client's account.

If your local XAMPP installation is accessible for some reason from the web (remotely, by a computer not on your local network), then that is bad and you need to find and fix the problem. Your local XAMPP development server should not be accessible from the web at any time for any reason.

XAMPP is not suitable for serving websites to the web without doing a lot of hardening and security work to it first. Correctly configuring and hardening XAMPP for use as a production server, or server exposed to the web, is beyond the scope that most people including me are qualified to handle.

_________________
Phil


Posted: Wed Nov 04, 2009 4:53 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
Hi Phil

Thanks for the information, I see where you're coming from (use for dev purposes only).

What are people out there using as production server software then?

John


Posted: Wed Nov 04, 2009 5:02 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
johnthardman wrote:
Hi Phil

Thanks for the information, I see where you're coming from (use for dev purposes only).

What are people out there using as production server software then?

John

Linux! ;D

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


Posted: Wed Nov 04, 2009 5:15 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Linux (Red Hat Enterprise, Ubuntu Server, etc.), CentOS, LiteSpeed, are a few.

_________________
Phil


Posted: Wed Nov 04, 2009 5:29 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
Or, if your host is really hardcore you're using *BSD...

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


Posted: Wed Nov 04, 2009 5:44 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Forgot about BSD

_________________
Phil


Posted: Wed Nov 04, 2009 5:59 am
Joomla! Virtuoso
Joined: Mon Mar 20, 2006 1:56 am
Posts: 3724
Location: The Girly Side of Joomla in Sussex
Did someone mention IIS? Or was that a cough? @Jeff kind of penguin? Subtle

_________________
HU2HY - GIGO - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Have you read the instructions? Have you searched?


Posted: Wed Nov 04, 2009 6:09 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
@mandville: he said production... lol

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


Posted: Wed Nov 04, 2009 6:11 am
Joomla! Apprentice
Joined: Mon Nov 02, 2009 8:06 am
Posts: 8
About 10 years ago or more I used to utilise SCO Unix (not even sure if it's still around),

based on you good folks' suggestions it appears Linux or BSD are the way to go.

Any preferences from you based on your experience? (Don't really want to go IIS anyway)

Cheers


Posted: Wed Nov 04, 2009 6:15 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
SCO sued IBM claiming they owned Linux... and lost. Big.

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


Posted: Wed Nov 04, 2009 6:20 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Haven't heard about SCO in quite awhile. Currently they are still in bankruptcy and still fighting the judgments against them in court.

_________________
Phil


Posted: Wed Nov 04, 2009 6:23 am
Joomla! Ace
Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
That reminds me... I have an old install disc for Caldera Linux... anybody want an iso? :P

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι

