Very Funny "com_user&task=activate&activation" logs

Discussion regarding Joomla! 3.x security issues.

Post by doushabu06 » Sun Oct 04, 2015 1:09 am

I have seen very suspicious logs in Apache that look like the following. Note that I have replaced the actual characters with "The-characters" and the actual IP address with "IP":

IP - - [03/Oct/2015:06:08:52 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://some-other-website" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:08:54 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 404 1496 "http://www.my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:01 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:01 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:02 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:03 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:05 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:06 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:07 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:08 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:09 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:10 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:11 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:12 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:24 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:25 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:37 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
IP - - [03/Oct/2015:06:09:38 -0400] "GET /index.php?option=com_user&task=activate&activation=The-characters HTTP/1.1" 301 1147 "http://my-website.com/index.php?option=com_user&task=activate&activation=The-characters" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 YaBrowser/15.2.2214.3645 Safari/537.36"
What's funny with these logs is that the exact same characters are present in all the "The-characters" while the IPs are different. These entries have been coming up in the Apache logs for three days now, and with some of the same IPs. Is this safe, or is it just a very weird user opening the Joomla user registration emailed activation link on multiple devices? I would appreciate your help, please.


Re: Very Funny "com_user&task=activate&activation" logs

Post by itoctopus » Sun Oct 04, 2015 7:58 am

We get these all the time on many of the websites we manage. Nothing to really worry about.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter


Re: Very Funny "com_user&task=activate&activation" logs

Post by Bernard T » Mon Oct 05, 2015 11:22 am

If all of the "the-characters" are exactly the same, then it's most probably just a script kiddie's script gone wild. Can't do anything bad if the activation hash is wrong.
The notable thing is that almost all faked user-agent tags are the same.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
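
An added example, not part of any post in this thread: one way to check an Apache combined-format access log for the pattern discussed above, a single activation value requested from several client addresses with one shared user agent. The function name, the `min_ips` threshold and the sample lines (documentation IP ranges, placeholder tokens and user agents) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields needed for the check are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Parameter order as it appears in the logged requests: task=activate&activation=<value>
TOKEN_RE = re.compile(r'[?&]task=activate&activation=([^&]+)')

def _line(ip, token, status, ua):
    """Build one constructed log line in combined format."""
    return (f'{ip} - - [03/Oct/2015:06:09:01 -0400] "GET /index.php?option=com_user'
            f'&task=activate&activation={token} HTTP/1.1" {status} 1147 "-" "{ua}"')

BOT_UA = "Mozilla/5.0 (Windows NT 5.1) ExampleBrowser/1.0"       # constructed
USER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/2.0"   # constructed
SAMPLE_LOG = "\n".join([                                          # constructed sample
    _line("192.0.2.10", "TOKEN-A", 301, BOT_UA),
    _line("198.51.100.7", "TOKEN-A", 404, BOT_UA),
    _line("203.0.113.5", "TOKEN-A", 301, BOT_UA),
    _line("192.0.2.10", "TOKEN-A", 301, BOT_UA),
    _line("192.0.2.99", "TOKEN-B", 200, USER_UA),
    '192.0.2.99 - - [03/Oct/2015:06:10:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "x"',
    "truncated line that does not parse",
])

def activation_clusters(log_text, min_ips=3):
    """Return activation values requested from at least min_ips distinct client addresses."""
    seen = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "statuses": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        t = TOKEN_RE.search(m.group("url")) if m else None
        if not t:
            continue  # unparseable line, or not an activation request
        rec = seen[t.group(1)]
        rec["hits"] += 1
        rec["ips"].add(m.group("ip"))
        rec["uas"].add(m.group("ua"))
        rec["statuses"].add(int(m.group("status")))
    return {
        token: {"hits": r["hits"], "distinct_ips": len(r["ips"]),
                "single_user_agent": len(r["uas"]) == 1, "statuses": sorted(r["statuses"])}
        for token, r in seen.items() if len(r["ips"]) >= min_ips
    }

if __name__ == "__main__":
    for token, info in activation_clusters(SAMPLE_LOG).items():
        print(token, info)
```

A value that shows up from many addresses but only ever returns redirects or 404s, as in the sample, matches what the replies describe; a 200 response for such a value would be the case worth a closer look at the user table.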

