atack?


Post by ruigato » Mon Aug 22, 2005 8:08 am

http://www.arouca.biz/ - 4:12:41 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:04:57 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:04:49 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:04:45 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:04:37 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:04:35 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:04:26 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:04:22 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:04:14 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:04:11 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:04:03 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:59 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:03:52 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:48 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:03:44 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:44 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:03:28 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:25 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:03:17 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:14 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:03:06 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:03:02 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:02:54 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:02:51 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:02:48 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:02:39 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:02:31 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:02:28 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:02:20 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:02:16 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:02:08 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:02:05 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 4:01:57 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... 0somequery - 4:01:53 Thu 28th July 2005
http://www.arouca.biz/index.php?option= ... _users%20/* - 3:54:40 Thu 28th July 2005
http://www.arouca.biz/mambo/index.php?o ... _users%20/* - 3:54:31 Thu 28th July 2005
http://www.arouca.biz/ - 3:51:09 Thu 28th July 2005
http://www.arouca.biz/index.php?option=c... - 3:50:52 Thu 28th July 2005 (link target contained: alert(document.cookie)&mosmsg= Hi,%20I%20am%20an%20XSS%20Problem)
http://www.arouca.biz/index.php?option=c... - 3:50:39 Thu 28th July 2005 (link target contained: alert(document.cookie)&mosmsg= Hi,%20I%20am%20an%20XSS%20Problem)
http://www.arouca.biz/index.php?option=c... - 3:50:28 Thu 28th July 2005 (link target contained: alert(document.cookie)&mosmsg= Hi,%20I%20am%20an%20XSS%20Problem)
http://www.arouca.biz/index.php?option=c... - 3:50:16 Thu 28th July 2005 (link target contained: alert(document.cookie)&mosmsg= Hi,%20I%20am%20an%20XSS%20Problem)
http://www.arouca.biz/index.php?option=c... - 3:50:05 Thu 28th July 2005 (link target contained: alert(document.cookie)&mosmsg= Hi,%20I%20am%20an%20XSS%20Problem)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:49:51 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:49:40 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:49:28 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:49:17 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:49:05 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:48:54 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:48:45 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:48:31 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/index.php?option= ... mitstart=1 - 3:48:20 Thu 28th July 2005 (link target contained: alert(document.cookie)&limitstart=1)
http://www.arouca.biz/ - 3:43:05 Thu 28th July 2005

I had this attack from 82.155.145.241.

Is this a vulnerability, or is there any problem?

Thanks


Post by kenmcd » Mon Aug 22, 2005 12:16 pm

I would like to see the actual URLs.

Please post using CODE so your info is not cut off.

Thanks.

Post by anthonyaykut » Tue Aug 23, 2005 10:20 am

Yes, please include the complete code -- as far as I can see from what you have included, the "perp" is trying to ascertain whether an XSS (cross-site scripting) problem exists in any of your page(s). The first step is usually to check if a basic script can be injected into any of the pages, and from there more complex scripts could be used for a variety of actions.

That's the Mambo/PHP/scripting side... let's see about the IP number now.
A first check on the IP # via a Query of the RIPE Whois Database reveals:

inetnum:      82.155.128.0 - 82.155.191.255
...
person:       Alfredo Alvim
address:      Telepac II - Comunicacoes Interactivas, SA
address:      Av. Fontes Pereira de Melo, 40
address:      Forum Picoas - 1069-300 Lisboa
address:      PT
phone:        +351-21-7900000
fax-no:       +351-21-7907001
e-mail:       aalvim@tp.telepac.pt
nic-hdl:      AA2895-RIPE
remarks:      For abuse related reports, please use abuse@mail.telepac.pt
mnt-by:       TELEPAC-MNT
source:       RIPE # Filtered

You could also fire off an email to abuse@mail.telepac.pt to say something along the lines of "according to your logs (provide some info, etc.) this IP number has tried to exploit your site trying to inject XSS code in your web pages blah blah and could they please investigate and take appropriate action according to their AUP (acceptable use policy) and/or TOS (terms of service)".

Hope this helps ... regards,
Anthony.
Anthony Atilla Aykut // Webmaster - Frame4 Security Systems
"You don't need eyes to see, you need vision" - Faithless
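
Added example (not part of the original thread, and not Joomla! or Mambo code): a minimal log triage script for the kind of probing described in the post above. It decodes each query parameter, flags script-injection and SQL-comment markers, and summarizes hits per source address for an abuse report; the log layout, addresses and parameter names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample, assumed layout "IP ISO-timestamp request-URI";
# addresses are documentation ranges, parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.9 2005-07-28T03:40:00 /index.php?option=com_content&limitstart=1
198.51.100.7 2005-07-28T03:48:20 /index.php?option=com_content&item=alert(document.cookie)&limitstart=1
198.51.100.7 2005-07-28T03:50:05 /index.php?option=com_content&item=alert(document.cookie)&mosmsg=Hi,%20I%20am%20an%20XSS%20Problem
198.51.100.7 2005-07-28T03:54:40 /index.php?option=com_content&item=1%20tbl_users%20/*
198.51.100.7 2005-07-28T04:01:53 /index.php?option=com_content&item=1%2520tbl_users%2520%252F%252A
"""

RULES = {
    "script-probe": re.compile(r"<\s*script|document\.cookie|\balert\s*\(", re.I),
    "sql-comment": re.compile(r"/\*|--(\s|$)"),
}

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C and %3C both become '<'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def scan(log_text):
    """Return {ip: [(timestamp, rule, parameter), ...]} for flagged requests."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        ip, stamp, uri = parts
        for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            text = fully_decode(value)
            for rule, pattern in RULES.items():
                if pattern.search(text):
                    findings[ip].append((stamp, rule, name))
    return dict(findings)

def abuse_summary(findings):
    """One line per source: hit count, time window and rules seen."""
    lines = []
    for ip, hits in sorted(findings.items()):
        stamps = sorted(h[0] for h in hits)
        rules = ", ".join(sorted({h[1] for h in hits}))
        lines.append(f"{ip}: {len(hits)} hits, {stamps[0]} to {stamps[-1]} ({rules})")
    return lines

if __name__ == "__main__":
    print("\n".join(abuse_summary(scan(SAMPLE_LOG))))
```

The per-source summary lines, together with the matching raw log entries, are the kind of evidence an ISP abuse desk needs to act on a report.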


Post by d3vlabs » Tue Aug 23, 2005 10:54 am

Most likely spambots or someone scanning ranges for open ports/sploits. Unless you have enemies or you are hosting something that might be in high demand, your risk of getting hacked is not that high. If this repeats again I would recommend following the advice posted by anthonyaykut. Just for your own sense of security you can change your SQL db password and backend password.


Post by masterchief » Thu Sep 01, 2005 4:46 am

ruigato, can you upload a text file of the logs, please?

Thanks in advance

Post by ruigato » Thu Sep 01, 2005 9:31 am

I changed server, lost it in the transfer :-\

