HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Ph1L 15th May 2013 11:36

Joomla 1.5 websites
 
Hi there,

After moving several websites to ISPConfig, we see that some websites get a randomfilename.php uploaded to the root directory, like /var/www/clients/clientX/webX/web

The file is 100% an exploit, used to see directories, eval_base64, etc.

How to prevent this?

fbartels 15th May 2013 13:23

Your best chance would be to replace this very old Joomla version with a more recent one without the security hole the attacker uses.

Ph1L 15th May 2013 13:25

Our 1.5.x are all on latest version 1.5.26, and cannot be upgraded to 2.5 or later.
Possibly a chmod on the web folder, so that no one can create files there?

jnsc 15th May 2013 16:03

Never allow execution of scripts in upload dirs!!!

Have a look at this link:

http://blog.kupchanko.cv.ua/2012/09/...ubdirectories/

Ph1L 15th May 2013 16:05

I think I found the issue - JCE BOT - The Joomla installations had outdated JCE versions, according to http://docs.joomla.org/Vulnerable_Extensions_List

41.107.141.X - - [08/May/2013:23:07:11 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 67 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:12 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 36 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:12 +0200] "GET /images/stories/gh.php?ghz HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:13 +0200] "GET /gh.html HTTP/1.1" 200 446 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:16 +0200] "GET / HTTP/1.1" 500 1852 "-" "BOT/0.1 (BOT for JCE)"

Now JCE is updated :)
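
The request sequence in the log excerpt above (a POST to the JCE image manager, then a GET for a .php file under /images/ from the same client) can be searched for in the access logs of the other migrated sites. This is an added example, not part of the original posts; the function name and the sample lines (documentation-range IPs, a made-up file name) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: client, timestamp, request line, status, size, referer, UA
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Request shape from the thread: POST to the JCE imgmanager plugin
JCE_POST = re.compile(r'option=com_jce\b.*\bplugin=imgmanager\b')
# PHP served from the Joomla media tree, which should only hold static files
PHP_IN_IMAGES = re.compile(r'^/images/[^?]*\.php(\?|$)', re.I)

def find_jce_upload_chains(lines):
    """Return one finding per successful GET of a .php file under /images/
    made by a client that earlier POSTed to the JCE image manager."""
    posted = defaultdict(int)  # client IP -> JCE imgmanager POSTs seen so far
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        ip, url = m["ip"], m["url"]
        if m["method"] == "POST" and JCE_POST.search(url):
            posted[ip] += 1
        elif (m["method"] == "GET" and PHP_IN_IMAGES.match(url)
              and m["status"] == "200" and posted[ip]):
            findings.append({"ip": ip, "time": m["ts"],
                             "path": url.split("?")[0], "ua": m["ua"]})
    return findings

# Constructed sample lines modelled on the excerpt in the thread
SAMPLE = [
    '192.0.2.10 - - [08/May/2013:23:07:12 +0200] "POST /index.php?option=com_jce'
    '&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" '
    '200 36 "-" "BOT/0.1 (BOT for JCE)"',
    '192.0.2.10 - - [08/May/2013:23:07:12 +0200] "GET /images/stories/x.php?ghz '
    'HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"',
    '198.51.100.7 - - [08/May/2013:23:08:01 +0200] "GET /images/stories/photo.jpg '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/May/2013:23:08:05 +0200] "GET /images/stories/x.php '
    'HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_jce_upload_chains(SAMPLE):
        print(hit)
```

Any path it reports is a file to inspect and remove on disk; the match does not depend on the user agent string, which a client can change.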

till 15th May 2013 16:55

I recommend installing Apache mod_security. It will block almost all attacks with its filters.


All times are GMT +2.