Joomla 1.5 websites

Discussion in 'General' started by Ph1L, May 15, 2013.

  1. Ph1L

    Ph1L New Member

    Hi there,

    After moving several websites to ISPConfig, we see that some websites get randomfilename.php uploaded in the root directory, like /var/www/clients/clientX/webX/web

    The file is 100 % an exploit, in order to see directories, eval_base64 etc.

    How to prevent this?
     
  2. fbartels

    fbartels New Member

    Your best chance would be to replace this very old Joomla version with a more recent one without the security hole the attacker uses.
     
  3. Ph1L

    Ph1L New Member

    Our 1.5.x are all on latest version 1.5.26, and cannot be upgraded to 2.5 or later.
    Possible to chmod the web folder, so that no one can create files there?
     
  4. jnsc

    jnsc rotaredoM Moderator

  5. Ph1L

    Ph1L New Member

    I think I found the issue - JCE BOT - The Joomla installations had outdated JCE versions, according to http://docs.joomla.org/Vulnerable_Extensions_List

    41.107.141.X - - [08/May/2013:23:07:11 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 67 "-" "BOT/0.1 (BOT for JCE)"
    41.107.141.X - - [08/May/2013:23:07:12 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 36 "-" "BOT/0.1 (BOT for JCE)"
    41.107.141.X - - [08/May/2013:23:07:12 +0200] "GET /images/stories/gh.php?ghz HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"
    41.107.141.X - - [08/May/2013:23:07:13 +0200] "GET /gh.html HTTP/1.1" 200 446 "-" "BOT/0.1 (BOT for JCE)"
    41.107.141.X - - [08/May/2013:23:07:16 +0200] "GET / HTTP/1.1" 500 1852 "-" "BOT/0.1 (BOT for JCE)"

    Now JCE is updated :)
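
Added example, not part of the original thread: a Python check for the pattern visible in the log excerpt above (the "BOT for JCE" user agent, a POST to the com_jce imgmanager plugin, then a 200 response for a PHP file under /images/). The tag names and the 192.0.2.10 log line are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def classify(entry):
    """Return the set of indicator tags for one parsed log entry."""
    tags = set()
    url = urlsplit(entry["target"])
    query = parse_qs(url.query, keep_blank_values=True)
    if "BOT for JCE" in entry["agent"]:
        tags.add("jce-bot-agent")
    if (entry["method"] == "POST" and query.get("option") == ["com_jce"]
            and query.get("plugin") == ["imgmanager"]):
        tags.add("jce-imgmanager-post")
    # A 200 for a .php file in the media directory means uploaded code was served
    if (url.path.startswith("/images/") and url.path.lower().endswith(".php")
            and entry["status"] == "200"):
        tags.add("php-in-images")
    return tags

def scan(lines):
    """Collect indicators per client. 'likely-compromise' means an upload POST
    was followed by a 200 for a PHP file under /images/ from the same client."""
    report = defaultdict(lambda: {"tags": set(), "paths": []})
    for m in filter(None, (LINE_RE.match(l.strip()) for l in lines)):
        entry = m.groupdict()
        tags, client = classify(entry), report[entry["host"]]
        if "php-in-images" in tags:
            client["paths"].append(urlsplit(entry["target"]).path)
            if "jce-imgmanager-post" in client["tags"]:
                tags.add("likely-compromise")
        client["tags"] |= tags
    return {host: c for host, c in report.items() if c["tags"]}

# The first two lines are taken from the post above; the last one is constructed.
SAMPLE = [
    '41.107.141.X - - [08/May/2013:23:07:12 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 36 "-" "BOT/0.1 (BOT for JCE)"',
    '41.107.141.X - - [08/May/2013:23:07:12 +0200] "GET /images/stories/gh.php?ghz HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"',
    '192.0.2.10 - - [08/May/2013:23:09:00 +0200] "GET /images/stories/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `scan()` over each site's access log and listing the collected `paths` shows which dropped files to look for on disk after updating JCE.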
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I recommend installing Apache mod_security. It will block almost all attacks with its filters.
     
