SA Websites under attack?

Bule

SA Websites under attack?

So-called hackers in search of a Joomla 1.5 exploit; some entries from my log:

88.228.151.113 - - [30/Sep/2008:14:46:02 +0200] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 3341 "-" "Opera/9.22 (Windows NT 5.1; U; tr)"

88.238.254.174 - - [01/Oct/2008:19:01:27 +0200] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 3287 "http://www.google.com.tr/search?hl=tr&lr=&cr=countryZA&as_qdr=all&q=inurl:com_user+intext:africa&start=20&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"

88.228.70.250 - - [03/Oct/2008:10:27:13 +0200] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 3287 "http://www.google.com.tr/search?num=100&hl=tr&suggon=0&client=firefox-a&channel=s&rls=org.mozilla%3Atr%3Aofficial&as_qdr=all&q=inurl%3Aco.za%2Bcom_user&btnG=Ara&meta=" "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"


82.114.83.85 - - [05/Oct/2008:14:15:38 +0200] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 3092 "http://www.google.com/search?hl=en&q=inurl:index.php%3Foption%3Dcom_user+site:.za&start=40&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"

So change the login if it is "admin" to something else. Upgrade, or patch components/com_user/models/reset.php:

function confirmReset($token)
{
    global $mainframe;
    #################
    // Added check: reject any token that is not exactly 32 characters
    // before it is used in the query below
    if (strlen($token) != 32) {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }
    #################
    $db = &JFactory::getDBO();
    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

    // Verify the token
    if (!($id = $db->loadResult()))
    {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }

    // Push the token and user id into the session
    $mainframe->setUserState($this->_namespace.'token', $token);
    $mainframe->setUserState($this->_namespace.'id', $id);

    return true;
}
 


You meant atac as in Atic Atac? :p

Or do you mean Attack? :D
 
All of them are on Windows, so there may be an exploit or two.
While we are talking, another one, not from Albania or Turkey, this time from Yemen:

82.114.160.33 - - [05/Oct/2008:16:51:15 +0200] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 3150 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 
Really don't know; the website is on a Fedora virtual host at WebAfrica.
 
I do not know if you paid attention to the following part of that sample from the log file:

"http://www.google.com.tr/search?hl=tr&lr=&cr=countryZA&as_qdr=all&q=inurl:com_user+intext:africa&start=20&sa=N"

They are looking for SA websites on Google with 'inurl:com_user intext:africa' or 'inurl:index.php?option=com_user site:.za'. They will not hack in even if they manage to reset the admin password, unless the ID is "admin". Applying the patch (between the two rows of hashes in my first post) can also help.
Pests
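A small log check for the pattern discussed in this thread, as an added example that is not part of any post here: it parses Apache combined-format lines (the format and regex are assumptions based on the entries quoted above), flags com_user reset/remind requests, and marks those whose referrer is a search-engine query containing com_user, i.e. visitors who arrived via the search described in this post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined-log format, as in the entries quoted in this thread (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# com_user views probed by the scanners in the thread's log entries.
SUSPECT_VIEWS = {"reset", "remind"}


def classify(line):
    """Return a finding dict for a com_user reset/remind request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["path"]).query)
    if query.get("option", [""])[0] != "com_user":
        return None
    view = query.get("view", [""])[0]
    if view not in SUSPECT_VIEWS:
        return None
    finding = {"ip": m["ip"], "view": view, "dorked": False, "dork": ""}
    ref = m["referer"]
    # A referrer that is a search query mentioning com_user means the visitor
    # found the site by searching for this component, as described in the post.
    if "/search?" in ref:
        q = parse_qs(urlparse(ref).query).get("q", [""])[0]
        if "com_user" in q:
            finding["dorked"] = True
            finding["dork"] = q
    return finding


def scan(lines):
    """Return findings for all matching lines, in input order."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample: two entries from the thread (user agents shortened)
# plus one ordinary page view that must not be flagged.
SAMPLE = [
    '88.238.254.174 - - [01/Oct/2008:19:01:27 +0200] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 3287 "http://www.google.com.tr/search?hl=tr&lr=&cr=countryZA&as_qdr=all&q=inurl:com_user+intext:africa&start=20&sa=N" "Mozilla/5.0"',
    '82.114.160.33 - - [05/Oct/2008:16:51:15 +0200] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 3150 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [05/Oct/2008:16:52:00 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```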
 
And another one:

88.241.155.103 - - [05/Oct/2008:19:36:25 +0200] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 3092 "http://www.google.com.tr/search?hl=tr&q=index.php%3Foption%3Dcom_user+site:za&start=50&sa=N" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"

New national sport in Turkey?
 