Wednesday, January 12, 2011

Error 404 ... we are watching you.

The other day I helped out with the coding of a php page for error 404 handling in a Joomla framework. The idea was that when a 404 is generated the event would be logged for analysis.

The results where pretty boring, GoogleBot who scanned the website for pages that didn't exist anymore ... so nothing special to report until I got this one:

Page:/[a path on the server]/index.php
Browser:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de;rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Request Method: GET Request
Request URI: /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php

The remote IP addresses where 188.61.137.55 and 195.191.54.46. A lookup on MaxMind Geoip shows us that 188.61.137.55 is an IP address in Aarau, Switzerland (ISP: Bluewin) and 195.191.54.46 is an IP in Latvia (ISP:Sia Venditore).

It was clear that this scan was part of some scanner but why the website on which my code is running is targetted is still unclear to me. The ozio gallery2 was never installed on this joomla installation.

A google search for the websites with a url containing the string "/en/components/com_oziogallery2" gave me a list of 13.500 possible exploitable sites. A look at exploit db gave us immediately an insight what the attacker was up to.

So my lessons learned from this is :
1. Modify the error 404 page in any framework so you can find interesting data.
2. I have proof that any website is scanned and there has not to be any particular reason. This was an eye opener to the person who asked me to code the page.