The results were pretty boring: Googlebot crawling for pages that didn't exist anymore ... so nothing special to report, until I got this one:
Page:/[a path on the server]/index.php
Browser:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de;rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Request Method: GET Request
Request URI: /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php
Browser:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de;rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Request Method: GET Request
Request URI: /en/components/com_
The remote IP addresses were 188.61.137.55 and 195.191.54.46. A lookup on MaxMind GeoIP shows that 188.61.137.55 is an IP address in Aarau, Switzerland (ISP: Bluewin) and 195.191.54.46 is an IP in Latvia (ISP: Sia Venditore).
It was clear that these requests came from some scanner, but why the website on which my code is running was targeted is still unclear to me. Ozio Gallery 2 was never installed on this Joomla installation.
A Google search for websites with a URL containing the string "/en/components/com_oziogallery2" gave me a list of 13.500 possibly exploitable sites. A look at Exploit-DB immediately gave an insight into what the attacker was up to.
So my lessons learned from this are:
1. Modify the 404 error page in any framework so that it records the request; you will find interesting data.
2. I have proof that any website gets scanned, and there need not be any particular reason for it. This was an eye opener to the person who asked me to code the page.
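As an added example (not the post author's code), here is a small Python script that reads 404 records in the same layout the post's logger produced, groups them by client IP, and flags the IPs that asked for the two probe paths seen on this page (the com_oziogallery2 writeToFile.php path from the post and the tinybrowser upload.php path from the comments). The log text, the IP addresses (RFC 5737 documentation ranges) and the "Remote IP" field name are constructed for the example; the post's own output did not show the IP inline.

```python
import re
from collections import defaultdict

# Request paths this page reports being probed on a Joomla site where the
# corresponding extension was never installed. Any 404 for one of these is a
# scanner looking for a known vulnerable component, not a stale link.
KNOWN_PROBE_PATHS = (
    "/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php",
    "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php",
)

# Constructed sample in the layout of the post's 404 logger. Records are
# separated by a blank line; IPs are documentation addresses, not the real ones.
SAMPLE_LOG = """\
Page: /site/index.php
Remote IP: 203.0.113.9
Browser: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0
Request Method: GET
Request URI: /en/old-news-article.html

Page: /site/index.php
Remote IP: 198.51.100.7
Browser: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Request Method: GET
Request URI: /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php

Page: /site/index.php
Remote IP: 198.51.100.7
Browser: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Request Method: GET
Request URI: /en/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php

Page: /site/index.php
Remote IP: 192.0.2.44
Browser: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Request Method: GET
Request URI: /en/removed-page.html
"""

# One "Field: value" line per log line; field names are those of the sample above.
FIELD_RE = re.compile(r"^(Page|Remote IP|Browser|Request Method|Request URI):\s*(.*)$")


def parse_404_log(text):
    """Split blank-line separated records into dicts keyed by field name."""
    records = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def matched_probe(uri):
    """Return the known probe path the URI ends with, or None.

    Comparing on the suffix ignores language prefixes such as /en/ that
    Joomla puts in front of the component path.
    """
    path = uri.split("?", 1)[0]
    for probe in KNOWN_PROBE_PATHS:
        if path.endswith(probe):
            return probe
    return None


def find_scanners(records):
    """Map client IP -> list of known probe paths it requested (404s only)."""
    hits = defaultdict(list)
    for rec in records:
        probe = matched_probe(rec.get("Request URI", ""))
        if probe:
            hits[rec.get("Remote IP", "?")].append(probe)
    return dict(hits)


if __name__ == "__main__":
    for ip, probes in find_scanners(parse_404_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(probes))
```

Ordinary broken links (the Googlebot hit for a removed page) are left alone; only requests for the known exploit probe paths are attributed to an IP, which is the kind of entry worth a GeoIP lookup or a firewall rule.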
2 comments:
Lately we are seeing these pop up as well:
/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php
I guess it comes from this: http://www.hack0wn.com/view.php?xroot=337.0&cat=exploits
And here is the IP list:
- 66.45.234.181(Roselle, New Jersey, US)
- 195.191.54.46 (Latvia, again the same IP :)
I forgot one IP:
188.61.137.55 Aargau, Switzerland, same ISP as the previous time :)