Michael Lazin on 27 Apr 2009 15:54:29 -0700
Hi, I recently discovered that one of our customer's databases was overloaded and abused, it appears to be due to a joomla fireboard vulnerability. I found this log entry that definitely looks suspicious, although I'm not sure this is definitely the hack. I've replaced the domain name with x's to protect the vulnerable

access.log.16.gz:123.186.131.104 - - [16/Apr/2009:02:01:13 -0400] "POST /administrator/index2.php HTTP/1.1" 200 142884 www.xxx.com "http://www.xxx.com/administrator/index2.php?option=com_content&sectionid=0&mosmsg=1%20\xe6\x9d\xa1\xe7\x9b\xae\xe6\x88\x90\xe5\x8a\x9f\xe5\xa4\x8d\xe5\x88\xb6\xe5\x88\xb0\xe5\x8d\x95\xe5\x85\x83:%20\xe6\x89\x80\xe6\x9c\x89\xe6\x96\x87\xe7\xab\xa0,%20\xe5\x88\x86\xe7\xb1\xbb:%20\xe5\x8a\xa0\xe6\x8b\xbf\xe5\xa4\xa7\xe7\x94\x9f\xe6\xb4\xbb" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Alexa Toolbar)" "-"

I did a cursory search for Joomla Fireboard SQL injection vulnerabilities and found nothing. IMHO joomla is crap, I see it cracked all the time, but I am interested in this because I see SQL injection attacks more commonly on M$ servers, and I haven't found any documentation on this particular exploit. Anyone know where I should look for fireboard vulnerabilities or where I should post to if this turns out to be something new?

Thanks

--
Michael Lazin

ASCII ribbon campaign ( )
 against HTML e-mail   X
                      / \

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
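Added example, not part of the original message: a small triage script that parses the access-log line quoted above, turns the \xhh escapes in the referer back into UTF-8 text, and checks the decoded parameters against a short list of SQL tokens. The field layout in LOG_RE, the function name triage and the SQL_HINTS list are assumptions made for this example; SQL_HINTS is a coarse filter, not a complete injection signature.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Log line from the post, with the e-mail line-wrap spaces removed and "§ionid"
# read as "&sectionid" (assumption: "&sect" was rendered as an HTML entity).
LINE = (
    r'access.log.16.gz:123.186.131.104 - - [16/Apr/2009:02:01:13 -0400] '
    r'"POST /administrator/index2.php HTTP/1.1" 200 142884 www.xxx.com '
    r'"http://www.xxx.com/administrator/index2.php?option=com_content'
    r'&sectionid=0&mosmsg=1%20\xe6\x9d\xa1\xe7\x9b\xae\xe6\x88\x90\xe5\x8a\x9f'
    r'\xe5\xa4\x8d\xe5\x88\xb6\xe5\x88\xb0\xe5\x8d\x95\xe5\x85\x83:%20'
    r'\xe6\x89\x80\xe6\x9c\x89\xe6\x96\x87\xe7\xab\xa0,%20\xe5\x88\x86'
    r'\xe7\xb1\xbb:%20\xe5\x8a\xa0\xe6\x8b\xbf\xe5\xa4\xa7\xe7\x94\x9f'
    r'\xe6\xb4\xbb" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; '
    r'Alexa Toolbar)" "-"'
)

# Optional "file:" prefix (grep output), then the fields in the order seen in
# the post: ip, ident, user, [time], "request", status, bytes, vhost, "referer".
LOG_RE = re.compile(
    r'(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<vhost>\S+) "(?P<referer>(?:[^"\\]|\\.)*)"'
)

# Assumed, deliberately small token list for a first-pass look at parameters.
SQL_HINTS = re.compile(r"(?i)\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b|--|/\*|'")

def triage(line):
    """Parse one log line; return decoded referer parameters and any SQL hints."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache writes raw non-ASCII header bytes as \xhh; re-express them as %hh
    # so the standard URL parser can decode the query string as UTF-8.
    referer = re.sub(r'\\x([0-9a-fA-F]{2})', r'%\1', m['referer'])
    params = dict(parse_qsl(urlsplit(referer).query, keep_blank_values=True,
                            encoding='utf-8', errors='replace'))
    return {
        'ip': m['ip'], 'method': m['method'], 'path': m['path'],
        'status': int(m['status']), 'params': params,
        'sql_hints': sorted(k for k, v in params.items() if SQL_HINTS.search(v)),
    }

if __name__ == '__main__':
    print(triage(LINE))
```

On the line from the post, mosmsg decodes to Chinese-language text and sql_hints comes back empty.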