The Joomla! Community Portal ™

Unintentional Honey Trap - Checking Logs
Written by Mandville   
Sunday, 13 May 2012 17:59

While checking my site logs, as should be standard practice for everyone, I discovered an unintentional honeytrap.

Q. What is the point of trying to hack an RSS feed, and is it possible?

To show how bad some of these hack attempts are, a quick look over your site's logs should highlight some of the basic hacking attempts on vulnerable extensions.

This site has a feed-to-content setup using the great FeedGator tool, which takes the Vulnerable Extensions List (VEL) and inserts it into a content item/article/post. Obviously this eventually turns up in a search engine somewhere.

Script kiddies doing their first exploit search will probably see these results and attempt to hack these links.
That is their first mistake: not having good bots or manually checking that the links are valid.

So what do these look like?
A check of the logs will show something like:

&controller=../../../../../../../../../../../proc/self/environ%0000

A check of my logs shows that all the people who recently scoured this RSS-to-content feed tried to exploit known VEL items (which are not used on the site).
So this shows that using the proc defence in your htaccess file is a wise idea, but remember to update your htaccess every time you upgrade Joomla, as they do change sometimes.

Personally I think the "best" attack is this one:
*.php?option=com_juliaportfolio

Here is the proc defender code for your htaccess.

## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# (excerpt: the [OR] chain continues with the block's remaining RewriteCond lines and its RewriteRule)

 

Here are some examples of how they would appear in the log. They are trimmed for easy reading, but also note the libwww bot, which is commented on in this topic. The 403 code indicates they were blocked.

/joomla/news//index.php?option=com_properties&controller=../../../../../../../../../../../../../../../../.
Http Code: 403
Date: May 13 08:59:15
Http Version: HTTP/1.1 Size in Bytes: 798 Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

/joomla/news//index.php?option=com_juliaportfolio&controller=../../../../../../../../../../../../../../../
Http Code: 403
Date: May 13 05:10:31
Http Version: HTTP/1.1 Size in Bytes: 706 Referer: - Agent: libwww-perl/5.834

[Image: hack attempt log screenshot]
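
As an added example (not from the original article), the Python sketch below runs the same check over access-log lines: it flags requests that match the two htaccess conditions above or a ../ chain in controller=, and records whether each one was answered with a 403. The Apache combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two htaccess conditions from this page, plus ../ traversal in controller=
RULES = {
    "proc_self_environ": re.compile(r"proc/self/environ"),
    "mosconfig_override": re.compile(r"mosConfig_[a-zA-Z_]{1,21}="),
    "controller_traversal": re.compile(r"(?:^|&)controller=(?:\.\./)+"),
}
# Assumption: Apache combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
OPTION_RE = re.compile(r"(?:^|&)option=(com_\w+)")

def classify(uri):
    """Return sorted names of the rules matched by the URI's query string."""
    query = uri.partition("?")[2]
    for _ in range(3):  # bounded decoding, so percent-encoded forms match too
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def scan(lines):
    """Return one record per log line whose request matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        rules = classify(m["uri"]) if m else []
        if rules:
            opt = OPTION_RE.search(m["uri"].partition("?")[2])
            hits.append({"ip": m["ip"], "agent": m["agent"], "rules": rules,
                         "option": opt.group(1) if opt else None,
                         "blocked": m["status"] == "403"})
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the page
SAMPLE = [
    '192.0.2.10 - - [13/May/2012:08:59:15 +0000] "GET /joomla/news//index.php?option=com_properties&controller=../../../../proc/self/environ%0000 HTTP/1.1" 403 798 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '198.51.100.7 - - [13/May/2012:05:10:31 +0000] "GET /joomla/news//index.php?option=com_juliaportfolio&controller=../../../../proc/self/environ%0000 HTTP/1.1" 200 706 "-" "libwww-perl/5.834"',
    '203.0.113.5 - - [13/May/2012:09:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for hit in scan(SAMPLE):
        flag = "blocked" if hit["blocked"] else "REVIEW: not blocked"
        print(hit["ip"], hit["option"], ",".join(hit["rules"]), flag)
```

A matching request with any status other than 403 is the line to look at first, since it means the rule was not in effect for that request.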