Tiffany637

Why do I see requests from BOT/0.1 (BOT for JCE) in my server access log and what should I do about them?

@Tiffany637

Posted in: #ApacheLogFiles #Joomla #Logging #Security

My server keeps getting requests with the user agent identified as BOT/0.1 (BOT for JCE). The first one arrived 2013-09-14 22:13:17 CEST, the most recent one about three days ago, 2014-08-12 06:05:39 CEST.


Most of them (about 60 %) are HTTP/1.1 GET requests that try to fetch index.php at various locations on my site, based on paths I already use. They always result in a response with status code 404 (Not Found) or 400 (Bad Request), as I don’t use PHP at all.

About 40 % of them are HTTP/1.1 POST requests for /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager…&cid=20… where the … are either

- &version=1576 and an empty string (about 50 %), or
- &method=form and &6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b (about 50 %), or
- rarely, &method=form and &6bc427c8a71281f4fe1f5ac65c1246b5f=cf6dd3cf11223c1250586d0dd5125c8e20b

As with the GET requests, this is sometimes appended after a URL my site uses. These mostly (75 %) result in 404 or 400; but when they hit my installation of MwForum (25 %), even 200 OK (for the 1st subtype) or 500 Internal Server Error (for the 2nd and 3rd subtypes) is generated, which I assume is just poor coding of MwForum.

About 5 % of them (the “round-off” error in the percentages above) are utterly malformed requests, having parts of HTML code on the request line where the path and query string should be. Most of them try to POST to MwForum. At the beginning there is the URL of one of my site’s pages, followed by a quote, some HTML code, and at the end another URL with /index.php?option=com_jce&… appended. They probably come from dumb web scraping.


Sample log lines:

2014-08-05 22:50:32 93.95.74.25 "HTTP/1.1" GET example.com "/index.php" 400 0 0 "-" "BOT/0.1 (BOT for JCE)" "-"
2014-02-23 08:50:35 202.29.16.241 "HTTP/1.1" POST example.com "/mwforum/topic_show.pl?tid=1485/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b" 500 711 0 "-" "BOT/0.1 (BOT for JCE)" "-"
2014-01-28 15:25:55 94.23.4.47 "class="url" data-dot="url">example.com/mwforum/topic_show.pl?tid=1485</a> </div> </div> </div> <script> JAK.Fulltext.ResultScreenshotResize("#resultNumber4"); </script> </div> <div data-dot="4" data-elm="r4"> <div class="modCont result cr" id="resultNumber5"> <a href="http:/tracker.modx.com/issues/7324" class="fullclick"></a> <div class="screenshot"> <a id="modImgA-5" href="http:/tracker.modx.com/issues/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" POST example.com "/mwforum/topic_show.pl?tid=1485"" 500 711 0 "-" "BOT/0.1 (BOT for JCE)" "-"


Is the bot trying to exploit Joomla Content Editor (JCE)? I don’t use JCE, nor Joomla, nor PHP itself. What should I do about those requests?
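The log lines above can be triaged mechanically. This is an added example (not from the post) that parses the access-log layout shown in the question, tags each JCE-scanner hit by the GET/POST/malformed subtypes described above, and summarises counts per kind and per response status together with the source IPs. It matches on the com_jce query string as well as the User-Agent, since the UA is trivially changed by the sender; the three sample lines from the question are embedded, plus three constructed ones (assumed, RFC 5737 addresses).

```python
import re
from collections import Counter

# Log layout from the question: date time ip "proto" METHOD host "path" status out in "ref" "ua" "-"
LINE_RE = re.compile(r'^\S+ \S+ (?P<ip>\S+) "[^"]+" (?P<method>[A-Z]+) \S+ "(?P<path>[^"]*)"'
                     r' (?P<status>\d{3}) \d+ \d+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*"$')
# Fallback for request lines polluted with quotes/HTML: only the tail still parses cleanly.
TAIL_RE = re.compile(r' (?P<status>\d{3}) \d+ \d+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*"$')
BOT_UA = "BOT/0.1 (BOT for JCE)"
JCE_MARKER = "option=com_jce&task=plugin&plugin=imgmanager"

def classify(line):
    """Return (kind, status, ip) for a JCE-scanner hit, or None for unrelated traffic.
    Matches on the com_jce query string as well as the UA, since the UA is easily changed."""
    m = LINE_RE.match(line)
    if m is None:  # malformed request line, like the third sample in the question
        t = TAIL_RE.search(line)
        if t and (t.group("ua") == BOT_UA or JCE_MARKER in line):
            return "malformed", int(t.group("status")), line.split(" ", 3)[2]
        return None
    path, method = m.group("path"), m.group("method")
    if m.group("ua") != BOT_UA and JCE_MARKER not in path:
        return None
    if method == "POST" and JCE_MARKER in path:  # subtype 1 vs. subtypes 2/3 in the question
        kind = "post-version" if "&version=" in path else "post-form" if "&method=form" in path else "post-other"
    elif method == "GET" and path.endswith("/index.php"):
        kind = "get-probe"  # hunting for a Joomla front controller under existing paths
    else:
        kind = "other"
    return kind, int(m.group("status")), m.group("ip")

def triage(lines):
    """Count hits per kind and per HTTP status, and collect the source IPs."""
    kinds, statuses, ips = Counter(), Counter(), set()
    for hit in filter(None, (classify(l.rstrip("\n")) for l in lines)):
        kinds[hit[0]] += 1
        statuses[hit[1]] += 1
        ips.add(hit[2])
    return {"kinds": dict(kinds), "statuses": dict(statuses), "ips": sorted(ips)}

# First three entries are the question's own samples; the rest are constructed (RFC 5737 addresses).
SAMPLE_LOG = [
    '2014-08-05 22:50:32 93.95.74.25 "HTTP/1.1" GET example.com "/index.php" 400 0 0 "-" "BOT/0.1 (BOT for JCE)" "-"',
    '2014-02-23 08:50:35 202.29.16.241 "HTTP/1.1" POST example.com "/mwforum/topic_show.pl?tid=1485/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b" 500 711 0 "-" "BOT/0.1 (BOT for JCE)" "-"',
    '2014-01-28 15:25:55 94.23.4.47 "class="url" data-dot="url">example.com/mwforum/topic_show.pl?tid=1485</a> </div> </div> </div> <script> JAK.Fulltext.ResultScreenshotResize("#resultNumber4"); </script> </div> <div data-dot="4" data-elm="r4"> <div class="modCont result cr" id="resultNumber5"> <a href="http:/tracker.modx.com/issues/7324" class="fullclick"></a> <div class="screenshot"> <a id="modImgA-5" href="http:/tracker.modx.com/issues/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" POST example.com "/mwforum/topic_show.pl?tid=1485"" 500 711 0 "-" "BOT/0.1 (BOT for JCE)" "-"',
    '2014-03-02 11:02:10 198.51.100.7 "HTTP/1.1" POST example.com "/blog/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20" 404 0 0 "-" "BOT/0.1 (BOT for JCE)" "-"',
    '2014-03-02 11:03:00 203.0.113.9 "HTTP/1.1" POST example.com "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20" 404 0 0 "-" "Mozilla/5.0" "-"',
    '2014-03-02 11:03:01 203.0.113.9 "HTTP/1.1" GET example.com "/about/" 200 4096 0 "-" "Mozilla/5.0" "-"',
]
```

The fifth sample carries a browser UA but the com_jce query string, so it is still counted; relying on the UA alone would miss it.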


@Tiffany637

Yes, this bot is trying to exploit JCE. It’s probably using a very powerful publicly available exploit (+ mirror) for JCE < 2.0.11. Although this is a really outdated version, many instances are still in the wild. JCE 2.0.11 was released on 2011-08-29, and the exploit has been available since the release (if its author kept his word).

If JCE is not installed in your site, you can safely ignore these log entries. (Unless someone else is masking his attack as this one. One can never know…)

If you use an outdated version of JCE, upgrade immediately and check that no harm has been done to your site. You should probably dive into the To webmasters section of a related post at the Unmask Parasites blog.


As you can see, this is something that you can’t neglect or consider an insignificant threat. It’s silly to hope that hackers won’t find your site. Today hackers have the resources to spider the Internet almost as efficiently as Google did about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive: keep all software up-to-date and harden your sites.

In case of this particular JCE attack:

- Make sure to upgrade your Joomla site to the most current version.
- Upgrade JCE to the latest version. You can find download packages for all three branches of Joomla here.
- Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:

  <Files *.php>
  deny from all
  </Files>

- Try blocking requests with the "BOT/0.1 (BOT for JCE)" User-Agent string. Of course, this shouldn’t be considered real protection: hackers can change the User-Agent string to whatever they want. But it can help keep some dumb annoying bots away from your site.
- If, for some reason, you can’t upgrade your site at this moment, consider placing it behind a website firewall that will block any malicious traffic before it reaches your server. This is something that we call virtual patching in Sucuri CloudProxy.



Disclaimer: I am not affiliated with Sucuri in any way.

Related

- post @ Sucuri blog
- honeypot alert @ SpiderLabs – increased activity in March 2014
- post @ White Fir Design blog
- discussion @ SpambotSecurity.com
- thread @ JCE forum
- thread @ Joomla forum
- attempt to block the bot using .htaccess @ Stack Overflow (block by sending 403 Forbidden when the user agent is detected)
