Joomla index.php Defaced

This thread in the "Sicherheit & Datenschutz" forum was created by Spy on 5 March 2010.

  1. 5 March 2010
    Hello RR members,

    I recently had a problem with defacers on my site.
    They replaced my index.php in my template folder in Joomla.

    Here is the link: http://abofallen.net/defacer/
    That is what the site looked like afterwards.

    For what reasons were they able to replace my template index.php?
    How can I close this hole?

    Kind regards
    SpY
    A rating (bw) goes without saying

    // here is the idiot's profile:
    http://www.zone-h.com/archive/notifier=oche_an3h
     
  2. 5 March 2010
    Re: Problem with defacers

    You would have to give us a bit more information. Do you have logs from your web server? Then one could see what exactly was done and proceed accordingly. Otherwise, always use the latest version of Joomla and check whether there are exploits for any plugins or the like.
     
  3. 5 March 2010
    Re: Problem with defacers

    I actually found an IP from the direction of Asia in the logs ... here is the log excerpt.
    It is also the only thing that stands out:

    Spoiler
    -[04/Mar/2010:11:40:28 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:30 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%60%28%5B%7B%5E%7E HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:31 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%20aND%208%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:32 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%20aND%208%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:33 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%20aND%20%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:34 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%20aND%20%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:35 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%09aND%098%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:36 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%09aND%098%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:36 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%09aND%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:37 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%09aND%09%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:38 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39/**/aND/**/8%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:39 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39/**/aND/**/8%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:40 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:41 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27/**/aND/**/%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:42 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27%20aND%20%278%25%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:43 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27%20aND%20%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:44 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27%09aND%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:45 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27%09aND%09%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:46 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:47 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%25%27/**/aND/**/%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:47 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%20XoR%208%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:48 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%20XoR%208%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:49 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%09XoR%098%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:50 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%09XoR%098%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:51 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39/**/XoR/**/8%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:52 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39/**/XoR/**/8%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:53 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%20XoR%20%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:54 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%20XoR%20%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:55 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%09XoR%09%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:56 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27%09XoR%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:57 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27/**/XoR/**/%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:58 +0100] "GET /index.php?option=com_content&view=article&id=20&Itemid=39%27/**/XoR/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:59 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%60%28%5B%7B%5E%7E HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:40:59 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%20aND%208%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:00 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%20aND%208%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:01 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%20aND%20%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:02 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%20aND%20%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:03 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%09aND%098%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:04 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%09aND%098%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:05 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%09aND%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:06 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%09aND%09%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:07 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20/**/aND/**/8%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:08 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20/**/aND/**/8%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:09 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:10 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27/**/aND/**/%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:10 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27%20aND%20%278%25%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:11 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27%20aND%20%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:12 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27%09aND%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:13 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27%09aND%09%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:14 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:15 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%25%27/**/aND/**/%278%25%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:16 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%20XoR%208%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:17 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%20XoR%208%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:18 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%09XoR%098%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:19 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%09XoR%098%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:20 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20/**/XoR/**/8%3D3 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:21 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20/**/XoR/**/8%3D8 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:22 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%20XoR%20%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:22 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%20XoR%20%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:23 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%09XoR%09%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:24 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27%09XoR%09%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:25 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27/**/XoR/**/%278%27%3D%273 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:26 +0100] "GET /index.php?Itemid=39&option=com_content&view=article&id=20%27/**/XoR/**/%278%27%3D%278 HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:27 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%60%28%5B%7B%5E%7E HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:28 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%20aND%208%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:29 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%20aND%208%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:30 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%20aND%20%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:31 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%20aND%20%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:32 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%09aND%098%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:33 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%09aND%098%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:33 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%09aND%09%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:34 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%09aND%09%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:35 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article/**/aND/**/8%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:35 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article/**/aND/**/8%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:36 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:37 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27/**/aND/**/%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:37 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27%20aND%20%278%25%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:38 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27%20aND%20%278%25%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:39 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27%09aND%09%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:39 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27%09aND%09%278%25%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:40 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:41 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%25%27/**/aND/**/%278%25%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:41 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%20XoR%208%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:42 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%20XoR%208%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:43 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%09XoR%098%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:43 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%09XoR%098%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:44 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article/**/XoR/**/8%3D3 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:45 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article/**/XoR/**/8%3D8 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:45 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%20XoR%20%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:46 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%20XoR%20%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:47 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%09XoR%09%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:47 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27%09XoR%09%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:48 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27/**/XoR/**/%278%27%3D%273 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:49 +0100] "GET /index.php?id=20&Itemid=39&option=com_content&view=article%27/**/XoR/**/%278%27%3D%278 HTTP/1.1" 500 1493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:49 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%60%28%5B%7B%5E%7E HTTP/1.1" 200 5519 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:50 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%20aND%208%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:51 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%20aND%208%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:51 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%20aND%20%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:52 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%20aND%20%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:53 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%09aND%098%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:53 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%09aND%098%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:54 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%09aND%09%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:55 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%09aND%09%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:55 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content/**/aND/**/8%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:56 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content/**/aND/**/8%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:56 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:57 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27/**/aND/**/%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:58 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27%20aND%20%278%25%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:58 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27%20aND%20%278%25%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:41:59 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27%09aND%09%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:00 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27%09aND%09%278%25%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:00 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27/**/aND/**/%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:01 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%25%27/**/aND/**/%278%25%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:02 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%20XoR%208%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:02 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%20XoR%208%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:03 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%09XoR%098%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:04 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%09XoR%098%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:04 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content/**/XoR/**/8%3D3 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:05 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content/**/XoR/**/8%3D8 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:06 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%20XoR%20%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:06 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%20XoR%20%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:07 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%09XoR%09%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:08 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27%09XoR%09%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:08 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27/**/XoR/**/%278%27%3D%273 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    -[04/Mar/2010:11:42:09 +0100] "GET /index.php?view=article&id=20&Itemid=39&option=com_content%27/**/XoR/**/%278%27%3D%278 HTTP/1.1" 404 1385 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
     
  4. 5 March 2010
    Re: Problem with defacers

    That was quite simply a mass deface.
    Do you think he hacks every website individually?
    I would check your hoster's security. ^^

    He probably hacked one website out of the 247 that are hosted on the server. (shared hosting)
    As I believe, the Linux system is not patched. (local root exploit > mass deface)
    On top of that comes the insufficient PHP configuration.

    Post the kernel version of the server from the PHPInfo.
    And what the situation is with these PHP functions.

    Passthru
    Exec
    System
    Shell_exec
    Safe Mode
    Open_basedir
     
  5. 5 March 2010
    Re: Problem with defacers

    Sorry, I'm not that well versed in this...
    How do I get to the PHPInfo?
     
  6. 5 March 2010
    Re: Problem with defacers

    Best to always install the current Joomla update...

    phpinfo = <?php phpinfo(); ?>

    The hackers presumably did this in an automated way.
    Best to install Joomla updates; if that has already happened, possibly check php.ini for security, there are some tutorials on the net for that.
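
What a php.ini check for the settings asked about earlier in the thread (passthru, exec, system, shell_exec, safe_mode, open_basedir) can look like, as an added example that is not part of any post here. The function names, both sample ini texts and the `/var/www/example-site/` path are constructed for illustration.

```python
# Functions named in the thread that let a PHP script run shell commands.
COMMAND_FUNCTIONS = {"passthru", "exec", "system", "shell_exec"}


def parse_ini(text):
    """Minimal php.ini reader: last 'key = value' wins, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]   # text inside the quotes
        else:
            value = value.split(";", 1)[0].strip()     # drop a trailing comment
        settings[key.lower()] = value
    return settings


def audit(text):
    """Return a list of findings for the settings discussed in the thread."""
    ini = parse_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",")}
    missing = sorted(COMMAND_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions does not list: " + ", ".join(missing))
    if not ini.get("open_basedir"):
        findings.append("open_basedir is not set: PHP does not confine file access "
                        "to the site's own directory")
    if ini.get("safe_mode", "").lower() in ("on", "1", "true", "yes"):
        findings.append("safe_mode is on: it was removed in PHP 5.4, "
                        "so it is no substitute for the two settings above")
    return findings


# Constructed sample: nothing restricted, open_basedir commented out.
WEAK_INI = """
[PHP]
disable_functions =
;open_basedir =
safe_mode = Off
"""

# Constructed sample: command execution disabled, file access confined
# to a placeholder site directory.
HARDENED_INI = """
[PHP]
disable_functions = passthru, exec, system, shell_exec, proc_open, popen
open_basedir = "/var/www/example-site/:/tmp/"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(text) or "no findings")
```

`disable_functions` can only be set in php.ini itself, so on shared hosting it is the hoster's setting rather than the customer's.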
     
  7. 5 March 2010
    Re: Problem with defacers

    Well, there are also a few strange things in the log, e.g.:
    Code:
    %'/**/aND/**/'8%'='3
    Looks like SQL injection, but I may be wrong
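
One way to triage probe requests like the ones in the posted log, as an added example that is not part of any post here: it URL-decodes each query parameter, recognises the appended `AND`/`XOR` comparison in its space, tab and `/**/` variants, and compares the responses to the true and the false condition per parameter. The function names are assumptions, the sample lines are constructed in the format of the excerpt, and the `/catalog.php` pair is invented to show what a differing pair looks like.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request, status and size fields of an access log line.
LINE_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')

# Separator between tokens: whitespace (space, tab) or an SQL comment.
SEP = r"(?:\s|/\*.*?\*/)+"
# "<value> AND|XOR <a>=<b>", optionally wrapped in quotes and % wildcards.
PROBE_RE = re.compile(
    r"%?'?" + SEP + r"(?P<op>and|xor)" + SEP
    + r"'?(?P<lhs>\w+)%?'?\s*=\s*'?(?P<rhs>\w+)",
    re.IGNORECASE,
)


def find_probes(lines):
    """Yield (param, operator, condition_is_true, (status, size)) per probe."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            p = PROBE_RE.search(value)          # value is already URL-decoded
            if p:
                yield (param, p["op"].upper(), p["lhs"] == p["rhs"],
                       (int(m["status"]), m["size"]))


def analyse(lines):
    """Group probes per (parameter, operator) and compare true/false responses."""
    groups = defaultdict(lambda: {True: set(), False: set(), "requests": 0})
    for param, op, is_true, response in find_probes(lines):
        group = groups[(param, op)]
        group[is_true].add(response)
        group["requests"] += 1
    report = {}
    for key, group in groups.items():
        paired = bool(group[True]) and bool(group[False])
        report[key] = {
            "requests": group["requests"],
            "true": group[True],
            "false": group[False],
            # Identical responses give no sign that the condition influenced a
            # query; differing ones mean the parameter deserves a closer look.
            "differential": paired and group[True] != group[False],
        }
    return report


# Constructed sample lines (timestamp and user agent are filler).
_FMT = '-[04/Mar/2010:11:40:31 +0100] "GET {} HTTP/1.1" {} {} "-" "Mozilla/4.0"'
_BASE = "/index.php?option=com_content&id=20"
SAMPLE_LOG = [_FMT.format(*row) for row in [
    (_BASE + "&view=article&Itemid=39", 200, 5519),
    (_BASE + "&view=article&Itemid=39%20aND%208%3D8", 200, 5519),
    (_BASE + "&view=article&Itemid=39%20aND%208%3D3", 200, 5519),
    (_BASE + "&view=article&Itemid=39%25%27/**/aND/**/%278%25%27%3D%273", 200, 5519),
    (_BASE + "&view=article&Itemid=39%27%09XoR%09%278%27%3D%278", 200, 5519),
    (_BASE + "&view=article&Itemid=39%20XoR%208%3D3", 200, 5519),
    (_BASE + "&Itemid=39&view=article%20aND%208%3D8", 500, 1493),
    (_BASE + "&Itemid=39&view=article%20aND%208%3D3", 500, 1493),
    ("/catalog.php?cat=5%20aND%208%3D8", 200, 8120),   # invented pair
    ("/catalog.php?cat=5%20aND%208%3D3", 200, 2044),   # invented pair
]]

if __name__ == "__main__":
    for (param, op), result in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{param:7} {op:3} requests={result['requests']} "
              f"differential={result['differential']}")
```

A matching pair of responses is not proof that a parameter is safe, and a differing pair is not proof that it is injectable; the report only ranks which parameters to review first.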
     
  8. 5 March 2010
    Re: Problem with defacers

    look at hzone
    ping the domains -- same IP

    or do a DNS lookup and visit sites on the server
    some are still defaced, many are in maintenance because of the hack
    it is definitely down to the hoster (mass deface) ^^
    and SQL queries like the ones in the Apache logs can be made by any little scan bot
     
  9. 5 March 2010
    Re: Problem with defacers

    I rather assume that it is because Joomla was not patched.

    It was not the hoster itself that was attacked; rather, Joomla was searched for and an automated attempt was made to inject something. A "mass deface" as you mean it is probably rather rare, because for that one would need the root password - and every normal FTP server should chroot ("lock in") the users, so user maxl1 has no write permissions whatsoever on user maxl2.
     
  10. 5 March 2010
    Re: Problem with defacers

    Rare, but here it seems to be the case. Other sites of the hoster have the same "problem".
     
  11. 6 March 2010
    Re: Problem with defacers

    you don't need a root password for that
    an unpatched system is enough
    you run a local root exploit for the kernel and get root privileges from what is actually a restricted user
    FTP has nothing to do with it either

    in this case the hacker either had direct access to all directories (openbasedir: off and wwwuser permissions or similar)

    or he rooted the server with a local root exploit
    then he only has to run his deface script, which changes all index files to his content (deface)

    here is an example of such an exploit:

    http://www.milw0rm.com/exploits/9641
     
  12. 6 March 2010
    Re: Problem with defacers

    I set the site up again from scratch with the help of a backup. Also with the latest Joomla version. In addition I created a new MySQL database with a long password. What else could I do?

    You all get a 10
     
  13. 6 March 2010
    Re: Problem with defacers

    You can't do anything at all. That was obviously a hole that sits above your system -> concerns your hoster.
     