Understanding a hacker attempt on my website

morten444

Junior Member
Nov 27, 2014
3
0
0
Hi. We have a Joomla website and it seems to have a vulnerability in one of the plugins. We have now disabled the plugin, but I want to understand what the hack means. What are they achieving/doing? Below are some examples from the log. I have changed the domain name:

domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:21 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:21 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:21 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:22 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:23 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:23 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:23 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:23 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=imcute.yt HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=imcute.yt HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=imcute.yt HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=imcute.yt HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=imcute.yt HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:48:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:48:17 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"


Can anyone, from this, see what they are doing or what they get out of this hack?

Thanks
Morten
 

morten444

Junior Member
Nov 27, 2014
3
0
0
Hi
Thanks for link
Does this mean that they use a vulnerability in a plugin on our website to make a denial of service towards the website in the log, or is it to bring down our website?

Regards
Morten
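The two questions above (what the requests are doing, and who is actually being hit) can both be answered by grouping the access log by source IP and by the host named in the `?url=` parameter. The script below is an added example written for this thread, not code from the original post or from the plugin. It parses lines in the vhost_combined format quoted above; the sample lines are constructed from that format (a shortened copy of the quoted traffic plus one made-up benign request to `maps.google.com`), and the list of hosts the plugin is expected to proxy to is an assumption used only to separate normal map traffic from third-party targets.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

PROXY_PATH = "/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php"

# Assumption: hosts the map plugin legitimately proxies to. Any other host in
# ?url= means the script is being driven as an open proxy against a third party.
EXPECTED_TARGETS = {"maps.google.com", "maps.googleapis.com"}

# Apache "vhost_combined" line layout, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: four lines per the 81.17.20.38 burst, three for 23.95.12.146,
# one ordinary map request and one unrelated page load (the last two are made up).
SAMPLE_LOG = """\
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:39 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 81.17.20.38 - - [23/Nov/2014:09:36:40 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.ostgotatrafiken.se HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:21 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:46:21 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 200 190 "-" "Mozilla/5.0"
domainname.com:80 23.95.12.146 - - [23/Nov/2014:09:47:15 +0100] "HEAD /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=ragerp.net HTTP/1.1" 503 308 "-" "Mozilla/5.0"
domainname.com:80 198.51.100.7 - - [23/Nov/2014:09:50:01 +0100] "GET /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=http://maps.google.com/maps/api/js HTTP/1.1" 200 4120 "http://domainname.com/" "Mozilla/5.0"
domainname.com:80 198.51.100.7 - - [23/Nov/2014:09:50:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def proxied_host(request_target):
    """Host named in ?url= when the request hits the proxy script, else None."""
    parsed = urlparse(request_target)
    if parsed.path != PROXY_PATH:
        return None
    url = parse_qs(parsed.query).get("url", [None])[0]
    if not url:
        return None
    if "://" not in url:  # the abuse traffic passes bare hostnames, no scheme
        url = "http://" + url
    return (urlparse(url).hostname or "").lower() or None


def summarise(log_text):
    """Group third-party proxy requests by (source ip, proxied host).

    For each group report the request count, the status mix our server answered
    with, the peak requests in any one second, and the first/last timestamp.
    """
    groups = defaultdict(lambda: {"count": 0, "statuses": Counter(),
                                  "per_second": Counter(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = proxied_host(rec["target"])
        if host is None or host in EXPECTED_TARGETS:
            continue  # not the proxy script, or normal map traffic
        g = groups[(rec["ip"], host)]
        g["count"] += 1
        g["statuses"][rec["status"]] += 1
        g["per_second"][rec["ts"]] += 1  # ts has one-second granularity
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
    return {
        key: {"count": g["count"], "statuses": dict(g["statuses"]),
              "peak_per_second": max(g["per_second"].values()),
              "first": g["first"], "last": g["last"]}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for (ip, host), info in summarise(SAMPLE_LOG).items():
        print(f"{ip} -> {host}: {info['count']} requests, statuses {info['statuses']}, "
              f"peak {info['peak_per_second']}/s, {info['first']} .. {info['last']}")
```

Reading the output the way the thread asks: the host in `?url=` is the site the traffic is aimed at, and your server is the machine that makes the connection on the attacker's behalf, so the target sees your IP, not theirs. A 200 means your server completed the fetch; a 503 means your server failed or refused to answer the request, which is the point where the abuse also starts to cost you capacity, regardless of who the intended victim was (from one log line you cannot tell whether the 503 came from your own server or was relayed from the target).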
 

alkemyst

No Lifer
Feb 13, 2001
83,967
19
81
They are able to use XSS and other things to take advantage of Joomla.

I'd avoid that plugin for that site. Sadly, like many companies, Google is not fixing things for it.

It's frustrating in my line of work (network engineer) when we find, document and deliver an exploit/bug/etc and the vendor ignores it or worse responds that they cannot duplicate it.
 

morten444

Junior Member
Nov 27, 2014
3
0
0
Thanks again for your answer.
Yeah, must be frustrating. Guess the big guys are worse at reaching/admitting there is an issue. Clearly I will stay away from this plugin.
Thanks again