xanubi
#1
Joomla Exploit: com_extplorer
Comodo didn’t stop this.
Logs of the attack and the shell upload:
208.69.56.95 - - [02/Mar/2015:13:55:15 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 301 - "http://pm-arq.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:55:16 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 200 2187 "http://pm-arq.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:55:16 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 301 - "http://pm-arq.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:55:17 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 200 2188 "http://pm-arq.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:14:25:43 +0000] "GET /components//com_weblinks/index.php HTTP/1.1" 200 18770 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
xanubi
#2
Another one, same method exactly:
208.69.56.95 - - [02/Mar/2015:13:51:49 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 301 - "http://covibus.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:51:50 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 200 2193 "http://covibus.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:51:51 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 301 - "http://covibus.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
208.69.56.95 - - [02/Mar/2015:13:51:52 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 200 2194 "http://covibus.com/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
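As an added example (not code from the thread or from Joomla), here is a Python script that parses Apache combined-format lines like the ones in #1 and #2 and flags the pattern both posts show: POSTs to com_extplorer's index.php?mod=main, and, from the same client address, a later direct GET of a .php file inside a components/ directory (the request seen at the end of #1). The sample lines are constructed and modelled on the posts, with placeholder addresses and host names; the per-client correlation and the "php file directly under a component directory" rule are assumptions about what is worth alerting on, not something the thread specifies.

```python
import re
from urllib.parse import parse_qs

# Apache "combined" log format, as used in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The upload endpoint hit repeatedly in the thread (after "//" is collapsed to "/").
EXTPLORER_PATH = "/administrator/components/com_extplorer/index.php"
# Assumption: a .php file requested directly inside a component directory is suspicious.
COMPONENT_PHP_RE = re.compile(r"^/components/com_[a-z0-9_]+/[^/]+\.php$")

# Constructed sample lines modelled on posts #1 and #2 (placeholder IPs and host).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2015:13:55:15 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 301 - "http://example.test/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
198.51.100.7 - - [02/Mar/2015:13:55:16 +0000] "POST /administrator//components/com_extplorer/index.php?mod=main HTTP/1.1" 200 2187 "http://example.test/administrator//components/com_extplorer/index.php/index.php?mod=main" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127"
203.0.113.9 - - [02/Mar/2015:14:10:02 +0000] "GET /components//com_weblinks/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/34.0"
198.51.100.7 - - [02/Mar/2015:14:25:43 +0000] "GET /components//com_weblinks/index.php HTTP/1.1" 200 18770 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
203.0.113.9 - - [02/Mar/2015:14:30:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/34.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    raw_path, _, raw_query = rec["target"].partition("?")
    rec["path"] = re.sub(r"/+", "/", raw_path)   # "//" and "/" must compare equal
    rec["query"] = parse_qs(raw_query)
    return rec


def is_extplorer_post(rec):
    """POST to com_extplorer's index.php with mod=main, the request seen in #1 and #2."""
    return (rec["method"] == "POST"
            and rec["path"] == EXTPLORER_PATH
            and rec["query"].get("mod") == ["main"])


def is_component_php_fetch(rec):
    """GET of a .php file sitting directly inside a /components/com_*/ directory."""
    return rec["method"] == "GET" and COMPONENT_PHP_RE.match(rec["path"]) is not None


def analyze(log_text):
    """Return (ip, time, rule, detail) findings; the fetch rule only fires for clients
    that already hit the com_extplorer upload endpoint earlier in the log."""
    findings = []
    posted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_extplorer_post(rec):
            posted.add(rec["ip"])
            findings.append((rec["ip"], rec["time"], "extplorer_post", rec["status"]))
        elif is_component_php_fetch(rec) and rec["ip"] in posted:
            findings.append((rec["ip"], rec["time"], "php_fetch_after_post", rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The correlation step matters: the unrelated 203.0.113.9 request to the same components path is not flagged, so the second rule only adds noise for clients that already touched the upload endpoint. Note that the rule compares the collapsed path, so the doubled slashes in the thread's URLs do not let a request slip past the match.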
xanubi
#3
The solution for now is to delete the component (which makes many clients MAD), or block that URL, which is almost the same as deleting the component.
It will be covered in the next update.