Looking for the Ozio Gallery security flaw
I’m maintaining a Play Framework installation at work, and as part of this we monitor the 404 requests we are getting. Each day I get a mail containing all the 404 requests from yesterday, and sometimes I even look through it. It is useful to see if an update has broken some site-wide linking, and it is also useful when looking at how people are trying to hack us.
Normally it is a lot of requests for login forms that do not exist (wp-login.php being among the favourites), but today my eye caught something new. Requests for the following files:
/components/com_community/index.html
/components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php
/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php
This turns out to be a security flaw in a badly written Joomla component, Ozio Gallery, discovered three years ago. It is still being looked for, meaning it most likely is still active. More on the Ozio Gallery security issue at Stop Malvertising from 2011.
A bit scary to trust other people's code, but it is a risk you take when you are not developing your own code. And in most cases, nothing bad happens, right? Anyway…
The sniffing came from Spain, from IP 188.8.131.52. A welcome change from the usual Chinese and Russian sniffs.
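An added example, not part of the original post: one way to triage a daily 404 list like the one described above, separating requests for the probe paths quoted in the post from ordinary missing pages that may point to broken links. The Common Log Format input, the signature names, the `triage` function and the sample lines (documentation IP ranges, invented timestamps) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Signatures built from the paths quoted in the post; the names are made up here.
SIGNATURES = {
    "ozio-writeToFile": re.compile(
        r"^/components/com_oziogallery\d*/imagin/scripts_ralcr/filesystem/writeToFile\.php$", re.I),
    "joomla-com_community": re.compile(r"^/components/com_community/", re.I),
    "wp-login": re.compile(r"/wp-login\.php$", re.I),
}

# Assumed input: an access log in Common Log Format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:03:14:01 +0100] "GET /components/com_community/index.html HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2014:03:14:02 +0100] "GET /components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2014:03:14:02 +0100] "GET /components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php HTTP/1.1" 404 512
198.51.100.23 - - [12/Mar/2014:07:40:10 +0100] "POST /wp-login.php HTTP/1.1" 404 512
198.51.100.23 - - [12/Mar/2014:07:40:11 +0100] "GET /blog/wp-login.php?action=register HTTP/1.1" 404 512
192.0.2.10 - - [12/Mar/2014:09:01:55 +0100] "GET /assets/old-logo.png HTTP/1.1" 404 512
192.0.2.10 - - [12/Mar/2014:09:01:56 +0100] "GET /index.html HTTP/1.1" 200 10240
"""

def triage(log_text):
    """Split 404s into known probes (counted per source IP) and other missing paths."""
    probes = defaultdict(Counter)
    broken = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "404":
            continue
        # Drop the query string and decode %xx so encoded variants still match.
        path = unquote(m.group("target").split("?", 1)[0])
        name = next((n for n, p in SIGNATURES.items() if p.search(path)), None)
        if name:
            probes[m.group("ip")][name] += 1
        else:
            broken.append(path)  # candidate broken link rather than a probe
    return {ip: dict(c) for ip, c in probes.items()}, broken

if __name__ == "__main__":
    probes, broken = triage(SAMPLE_LOG)
    print(probes, broken)
```

Sorting the output this way keeps the "did an update break our links" list short while still showing which sources are scanning for which component.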