Analysis of Joomla wgPicasa component LFI source IPs

In a previous post, we saw that the Joomla wgPicasa component LFI exploit was used more often than other LFI exploits. I was interested to see whether the source IPs behind this particular LFI attack were also involved in other attacks and were part of bigger botnets.

First of all, since 15 April 2010 we have seen 165 unique source IPs attempting to use the Joomla wgPicasa component LFI exploit against our HoneyNet. These source IPs have generated 20 351 events. Below is an AfterGlow representation of all these IPs, weighted by their number of events.

165 source IPs calling SIG 2011067

Are these source IPs involved in other activities? Surely yes 🙂 After some heavy SQL queries on our HoneyNet database, we got the following results.

  • 45 other exploits were detected from the same source IPs that are exploiting the Joomla wgPicasa component LFI vulnerability.
  • Some of these 45 exploits target other LFI vulnerabilities, for example:
  1. Joomla Component com_ccnewsletter controller
  2. Ideal MooFAQ Joomla Component file_includer.php
  3. rgboard _footer.php skin_path parameter
  4. phpSkelSite TplSuffix parameter
  5. MODx CMS snippet.reflect.php reflect_base
  6. TBmnetCMS index.php content Parameter
  7. etc.
  • Some of these 45 exploits target RFI vulnerabilities, for example:
  1. ProdLer prodler.class.php sPath Parameter
  2. Datalife Engine api.class.php dle_config_api Parameter
  3. SERWeb main_prepend.php functionsdir Parameter
  4. Possible AIOCP cp_html2xhtmlbasic.php
  5. Mambo/Joomla! com_koesubmit Component ‘koesubmit.php’
  6. eFront database.php
  7. etc.
  • Some of these 45 exploits attempt SQL injection, for example:
  1. MYSQL SELECT CONCAT SQL Injection
  2. SQL Injection Attempt UNION SELECT
  3. SQL Injection Attempt SELECT FROM

Below is an AfterGlow representation of the interactions between all source IPs and the exploit attempts attached to them.

All SIGs attached to the 165 SIG 2011067 source IPs

We can clearly see that most of these source IPs are controlled by Remote File Inclusion botnets, but some of them are standalone and only exploit this particular Joomla wgPicasa component LFI.
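The pivot behind the figures above (per-IP event weight, other signatures fired by the same sources, and the standalone IPs that only ever hit SIG 2011067) can be reproduced with a handful of SQL queries. The following is an added example, not the post's own queries or HoneyNet schema: it assumes a minimal `events(src_ip, sig_id, sig_name)` table in an in-memory SQLite database, and every IP and every signature id other than 2011067 in the sample data is a constructed placeholder, not a real source or rule number.

```python
import sqlite3

# Signature id of the Joomla wgPicasa component LFI rule referenced in the post.
WGPICASA_SIG = 2011067

# Constructed sample honeynet events (src_ip, sig_id, sig_name). The IPs come
# from documentation ranges and the non-2011067 signature ids are placeholders.
SAMPLE_EVENTS = [
    ("198.51.100.10", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.10", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.10", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.10", 9000001, "ProdLer prodler.class.php sPath Parameter RFI"),
    ("198.51.100.10", 9000002, "Joomla Component com_ccnewsletter controller LFI"),
    ("198.51.100.11", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.12", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.12", 2011067, "Joomla wgPicasa component LFI"),
    ("198.51.100.12", 9000001, "ProdLer prodler.class.php sPath Parameter RFI"),
    ("198.51.100.12", 9000003, "SQL Injection Attempt UNION SELECT"),
    ("203.0.113.5", 9000001, "ProdLer prodler.class.php sPath Parameter RFI"),
]


def load_events(events):
    """Build an in-memory SQLite table shaped like a minimal IDS event log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (src_ip TEXT NOT NULL, sig_id INTEGER NOT NULL, "
        "sig_name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", events)
    conn.commit()
    return conn


def source_weights(conn, sig_id):
    """Per-source event counts for one signature: the 'weight' of each IP."""
    return conn.execute(
        "SELECT src_ip, COUNT(*) FROM events WHERE sig_id = ? "
        "GROUP BY src_ip ORDER BY COUNT(*) DESC, src_ip",
        (sig_id,),
    ).fetchall()


def other_signatures(conn, sig_id):
    """Other signatures triggered by the IPs that triggered sig_id.

    Returns (sig_id, sig_name, distinct_ips, events), most widely shared first.
    """
    return conn.execute(
        "SELECT sig_id, sig_name, COUNT(DISTINCT src_ip) AS ips, COUNT(*) AS n "
        "FROM events "
        "WHERE sig_id != ? "
        "  AND src_ip IN (SELECT src_ip FROM events WHERE sig_id = ?) "
        "GROUP BY sig_id, sig_name "
        "ORDER BY ips DESC, n DESC, sig_id",
        (sig_id, sig_id),
    ).fetchall()


def standalone_sources(conn, sig_id):
    """IPs that triggered sig_id and nothing else (no sign of a wider botnet)."""
    rows = conn.execute(
        "SELECT src_ip FROM events GROUP BY src_ip "
        "HAVING SUM(sig_id = ?) > 0 AND SUM(sig_id != ?) = 0 ORDER BY src_ip",
        (sig_id, sig_id),
    ).fetchall()
    return [r[0] for r in rows]


def categorize(sig_name):
    """Coarse bucket from the rule name; a real ruleset would use its classtype."""
    upper = sig_name.upper()
    if "SQL INJECTION" in upper:
        return "SQLi"
    if "RFI" in upper:
        return "RFI"
    if "LFI" in upper:
        return "LFI"
    return "other"


def categories_by_signature(conn, sig_id):
    """Map category -> sorted names of other signatures seen from sig_id's IPs."""
    buckets = {}
    for _, name, _, _ in other_signatures(conn, sig_id):
        buckets.setdefault(categorize(name), []).append(name)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    db = load_events(SAMPLE_EVENTS)
    for ip, n in source_weights(db, WGPICASA_SIG):
        print(f"{ip}\t{n} events")
    for sid, name, ips, n in other_signatures(db, WGPICASA_SIG):
        print(f"{sid}\t{ips} IPs\t{n} events\t{name}")
    print("standalone:", standalone_sources(db, WGPICASA_SIG))
```

The `standalone_sources` query is the one that separates the two populations described in the conclusion: an IP whose only signature is 2011067 shows no evidence of belonging to a wider RFI botnet, whereas an IP that also fires RFI or SQL injection rules does. `source_weights` and `other_signatures` are the two edge lists one would feed to AfterGlow for the two graphs in the post.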