The other day I helped out with the coding of a PHP page for 404 error handling in a Joomla framework. The idea was that when a 404 is generated, the event would be logged for analysis.
The results were pretty boring: GoogleBot scanning the website for pages that didn't exist anymore ... so nothing special to report until I got this one:
Page: /[a path on the server]/index.php
Browser: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:220.127.116.11) Gecko/20101203 Firefox/3.6.13
Request Method: GET
Request URI: /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php
The remote IP addresses were 18.104.22.168 and 22.214.171.124. A lookup on MaxMind GeoIP shows that 126.96.36.199 is an IP address in Aarau, Switzerland (ISP: Bluewin) and 188.8.131.52 is an IP in Latvia (ISP: Sia Venditore).
It was clear that this request was the work of some scanner, but why the website on which my code is running was targeted is still unclear to me. Ozio Gallery 2 was never installed on this Joomla installation.
A Google search for websites with a URL containing the string "/en/components/com_oziogallery2" gave me a list of 13,500 potentially exploitable sites. A look at Exploit-DB immediately gave us an insight into what the attacker was up to.
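The two things described above, logging every 404 with enough context to analyse it later and recognising a request like the one above as a probe for a Joomla component that was never installed, can be done in a few dozen lines of PHP. The following is an added example written for this post, not the author's code or anything from Joomla or Ozio Gallery; the installed-component list, the log path and the function names are assumptions for the illustration.

```php
<?php
// Added example (not the author's code): a minimal 404 logging handler for a
// PHP site, plus a check that flags probes for Joomla components that are not
// installed here. Component list and log path are assumptions for the example.

// Components actually installed on this site (assumption for the example).
const INSTALLED_COMPONENTS = ['com_content', 'com_users', 'com_contact'];

// Keep the log outside the web root so it cannot be fetched over HTTP.
const LOG_FILE = '/var/log/joomla-404.log';

/**
 * If the requested path targets /components/com_<name>/ for a component that
 * is not installed, return the component name; otherwise null.
 * A 404 for a component you never installed is almost certainly a scanner.
 */
function componentProbe(string $uri): ?string
{
    $path = explode('?', $uri, 2)[0];               // drop the query string
    if (preg_match('~/components/(com_[a-z0-9_]+)/~i', $path, $m) !== 1) {
        return null;
    }
    $component = strtolower($m[1]);
    return in_array($component, INSTALLED_COMPONENTS, true) ? null : $component;
}

/**
 * Build one structured record from the request. Everything here is attacker
 * controlled except REMOTE_ADDR, which the web server sets from the TCP
 * connection. X-Forwarded-For is trivially spoofable, so it is kept in its own
 * field and should only be trusted when your own reverse proxy sets it.
 */
function build404Record(array $server): array
{
    $uri = $server['REQUEST_URI'] ?? '';
    return [
        'time'    => gmdate('c'),
        'ip'      => $server['REMOTE_ADDR'] ?? '',
        'xff'     => $server['HTTP_X_FORWARDED_FOR'] ?? '',
        'method'  => $server['REQUEST_METHOD'] ?? '',
        'uri'     => $uri,
        'referer' => $server['HTTP_REFERER'] ?? '',
        'ua'      => $server['HTTP_USER_AGENT'] ?? '',
        'probe'   => componentProbe($uri),
    ];
}

/**
 * Write the record as one JSON line. json_encode() escapes newlines and other
 * control characters, so a crafted User-Agent cannot forge extra log lines
 * (log injection), and invalid UTF-8 is substituted instead of failing.
 */
function log404(array $server): void
{
    $json = json_encode(
        build404Record($server),
        JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
    if ($json === false) {
        $json = '{"error":"json_encode failed"}';
    }
    // LOCK_EX so concurrent requests do not interleave partial lines.
    file_put_contents(LOG_FILE, $json . "\n", FILE_APPEND | LOCK_EX);
}

// Handler body: log first, then answer with a plain 404 that reveals nothing
// a normal missing page would not.
log404($_SERVER);
http_response_code(404);
header('Content-Type: text/plain; charset=utf-8');
echo "Not Found\n";
```

In a Joomla site this logic belongs in the template's error.php (or whatever file the web server is configured to serve for 404s). Fed the request from the post, componentProbe() returns "com_oziogallery2" because that component is not in the installed list, so the record can be filtered on the probe field later instead of reading through GoogleBot noise by hand.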
So my lessons learned from this are:
1. Customize the 404 error page in whatever framework you use so that you can capture interesting data.
2. I now have proof that any website gets scanned, and there doesn't have to be any particular reason for it. This was an eye-opener for the person who asked me to code the page.