

Joomla! websites abused as open proxy for Denial-of-Service attacks

Denial of Service (DoS) Attack

Joomla websites using the Googlemaps plugin for Joomla are actively abused as an open proxy for launching Denial-of-Service (DoS) attacks. Even though the vulnerability in the plugin's plugin_googlemap2_proxy.php script was disclosed over one and a half (1.5) years ago, I still see these DoS attacks happening on a regular basis…

Joomla security

This isn’t the first vulnerability in a Joomla! plugin or component (and won’t be the last…): we all remember the Joomla Content Editor (JCE) and Media Manager vulnerabilities and exploits. It seems Joomla! website owners tend not to update their sites, which is very bad of course.

Joomla! Googlemaps plugin vulnerability

The problem with the Joomla! Googlemaps plugin lies in the fact that anyone can request /plugins/system/plugin_googlemap2_proxy.php from a browser or script and make it execute cURL HTTP requests to remote websites. The url parameter is passed on without any validation: it is vulnerable to Cross Site Scripting (XSS) and, worse for everybody else, it lets anyone retrieve remote website content through your server, which turns the script into an open proxy. When this happens a lot, the remote website becomes overloaded and unresponsive, and the Denial-of-Service attack has succeeded.

This is not only a problem for the website owner on the remote end, or its hosting company. Your web servers transmit a lot of HTTP traffic to remote ends, increasing server load, resource usage and network bandwidth (for which you pay). Therefore it’s important to stop this abuse.
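To make concrete what the proxy script lacked, here is an added example (mine, not the plugin's PHP and not the fix its author later shipped) of the allowlist check a fetch-by-URL proxy needs, written in Python. The naive substring check next to it is the kind of test attackers walk straight past. The allowed hostnames and ports are an assumption made for the example.

```python
"""Allowlist check for a fetch-by-URL proxy endpoint (added example).

This is an illustration, not the Googlemaps plugin's code: the point is
that plugin_googlemap2_proxy.php handed any url= value to cURL with no
check at all. ALLOWED_HOSTS and ALLOWED_PORTS are assumptions for the
example; a real deployment lists exactly the hosts the plugin must reach.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"maps.google.com", "maps.googleapis.com"}  # assumed for the example
ALLOWED_PORTS = {None, 80, 443}                              # None = scheme default


def naive_check(url):
    """The kind of check that looks safe and is not: a substring test."""
    return "maps.google.com" in url


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for http(s) URLs whose host is exactly in the allowlist.

    Rejects what an attacker tries against a naive check: other schemes
    (file://, gopher://), userinfo tricks such as
    http://maps.google.com@evil.example/, lookalike hosts such as
    maps.google.com.evil.example, IP literals (127.0.0.1, cloud metadata
    addresses) and non-standard ports. Bare hosts without a scheme, which
    the plugin accepted, are rejected too.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal "http://[::1"
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False            # "allowed.host@evil.example" style userinfo
    host = parts.hostname       # lowercased, userinfo and port stripped
    if not host or host not in allowed_hosts:
        return False            # exact match: no substring/prefix/suffix tricks
    try:
        port = parts.port       # raises ValueError for "http://h:abc/"
    except ValueError:
        return False
    return port in ALLOWED_PORTS


if __name__ == "__main__":
    for candidate in (
        "http://maps.google.com/maps?q=Groningen",
        "http://maps.google.com@evil.example/",
        "http://maps.google.com.evil.example/",
        "http://www.victim_site.example/",
        "file:///etc/passwd",
    ):
        print(f"{candidate:45} naive={naive_check(candidate)!s:5} "
              f"allowlist={is_allowed_target(candidate)}")
```

Exact host matching is the whole point: a substring or prefix test accepts maps.google.com@evil.example and maps.google.com.evil.example. Even with this check in place the fetch itself must not follow redirects, because an allowed host can still bounce the request anywhere; that part lives in the HTTP client settings, not in the URL check.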


An example request I pulled from a website logfile:

2014-11-16 08:54:25 1.1.1.1 GET /plugins/system/plugin_googlemap2_proxy.php
  url=www.victim_site.example 80 -
  193.23.181.130 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+
    (KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 - 
  example.com 200 0 64 0 252 42558
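To find this abuse in your own logs, here is an added example (not from the original post) that parses IIS W3C log lines, using the #Fields: header to locate the columns, and reports which client IPs hammer the proxy script and which remote hosts they aim it at. The log lines are constructed for the example: the server address, user agents, target hosts and hit counts are made up, and two of the client addresses were deliberately taken from the abuser list further down this post.

```python
"""Spot plugin_googlemap2_proxy.php abuse in IIS W3C log lines (added example).

SAMPLE_LOG is constructed for this example. IIS writes one request per
line, space separated, with spaces inside fields encoded as '+', and the
column order is declared in the '#Fields:' header, so the parser reads
that header instead of hard-coding positions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

PROXY_SCRIPT = "plugin_googlemap2_proxy.php"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2014-11-16 08:54:25 1.1.1.1 GET /plugins/system/plugin_googlemap2_proxy.php url=www.victim_site.example 80 - 193.23.181.130 Mozilla/5.0+(Windows+NT+6.1) - example.com 200 0 64 0 252 42558
2014-11-16 08:54:26 1.1.1.1 GET /plugins/system/plugin_googlemap2_proxy.php url=www.victim_site.example 80 - 193.23.181.130 Mozilla/5.0+(Windows+NT+6.1) - example.com 200 0 64 0 252 40112
2014-11-16 08:54:26 1.1.1.1 GET /plugins/system/plugin_googlemap2_proxy.php url=http://www.victim_site.example/ 80 - 46.36.37.129 Mozilla/5.0 - example.com 200 0 0 0 252 39870
2014-11-16 08:54:27 1.1.1.1 GET /index.php option=com_content 80 - 203.0.113.7 Mozilla/5.0 - example.com 200 0 0 18211 410 31
2014-11-16 08:54:27 1.1.1.1 GET /plugins/system/plugin_googlemap2_proxy.php url=other.example 80 - 46.36.37.129 Mozilla/5.0 - example.com 200 0 0 0 252 38001
2014-11-16 08:54:28 1.1.1.1 GET /plugins/content/plugin_googlemap2_proxy.php url=www.victim_site.example 80 - 198.12.68.138 curl/7.38.0 - example.com 403 0 0 0 180 2
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue                      # skip lines not matching the declared layout
        yield dict(zip(fields, values))


def target_host(query):
    """Extract the hostname the proxy was told to fetch from cs-uri-query."""
    url = parse_qs(query).get("url", [""])[0]
    # the plugin accepted bare hosts as well as full URLs; normalise both
    m = re.match(r"(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def proxy_abuse(text, threshold=2):
    """Return (hits_per_client, targets_per_client, abusers).

    abusers lists the client IPs with at least `threshold` requests to the
    proxy script, regardless of the status code: blocked requests still
    cost CPU and bandwidth, so they are worth counting and firewalling.
    """
    hits = Counter()
    targets = defaultdict(Counter)
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith("/" + PROXY_SCRIPT):
            continue
        client = rec["c-ip"]
        hits[client] += 1
        targets[client][target_host(rec["cs-uri-query"])] += 1
    abusers = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, targets, abusers


if __name__ == "__main__":
    hits, targets, abusers = proxy_abuse(SAMPLE_LOG)
    for ip in abusers:
        print(f"{ip}: {hits[ip]} proxy requests -> {dict(targets[ip])}")
```

On a real server, feed it the day's log with `proxy_abuse(open(path).read(), threshold=100)`; the second return value tells you which remote sites are being hit through you, which is what their owners will ask about.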

Mitigate Joomla! Googlemaps plugin proxy Denial-of-Service attacks

A quick search on one web server for the file plugin_googlemap2_proxy.php showed me it’s used a lot. Those Joomla! sites are running older 1.5.x versions too *sigh*… So, let’s stop these DoS attacks on remote sites.

Project Honeypot

A mitigation is to implement a Project Honeypot solution to filter and block IP addresses at the HTTP level. They call their HTTP blacklist Http:BL. Join and work with Project Honeypot to add IP addresses of abusers to their database, create new or improve existing implementations of Http:BL, or donate a small amount of money to the cause. Of course you can easily create your own HTTP blacklist as well.

Remove plugin_googlemap2_proxy.php

The simplest way to stop being a proxy for DoS attacks is to just remove the plugin_googlemap2_proxy.php file. This file is often located in the folder /plugins/system/ or /plugins/content/.

This will break the Joomla plugin, but be honest: who cares?! Version 2 of this plugin is deprecated, update to version 3.1.


.htaccess security for Joomla

Block the access to plugin_googlemap2_proxy.php with an .htaccess RewriteRule:
Open up Joomla’s default .htaccess file and locate the line RewriteEngine On.

Directly below that line, add:

# 403 for every request whose path contains plugin_googlemap2_proxy.php
RewriteRule plugin_googlemap2_proxy\.php - [F,L]

This will deny any request to a URI containing plugin_googlemap2_proxy.php with a 403 Forbidden status code; in an .htaccess file the rewritten path is relative to that directory, so the pattern must not start with a slash. (Updated the RewriteRule to reflect Paul’s comment)

IIS web.config protection from Joomla plugin_googlemap2_proxy.php DoS attacks

The same block as in .htaccess can be made with the IIS URL Rewrite module in the web.config file. Put the following rule inside <system.webServer><rewrite><rules>. Note ignoreCase="true": the Windows file system is case-insensitive, so a request for PLUGIN_GOOGLEMAP2_PROXY.PHP would otherwise slip past the rule and still run the script:

<rule name="block Joomla Googlemap plugin" stopProcessing="true">
  <!-- matches anywhere in the path; the dot is escaped so it only matches ".php" -->
  <match url="plugin_googlemap2_proxy\.php" ignoreCase="true" />
  <action type="CustomResponse"
    statusCode="403"
    statusReason="Forbidden: Access is denied."
    statusDescription="No DDoSing remote websites!" />
</rule>

This will display an HTTP 403.0 – Forbidden status code with a message “No DDoSing remote websites!”.

IIS Request Filtering denyUrlSequences rule

You can block requests to the plugin_googlemap2_proxy.php file with IIS’ Request Filtering too, either in IIS’ root node or at the website level. In the second example, fill out a website name after config to add this Request Filtering denyUrlSequences rule to a particular website, and use /commit:webroot instead of /commit:apphost.

IIS root node:

AppCmd set config 
  -section:system.webserver/security/requestFiltering
  /+"denyUrlSequences.[sequence='plugin_googlemap2_proxy.php']"
  /commit:apphost

Website level:

AppCmd set config "Default Web Site"
  -section:system.webserver/security/requestFiltering
  /+"denyUrlSequences.[sequence='plugin_googlemap2_proxy.php']"
  /commit:webroot

This will return an HTTP Error 404.5 – URL Sequence Denied response.


Update Joomla!, plugins and components

And last but not least…: Update Joomla!, and update all plugins and components! Remove unused plugins and components. The websites I inspected running this file, all still run ancient 1.5.x versions of Joomla!. Joomla 1.5.x is ancient, unsafe, vulnerable, and should be banned from the internet IMO.

After you have updated Joomla!, implement these 6 tips to tune Joomla! performance on Windows Server IIS.

Joomla! Googlemaps plugin plugin_googlemap2_proxy.php abusers

The following 25(!) IP addresses are responsible for millions of hits to this plugin_googlemap2_proxy.php file a day:

46.36.37.129
198.12.68.138
37.59.120.246
5.196.5.116
141.255.166.210
23.95.12.146
93.186.192.103
192.187.121.250
23.94.153.186
192.3.106.58
46.36.39.30
46.36.39.27
198.46.154.10
46.36.37.167
46.36.37.185
46.36.38.149
108.61.199.70
185.53.9.251
46.36.39.8
104.128.183.142
108.61.167.0
192.210.198.226
192.210.198.234
192.210.198.242
198.12.95.206

Unfortunately not all IP addresses are listed at services like Project Honey Pot, but I suggest you block them on your network.

photo credit: George Ellenburg via photopin cc


About the Author J. Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 10 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.



  • Paul

    Don’t you think that without “/” it would be better?
    RewriteRule plugin_googlemap2_proxy.php - [F,L]

  • Thanks for your reply Paul, I’ve updated the post to reflect your comment.

  • Pingback: Turvalisuse lisa WP ja Joomla | Radicenter()

  • George Egri

    Nice summary about this vulnerability! Anyway you can avoid such attacks by using BitNinja on your server. It also maintains a greylist about attacker IP-s just like the guys at the honey pot project, but bitninja has some advanced modules to filter such attack vectors and it is very easy to install too. https://bitninja.io

  • BitNinja is new to me… Looks very interesting, thanks George!

  • Mike Reumer

    The vulnerability of the Google Maps plugin has been solved since July 2013, so upgrade to the latest version.
    See: http://tech.reumer.net/Google-Maps/Documentation-of-plugin-Googlemap/security-release-3-1-of-plugin-googlemaps.html

  • Hello Mike, thank you for your comment. Somehow, the article lost the deprecation of v2 information and link to http://tech.reumer.net/Google-Maps/Documentation-of-plugin-Googlemap/joomla-plugin-google-maps-version-2-deprecated.html. I’ve added it again.

  • I’ve taken a quick look at the new Googlemap plugin version, and I wonder: why are there so much comments (and different comment styles), and commented out debug code within the plugin code?

    $ grep -r print_r .
    ./plugin_googlemap3.php:// print_r($matches);
    ./plugin_googlemap3.php:// print_r($matches);
    ./plugin_googlemap3_kmlprxy.php: //print_r($matches);
    ./plugin_googlemap3_kmlprxy.php:// print_r(curl_getinfo($ch));

  • Some people are contributing to Joomla and a few are injecting. The community has been messed with by dirty minds.

  • Pingback: “Updates available” – a message you shouldn’t ignore • Inspired Magazine()

  • hjmoore420

    What I have seen dealing with this is that even with the removal of the plugin and renaming the Plugins folder, these injections still occur and take down your site. I have removed my files from Joomla completely and still have some issues, but I am trying to get one good set-up to stop this issue and then trickle it down to the other sites that are not affected as of yet.

    The .htaccess update you have here is the newest addition to the arsenal, so hopefully that quiets the issue even further.

    thanks,

  • It’s unfortunate cyber vandals don’t respect HTTP return codes like 404, 403 and 503 in their automated attack tools… Regardless of whether you remove the plugin (or any other vulnerable script, plugin, module), forbid the request, or put the website offline (returning a 503 Service Unavailable), they keep attacking the old URLs. That still costs a lot of CPU, RAM and bandwidth on your site and server.

    Hopefully the .htaccess update works for your environment @hjmoore420, good luck and thank you for your comment!

  • ao

    Hi, thanks for the info. I’ve deleted the entire plugin directory and blocked in .htaccess, but system logs still show requests being made from /plugins/system/…….any ideas?
    thanks
