Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. Even though the Googlemaps plugin vulnerability
plugin_googlemap2_proxy.php was released over one and a half (1,5) years ago, I still see these DoS-attacks happening on a regular basis…
Security in Joomla has a bad track record… This isn’t the first vulnerability in a Joomla plugin or component (and won’t be the last). We all remember the Joomla Content Editor (JCE) and Media Manager vulnerabilities and exploits.
It seems Joomla website owners tend to not update their sites, which is very bad of course.
The problem with the Joomla Googlemaps plugin lies in the fact anyone can request the
/plugins/system/plugin_googlemap2_proxy.php in their browser or script, to execute cURL HTTP requests to remote websites. The
url parameter is vulnerable for Cross Site Scripting (XSS) attacks, and allows the retrieval of remote website content.
When this happens a lot, a website becomes overloaded and unresponsive, making a Denial-of-Service attack successfully executed.
This is not only a problem for the website owner on the remote end, or its hosting company. Your web servers transmit a lot of HTTP traffic to remote ends, increasing server load, usage and network bandwidth (for which you pay). Therefor it’s important to stop this abuse.
An example request I pulled from a website logfile:
2014-11-16 08:54:25 126.96.36.199 GET /plugins/system/plugin_googlemap2_proxy.php url=www.victim_site.example 80 - 188.8.131.52 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+ (KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 - example.com 200 0 64 0 252 42558
Protip: learn about the Top Ten Joomla Security Problems… and how to avoid them.
A quick search on one web server for the file plugin_googlemap2_proxy.php showed me it’s used a lot. Those Joomla sites are running older 1.5.x versions too sigh… So, let’s stop these DoS attacks on remote sites.
Update & Tune Joomla security & performance
It’s important to update Joomla, to improve it’s security and performance.
Project Honeypot – Mitigate DDoS & web attacks
A mitigation is to implement a Project Honeypot solution to filter and block IP addresses on the HTTP level. They call their HTTP blacklist Http:BL. Join and work with Project Honeypot to add IP addresses of abusers to their database, create new, or improve existing implementations for Http:BL, or donate a small amount of money to the cause. Of course you can create your own HTTP blacklist easily as well.
The simplest – and best – way to stop being a proxy for DoS attacks is to just remove the
plugin_googlemap2_proxy.php file. This file is often located in the folder
.htaccess security for Joomla
You can easily block access to plugin_googlemap2_proxy.php with an .htaccess
Open up Joomla’s default
.htaccess file and locate the line
Directly below that line, add:
RewriteRule plugin_googlemap2_proxy.php - [F,L]
This will deny any request to the URI
plugin_googlemap2_proxy.php with a 403 Forbidden status code. (Updated the RewriteRule to reflect Paul’s comment)
IIS web.config protection from Joomla plugin_googlemap2_proxy.php DoS attacks
The same as the .htaccess block can be made with IIS URL Rewrite feature in the
web.config file. Use the following Rewrite rule:
<rule name="block Joomla Googlemap plugin" stopProcessing="true"> <match url=".plugin_googlemap2_proxy\.php" ignoreCase="false" /> <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="No DDoSing remote websites!" /> </rule>
This will display an HTTP 403.0 – Forbidden status code with a message “No DDoSing remote websites!”.
IIS Request Filtering denyUrlSequences rule
You can block requests to the plugin_googlemap2_proxy.php file with IIS’ Request Filtering too. Either in IIS’ root node, or on the website level.
In the next example, fill out a website name after
config to add this Request Filtering denyUrlSequences rule to a particular website, and use
IIS root node:
AppCmd set config -section:system.webserver/security/requestFiltering /+"denyUrlSequences.[sequence='plugin_googlemap2_proxy.php']" /commit:apphost
AppCmd set config "Default Web Site" -section:system.webserver/security/requestFiltering /+"denyUrlSequences.[sequence='plugin_googlemap2_proxy.php']" /commit:webroot
This will display a HTTP Error 404.5 – Not Found response.
Update Joomla, plugins and components
And last but not least…: Update Joomla, and update all plugins and components! Frequently!
Remove unused plugins and components. The websites I inspected running this file, all still run ancient 1.5.x versions of Joomla. Joomla 1.5.x is ancient, unsafe, vulnerable, and should be banned from the internet IMO.
Every new Joomla version comes with new optimized PHP code, functions and settings. Use them! Always run an as high as possible Joomla version to make use of these improvements.
8 Tips to Improve Joomla Performance
The following 25(!) IP addresses are responsible for millions of hits to this plugin_googlemap2_proxy.php file a day:
184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
Unfortunately not all IP addresses are listed at services like Project Honey Pot, but I suggest you block them on your network.
Tune PHP performance: Ensure the performance of your PHP & Joomla websites by following these tips to optimize PHP realpath_cache_size and PHP OPcache.
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization.
Want to support me and donate? Use this link: https://paypal.me/jreilink.