One of the biggest mistakes that system administrators make when analyzing Apache server logs is that they ignore many of the “500” HTTP errors (also known as Internal Server Errors). They think that if these fatal errors are not happening on legitimate pages, then they are not worth investigating. Little do they know that there is usually much more beneath the surface. Let us give you an example…
This morning, as part of a routine security check on a Joomla website, we ran the following grep command to get a list of all the pages that generate 500 errors:
grep ' 500 ' ourclientjoomlawebsite.com-Oct-2016 > 500-errors.txt
(Note: The file ourclientjoomlawebsite.com-Oct-2016 is the Apache access log file for the website ourclientjoomlawebsite.com).
When we examined the 500-errors.txt file, we saw the following fatal error, many times:
[ip] - - [16/Oct/2016:14:14:09 -0400] "HEAD /component/mailto/?tmpl=component&template=template-name&link=http://www.ourclientjoomlawebsite.com/category-1/page-1.html HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; um-LN/1.0; mailto: randomemail@[anotherdomain.com])"
Now, if you just copy and paste the above link into a browser (of course, you will have to prepend the domain name), then you will notice that the link works (it will show the “Send this Article to a Friend” form), but there’s more to it…
The user agent, which is the root of a substantial amount of evil in the online world, has an email address in it. Obviously, such a user agent is fake: it was specifically crafted to crash the Joomla website, and it did do its job!
The thing is, not a single request to a Joomla website (or any other website, for that matter) should crash it. A solid website should handle any request gracefully and should never crash, because a crash is a huge positive sign for a blind SQL injection (which may pave the way for an actual exploit).
Naturally, we fixed the problem by 1) addressing the issue in the mailto extension, and 2) cleaning up the $_SERVER['HTTP_USER_AGENT'] value before it is used. But, we thought, what would have happened if we hadn’t examined the server logs this morning? Would it have been possible for the attacker to exploit the website? The latter thought sent chills down our spines, because the website in question belonged to a very important client of ours.
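The log check described above, as an added example that is not part of the original post: it parses Apache combined-format lines, filters on the status field (rather than grepping for ' 500 ', which also matches a 500-byte response), counts 500s per path and flags user agents that embed an email address. The log lines, IP addresses and user agents are constructed for the example.

```python
import re
from collections import Counter

# Apache combined log format, shaped to match the entry quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A browser user agent carries no email address; one that does deserves a look.
EMAIL_RE = re.compile(r'[\w.+-]+@[\w.-]+')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_500s(lines):
    """Like grep ' 500 ', but on the parsed status field, so a 500-byte 200 response never matches."""
    return [f for f in map(parse_line, lines) if f and f['status'] == '500']

def suspicious_user_agent(ua):
    """Flag user agents that embed an email address or a mailto: token."""
    return bool(EMAIL_RE.search(ua)) or 'mailto:' in ua.lower()

def summarize(lines):
    """Count 500s per request path (query string stripped) and collect the offending user agents."""
    hits = find_500s(lines)
    per_path = Counter(f['path'].split('?', 1)[0] for f in hits)
    bad_uas = sorted({f['ua'] for f in hits if suspicious_user_agent(f['ua'])})
    return per_path, bad_uas

# Constructed sample log (RFC 5737 addresses, made-up user agents); the 4th line is a
# 200 response of 500 bytes, which a plain grep for ' 500 ' would wrongly pick up.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Oct/2016:14:14:09 -0400] "HEAD /component/mailto/?tmpl=component&template=template-name&link=http://www.example.com/category-1/page-1.html HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; um-LN/1.0; mailto: probe@attacker.example)"',
    '203.0.113.5 - - [16/Oct/2016:14:14:11 -0400] "HEAD /component/mailto/?tmpl=component&link=http://www.example.com/page-2.html HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; um-LN/1.0; mailto: probe@attacker.example)"',
    '198.51.100.7 - - [16/Oct/2016:14:15:02 -0400] "GET /category-1/page-1.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.8 - - [16/Oct/2016:14:16:40 -0400] "GET /about.html HTTP/1.1" 200 500 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.9 - - [16/Oct/2016:14:17:13 -0400] "GET /index.php?option=com_content HTTP/1.1" 500 - "-" "Mozilla/5.0 (Macintosh)"',
]

if __name__ == '__main__':
    per_path, bad_uas = summarize(SAMPLE_LOG)
    for path, n in per_path.most_common():
        print(f'{n:4d}  {path}')
    print('user agents embedding an email address:', bad_uas)
```

Point the script at a real access log by replacing SAMPLE_LOG with the file's lines; any path that accumulates 500s, and any user agent the second check flags, is what to hand to the developers.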
So, as the system administrator of a Joomla website, it is up to you to examine the server logs for “500” errors, and it is up to you to immediately report any of these errors to your developer(s). If you don’t have any developers to handle these errors, or if you need help performing the log analysis on your website, then please contact us. We are always happy to serve, and our fees are super affordable!