Was user-agent identification used for some scripting attack techique?

This is a Joomla 0 Day Attack. Information found here: https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html

This is not a vulnerability test despite the __test. It is an attack.

Make sure that any Joomla install is as up to date as possible.

Another option is to simply use .htaccess to intercept this exploit by looking for a common string, "__test" would work, and redirect to some other place.


The IP address that you linked does not resolve to a Google hostname therefore it is not Google. The person or bot is scanning your site for vulnerabilities. The first one is attempting to find a Joomla vulnerability.

These events are a regular occurrence on most websites, You should ensure that you are following best practices and harden your website, the process is long and you will need to find and follow a online tutorial.


Additionally to other answers, note that the fact that this attack apparently worked suggests you are running an old, insecure version of PHP. A fix for the bug that this attack exploits was released in september 2015. Run your update process and make sure it pulls in the most recent version of PHP. And check for other outdated programs that are Internet-facing, too, as it seems your server hasn't been kept up-to-date for at least a year.