Elxis CMS Forum

Support => Security => Topic started by: Ivan Trebješanin on December 15, 2007, 04:21:55

Title: Getting Elxis site down by collation
Post by: Ivan Trebješanin on December 15, 2007, 04:21:55
Here's the new way of breaking down an Elxis site: just change the DB collation. This is what happened to one of my clients. Someone has hacked and changed the DB collation to latin_swedish_ci. It took me 2 minutes to find out what happened and get the site online again, but I thought it would be good to share this with you guys. I added two new filters: COLLATE and COLLATION, and hope it will be enough to stop such attacks. ???

You may also add this to .htaccess:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteCond %{REQUEST_URI} !^/path-to-your-custom-403-error-page\.html$
RewriteRule .* - [F]

or this:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteRule .* - [F]
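
The two checks from the post above (the libwww-perl user-agent rule and the COLLATE/COLLATION filter words), applied to access-log lines. This is an added example, not code from the thread or from Elxis Defender; the Apache combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log line; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# Same substring as the .htaccess rule, case-insensitive like [NC].
BAD_AGENT = re.compile(r'libwww-perl', re.I)
# The two filter words named in the post, matched as whole words.
BAD_WORD = re.compile(r'\b(?:COLLATE|COLLATION)\b', re.I)

def decode(url, rounds=3):
    """Undo up to `rounds` layers of URL-encoding before keyword matching."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan(lines):
    """Return (host, status, reasons) for each log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        reasons = []
        if BAD_AGENT.search(m['agent']):
            reasons.append('user-agent')
        if BAD_WORD.search(decode(m['url'])):
            reasons.append('keyword')
        if reasons:
            hits.append((m['host'], int(m['status']), reasons))
    return hits

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE = [
    '192.0.2.10 - - [14/Dec/2007:23:10:01 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2007:23:11:15 +0100] "GET /index.php?id=1 HTTP/1.0" 403 210 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [14/Dec/2007:23:11:40 +0100] "GET /index.php?q=x%2520COLLATE%2520y HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [14/Dec/2007:23:12:02 +0100] "GET /index.php?q=a+collation+b HTTP/1.0" 403 210 "-" "LibWWW-Perl/5.8"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with status 403 was already refused by the rewrite rule; a keyword hit with status 200 reached the application and is the one to review first.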

Title: Re: Getting Elxis site down by collation
Post by: datahell on December 15, 2007, 08:45:57
How did he change the DB collation? This has nothing to do with Elxis. I don't understand.

Title: Re: Getting Elxis site down by collation
Post by: Ivan Trebješanin on December 15, 2007, 12:16:11
Me neither... Yesterday Elxis Defender sent me lots of messages about attacks, using ADODB (filtered). I believe this guy is not some kid, as he put 3 phishing sites on this server a few weeks ago. If he had access to CPanel, I believe he would take advantage and install a few banking sites again. But I don't know how he could change the collation from the frontend??? He was using the libwww-perl user agent. Maybe he hacked around the CPanel, even though it seems impossible.