Elxis CMS Forum
Support => Security => Topic started by: ks-net on September 23, 2008, 04:06:05
-
possible hacking???
Help here please, as this page sends real credit card information stolen from people
to my mailbox. I hope that they didn't manage to take any yet.
I became suspicious when mail delivery failure reports came from my mail server
with the messages that failed to send... they contain complete and real credit card information, phone numbers, addresses,
etc.
The URL below was in my server's logs; also, site visits increased 50 times over the last two days.
Look at that page and you will see that it is totally fake: no SSL, no links to AOL, no right click.
seopro
All sample filters enabled in Defender.
How can I stop this... is there a filter to add?
palaiopyrgos.gr /upload/webscr/m01.webmail.aol.com/SignIn&co_partnerId=2&pUserId/AOL=user_cmdID12549JDk23/and_login=921831288329,sequence=291038129383.html?t=1222125432671;b=807x477;s=1024x768;c=32;j=1.3;o=300;p=http%3A//palaiopyrgos.gr/upload/webscr/m01.webmail.aol.com/SignIn%26co_partnerId%3D2%26pUserId/AOL%3Duser_cmdID12549JDk23/and_login%3D921831288329%2Csequence%3D291038129383.html;r=;alive=1;t=1222130682828%20HTTP/1.1%22%20200%2043582%20%22http://palaiopyrgos.gr/upload/webscr/m01.webmail.aol.com/SignIn&co_partnerId=2&pUserId/AOL=user_cmdID12549JDk23/and_login=921831288329,sequence=291038129383.html%22%20%22Mozilla/4.0%20(compatible;%20MSIE%207.0;%20AOL%209.1;%20AOLBuild%204334.34;%20Windows%20NT%205.1;%20FunWebProducts;%20(R1%201.3);%20(R1%201.6);%20.NET%20CLR%201.1.4322)%22
Edit: deactivated the URL for search engine bots.
-
This is a really good hack! But tell me something: do you have the /uploads folder?
-
Isn't this outside of your Elxis directory?
And first of all, check this out. (https://forum.elxis.org/index.php?topic=2265.msg13458#msg13458)
-
Found... FTP hacked.
I must change passwords.
They made a dir on my server (attached here) and they are waiting for victims,
but I don't know how they send people to me...
[attachment deleted by admin]
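The post above describes a phishing kit planted under the site's upload directory after the FTP credentials were compromised. A quick way to catch that kind of foothold is to sweep the upload directory for anything a browser would render or the server would execute. The following script is an added example for this thread, not code from Elxis or from the poster; it assumes the upload directory is meant to hold only media and documents, and it builds a constructed sample tree (with a made-up `login.example.com` folder standing in for the kit) so it runs offline.

```python
"""Sweep an upload directory for planted web content (HTML/PHP/JS).

Added example, not code from the Elxis project. Assumption: the upload
directory should contain only images and documents, so anything that a
browser would render or the web server would execute does not belong there.
"""
import os
import tempfile

# File types an upload directory should never contain (assumed policy).
SUSPICIOUS_EXTENSIONS = {".html", ".htm", ".php", ".phtml", ".js", ".cgi", ".pl"}
# File types expected in an image/document upload folder (assumed policy).
EXPECTED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".zip"}


def scan_upload_dir(root):
    """Return a sorted list of (relative_path, reason) for files that don't belong.

    Files with a suspicious extension are reported as web content; files with
    an extension outside the expected set are reported as unexpected, so that a
    new tool or kit using an unusual extension still shows up for review.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append((rel, "web content in upload dir"))
            elif ext not in EXPECTED_EXTENSIONS:
                findings.append((rel, "unexpected extension %r" % ext))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree resembling the case in the thread.

    The 'webscr/login.example.com' folder is a made-up stand-in for the
    phishing kit directory; the other files are ordinary uploads.
    """
    root = tempfile.mkdtemp(prefix="upload_")
    kit = os.path.join(root, "webscr", "login.example.com")
    os.makedirs(kit)
    samples = {
        os.path.join(root, "photo1.jpg"): b"\xff\xd8\xff",      # legitimate image
        os.path.join(root, "notes.txt"): b"just a note",         # unexpected type
        os.path.join(kit, "SignIn.html"): b"<html>fake login</html>",
        os.path.join(kit, "post.php"): b"<?php /* mails form data */ ?>",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_upload_dir(build_sample_tree()):
        print("%-45s %s" % (rel_path, reason))
```

Run it against the real upload path instead of the sample tree once the policy sets match what the site actually allows; the "unexpected extension" findings are the ones to review by hand, while the "web content" findings are the ones to remove and to trace back in the FTP logs.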
-
The dir was the upload directory?
-
Yes.
-
It is not a hack. You have spyware on your computer. Check this: FunWebProducts.
I think you opened a bad e-mail...
-
Well... the files attached above were on my server.
Also, my mail server received mails that it refuses to forward to $maill='breatheresult@voila.fr,pennehart99@yahoo.com';
Another thing:
I also noticed the Apache error logs have some lines:
[Tue Sep 23 03:42:27 2008] [error] [client 213.5.200.189] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "www.palaiopyrgos.gr"] [uri "/administrator/index2.php"]
At the same time, Defender didn't work: I couldn't add a new filter (it forwarded me to the frontend) and printed the error above.
So I had to manually remove any SELECT filter.
Why did this happen?
Is there a conflict with mod_security?
-
"select from" is a mod_security filter and you cannot use it via a POST request, even for Defender. Apache's mod_security runs before Defender.
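The answer above explains the error log line quoted earlier: mod_security inspects the POST body before the request ever reaches Elxis, so submitting a Defender filter that itself contains "select ... from" trips the mod_security rule at /administrator/index2.php. Telling that kind of self-inflicted hit apart from a real injection attempt against the frontend is easier when the denials are parsed and grouped. The parser below is an added example for this thread, not code from Elxis or from mod_security; it reads the log format shown above, and the sample list contains the line from the thread plus two constructed lines (the 192.0.2.10 client is a documentation address, not a real visitor).

```python
"""Parse mod_security 'Access denied' lines from an Apache error_log.

Added example, not code from Elxis or mod_security. The regex matches the
1.x-style log line quoted in the thread; other log formats return None.
"""
import re
from collections import Counter

MODSEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<where>\S+)'
    r'(?P<tags>(?: \[\w+ "[^"]*"\])*)$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Sample log: the first line is the one quoted in the thread, the other
# three are constructed for this example.
SAMPLE_LOG = [
    '[Tue Sep 23 03:42:27 2008] [error] [client 213.5.200.189] mod_security: '
    'Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD '
    '[severity "EMERGENCY"] [hostname "www.palaiopyrgos.gr"] [uri "/administrator/index2.php"]',
    '[Tue Sep 23 03:45:10 2008] [error] [client 213.5.200.189] mod_security: '
    'Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD '
    '[severity "EMERGENCY"] [hostname "www.palaiopyrgos.gr"] [uri "/administrator/index2.php"]',
    '[Tue Sep 23 04:01:55 2008] [error] [client 192.0.2.10] mod_security: '
    'Access denied with code 403. Pattern match "select.+from" at THE_REQUEST '
    '[severity "EMERGENCY"] [hostname "www.palaiopyrgos.gr"] [uri "/index.php"]',
    # Unrelated Apache error, must be ignored by the parser.
    '[Tue Sep 23 04:02:00 2008] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
]


def parse_modsec_line(line):
    """Return a dict of fields for a mod_security denial line, else None."""
    m = MODSEC_RE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("ts", "client", "pattern", "where")}
    event["code"] = int(m.group("code"))
    # Trailing bracketed tags (severity, hostname, uri) become plain keys.
    for key, value in TAG_RE.findall(m.group("tags")):
        event[key] = value
    return event


def summarize(lines):
    """Group denials by client and by (pattern, uri); pull out admin-side hits.

    Hits under /administrator/ from the site owner's own session are the
    candidates for a rule exception (the Defender filter case in the thread);
    hits on public URIs are the ones to treat as probes.
    """
    events = [e for e in map(parse_modsec_line, lines) if e]
    return {
        "events": events,
        "by_client": Counter(e["client"] for e in events),
        "by_rule": Counter((e["pattern"], e.get("uri", "?")) for e in events),
        "admin_hits": [e for e in events if e.get("uri", "").startswith("/administrator/")],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (pattern, uri), n in report["by_rule"].most_common():
        print("%3d  %-14s %s" % (n, pattern, uri))
    print("admin-side denials:", len(report["admin_hits"]))
```

Feed it the real error_log with `summarize(open("/path/to/error_log").readlines())`. If the admin-side hits line up with your own filter edits, the fix is to scope the mod_security rule so it does not inspect that admin form, rather than removing the SELECT filter from Defender, which leaves the frontend with one check fewer.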
-
The only weird thing here is that I haven't had any problem in the past???
And I must say that Defender is totally needed,
as I have, and I am sure all of you have, at least 3-4 attacks every day, especially with mos_config.