Hack Attempted 12-12-12 - Joomla! Forum - community, help and support
An IP address coming from China tried the following URI command and tried to hack the system. It had me wondering what they were trying to get, until I checked the access logs. They seem to be going after password and login info! They were using the site IP address instead of the domain name. They tried to place a file on the system in order to create a username and password. The site is offline, and I have to block an IP range, not a single IP address. Blocking China later today. Can't the system still block them, and still have the offline page show while building the site? The URI leads to the offline page, and you have to enter a username and password.
hacking attempt info:
page: https://mysite/vtigercrm/graph.php?curr ... astix.conf &module=accounts&action
referer: no referer
description: local file inclusion attempted.
alert level: medium
date of event: 2012-12-12 06:25:22
ip address: 23.25.119.97
In the master htaccess file there is this:
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in the URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via the URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via the URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
http://docs.joomla.org/htaccess_examples_%28security%29
I think this hack attempt would be blocked with this line added:
RewriteCond %{QUERY_STRING} etc/elastix.conf [OR]
Put it under this line:
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
I have added one such similar line in my htaccess for:
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
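A matching access-log check, as an added example that is not part of the original thread: it percent-decodes each query string before looking for the three file paths named in the rules above, because `RewriteCond %{QUERY_STRING}` is matched against the undecoded string. The log lines, the 192.0.2.x addresses and the `view.php?file=` path are constructed for the example.

```python
import re
from urllib.parse import unquote

# File paths named in the thread's RewriteCond lines, matched case-insensitively.
LFI_PATTERNS = [re.compile(p, re.I) for p in (
    r"proc/self/environ", r"etc/elastix\.conf", r"etc/passwd")]

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan(lines):
    """Return (ip, time, status, pattern) for each request whose query matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status = m.groups()
        query = target.partition("?")[2]
        if not query:
            continue
        decoded = decode_fully(query).replace("\\", "/")
        for pat in LFI_PATTERNS:
            if pat.search(decoded):
                hits.append((ip, when, int(status), pat.pattern))
                break
    return hits

# Constructed sample lines (hypothetical script name and parameter).
SAMPLE = [
    '192.0.2.10 - - [12/Dec/2012:06:25:22 +0000] "GET /app/view.php?file=../../etc/elastix.conf HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.11 - - [12/Dec/2012:06:26:01 +0000] "GET /app/view.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.12 - - [12/Dec/2012:06:27:40 +0000] "GET /app/view.php?file=%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.13 - - [12/Dec/2012:06:28:05 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for ip, when, status, pattern in scan(SAMPLE):
        note = "blocked" if status == 403 else "NOT blocked, review"
        print(f"{when} {ip} status={status} matched={pattern} ({note})")
```

A hit logged with a status other than 403 means the request was not stopped by the rewrite rules and is worth reviewing by hand.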