
Help! My site has been hacked and is sending all kinds of spyware and viruses!
First of all, count to 10 to calm down. It may not be as serious as it looks right now, but we need to look carefully at what is causing this.

We have had some occasions where the website was sending all kinds of viruses, spyware, malware and adware along with the XOOPS pages. If you can still access your website (despite all the warnings etc.), your site may not be *hacked* as such, but more like *hijacked*. What does this mean?

Many shared hosting providers do not run each account under a separate Apache instance, but use the default 'apache' user and group created on initial install, and use a vhost for each website on that server. Apache runs under these same credentials for all those websites.
So where you need to give your application "write access", you need to give this "apache" user write access (generally this means making the folder world-writable). Giving write access only to the owner of the account would not help, because the "apache" user is not the owner, and PHP wouldn't be able to write anything.
Now, what happens is that all the websites on the same shared server run under this "apache" user... So where you give write access to apache, you're giving write access to EVERY malicious user sharing the same server.

And this is what happened. Users from the same server (not just anyone) misused your folder to spread their malicious code.

Now, how to solve this:
Fire up your FTP client, log in to your server and remove all the files from the templates_c/ folder.
Note: this will stop the current attack, but it will not stop it from occurring again.
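
As an added example (not part of the original FAQ or of XOOPS itself), this shell script lists the directories under a site root that are world-writable in the sense described above and shows what was recently written into them, so templates_c/ and similar folders can be reviewed before and after cleaning. The function names, the site path you pass in and the 7-day window are assumptions.

```shell
#!/bin/sh
# Added example: audit a site root for directories any local account can write to.
# The site path and the 7-day default window are assumptions; adjust for your install.

# Print every directory under $1 that has the "other" write bit set (o+w).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Print regular files directly inside directory $1 that were modified within
# the last $2 days, with owner and timestamp, so unexpected files stand out.
recent_files() {
    find "$1" -maxdepth 1 -type f -mtime "-$2" -exec ls -ld {} + 2>/dev/null
}

# Report each world-writable directory followed by its recently changed files.
audit_site() {
    root=$1; days=${2:-7}
    world_writable_dirs "$root" | while IFS= read -r dir; do
        echo "WORLD-WRITABLE: $dir"
        recent_files "$dir" "$days" | sed 's/^/    /'
    done
}

# Run only when a path is given, e.g.: sh audit.sh /path/to/xoops 7
if [ -n "${1:-}" ]; then audit_site "$1" "${2:-7}"; fi
```

On a server set up as described, every file written by PHP is owned by the shared "apache" user, so the owner column will not tell sites apart; the modification times and unfamiliar file names are what to look at.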

Now, is this a XOOPS problem or not? I say no, because:
1) Smarty REQUIRES the ability to write some files, so that can't be changed.
2) Even if we could change this, it would not change much: these server configurations are EXTREMELY unsafe.

The solution to this is to have each site run under a different user, using suEXEC. The problem is that all the "safe" solutions are less scalable, and are not that popular, especially with shared hosting servers. So, you will have to contact your hosting provider and have them look into this problem.

EDIT: Carnuke~ please update your site to 2.0.13.2 ASAP

