| Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30 |
| by peterr on 2006/7/1 12:27:45 Okay, thanks. No doubt the (CPanel) filemanager might even be 'safer', but even then, not for editing maybe. I see the Invision Filemanger is no longer available for download, but is available from the Hotscripts site Thanks |
| Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30 |
| by Bender on 2006/7/1 12:17:18 Looks like it isn“t. If you really need a filemanager online i would create a subdomain and install Invision Filemanager into a directory there. So its not even reachable from the original site domain. |
| Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30 |
| by peterr on 2006/7/1 11:19:37 Is the module "filemanager" safe ? I have read through this after seeing this entry in the web server logs Quote:
|
| Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30 |
| by peterr on 2006/7/1 5:49:06 Just like to say thanks to everyone for helping with this. Also, to say that it is not any of the XOOPS "core" (2.0.14) that was the 'weak point', it was the myAds module. No doubt a site is 'safer' by having the table names prefixed by another name, not the default. The rule would be to always use a table prefix name that is 'strong' or very hard to guess. We don't know what else the person/s did, no doubt from log entries like: Quote:
they have replaced a few files. Is it only the "POST" entries that we need to examine (whilst they were logged into the admin section), or would we need to examine any "GET" log entries as well, considering it was a "GET" in the first place that allowed the SQL code injection ? Most of the "offenders" are from Turkey, a block of IP's - 85.101.0.0 - 85.101.127.255, the full list ....... Quote:
They also loaded a file called 'rc57.php'; it is not there now though. P |
| Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30 |
| by peterr on 2006/7/1 2:09:53 Fortunately, the raw access logs are now being archived. I had seen some attempts at SQL code injection a few days ago, and found this ... Quote:
That IP is from Indonesia, but I guess IP's can be spoofed. I'm a bit unsure what to look for, if someone can guide me there possibly. I assume if an SQL injection was possible though, the person would then have been able to login and gain admin access ?? Hmm, ...woops, I see that a "200" was returned from that log entry, that would imply a successful 'injection' ? So, I guess uninstall the "myAds" module for staters. */ |