Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
5 - 3 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
by peterr on 2006/7/1 12:27:45

Okay, thanks. No doubt the (CPanel) filemanager might even be 'safer', but even then, not for editing maybe.

I see the Invision Filemanger is no longer available for download, but is available from the Hotscripts site

Thanks
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
by Bender on 2006/7/1 12:17:18

Looks like it isn“t.

If you really need a filemanager online i would create a subdomain and install Invision Filemanager into a directory there.

So its not even reachable from the original site domain.
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
by peterr on 2006/7/1 11:19:37

Is the module "filemanager" safe ? I have read through this after seeing this entry in the web server logs

Quote:

85.100.214.203 - - [01/Jul/2006:09:27:26 +0000] "GET /modules/filemanager/admin/index.php?id=&action=deplacer&ordre=&sens=0&rep=&fic=rc57.php HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
by peterr on 2006/7/1 5:49:06

Just like to say thanks to everyone for helping with this. Also, to say that it is not any of the XOOPS "core" (2.0.14) that was the 'weak point', it was the myAds module.

No doubt a site is 'safer' by having the table names prefixed by another name, not the default. The rule would be to always use a table prefix name that is 'strong' or very hard to guess.

We don't know what else the person/s did, no doubt from log entries like:

Quote:

85.101.151.238 - - [30/Jun/2006:09:51:58 +0000] "POST /english/modules/filemanager/admin/index.php HTTP/1.1" 200 7575 "http://*****/modules/filemanager/admin/index.php?id=&ordre=&sens=0&action=editer&rep=modules/filemanager/admin&fic=modules/filemanager/admin/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


they have replaced a few files. Is it only the "POST" entries that we need to examine (whilst they were logged into the admin section), or would we need to examine any "GET" log entries as well, considering it was a "GET" in the first place that allowed the SQL code injection ?

Most of the "offenders" are from Turkey, a block of IP's - 85.101.0.0 - 85.101.127.255, the full list .......

Quote:

222.124.136.33
222.253.18.55
62.248.24.85
81.214.225.115
85.100.168.229
85.100.215.168
85.101.137.31
85.101.148.162
85.101.151.238
85.101.244.121
85.101.40.167
85.101.67.58
85.104.183.117
85.104.209.105
85.104.87.202
85.106.167.236
85.108.252.2
85.108.51.164
85.195.123.22
85.96.68.128
85.98.3.75
85.99.4.167


They also loaded a file called 'rc57.php'; it is not there now though.

P
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
by peterr on 2006/7/1 2:09:53

Fortunately, the raw access logs are now being archived. I had seen some attempts at SQL code injection a few days ago, and found this ...

Quote:

222.124.136.33 - - [30/Jun/2006:07:05:18 +0000] "GET /english/modules/myAds/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid,uname,5,6,7,8,9,10,11,12,13+from+xoops_users+limit+1,1/* HTTP/1.1" 200 1307 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"


That IP is from Indonesia, but I guess IP's can be spoofed.

I'm a bit unsure what to look for, if someone can guide me there possibly. I assume if an SQL injection was possible though, the person would then have been able to login and gain admin access ??

Hmm, ...woops, I see that a "200" was returned from that log entry, that would imply a successful 'injection' ?

So, I guess uninstall the "myAds" module for staters.
*/

Who's Online

850 user(s) are online (634 user(s) are browsing Support Forums)


Members: 0


Guests: 850


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits