11
kjs222
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 18:38

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Ain't community great!

Thank you all for the advice... very appreciated.

The only thing I'm wondering is if Herko has an automated "You should upgrade" script working on these boards - I think this is the 5th or 6th post I've gotten that on from him. Seriously though, apart from the looming agony of hours of version checking, I know these are wise words from the wise.

Hope no-one else finds themselves in my situation!

Keith



12
kjs222
Xoops Site Defaced Multiple Times...
  • 2004/8/5 14:18

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Good day Everyone,

ONE of my many XOOPS sites has come under multiple automated attacks from a hacker user/group known as "r00t_system."

This post is meant to serve four purposes:

1. Report the Crack
2. Describe circumstances around the crack,
3. Request advice from super-geek-guru peers, and
4. Act as a reference in case others come across the same problem.


The Crack

An automatically generated generic cracker brand:
"r00t System ownz you!"

For references see:

Zone-H Digital Attacks Archive:
http://www.zone-h.org/en/defacements/filter/filter_defacer=r00t_System/page=1

Record of an E-Xoops Attack:
http://www.modscentral.com/modules/newbb/viewtopic.php?topic_id=975&forum=1


Crack Circumstances

Server:
- Some hybrid of both unix/linux + windows server run by Bell Canada.

Xoops System:
- XOOPS V.2.0.3 ~ with a number of PHP files modified by developers, though no serious hacks

Active Modules:
- Most Standard Mods...
- CJay2
- Agenda-X 1.1
- eCal 2.2
- OS Commerce .1
- Contact + .8

Inactive Modules:
- A few Standard Mods.


My Thoughts so far on the Solution

disclaimer/context: I'm not a systems-level guru, I know how to code, I know databases, I can navigate linux... that's about it.

While I'd like to blame the bug simply on the fact that Bell Canada has Windows installed on their server (note: they claim they have Linux/Samba/Window setup that is "new and secure behind firewall after firewall...."), at this time I'm leaning more towards a PHP code vulnerability. As seen in the references given in "the Crack" section, this seems to be an automated attack, however, looking at the eXoops reference it looks like it's exploiting vulnerabilities of my old XOOPS PHP code.

What doesn't make sense to me is that there doesn't appear to be records of such hacks in XOOPS before (the one referred to is in eXoops). Here's the closest thread I could find to this one:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=18824&forum=13#forumpost80232

So, having said all that, here's my best guess so far:

Quote:
XOOPS MyTextSanitizer Filtering Bug Allows Remote Users to Conduct Cross-Site Scripting Attacks in many modules: News, newbb, private messages, signatures etc...

Date:
29 April 2003

Security Alert ID:
1006523

Added by:
HH

After the module glossary and gallery of xoops, another risk in MytextSanitizer has been found which permit some CSS injection in XOOPS versions 1.3.x to 2.x

This is just the function on XOOPS who filter special characters or malicious scripts.

A remote user can bypass Sanitizer and conduct cross-site scripting attacks with a post in a topic in board (newbb) send malicious private message to admin, insert script in the news comment...

Example :

java script:alert%28document.cookie%29
with img tags

from:http://hackerzhell.co.uk/exploits.php?sid=1006523


That's what chief 108 from the modscentral board pointed to in one of his posts...

So, I'm stumped at this point as to what to do. We changed all the server passwords and the site was re-hacked the next day. It's been hacked 7 times; once on a different server. I'm really thinking it's a vulnerability in one of my PHP docs, but I hate to start updating them all one-by-one without knowing for sure that the site may still be hacked when I finish (in a few months).

Any comments welcome.

Thanks,
Keith
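
The advisory quoted in the post above describes a sanitizer being bypassed by a disguised script URL placed in an img tag. As an added example (not part of the original post and not XOOPS code; the function names and sample inputs are constructed for illustration), this PHP contrasts a substring blocklist with a scheme allowlist for image URLs:

```php
<?php
// Added example: not XOOPS code. Function names and sample inputs are constructed.

// Blocklist check: rejects only the literal substring it knows about.
function blocklist_allows(string $url): bool
{
    return stripos($url, 'javascript:') === false;
}

// Allowlist check: accepts only absolute http(s) URLs with a host,
// so any other scheme, however it is spelled or encoded, is refused.
function allowlist_allows(string $url): bool
{
    // Decode entities first, as the browser will before using the attribute.
    $url = trim(html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

    // Refuse control characters, whitespace, quotes and angle brackets in the URL.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true);
}

// Build the tag only from a validated value, escaped for the attribute context.
function render_img(string $url): string
{
    if (!allowlist_allows($url)) {
        return '[image removed]';
    }
    $decoded = trim(html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return '<img src="' . htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

$samples = [
    'https://example.org/logo.png',            // ordinary image URL
    'java script:alert%28document.cookie%29',  // string quoted in the advisory
    'javascript:alert%28document.cookie%29',   // same string without the space
];
foreach ($samples as $s) {
    printf("%-42s blocklist=%s allowlist=%s\n", $s,
        blocklist_allows($s) ? 'pass' : 'block',
        allowlist_allows($s) ? 'pass' : 'block');
}
```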



13
kjs222
Re: Private Messages: Outbox
  • 2004/7/7 16:45

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


I got it working; I had to hack it a bit to meet my particular needs. Particularly, I needed to filter out system-generated notification emails.

Hopefully the link provided will work... reply again if you still have difficulties and I might lend you some code.

Keith



14
kjs222
Re: Selected template (ID: $id) does not exist
  • 2004/6/24 14:29

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Thanks tl, a version of this solution worked:

Report:

- all template sets seemed to have messed up ids
- templates still showed properly on the page
- I cloned my active template set, and set the cloned set as primary
- the cloned template set worked properly on the template MGR



15
kjs222
Re: Selected template (ID: $id) does not exist
  • 2004/6/23 21:46

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Hi there, I have this problem too. Just appeared out-of-the-blue on one of my sites.

Specifically: After 8 months of smooth running, we got hacked. As far as I can see, the hacker only took out the index.php and put on a dumb index.html.

After replacing the index, the problem appeared.

We noticed that a particular block on the front page of the site is blank - odd... especially since turning on php or smarty debug shows no errors. So, is it a problem with templates? All the other templates (both in this module and in other modules) appear fine.

So, I think: "this must be a bug in the block." Without direction from page errors; I go to the template manager. Here's the real problem:

I can navigate into the templates/module listing for any of my template sets, but when I select an individual template file to edit (again, from any of the template sets), I get the error referred to by migoe:

Selected template (ID: $id) does not exist

I have no clue what's going on; any leads you can offer would be great.

Thanks,
Keith



16
kjs222
Re: Private Messages: Outbox
  • 2004/3/31 14:02

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Sorry, careless. Looks nice!




17
kjs222
Re: Private Messages: Outbox
  • 2004/3/31 13:50

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


WOW. I'm impressed. What's your site?



18
kjs222
Re: Private Messages: Outbox
  • 2004/3/31 13:46

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Do you have attachments working with PMs? I don't mean any harm, but in plaintext 80 MB is equivalent to 160 copies of 20,000 Leagues Under the Sea:

http://www.gutenberg.net/etext/164

... that's a LOT of PMs!



19
kjs222
Re: Private Messages: Outbox
  • 2004/3/31 3:53

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Thank you very much Topet, I will do this.

I appreciate.
Keith



20
kjs222
Re: Private Messages: Outbox
  • 2004/3/31 0:45

  • kjs222

  • Friend of XOOPS

  • Posts: 116

  • Since: 2003/3/1 1


Any progress on getting a sent message page? I have a client who wants me to implement this NOW, so... while I don't mind re-inventing the wheel (it's an easy enough page), I'd prefer to get on the bandwagon with 'Skalpa.'

Look forward to hearing back.

Keith



