21
seventhseal
Re: Help required - Banning IP

I'd be interested in knowing what stats modules you tried.

Here's the problem, and very few really understand how this all works... If this person is spoofing, you will have a hard time with IPs. Protector is not good enough for that, and although you might be able to find a range of IPs by looking at your access logs, you may not be able to block him specifically.

So, what to do? Well, one thing is to actually look at those logs on your server and figure out what posts are associated with what IP addresses. If you have control over your server, you could install the mod-security module and set up filters. However, my bet is if you study the access logs, you will find a trend. If nothing else, you will find what IP addresses he likes to spoof. Unfortunately, there is no real reliance on the IP coming in.

I only have an interest because I like to actually find these folks and sell them out to everyone. I've done it many times!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design
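
An added example, not part of the original post: one way to pull posting requests out of an Apache combined-format access log and group them by /24 range and by User-Agent, so a trend stays visible when the address changes. The posting path `/modules/newbb/post.php` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.14 - - [12/Mar/2006:10:01:02 +0000] "POST /modules/newbb/post.php HTTP/1.1" 302 512 "-" "AgentA/1.0"
203.0.113.77 - - [12/Mar/2006:10:03:40 +0000] "POST /modules/newbb/post.php HTTP/1.1" 302 498 "-" "AgentA/1.0"
198.51.100.9 - - [12/Mar/2006:10:05:11 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.201 - - [12/Mar/2006:10:09:55 +0000] "POST /modules/newbb/post.php HTTP/1.1" 302 505 "-" "AgentA/1.0"
192.0.2.33 - - [12/Mar/2006:11:20:00 +0000] "POST /modules/newbb/post.php HTTP/1.1" 302 640 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def posting_hits(log_text, post_path="/modules/newbb/post.php"):
    """Return parsed POST requests to the posting script; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == post_path:
            hits.append(m.groupdict())  # keeps ip, time and agent for matching against posts
    return hits

def summarize(hits):
    """Group posting IPs (IPv4 assumed) by /24 network and by User-Agent."""
    by_net, by_agent = defaultdict(set), defaultdict(set)
    for h in hits:
        net = ip_network(h["ip"] + "/24", strict=False)
        by_net[str(net)].add(h["ip"])
        by_agent[h["agent"]].add(h["ip"])
    return dict(by_net), dict(by_agent)

if __name__ == "__main__":
    nets, agents = summarize(posting_hits(SAMPLE_LOG))
    for net, ips in sorted(nets.items(), key=lambda kv: -len(kv[1])):
        print(f"{net}: {len(ips)} distinct posting IPs -> {sorted(ips)}")
    for agent, ips in agents.items():
        if len(ips) > 1:
            print(f"agent {agent!r} posted from {len(ips)} addresses")
```

The `time` field of each hit can be lined up with the forum's post timestamps to tie individual posts to addresses.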



22
seventhseal
Re: XOOPS on VPS goes very slow!

XEN is great technology - not quite enterprise ready, but for what a majority of us all do, very good. The downside to XEN vs. say VMWare is that you must understand the details of virtualization. My company has done an extensive research project with both. The one and only reason we are waiting on XEN is to get better kernel support for RedHat (Fedora 5 I think) and SLES (on the same page). We do large scale enterprise computing with the financial industry, so enterprise class is very important.

We will eventually do XEN. With the Microsoft deal, and VMWare deal, things look very good. Besides, IBM is backing XEN and now looks to move Z9 (mainframe) VM functionality to XEN. XEN is much more like a true hypervisor (IBM pSeries) than any other hypervisor out there. VPS (PLESK hybrids) are not. A true hypervisor will allow you to manage your hardware infrastructure as a resource. Whether I have 1 physical or 5 physical, it's hardware resource. So a hypervisor just manages the resources to run all virtuals.

Anyway, to answer your question, go to XENSource.com (XEN Source).



23
seventhseal
Re: XOOPS 2.1.1 + PHP 4.4.1 - Variable Reference Issues

The first place I started was DNSReport and you have minor issues - nothing to worry about.

So, the next question I would have is - if you are accessing your site from home - and you mean the site works as expected only from home, then I still would question the DNS servers. If you are saying that the site is turned off, except from home - you may have cookie issues in your browser. Clean them all out.

If you are saying the site does not resolve when warnings are turned off, that's a DNS issue, but probably unrelated to the warnings being on or off.

Those warnings are easy to fix, I have done that with my version of XOOPS I run. I would expect those things to be cleaned up as new versions come out.

Without seeing the actual way your site works first hand, I am shooting in the dark.



24
seventhseal
Re: Is My Xoops Site Sending Spam?

First off - move hosts. If they aren't giving you control, there are things going on outside of your control. VelocityWebHost - my company, gives you full PLESK control - no Virtuozzo!

Second - if you are getting bounced mails, it may be a relay on your mail server. You'd need to look at the headers of the bounced message. I doubt it's from XOOPS.

Third - if you are worried about the Contact Us page exploit - Here's the real SPAM killer for Contact - XOOPS 2.0.13.x or for XOOPS 2.2.x

If you want to find out if you are a relay and your host won't tell you much, just plug in your shared IP to dnsstuff under the Spam database lookup - that will tell you if there is any real damage. Good luck!



25
seventhseal
Re: Very Serious Display Issues

More than likely it is the CSS and color definitions for the block display. IE is not fully CSS compliant. So, when using a lot of customization through CSS, you have to do a lot of tweaking to get it just right. Also, if color names are used as opposed to color hex values, you can have trouble there as well. Rest assured, it has nothing to do with XOOPS and has everything to do with IE.

As an example, go look at the XOOPS devteam website in Firefox, then with IE. In Firefox, it looks pretty normal. In IE, the XOOPS graphic is not displayed correctly (color issues and transparency issues) and the text in the main portion of the page is about 1/3 of the way down the page.



26
seventhseal
Re: multiple sites on one machine?

Yep - that's the way virtual hosting works. You have to be familiar with the way apache/tomcat works, but it can be done. If you want a simple way of configuring, I believe there are versions of WebMin that would do the trick for you. The real challenge you may have is the MAC O/S - don't know its limitations. I'm sure there are ways to do it though. Do a Google search on MAC virtual hosting and see what comes up.



27
seventhseal
Re: XF-Section Security Vulnerability

Tell them to send you the proof - otherwise, you have no way of knowing what hole they are referring to. The problem here is this, they know that it happened, and maybe it actually happened. Within the hosting environment, that means they either have some form of trip wire running, mod_security, or snort. So, they should have the specific POST payload driven to execute.

More than likely - and I am taking a big guess - they uploaded something to the /tmp directory of the server. /tmp could be anything, so it's an example here. They then tried to execute the script. Since they (hosting company) saw it come through that specific file, they saw the specific command.

Here's what bothers me, and I am a PLESK reseller, it sounds to me that they DON'T have all of the security measures in place, and that the script was executed - probably a mailer of some sort. If you are on a Virtuozzo (VPS) environment, it may also be a problem where the "script-kiddies" know the script is already on the physical server, and they are just trying to exploit it through a known PHP script that may give access to the /tmp directory.

This is probably more than you need to know, but it always bugs me that "hosting" companies tell you there was a problem, but give no proof or details... Good luck!



28
seventhseal
Re: Something I noticed recently ?

Next time you see this, or if it is a lot, just do a trace route from your location to xoops.org

My bet is, it's not the XOOPS server - as this doesn't happen to me as you explain. However, when you see the items counting down in the browser, it is usually a congested line.



29
seventhseal
Re: HTML Color Chart?




30
seventhseal
Re: Spammer trying to hijack my Contact Form! :(

I don't want to teach hacking - but here's a clue.

Most "script-kiddies" do not use your form. They know what the payload looks like, and send the HTTP transaction through some other type of script (PHP maybe) or programmatically to get the data sent.

What it really comes down to is twofold. Any developer developing a form should do as much checking as possible. For the most part, this would require something like JavaScript to do real-time. Then, when validating post data, you must be able to validate each field for "real" values and be able to stop processing when errors are found.

Another key to hacking any form is understanding that the php processor can be overloaded. So, if you see someone hit your site many many times within the same minute, that is what they are trying to do. Cause an overflow.

As you examine the POST payload I sent you, pay attention to the hex codes included and inserted between command functions. Anything that slips through testing will trigger your phpmailer to do exactly as told.

Another example is taking the payload I gave you, and converting all characters to chr() type hex codes.

Ultimately, these types of form injections are harmless unless your code is really bad at validation. Most of these scripts that are run are posted on the onzyou type sites. Sometimes they are way out of date. Be aware, once they find a hole, they will start picking to ultimately rootkit your box and own you! Good luck, it's a great learning experience, but nothing more.
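
An added example, not part of the original post and not XOOPS code: a server-side check of contact-form fields that decodes percent-encoded input before testing it and stops processing on any error, plus a per-client submissions-per-minute counter. It is written in Python for illustration; the field names, length limits, the assumption that name, email and subject end up in mail headers, and the sample forms are constructed here.

```python
import re
from urllib.parse import unquote

HEADER_FIELDS = ("name", "email", "subject")   # assumed to be copied into mail headers
MAX_LEN = {"name": 80, "email": 254, "subject": 120, "message": 5000}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")    # control characters, CR and LF included

# Constructed sample submissions.
CLEAN_FORM = {"name": "Alice", "email": "alice@example.org",
              "subject": "Question about hosting", "message": "Hi,\nplease call me."}
ENCODED_FORM = dict(CLEAN_FORM, subject="hello%250D%250AX-Injected: 1")

def fully_decoded(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %0A or %250A cannot hide."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def validate_contact(form):
    """Return a list of errors; the caller sends mail only when the list is empty."""
    errors = []
    for field, limit in MAX_LEN.items():
        raw = form.get(field, "")
        if not raw.strip():
            errors.append(f"{field}: missing")
        elif len(raw) > limit:
            errors.append(f"{field}: too long")
    for field in HEADER_FIELDS:
        # A line break in a header-bound value would start a new mail header.
        if CONTROL_RE.search(fully_decoded(form.get(field, ""))):
            errors.append(f"{field}: control character")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        errors.append("email: not an address")
    return errors

def too_many_hits(timestamps, now, limit=5, window=60):
    """True if more than `limit` submissions from one client fall inside `window` seconds."""
    return sum(1 for t in timestamps if now - t < window) > limit

if __name__ == "__main__":
    print(validate_contact(CLEAN_FORM))
    print(validate_contact(ENCODED_FORM))
```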



