MikeShane wrote:
I'm afraid it is a XOOPS problem.
The attacks using this iframe injection are on XOOPS, Joomla, WordPress and other PHP-driven sites. This means that there is something using PHP that the weakness is at. That's why I'm looking for information on how they did it. One of the things I did was disable my protector so it was not accessible. I had a week-old backup replacing the infected sites. The attack was only on two 2.3b XOOPS sites and one Joomla site on the same server. Nothing on HTML sites or an older XOOPS site that has not been updated yet.
It is the server that handles (interprets) PHP.
3 things to look at.
1. What user does the (apache) server run as?
2. What user owns the files on the server?
3. What are the file/folder permissions?
Answers should look like this:
1. Server runs as a non-privileged user (usually as apache).
2. Files and folders should be owned by the non-privileged user the server is running as (in the above case apache).
3. Files should be 644 or -rw-r--r--, folders should be 755 or drwxr-xr-x.
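
The three checks listed above, as an added shell example that is not part of the original posts: it reports every file or folder whose owner or mode differs from the values the reply gives. It assumes GNU find and ps; the function names and the process names apache2/httpd are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root against the three points in the post.
# Requires GNU find (-printf) and a ps that supports -eo.

# 1. Which non-root user do the web server processes run as?
#    The process names apache2/httpd are assumptions; adjust for your system.
server_user() {
    ps -eo user=,comm= |
        awk '$2 ~ /^(apache2|httpd)$/ && $1 != "root" {print $1}' | sort -u
}

# 2 and 3. Report each file or folder under ROOT whose owner is not OWNER,
# or whose mode is not the post's 644 (files) / 755 (folders).
# Output, one line per deviation: "<OWNER|MODE> <found value> <path>"
audit_webroot() {
    root=$1
    owner=$2
    find "$root" \( -type f -o -type d \) -printf '%y %m %u %p\n' |
    while read -r type mode user path; do
        if [ "$user" != "$owner" ]; then
            printf 'OWNER %s %s\n' "$user" "$path"
        fi
        case $type in
            f) want=644 ;;
            d) want=755 ;;
        esac
        if [ "$mode" != "$want" ]; then
            printf 'MODE %s %s\n' "$mode" "$path"
        fi
    done
}

# Stand-alone use: sh audit_webroot.sh /path/to/webroot [expected-owner]
# Without an owner argument, the detected server user is used.
if [ "$#" -ge 1 ]; then
    expected=${2:-$(server_user | head -n 1)}
    echo "Checking $1 against owner '$expected'"
    audit_webroot "$1" "$expected"
fi
```

An empty report means every file and folder matches the stated owner and modes; each MODE or OWNER line names a path to look at.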