41
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/26 18:53

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


So far, I still don't know exactly how the files were uploaded, which troubles me somewhat, but the PHP shell script that was placed in the cache dir on one site was used to attack other sites.

Okay, I had a think about things and a potential security enhancement is to put the following into a .htaccess file in the /cache and /templates_c directories:

<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>


This will prevent anyone from loading any file from those dirs in their browser, if they know the file name, and also submitting via POST. This should (in theory) stop a script kiddie from using a script if they manage to upload it to those directories.

Obviously, it won't stop them if they know to look for the .htaccess file and are able to delete/alter it, but it is an extra layer.

It would be better if you are able to put it in the virtualhost directive for your site in httpd.conf, for example

<VirtualHost *:80>
# address:port as appropriate for your site

# other stuff here

<Directory "/path/to/cache">
<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
</Directory>

<Directory "/path/to/templates_c">
<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
</Directory>
</VirtualHost>


Comments?
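
The configuration below is an added example, not something posted in this thread or shipped with XOOPS. It puts the `<Limit>` pattern from the post beside a form that denies every request method, and gives the Apache 2.4 equivalent. The paths are placeholders, `php_flag engine off` assumes PHP runs as mod_php, and the `AllowOverride` notes assume the rules are applied from a per-directory .htaccess rather than httpd.conf.

```apache
# Added example (not from the thread): keeping files dropped into the
# XOOPS /cache and /templates_c directories from ever being served or
# executed over HTTP. Paths are placeholders for your own install.
# Pick ONE form per directory; they are shown together only to compare.

# --- Weak form: the pattern from the post, for comparison ----------------
# <Limit> applies the access rule ONLY to the methods listed (GET also
# covers HEAD). Any other method (OPTIONS, PUT, DELETE, TRACE, ...) falls
# outside the block and inherits the parent directory's policy, so the
# protection is narrower than it reads.
<Directory "/path/to/xoops/cache">
    <Limit GET POST>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

# --- Hardened form, Apache 2.2 syntax ------------------------------------
# No <Limit> wrapper: the deny applies to every request method.
<Directory "/path/to/xoops/cache">
    Order deny,allow
    Deny from all
    # Defence in depth: even if the deny were bypassed, do not hand .php
    # files to the PHP engine. Assumes mod_php; with another SAPI use
    # "RemoveHandler .php" or the equivalent in the FPM pool instead.
    php_flag engine off
</Directory>

<Directory "/path/to/xoops/templates_c">
    Order deny,allow
    Deny from all
    php_flag engine off
</Directory>

# --- Same policy in Apache 2.4 syntax ------------------------------------
# Order/Deny are deprecated in 2.4 and need mod_access_compat to keep
# working; Require all denied is the native replacement.
<Directory "/path/to/xoops/cache">
    Require all denied
    php_flag engine off
</Directory>

<Directory "/path/to/xoops/templates_c">
    Require all denied
    php_flag engine off
</Directory>

# If these rules live in a .htaccess file instead of httpd.conf, the
# enclosing <Directory> in httpd.conf must permit them or they are
# silently ignored:
#   AllowOverride Limit       -> Order / Deny (2.2)
#   AllowOverride AuthConfig  -> Require (2.4)
#   AllowOverride Options     -> php_flag
```

Putting the rules in httpd.conf rather than .htaccess also removes the weakness noted in the post: a writable .htaccess sitting in the very directory an attacker can upload into is the first thing they would remove, whereas httpd.conf is not reachable through the web application at all.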



42
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/25 21:57

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Quote:

kc0maz wrote:
What is the status of your database?


So far, the DB seems untouched. I've been going through changing the table prefixes, and the password, etc. I'll audit it properly when I can.



43
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/25 21:54

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


I've not had a chance to look through the log file properly yet, but specific searches for adminmenu.php have only shown attempts to view it. Also, nothing for SPAW has cropped up.

The XP module log shows:
2007/8/25 19:24:17 Guests 88.243.132.66
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload r57.php.
2007/8/25 18:32:52 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload index.php.
2007/8/25 18:11:31 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.
2007/8/25 17:38:17 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.
2007/8/25 17:32:13 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.

Oh, it was done by the "TurkHackTeam"...



44
AndyM
XOOPS Sites hacked...
  • 2007/8/25 20:29

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


I've had two of my XOOPS sites hacked, with a PHP shell script placed in the /cache dir replacing the adminmenu.php file (and other files).

Basically, you don't notice it until you try to log into the admin area: you will either get the shell script's output, or it will fail to load.

I've currently suspended the sites until I can check them over fully, but I thought I would post this here as a "heads up" to other users.

And before anyone says it, yes, they are using the latest 2.0.16 and the XOOPS Protector module.

Perhaps some people could have a think about how this happened and think of a fix.



45
AndyM
Re: [Module Request] "Car Garage" module (2)
  • 2007/7/17 19:34

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


I was going to code something like this for a web site of mine that I have had no time to bring to fruition.

I could do it, but I already have at least 3 other modules that I am trying to work on, so it's not going to happen as things are.



46
AndyM
Re: Can't get google analytics to pick up my tracking code on Xoops
  • 2007/7/3 23:07

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


You may have to go into the prefs and tell XOOPS to update changed templates, otherwise the new code won't be seen.



47
AndyM
Re: Why don't people host Xoops based sites?
  • 2007/6/15 22:57

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


While I prefer not to have any of the "n*ke" CMSs on the server (I have a real aversion to them), I currently allow anything, as long as it's legal, etc.

However, like everyone else, I do have in the T&Cs that I will disable scripts if needed, and I do tell customers ASAP and why. So far, in six years, I've only had to do this something like 3 times (that I can remember).

Says me, hoping this doesn't sound like a thinly veiled advertisement ;)



48
AndyM
Re: Problem with "articles"
  • 2007/6/4 19:44

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Is there any reason why you are using such an old version?

The latest is v1.03 and is available here. That bug was fixed ages ago.

There has also been a security problem discovered since v0.17, so installing any version earlier than 1.03 is not recommended.



49
AndyM
Re: News module freezes on IE6, Ok on FF2.
  • 2007/5/16 14:01

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


It freezes IE7 as well - as it was okay until today, I'd hide all of today's news articles and reload the page. Then enable each one until it freezes again, so you know which one is the cause.

I get the feeling it's something to do with one of the articles, possibly an image.



50
AndyM
Re: 3 vuln's in xoops found!!! fix that
  • 2007/5/16 13:47

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


The exploits you posted are for various third party XOOPS modules, and not XOOPS itself. The XOOPS team are not responsible for these modules.

Also, you should always contact the module developer first to give them a chance to fix the problem, before announcing the exploits to the public.



