1
GoFuYo
Re: All back to normal. Thanks to all the people who help one way or another.
  • 2004/1/16 19:00

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


Just for updating:

Some defacements involving My_eGallery are currently running: so check your My_eGallery configuration, if you are using it!

http://fuckru.net/modules/My_eGallery/public/symba.html

Date/time: 2004/01/16 19:43
Defacer: powHacK
Domain: http://fuckru.net/modules/My_eGallery/public/symba.html
Mirror: Display mirror
IP address: 61.77.57.224
System: Linux
Web server: Apache
Attack method:

Those sucxxxx idiots have nothing more to do than trouble other people



2
GoFuYo
Re: someone hack my site with fake page!!!!!!!!!!!!!!
  • 2004/1/16 5:45

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


At this point, I would say it's hard to tell from here :(

If you try to get a 'connect' through your control panel and you get no connection to your database, ftp is useless.

In this case I really would suggest contacting your hoster. Maybe he can get your data dumped for you!



3
GoFuYo
Re: someone hack my site with fake page!!!!!!!!!!!!!!
  • 2004/1/16 5:06

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


What kind of account do you have? Virtual hosted or your own server, with root access?

Hmm, just seen it now, you seem to have root:
Can you reboot your system to a 'rescue system' ?
Or maybe you try this if you still have access, but no guarantee of course, because I do not know your system, and you must LOOK where your files are located:

yourbash:~ # rcmysql stop

Starting MySQL service manually with parameter --skip-grant-tables --datadir=/var/lib/mysql :

yourbash:~ # mysqld --user=mysql --skip-networking --skip-grant-tables --datadir=/var/lib/mysql &

With mysqladmin you now set a new root password:

yourbash:~ # su - mysql -c "mysqladmin --user root password 'YOURNEWPASSWORD'"

After this the password of user "root" is set for the MySQL-database to "YOURNEWPASSWORD".

Then restart your MySQL service:

yourbash:~ # rcmysql stop
yourbash:~ # rcmysql start






4
GoFuYo
Re: someone hack my site with fake page!!!!!!!!!!!!!!
  • 2004/1/16 5:04

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


Yes, if you have a sysadmin and no root access, maybe there was a general 'prob' with the system conf. - look why there are such BIG ISSUES about safe_mode for example etc. - too lazy yet to name it all.

But I've written the 'Infection Group' a mail just this minute, because I'm really interested in how they've achieved it, or what exploit they used.
But to me it seems to be, again, close to php-Nuke + Clones code exploits.
We will see what comes up to read on the sec. boards.

P.S: see the uids and ids of a currently hacked site:

uname -a; id

Linux ds217-115-141-113 2.4.10-4GB #1 Tue Sep 25 12:33:54 GMT 2001 i686 unknown

uid=0(root) gid=0(root) groups=0(root),1(bin),14(uucp),15(shadow),16(dialout),17(audio),65534(nogroup)

..cool =)~




5
GoFuYo
Re: someone hack my site with fake page!!!!!!!!!!!!!!
  • 2004/1/16 4:46

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


Just posted this in the 'other' 'i got hacked and now' thread:

I would in case of such an event, not only delete the changed files. How do you know, btw. WHAT the HaCKorZ have EXACTLY done ?
Logfiles analyzed? Checked for RootKits? Checked SUIDs, IDs, checked Ports etc.? SYSADMIN or PROVIDER of your account informed ?

Most often the HaCKorZ leave themselves a backdoor, if possible and an autorooter used. This is one cause for these 'shame' Redefacements.

BTW. seems that these guys have 'nuked' again most php-Nukes's and clones. Maybe again some injections or exploit, but not gone so far yet.

See http://www.zone-h.org/en/defacements and for these guys
http://www.zone-h.com/en/defacements/filter/filter_defacer=Ir4dex/ and after reupsetting their sites (the defaced ones) what you see php-Nuke.s and Clones ...

But I would normally take EXTREME care what's up with your account, maybe even reinstall. Call me paranoid :)

Just my 2cents.



6
GoFuYo
Re: All back to normal. Thanks to all the people who help one way or another.
  • 2004/1/16 4:37

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


All normal again ? Are You sure ?

I would in case of such an event, not only delete the changed files. How do you know, btw. WHAT the HaCKorZ have EXACTLY done ?
Logfiles analyzed? Checked for RootKits? Checked SUIDs, IDs, checked Ports etc.?
Most often the HaCKorZ leave themselves a backdoor, if possible and an autorooter used. This is one cause for these 'shame' Redefacements.

BTW. seems that these guys have 'nuked' again most php-Nukes's and clones. Maybe again some injections or exploit, but not gone so far yet.

See http://www.zone-h.org/en/defacements and for these guys
http://www.zone-h.com/en/defacements/filter/filter_defacer=Ir4dex/ and after reupsetting their sites (the defaced ones) what you see php-Nuke.s and Clones ...

But I would normally take EXTREME care what's up with your account, maybe even reinstall. Call me paranoid :)

Just my 2cents.
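
The checks asked about in the two posts above (changed files, SUIDs, IDs, ports), as an added shell example that is not part of the original posts. The function names, the baseline file and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: post-defacement triage helpers. Function names, the
# baseline file and all paths passed in are assumptions.

# Regular files under DIR ($1) modified within the last DAYS ($2, default 7).
# Dropped pages and edited scripts show up here even if the index looks fine.
changed_files() {
    find "$1" -xdev -type f -mtime "-${2:-7}" -print 2>/dev/null | sort
}

# SUID/SGID files under DIR ($1): a setuid shell copy left as a backdoor
# appears in this list.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# SUID/SGID files present now but absent from BASELINE ($2), a file with one
# path per line recorded while the system was known good.
new_setid_files() {
    setid_files "$1" | grep -Fxv -f "$2" || true
}

# Account names with uid 0 in a passwd-format file ($1, default /etc/passwd).
# Anything besides root needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Listening TCP sockets with owning process (run as root to see all owners).
listening_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltnp
    else
        echo "neither ss nor netstat found" >&2
        return 1
    fi
}

# Typical use on a suspect host (paths are placeholders):
#   changed_files /srv/www 14
#   new_setid_files / /root/setid.baseline
#   uid0_accounts; listening_ports
```

If the kernel or core binaries may have been replaced, run these from a rescue system against the mounted disk, since a rootkit can make `find` and `netstat` on the live host lie.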



7
GoFuYo
Re: FORUM security and moderation (mod request)
  • 2004/1/11 14:53

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


I think that's a great idea! So together with a group functionality it would be a real 'shot'.
IP-banning is almost no longer an option, because most use dialups, just line down, up again - changed. And banning a whole block would 'kick the normal' users coming from that ISP too.
So such a tool would be greatly appreciated!!



8
GoFuYo
Re: PAYPAL MODULE
  • 2004/1/11 14:46

  • GoFuYo

  • Just popping in

  • Posts: 8

  • Since: 2003/12/16


Interested too !



