XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / Hacked twice today - help.
Register
1
dwhitten
Hacked twice today - help.

  • 2006/8/19 21:09

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Hi guys,

http://www.horseshowsrus.ca was finally hacked. The first time I found the XSS refresh tags in the xoops_config table. I removed them and installed protector. I got hacked again.

Before I waste my time, what should I do? I am running 2.0.13.

Thanks,
Deb
2
zyspec
Re: Hacked twice today - help.

  • 2006/8/19 21:19

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


Here's what I think I'd do as a start:

1) Upgrade to 2.0.14. There were some security fixes in addition to other things.

2) Check directory and file rights to make sure they're what they should be.

3) Check the users in the database to make sure there isn't a user with administrator rights that you aren't expecting.

4) Check the forums for information on the modules you have installed to see if there are vulnerabilities that have been identified. You might want to post the modules you use here (along with their versions) so the community can help you do some of the research.

5) Check your web logs to see if you can see where the attack came from and ban the IP.

6) Contact your web host to see if they can help you identify how the attack occurred (to make sure it wasn't through the server instead of through Xoops).
3
Cuidiu
Re: Hacked twice today - help.

  • 2006/8/19 21:22

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


If you are using MyAds, you'll need to apply a security fix. I did a forum search for MyAds and hacked.

Let me see if I can find the security fix.

Edited to add: Try this link (that is - if it is MyAds that is causing a vulnerability).

C

Quote:

dwhitten wrote:
Hi guys,

http://www.horseshowsrus.ca was finally hacked. The first time I found the XSS refresh tags in the xoops_config table. I removed them and installed protector. I got hacked again.

Before I waste my time, what should I do? I am running 2.0.13.

Thanks,
Deb
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]
4
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 12:56

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Thanks for the suggestions.

After the third time, I went through the myads code and put mysql_real_escape_string around every parameter involved in a database query. That seemed to have worked for 2 days.

Now today - hacked again for the 4th time.

I've just upgraded to XOOPS 2.0.14. I followed the directions here http://devteam.xoops.org/releases/xoops-2.0.14.html for the upgrade, but it said no upgrade was necessary. I guess copying over the htdocs files was all that was necessary?

Everything seems to work and the site is back on. Now I wait to see if I'll be hacked yet again. This is getting boring and I don't have time to go through every XOOPS module to check for holes. I'm now worried about my other sites which shall remain nameless...

Anything else I should do for next time? If there is a next time?

Deb
5
davidl2
Re: Hacked twice today - help.

  • 2006/8/22 12:59

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Have you also installed Protector?

Definately worth doing.
6
Herko
Re: Hacked twice today - help.

  • 2006/8/22 13:27

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Ehm David:
Quote:
by dwhitten on 2006/8/19 23:09:53
I removed them and installed protector.

So she did that.

I's also notify the hosting provider, it may be a server vulnerability, for all we know. Then fixing up your XOOPS sites will help nothing.

Herko
7
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 20:25

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


So now is the 5th time. I've installed protector and upgraded xoops. I don't have time at the moment to notify the web host or look at the MySQL logs, but I will later.

God this is tiring.

Deb
8
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 20:26

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Make that 6 times.
9
zyspec
Re: Hacked twice today - help.

  • 2006/8/22 20:28

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


How about posting a list of the modules you use (and their versions). We may be able to help you track it down.
10
Cuidiu
Re: Hacked twice today - help.

  • 2006/8/22 21:07

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


So sorry you are having such trouble, Deb. I wouldn't mind knowing what IP(s) this maniac is coming from if you get the chance to check your logs.
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]
(1) 2 3 »

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

286 user(s) are online (250 user(s) are browsing Support Forums)

Members: 0

Guests: 286

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits