1
intmoves
Possible security problem !!!
  • 2004/5/21 17:27

  • intmoves

  • Just popping in

  • Posts: 13

  • Since: 2004/5/21


I am building a (dutch language) portal using XOOPS and I encountered a problem. Today I found that several of the PHP-scripts where compromised and selecting certain options on my xoops-based website gave me a error saying that a scripts was called that is not in the base-path of the server. The error also showed the (wrong) path and it doesn't exist on my own server. Apparently some command was inserted into the scripts to call a, possible malicious, script residing somewhere outside my own hosting server. Luckilly the server didn't allow the execution of the remote script but the xoops-installation was no longer useable as it was locking up into the same error (pertaining the strange path) almost on each function of the portal.

After replacing all the files in the modules-directory the problem went away. Just to be on the save side I also replaced the PHP-files in the website root-directory.

The problem is obvious: how can someone put code into the xoops-scripts that tries to execute malicious code. Does anyone has simmilar experiences and if so, is there a solution to this problem ?

2
Mithrandir
Re: Possible security problem !!!

Have you contacted your hosting company to hear if it was a problem at their end?

XOOPS is not guaranteed to be bug-free or impossible to hack through, but if your server does not have write access to php files, a php script cannot change the content of the files.

Check that only cache, templates_c and uploads folders are writable by the server.

3
intmoves
Re: Possible security problem !!!
  • 2004/5/21 18:25

  • intmoves

  • Just popping in

  • Posts: 13

  • Since: 2004/5/21


Thanks for the quick reply. I'm still working on the problem as it seems that the problem is in almost all the PHP-files. It certainly looks like something that is going on on the ISP's server (virus-like tmo).

Just for your information, here is the exact error I get (as it is still apearing while I'm re-testing my site):

Warning: Unknown(): open_basedir restriction in effect. File(/home/oakdome/cafe/lgf-reflog-searchv3.php) is not within the allowed path(s): (/home/webregio:/tmp) in Unknown on line 0

Warning: Unknown(/home/oakdome/cafe/lgf-reflog-searchv3.php): failed to open stream: Operation not permitted in Unknown on line 0

Warning: (null)(): Failed opening '/home/oakdome/cafe/lgf-reflog-searchv3.php' for inclusion (include_path='.:/usr/share/pear') in Unknown on line 0

Still investigating

4
intel352
Re: Possible security problem !!!
  • 2004/5/21 18:46

  • intel352

  • Module Developer

  • Posts: 824

  • Since: 2003/11/23


looks like php safemode is currently enabled, that causes problems for some scripts

have you tried using just the default theme to see if the errors still occur? also try deleted all cache, templates_c files to remove cached files, maybe it's an error in the cache somewhere

also, which home directory is yours? i see at least 2 mentioned

5
intmoves
Re: Possible security problem !!!
  • 2004/5/21 18:55

  • intmoves

  • Just popping in

  • Posts: 13

  • Since: 2004/5/21


I'm currently setting all PHP-files to 444 access as it seems that the server is changing them. After reinstalling all the module-files some where already compromised again. It might indeed be a problem with my ISP as one of my other websites had certain problems last week and that one is running on Geeklog so it might not be related to XOOPS at all.

As for the safemode setting, this site has been running without problems for a week now, the problems appeared today.
FYI, my homedir is home/webregio... the other one is the wrong one. Oh, and cache is disabled for all modules.

6
intel352
Re: Possible security problem !!!
  • 2004/5/21 19:26

  • intel352

  • Module Developer

  • Posts: 824

  • Since: 2003/11/23


cache is still used in templates_c for theme files, fyi (default function of XOOPS it seems)


check your raw http logs, see if anyone is touching your files from the outside somehow

btw, if someone has access to your files from within the server (i.e.- another user's account), it might not matter if you set it to 444, just a though

make sure you report this to your provider, it could be that other user directory is malicious or has written a script that is somehow affecting the whole server.. not sure of the possibilities

7
Mithrandir
Re: Possible security problem !!!

Quote:

bd_csmc wrote:
cache is still used in templates_c for theme files, fyi (default function of XOOPS it seems)

no - the _c in templates_c means "compiled" i.e. php code compiled from Smarty code.

8
intel352
Re: Possible security problem !!!
  • 2004/5/21 19:47

  • intel352

  • Module Developer

  • Posts: 824

  • Since: 2003/11/23


ah, sorry, i assumed it was a cache for files that smarty had processed (i guess that is a valid way of understanding it, since the files are saved in a folder for repeated use )


thanks for clarifying tho (and i have noticed that when modifying a theme, for immediate results you have to delete the themename^html file in templates_c, which is why i was saying he might want to delete files generated in templates_c, to make them regenerate fresh)

9
Mithrandir
Re: Possible security problem !!!

That, on the other hand, is true - but you get the same recompilation by enabling the "update module templates from themes/yourtheme folder" setting.

10
intmoves
Re: Possible security problem !!!
  • 2004/5/21 22:13

  • intmoves

  • Just popping in

  • Posts: 13

  • Since: 2004/5/21


OK guys, thanks for the support. I'm feeling quite welcome

I've contacted my ISP and they replied it has something to do with the PHP-version they are running. They also said it should be fixed for now (not sure what they actually did) and they will be upgrading to another PHP-version soon. Not sure yet what to make of it, but it will do for now.

Sorry for crying wolf.... just got a bit paranoid as I have seen all kinds of trouble last week with several of my sites.

One last question (for now): with Geeklog we have a visitor-stats plugin that shows what pages are being viewed by a certain visitor (based on IP-number). Is there something similar for XOOPS ?

Login

Who's Online

349 user(s) are online (289 user(s) are browsing Support Forums)


Members: 0


Guests: 349


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits