Good day Everyone,
One of my many XOOPS sites has come under multiple automated attacks from a hacker user/group known as "r00t_system."
This post is meant to serve four purposes:
1. Report the Crack
2. Describe circumstances around the crack,
3. Request advice from super-geek-guru peers, and
4. Act as a reference in case others come across the same problem.
The Crack
An automatically generated generic cracker brand:
"r00t System ownz you!"
For references see:
Zone-H Digital Attacks Archive: http://www.zone-h.org/en/defacements/filter/filter_defacer=r00t_System/page=1
Record of an E-Xoops Attack: http://www.modscentral.com/modules/newbb/viewtopic.php?topic_id=975&forum=1
Crack Circumstances
Server:
- Some hybrid of both unix/linux + windows server run by Bell Canada.
Xoops System:
- XOOPS V.2.0.3 ~ with a number of PHP files modified by developers, though no serious hacks
Active Modules:
- Most Standard Mods...
- CJay2
- Agenda-X 1.1
- eCal 2.2
- OS Commerce .1
- Contact + .8
Inactive Modules:
- A few Standard Mods.
My Thoughts so far on the Solution
Disclaimer/context: I'm not a systems-level guru. I know how to code, I know databases, I can navigate Linux... that's about it.
While I'd like to blame the bug simply on the fact that Bell Canada has Windows installed on their server (note: they claim they have a Linux/Samba/Windows setup that is "new and secure behind firewall after firewall...."), at this time I'm leaning more towards a PHP code vulnerability. As seen in the references given in "The Crack" section, this seems to be an automated attack; however, looking at the eXoops reference, it looks like it's exploiting vulnerabilities in my old XOOPS PHP code.
What doesn't make sense to me is that there don't appear to be records of such hacks in XOOPS before (the one referred to is in eXoops). Here's the closest thread I could find to this one:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=18824&forum=13#forumpost80232
So, having said all that, here's my best guess so far:
Quote:
XOOPS MyTextSanitizer Filtering Bug Allows Remote Users to Conduct Cross-Site Scripting Attacks in many modules: News, newbb, private messages, signatures etc...
Date:
29 April 2003
Security Alert ID:
1006523
Added by:
HH
After the glossary and gallery modules of XOOPS, another risk in MyTextSanitizer has been found which permits some CSS injection in XOOPS versions 1.3.x to 2.x.
This is just the function in XOOPS that filters special characters or malicious scripts.
A remote user can bypass the Sanitizer and conduct cross-site scripting attacks with a post in a board topic (newbb), by sending a malicious private message to the admin, by inserting a script in a news comment...
Example :
java script:alert%28document.cookie%29
with img tags
from:
http://hackerzhell.co.uk/exploits.php?sid=1006523
That's what chief 108 from the modscentral board pointed to in one of his posts...
So, I'm stumped at this point as to what to do. We changed all the server passwords and the site was re-hacked the next day. It's been hacked 7 times; once on a different server. I'm really thinking it's a vulnerability in one of my PHP docs, but I hate to start updating them all one-by-one without knowing for sure that the site may still be hacked when I finish (in a few months).
Any comments welcome.
Thanks,
Keith
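Added illustration (not code from this post, from XOOPS, or from the advisory): a small Python model of the sanitizer problem the quoted advisory describes. A check that only looks for the literal string "javascript:" lets the advisory's "java script:" example and a percent-encoded variant through, while a scheme allowlist applied after normalization rejects them. The [img]...[/img] syntax, function names and sample inputs are assumptions for illustration; XOOPS's real filter is PHP and works differently.

```python
import html
import re
from urllib.parse import unquote

ALLOWED_SCHEMES = ("http", "https")

def naive_is_safe_img_src(src):
    """A check that looks for the literal scheme and nothing else (the weak form)."""
    return not src.lower().startswith("javascript:")

def canonical_for_scheme_check(src):
    """Normalize roughly the way a browser does before it interprets the scheme:
    undo percent-encoding (twice, to cover double encoding), strip ASCII control
    characters and whitespace, then lowercase. Used only for the decision."""
    s = unquote(unquote(src))
    s = re.sub(r"[\x00-\x20\x7f]", "", s)
    return s.lower()

def hardened_is_safe_img_src(src):
    """Allow only absolute http(s) URLs; anything without a recognizable,
    allowlisted scheme is rejected rather than guessed at."""
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", canonical_for_scheme_check(src))
    return bool(m) and m.group(1) in ALLOWED_SCHEMES

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def render_img_tags(text):
    """Turn [img]src[/img] into <img> only when src passes the hardened check;
    otherwise emit the tag escaped as plain text so nothing executable remains."""
    def repl(m):
        src = m.group(1)
        if hardened_is_safe_img_src(src):
            return '<img src="%s" alt="" />' % html.escape(src, quote=True)
        return html.escape(m.group(0))
    return IMG_TAG.sub(repl, text)

# Constructed inputs: the advisory's own example plus variants of the same trick.
SAMPLES = [
    "http://example.org/pic.gif",
    "java script:alert%28document.cookie%29",  # the advisory's example
    "%6Aavascript:alert(1)",                   # percent-encoded first letter
    "JaVa\tScRiPt:alert(1)",                   # tab inside the scheme
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-42r naive=%-5s hardened=%s"
              % (s, naive_is_safe_img_src(s), hardened_is_safe_img_src(s)))
```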