1
hawkeyegop
Got hacked?

I'm a hosting reseller and got an email from my hosting company tonight:

Quote:
Subject: Directory /home/mack/public_html/kate/ disabled and will not be re-enabled.

Request Details:
Your account appears to have been compromised and the following directory disabled.

/home/mack/public_html/kate/

It was engaged in malicious activity that nearly crashed the server. We will not re-enable this directory.. and we do need you to look into this on your side as well. As we need to be assured this wont happen again. Failure to get back to us will result in the account being suspended.

Below is an example of two of the processes your account was running...

nobody 30143 0.0 0.0 4148 1048 ? S 19:28 0:00 sh -c cd /home/mack/public_html/kate/uploads/iroffer1.3.b10/upload;cp * /home/mack/public_h
nobody 13402 1.7 0.0 3468 456 ? D 19:28 0:22 cp [AnimeDVD_Raws]_Argento_Soma_01_[91B8801F].avi [AnimeDVD_Raws]_Argento_Soma_2.avi [ANJ].


I emailed back asking for more information because I have no idea what any of that means. This was the response:

Quote:
It looks like one of the scripts on your website have been compromised/hacked and the attackers were using the kate folder to store malicious applications and using it as a world writable download space.


I replied back and said that the only script I had in that directory was XOOPS and that I choose it because it was more secure than most other CMS's. This was the response:

Quote:
Xoops is one of those scripts that is hacked regularly. Probably #2 on our list of most highly exploitable scripts. I *wish* it weren't so popular so we could discontinue usage of it entirely.


I can't remember right off hand but I am 99% positive that I had installed 2.0.9.2 based on the date that was released, because I installed it sometime in January.

Certainly what this guy is telling me isn't true is it, that XOOPS is highly exploitable? I hope not because if this happens again they are deleting my account and all of those under me, which is about 25 sites. At least 10 of them are running XOOPS

2
tommyZ
Re: Got hacked?
  • 2005/3/4 6:59

  • tommyZ

  • Friend of XOOPS

  • Posts: 89

  • Since: 2005/1/4 1


Hey there,

i am no expert in XOOPS security and such, but it seems that your account got hacked using some AwStats exploit that affects, AwStats ver 6.2 and below

AwStats is a cgi-bin script that comes built-in with cpanel.

AWStats is a free powerful and feature tool that generates advanced web, streaming, ftp or mail server statistics, graphically

I am looking into disabling this script but since it is built-in cpanel, this might be tricky.


here is the advisory

http://www.k-otik.com/english/advisories/2005/0032

3
LazyBadger
Re: Got hacked?

It short - your hosting supports are stupid brain-damaged idiots!
I know. I have to say it in more "politcorrect" form, but... can't resist.

Silghtly more deep:

1)I see something strange in this path

/home/mack/public_html/kate/uploads/iroffer1.3.b10/upload

(from there "iroffer1.3.b10/upload" appeared in standard UPLOAD dir ???)

2) Shell commands executed under httpd account rights is bad sign, but - it can be result of
any compromised site on this physical host.

Can you show (here or me privately) result of
"ls - laR /home/mack/public_html/kate/uploads"

3) Consider any .avi as "malicious applications" is delirium, but you must check folder's permissions for UPLOAD (and even if you use WF|MyDownloads - disable write access for httpd in this tree branch... as temporary solution... and monitor folder status some time... Delete all content, ask hoster re-enable dir and contol it

4) Sentence "Xoops is one of those scripts that is hacked regularly" is simply big lie! You can (have) to ask hoster about documented and confirmed facts. If they can mix PHPNuke (one big security hole) and XOOPS - my apologies to boss of such support-man

"Probably #2 on our list of most highly exploitable scripts." Ha ... I can create any own private list... which will be useless scrap, if it will not have good basis

Finita la comedia

I think, host was hacked over any other site on this host (hole was found in phpBB some time ago, 2.13 was released for fixing it)... But can't be sure for 100%.
explore unusual (?) activity in UPLOAD dir, claim separate inverstigation on other hosts... (I don't know yet expoloits for XOOPS, which allow shell access to attacker), protect your sites with Protector (while I see in your case another type of attack)

4
plucky
Re: Got hacked?
  • 2005/3/4 8:48

  • plucky

  • Just popping in

  • Posts: 2

  • Since: 2003/8/28


Someone have install a fileserver for IRC call iroffer into your webserver! Your can find detail information about iroffer in http://iroffer.org/.

May be your webserver PHP isn't running in "Safe Mode", so someone can upload tools like phpshell(http://www.gimpster.com/php-shell/) into the uploads dir and execute arbitrary shell-commands or browse the filesystem on your remote webserver.

Is not XOOPS problem!

5
Mithrandir
Re: Got hacked?

Quote:
Xoops is one of those scripts that is hacked regularly. Probably #2 on our list of most highly exploitable scripts. I *wish* it weren't so popular so we could discontinue usage of it entirely.


Please ask them to contact me (mithrandir at xoops.org) and Onokazu (onokazu at XOOPS org) with a report of which parts of XOOPS are vulnerable and in what way and we will get the holes fixed. Thanks.

6
hawkeyegop
Re: Got hacked?
  • 2005/3/4 13:59

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


OK, thanks for all the responses so far. I wish I could post more info about specific settings for this directory but it is disabled so I can't get into it to look at anything.

Also, mithrandir, I asked them if someone there would email you regarding the "vulnerabilities". Hopefully they do.

7
Mithrandir
Re: Got hacked?

Quote:
Also, mithrandir, I asked them if someone there would email you regarding the "vulnerabilities". Hopefully they do.

Thanks.

It can really get my blood boiling, when someone speaks badly of XOOPS without substantiating it through facts.

If there are facts of vulnerabilities and holes, we want to know, so we can fix them. Keeping the knowledge to oneself and just complain that XOOPS is vulnerable helps noone.

8
hawkeyegop
Re: Got hacked?
  • 2005/3/4 16:33

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


Something tells me they won't contact you. Something also tells me that they don't know what they're talking about. I'm sure something happened, but I'm not sure it was XOOPS.

On another note, their support sucks. I have had great experiences since I have been with them, as far as server loads/hardly any downtime, etc, but when you have a question and need an answer, it takes forever. And apparently now we know that they don't always know what they're talking about.

9
hawkeyegop
Re: Got hacked?
  • 2005/3/6 18:27

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


Mith, have you gotten an email yet? I got this response back from them:

Quote:
If he's not aware of the problems with xoops.. then he definitely needs a wake up call. I"ll have to shoot him a e-mail.

10
Mithrandir
Re: Got hacked?

Nope, not seen anything

Login

Who's Online

294 user(s) are online (216 user(s) are browsing Support Forums)


Members: 0


Guests: 294


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits