11
m0nty
Re: Got hacked?
  • 2005/3/6 19:23

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


so where's the wake up call? bit hard to wake up to the fact when the hosting company that swears by the fact that XOOPS is insecure refuses to explain or inform the developers of exactly what vulnerabilities there are..

i stand by the logic that if someone says that some software is insecure then they should be able to adequately tell you why they say that (number 2 on what list?).. this to me entails that they are seasoned programmers who can spot those vulnerabilities and if they can spot them, then they should be able to fix them..

either that or they are reading something from an article elsewhere and actually have no facts to backup their claims..

all it looks like to me is that some unscrupulous individual or some1 unknowingly uploaded the iroffer server into your uploads (mydownloads or wf-downloads) module as a user submission and then somehow executed the fileserver, which to me seems more like a hosting providers configuration problem and nothin to do with xoops.. (altho i'd recommend only registered users to be able to upload) and be vigilante and review whats been uploaded occasionally.. ie.. check the actual submissions on your site and then compare those with the actual files that are uploaded by to the uploads folder yourself and checking them

12
hawkeyegop
Re: Got hacked?
  • 2005/3/6 19:32

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


I would never have thought to check any of those directories. The directory that was supposedly compromised was my wife's personal website, her blog, that I had converted to XOOPS about 2 months ago. Since that time we have both been so busy so I had inactivated her site and put password protection on all subdirectories of that site. Also, I don't think there was a download module even installed since my wife didn't have a need for that.

13
Mithrandir
Re: Got hacked?

It's weekend now and we are all busy people, so I can wait a bit longer.

Until I know more of what has caused this problem and why it is #2 on their list (and how that list is compiled, naturally) I won't say anything about their competence (or lack hereof)

I will merely state that we cannot discover everything and if XOOPS is such a big problem for hosting companies, they should contact us and tell us. We don't have the resources to make everything 100% airtight without help from others.

And just a note: MyDownloads does not support uploading and WF-Downloads uses an uploader class that denies all php, asp, perl, python and cgi files, so these modules cannot be used to upload a malicious script PHP to the server (unless there is a vulnerability in this area that noone has told us about)

14
alitan
Re: Got hacked?
  • 2005/3/6 20:53

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


I don't really know what to tell these providers.
Xoops is now one of the safest Content management systems in the whole World Wide Web.
I feel sorry for someone who says XOOPS is Number two in our list, and he/she is so lazy that won't even tell developers about it! I know it is not their job, but if they need to have a better XOOPS for their customers they need to help the XOOPS developers!

15
hawkeyegop
Re: Got hacked?
  • 2005/3/6 21:04

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


Well, I'll tell you what I think now that I've been thinking about this:

1. Perhaps something was uploaded that shouldn't have been there. If so, maybe it was my fault, maybe it was theirs. I'm not sure *exactly* what happened because that account has been suspended and I can't access it to even look at it.

2. The support guy said:
Quote:
Xoops is one of those scripts that is hacked regularly. Probably #2 on our list of most highly exploitable scripts. I *wish* it weren't so popular so we could discontinue usage of it entirely.

I don't believe that. If that was the case they would not allow it to be installed, let alone offer automatic installation of it through Fantastico.

I guess I'll start looking around for a new host and see if they've had problems with XOOPS. I'm going to guess most of them say NO.

16
Mithrandir
Re: Got hacked?

Quote:
I guess I'll start looking around for a new host and see if they've had problems with XOOPS. I'm going to guess most of them say NO.

If they say yes, please direct them to me, too.

We are not claiming that XOOPS is 100% secure, but it should not to our knowledge be a vulnerable system. We cannot take the responsibility of third party code (modules, themes etc.) that may open up holes, but at least we can say that we will do what we can to close holes, once discovered. However, we cannot fix what we do not know exists.

17
alitan
Re: Got hacked?
  • 2005/3/6 23:15

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


Another thing I was wondering was that, there is a chance that one of your users had uploaded an exploit,or a Trojan horse to your host using the xoopsavator system , what I mean is that he/she had uploaded an image simulated file to the system, then executed it!But the problem is that how s/he could execute it when the permissions are set to 644.
I must also mention that, yesterday someone tried to attack to my website. I had the latest version of protector, but still it didn't help much. In addition I lost 2 gigs of Bandwidth only in one day, which was unusual, and s/he used dat.dat file of xmemberstats block for this attack. I don't exactly remember if this file was set to 777 or 644. But if it was 644 and the attacker was successful in this, It is going to scare me!
I deleted this file immediately , so hopefully s/he can't do this again anymore!

18
hawkeyegop
Re: Got hacked?
  • 2005/3/6 23:21

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


I'm not sure how that would have happened. My wife used to have a WordPress blog but she wanted XOOPS because she wanted photo gallery modules and stuff. I transferred all of her posts to the news module, but then I never had time to finish installing all the modules that she wanted. She didn't want anybody to see it since it wasn't finished so I disabled XOOPS and set up password protection for the whole directory. There were NO registered users.

19
alitan
Re: Got hacked?
  • 2005/3/6 23:30

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


Then htis is not your fault, it is your hosting providers fault that have set a non secure system, If there wasn't anyway to use the xoops, then the attacker had used another way to get in.

20
hawkeyegop
Re: Got hacked?
  • 2005/3/10 6:29

  • hawkeyegop

  • Just popping in

  • Posts: 83

  • Since: 2004/9/18


Well, as I said, I started shopping around for a new reseller (and I actually just signed up). I read some reviews for dependable resellers and narrowed my choices down to two.

I emailed both of them and said that my current host apparently has problems with XOOPS, and that I was looking around because I have about 15-20 XOOPS sites, and I wanted to know if they have ever had issues with XOOPS as well.

Both of them, and these are very large hosting companies, said that they have not had ANY problems with XOOPS. Come on, if my current host says XOOPS is #2 for exploiting, surely these other companies, which are just as big, would have had SOME problems right? ARgh, that really pisses me off.

Anyway, just wanted to let you guys know that the problem isn't XOOPS, it was my host. Not that you didn't already know that.

THanks everyone who responded.

Login

Who's Online

352 user(s) are online (220 user(s) are browsing Support Forums)


Members: 0


Guests: 352


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits