1
IShades
Version 2.2 Stable Hacked
  • 2005/10/17 15:17

  • IShades

  • Just popping in

  • Posts: 96

  • Since: 2004/2/20


DO NOT CLICK UNLESS YOU HAVE AN ANTIVIRUS INSTALLED!


So I log onto a site belonging to my client this mroning I was working on and low and behold it was hacked.

Warning: Following this link might throw some dangerous files at your browser ... so if you are not sure and well protected/updated stay away from this link.(edit by bender) w w w . g l u t m u s i c . c o m

It seems there was some form of embedded screen saver link there going to another site as well as some used gamecube advertisement. I tried to restore it but I feel I must erase everything and start over. I didnt touch it nor did my client. This is the second site that has been hacked in the same manner.

When I click on the site it gives me some form of weird error and my antivirus goes nuts. Has anyone had the same issue?

There is alos some weird language and a button that reads "Chitar para diablo" which I sure as heck didnt create. My permissions were all set accordingly and I am not a newb to xoops. So something is up and someone knows how to get in through some loop hole.

I am going to leave this as is, so you can see it and recreate it on another database.

[Moved to XOOPS general usage questions]
Immortal Shades MultiMedia- FLASHin SINCE FLASH 3
Email: info@immortalshades.com

2
Bender
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:41

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


That website is now stuffing up browsercache with crap ... so maybe you want to fix it better? Could really hurt some people

Quote:
C:\DOKUMENTE UND EINSTELLUNGEN\******\ANWENDUNGSDATEN\OPERA\OPERA850\PROFILE\CACHE4\OPR014CI.HTM

Ist das Trojanische Pferd TR/Dldr.Sma.bit.2.A

=======================================================

17.10.2005,17:40:16 [WARNUNG] Enthält Signatur des HTML-Scriptvirus HTML/Exploit.Mhtml!
C:\DOKUMENTE UND EINSTELLUNGEN\*******\ANWENDUNGSDATEN\OPERA\OPERA850\PROFILE\CACHE4\OPR014CR.HTM
Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

3
IShades
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:43

  • IShades

  • Just popping in

  • Posts: 96

  • Since: 2004/2/20


Yeah exactly, how the heck did that happen and how should i clear that?

What I would truly love to know is how was it hacked, so if I do a re-install I dont get re-hacked again. I will close the site if you wish, I just wanted someone who knows to tell me how it could be possible.

There were only two accounts, mine and the owners and noone uses our boxes. Plus my machine is beyond secured!
Immortal Shades MultiMedia- FLASHin SINCE FLASH 3
Email: info@immortalshades.com

4
Herko
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:45

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


make sure the templates_c folder is cleared!

We have more reports of this happening, it's actually a server config issue and all XOOPS is doing is needing a writable folder. Since many (shared) servers are configured to run on a single apache user, the folders need to be world writable, something XOOPS cannot do without (many many scripts have this defect, if you can call it that). This opens up the folder to ther ppl on the server tho, who can write malicious scripts like the ones you have trouble with into the templates_c folder, and misuse your site for other purposes. Your data, howver, is safe, so XOOPS security wasn't breached (if what I describe is what actually happened).

Herko

5
IShades
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:48

  • IShades

  • Just popping in

  • Posts: 96

  • Since: 2004/2/20


Okay thanks for the tip. I am going to simply delete the template_C folder and re-upload the latest files. I am also going to contact the server admins.

Alright I did as stated, so let me restore it. Hopefully that will clear the issue and remove any dangerous cache crap.
Immortal Shades MultiMedia- FLASHin SINCE FLASH 3
Email: info@immortalshades.com

6
Herko
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:52

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


there don't have to be any files in templates_c, the system will regenerate (clean) new ones.

Herko

7
IShades
Re: Version 2.2 Stable Hacked
  • 2005/10/17 15:56

  • IShades

  • Just popping in

  • Posts: 96

  • Since: 2004/2/20


Once again Herko, You save the day!!! (Thank You!)
Now I know what to do if this issue ever arises again!
Immortal Shades MultiMedia- FLASHin SINCE FLASH 3
Email: info@immortalshades.com

8
LazyBadger
Re: Version 2.2 Stable Hacked

Quote:
Since many (shared) servers are configured to run on a single apache user, the folders need to be world writable

Lie or stupidity or the incompetence. Shame!
Quis custodiet ipsos custodes?

Webmaster of
XOOPS2.RU
XOOPS Modules Proving Ground
XOOPS Themes Exhibition

9
Herko
Re: Version 2.2 Stable Hacked
  • 2005/10/17 18:33

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


OK, lazybadger, feel free to correct me if I'm wrong
Shame you pass up on that and just be *like* a grumpy old man mumbling about, accusing me of lying, ignorance and/or being incompetent without giving any kind of evidence of you being anything to the contrary.

The way it was explained to me by Skalpa in laymans terms as much as possible to make me understand it a bit, was this:

Many shared hosting providers do not run each account under a separate apache instance, but use the default 'apache' user and group created on initial install, and use a vhost for each website on that server. Apache runs under this special credentials for all those websites.
So where you need to give your application "write access" you need to give this "apache" user write access (generally it means: making the folder world-writable). If the owner had write access, it wouldn't mean anything to the "apache" user, and PHP wouldn't be able to write anything.
Now, what happens is that all the websites that run on the same shared server, run under this "apache" user... So where you give write access to apache, you're giving write access to EVERY malicious user sharing the same server.

Now, is this a XOOPS problem or not? I say no, because:
1) Smarty REQUIRES the possibility to write some files, so it can't be changed.
2) Even if we could change this, it would not change much: these server configurations are EXTREMELY unsafe.

The solution to this is to have each site run under a different apache user, using suexec. The problem is that all the "safe" solutions are less scalable, and are not that popular, especially with shared hosting servers.

So there you have it, the complete motivation for that single line you quoted. I hope it will help people deal with this problem and communicate it with their hosting providers. I know I will I'll be contacting Surpass Hosting about this problem and see if we can come to a good solution for all our XOOPS users hosted there...

Herko

10
studioC
Re: Version 2.2 Stable Hacked
  • 2005/10/17 19:35

  • studioC

  • Friend of XOOPS

  • Posts: 922

  • Since: 2003/12/7


perhaps i'm too stupid on this, but wouldn't this also effect eg. uploads dir which is chmod 777?

Michael

Login

Who's Online

484 user(s) are online (415 user(s) are browsing Support Forums)


Members: 0


Guests: 484


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits