1
kapsat
My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 4:12

  • kapsat

  • Just popping in

  • Posts: 12

  • Since: 2005/9/26


My Site info: Dedicated Server

XOOPS Version: XOOPS 2.0.13.2 with the october patch
Module Name/Version: Articles .27 / Content .05 / ForumEx 1.24 / Templates cache Cleaner 1. / Contact Us 1. / RSSFit 1.1 / Downloads 1.1 / SiteMap 1.12 /
PHP Version: 4.4.1
MySQL Version: 4.0.25-standard
Web Server Software (Apache/IIS/Other): Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.1 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.7a

Theme you are using: Mambo Taste
Custom template: (No)

A full description of the issue: Today my server was hacked and my server company informed me that it was done through the xmlrpc file. The hacker uploaded a boat load of files to the root temp directory.

This has actually been an ongoing problem for the past few weeks. The first was a security problem with viewtopic (according to my host), so the code was changed. The second and third times they could not tell me an exact point of entry. So after a ton of reading I found that PHP 4.3.9 has a security problem with globals.... So yesterday I upgraded my PHP to 4.4.1 and tested the code that my host says the hacker used to break in, and PHP caught it. So I was thinking I was fine. Then this afternoon it happened again.... but now the host tech guy says it was the xmlrpc file on my XOOPS site.

The other times it was hacked, the hacker uploaded files and did a DoS attack on another site. But this time many more files were uploaded and I caught it before anything else was done.

Sorry the post is long, but this is getting to be a big problem. If I could get some help I would be very grateful.

2
skenow
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 4:23

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


More information may be needed...

Do you have Protector module installed and activated?
* 2.54 is the latest
Are you using FrontPage extensions?
* disable or remove them if you are not
Have you changed ALL your passwords for your host account?
* this includes cpanel, ftp, FrontPage
Is your anonymous ftp setting buried somewhere you don't notice it?
* find it and disable it

The host (or your log files) should be able to tell you the origin IP of the attacks. Use your htaccess file to redirect them.

3
guardian2k1
Re: My host informed me that My Server Was Hacked through xmlrpc

While I can't help you secure your server you may want to try this module for xoops. Xoops Protector
"Linux is extremely user-friendly. It also happens to be extremely selective when picking its friends."

http://www.nuxified.com |http://debcentral.org

4
kapsat
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 4:45

  • kapsat

  • Just popping in

  • Posts: 12

  • Since: 2005/9/26


* I just downloaded Protector, have not activated it yet
* Just removed FrontPage extensions for that site but still need to do it for all other sites.
* Just disabled anonymous FTP for that site and also need to do it for the other sites.
* In the process of changing passwords



Quote:

skenow wrote:
More information may be needed...

Do you have Protector module installed and activated?
* 2.54 is the latest
Are you using FrontPage extensions?
* disable or remove them if you are not
Have you changed ALL your passwords for your host account?
* this includes cpanel, ftp, FrontPage
Is your anonymous ftp setting buried somewhere you don't notice it?
* find it and disable it

The host (or your log files) should be able to tell you the origin IP of the attacks. Use your htaccess file to redirect them.

5
kapsat
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 6:43

  • kapsat

  • Just popping in

  • Posts: 12

  • Since: 2005/9/26


I have Protector activated and working and have changed passwords.

You know, I really am not sure if my host knows what or how they hacked in. Earlier they sent me an email telling me it was the xmlrpc.php file on my XOOPS site. So then I posted here.

After I posted I thought it might be helpful to have the section of my log file to post. Well, they sent me a part of my log file for a WordPress site I have on the same server and they say this was the one.

The only thing they are doing is matching the time of the hack with the log file.

Is this how you would normally find this info?

Because I have a couple of very busy sites on this server and I'm sure those sites had files accessed at the same time.

I have replied back with the discrepancy and I await a response from them.

6
Herko
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 8:30

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Quote:

kapsat wrote:
You know, I really am not sure if my host knows what or how they hacked in. Earlier they sent me an email telling me it was the xmlrpc.php file on my XOOPS site. So then I posted here.

After I posted I thought it might be helpful to have the section of my log file to post. Well, they sent me a part of my log file for a WordPress site I have on the same server and they say this was the one.

The only thing they are doing is matching the time of the hack with the log file.

Is this how you would normally find this info?

XOOPS was one of the first web applications that closed the XMLRPC security hole, in XOOPS 2.0.12a. That doesn't mean there aren't any security holes in XMLRPC that we don't know of, though. But XMLRPC is a 3rd party class, so it would definitely not just be a XOOPS problem if it came from there with the fixed class in place. Your WordPress sites use XMLRPC too (see this post at the WP dev blog).

Comparing timestamps in logfiles is a way to get an idea of how the hacker gained entry to your server. If he has access to your server, he has access to all sites on your server.

Since both XOOPS and WordPress claim to have the XMLRPC hole closed tight, and if you were running XOOPS over 2.0.12a and WordPress over 1.2, the chances that they gained access through the XMLRPC hole are slim. Maybe they left a backdoor the previous times (which is a bitch, because that means a full reinstall of the complete server, OS, sites, everything, if you want to be absolutely sure they're gone).

Herko
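Added example (not posted by anyone in this thread): a small Python triage script for the log-timestamp question above. It assumes Apache "combined" format lines, a host-reported compromise time, and a few constructed sample requests (documentation IP ranges, made-up paths); it shows that on a busy server many clients fall inside the same time window, so method, path and user-agent are what single out the client worth looking at.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines (documentation IP ranges, made-up paths and times):
# three sites on one server, several clients active around the reported time.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2006:03:58:01 -0500] "GET /modules/news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jan/2006:03:58:14 -0500] "POST /xmlrpc.php HTTP/1.0" 200 312 "-" "-"
203.0.113.9 - - [20/Jan/2006:03:58:20 -0500] "GET /wp/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jan/2006:03:58:31 -0500] "POST /xmlrpc.php HTTP/1.0" 200 298 "-" "-"
203.0.113.7 - - [20/Jan/2006:03:59:02 -0500] "GET /modules/newbb/viewtopic.php?topic_id=4 HTTP/1.1" 200 7410 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jan/2006:03:59:40 -0500] "GET /tmp/.x/run.sh HTTP/1.0" 404 221 "-" "-"
203.0.113.12 - - [20/Jan/2006:04:40:00 -0500] "GET /index.php HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
"""
# Compromise time as the host would report it (constructed to match the sample).
REPORTED_TIME = datetime(2006, 1, 20, 3, 58, 30, tzinfo=timezone(timedelta(hours=-5)))

# Apache combined format: ip ident user [ts] "method path proto" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def requests_in_window(text, center, minutes=2):
    """Every request within +/- `minutes` of the reported time (the host's method)."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [r for r in parse_log(text) if lo <= r["ts"] <= hi]

def suspicious_clients(records):
    """Per-IP count of requests that POST to xmlrpc.php or touch a temp or
    dot-directory path; this is what narrows a busy window to one client."""
    hits = Counter()
    for r in records:
        if (r["method"] == "POST" and r["path"].endswith("xmlrpc.php")) \
                or "/tmp/" in r["path"] or "/." in r["path"]:
            hits[r["ip"]] += 1
    return hits
```

Run against the real access logs of every vhost on the box, not just the one the host pointed at, since a single client session can span sites.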

7
davidl2
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 9:50

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Quote:

kapsat wrote:
* Just removed FrontPage extensions for that site but still need to do it for all other sites.


These things are evil - I lost a dedicated server due to FrontPage extensions not being disabled by the installer - and ended up with many gigs of very sick material being deposited.

Not nice.

8
kapsat
Re: My host informed me that My Server Was Hacked through xmlrpc
  • 2006/1/20 17:40

  • kapsat

  • Just popping in

  • Posts: 12

  • Since: 2005/9/26


Quote:

davidl2 wrote:
These things are evil - I lost a dedicated server due to FrontPage extensions not being disabled by the installer - and ended up with many gigs of very sick material being deposited.

Not nice.


Ya know, I didn't realize this.... I started out with FrontPage a few years ago, but really I do most everything in Notepad now.

One thing I can say is this has been a great learning experience.

9
seventhseal
Re: My host informed me that My Server Was Hacked through xmlrpc

If you are "dedicated" and I saw where you talked about files uploaded to your system - then I suggest you check your error log files, your access log files, and at root if on Linux - run netstat and last to see what's going on. Also, do you have a firewall? One of the most prevalent attacks is a system not firewalled, and many many ports listening and not blocked. The various onzyou sites out there will use that avenue to gain a telnet session to a seemingly innocent port and begin what I like to term "wget attacks", basically working to move trojans and scripts to the temp directory of a site. After they have that control, they can, in some cases, appear to be logged in as root. Depending on the script, they may very well be root. There are just so many things to check...
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design
