1
anderssk
My website has been hacked
  • 2006/5/9 20:27

  • anderssk

  • Quite a regular

  • Posts: 335

  • Since: 2006/3/21


Today I received an email from my host.
My website is being used for phishing!!

It was a XOOPS version 2.2.3 and only for testing.
I have not talked with my provider yet but hope they are willing to investigate.
I did find some logs - and have asked the provider for the file loginz.php

It seems like they managed to upload loginz.php to the uploads library and then use it for avatar on a profile. (I remember the user registration FunWebProducts - I deleted the user in April, and the user was never activated.)


222.124.181.xxx - - [19/Apr/2006:20:10:19 +0200] "GET /uploads/loginz.php HTTP/1.0" 200 1372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
222.124.181.xxx - - [19/Apr/2006:20:10:21 +0200] "GET /favicon.ico HTTP/1.0" 200 5486 "http://degn-andersen.net/uploads/loginz.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
222.124.181.xxx - - [19/Apr/2006:20:11:42 +0200] "POST /uploads/loginz.php HTTP/1.0" 200 4277 "http://degn-andersen.net/uploads/loginz.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
81.196.42.xxx - - [20/Apr/2006:11:42:38 +0200] "GET / HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:42:39 +0200] "GET /modules/news/ HTTP/1.1" 200 4428 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:42:39 +0200] "GET /xoops.css HTTP/1.1" 200 859 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:42:39 +0200] "GET /themes/FreeFlo.org/style.css HTTP/1.1" 200 7261 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:42:49 +0200] "GET /include/xoops.js HTTP/1.1" 200 13288 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:42:50 +0200] "GET /themes/FreeFlo.org/banner.gif HTTP/1.1" 200 3901 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:43:04 +0200] "GET /modules/profile/ HTTP/1.1" 302 5 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:43:05 +0200] "GET /modules/profile/register.php HTTP/1.1" 200 6207 "http://www.degn-andersen.net/modules/news/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:43:05 +0200] "GET /xoops.css HTTP/1.1" 304 - "http://www.degn-andersen.net/modules/profile/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:45:01 +0200] "GET /templates_c HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:45:01 +0200] "GET /templates_c/ HTTP/1.1" 403 962 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:46:49 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor HTTP/1.1" 301 536 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:46:49 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/ HTTP/1.1" 200 12922 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:46:50 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/ebay-ns.css HTTP/1.1" 200 719 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:00 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/ebaybody.js HTTP/1.1" 200 118784 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
86.104.204.xxx - - [20/Apr/2006:11:47:05 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/ HTTP/1.1" 200 12922 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
86.104.204.xxx - - [20/Apr/2006:11:47:05 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/ebay-ns.css HTTP/1.1" 200 719 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.196.42.xxx - - [20/Apr/2006:11:47:05 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/HeaderRegister_387x40.gif HTTP/1.1" 200 1219 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:05 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/signinbody.js HTTP/1.1" 200 8192 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
86.104.204.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/ebaybody.js HTTP/1.1" 200 118784 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/spacer.gif HTTP/1.1" 200 49 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/leftLine_16x3.gif HTTP/1.1" 200 45 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/iconlightbulb_16x16.gif HTTP/1.1" 200 173 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/or_60x23.gif HTTP/1.1" 200 261 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/s.gif HTTP/1.1" 200 49 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/truste_button.gif HTTP/1.1" 200 765 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
81.196.42.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/ebayfooter.js HTTP/1.1" 200 16384 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
86.104.204.xxx - - [20/Apr/2006:11:47:06 +0200] "GET /templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/signin_files/HeaderRegister_387x40.gif HTTP/1.1" 200 1219 "http://degn-andersen.net/templates_c/eBayISAPI.dll.SignIn.co.partnerId.pUserId.site0.pageType.bshowgif.UsingSSL.http.www.ebay.com.pp.pa2.errmsg.runame.ruparams.ruproduct.sid.favoritenav.confirm.ebxPageType.existingEmail.isCheckout.migrateVisitor/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
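
As an added example (not part of the original post): a small Python triage script for the two patterns visible in the log above, a 2xx response to a script under uploads/ and content being served out of templates_c/. The directory lists, the script-extension list and the sample lines (documentation IP addresses, a placeholder `kit-dir`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format; referrer and user agent are ignored here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumptions about this install: adjust to the real layout.
UPLOAD_DIRS = ("/uploads/",)                  # user files, static content only
NO_SERVE_DIRS = ("/templates_c/", "/cache/")  # server-side only, never browsed
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|pl|cgi|py)$", re.I)

def classify(path, status):
    """Return a finding label for one request, or None if unremarkable."""
    path = path.split("?", 1)[0]
    if not 200 <= status < 300:
        return None                 # 403/404 means the server refused
    if path.startswith(NO_SERVE_DIRS):
        return "served-from-private-dir"
    if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path):
        return "script-in-upload-dir"
    return None

def scan(lines):
    """Group findings by (label, first two path segments)."""
    out = defaultdict(lambda: {"hits": 0, "ips": set(), "methods": set(), "first": None})
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m["path"], int(m["status"])) if m else None
        if label is None:
            continue
        root = "/".join(m["path"].split("?", 1)[0].split("/")[:3])
        rec = out[(label, root)]
        rec["hits"] += 1
        rec["ips"].add(m["ip"])
        rec["methods"].add(m["method"])
        rec["first"] = rec["first"] or m["ts"]   # earliest sighting in file order
    return dict(out)

# Constructed sample lines modelled on the log in the post.
SAMPLE = '''\
192.0.2.10 - - [19/Apr/2006:20:10:19 +0200] "GET /uploads/loginz.php HTTP/1.0" 200 1372 "-" "UA"
192.0.2.10 - - [19/Apr/2006:20:11:42 +0200] "POST /uploads/loginz.php HTTP/1.0" 200 4277 "-" "UA"
198.51.100.7 - - [20/Apr/2006:11:42:39 +0200] "GET /modules/news/ HTTP/1.1" 200 4428 "-" "UA"
198.51.100.7 - - [20/Apr/2006:11:45:01 +0200] "GET /templates_c/ HTTP/1.1" 403 962 "-" "UA"
198.51.100.7 - - [20/Apr/2006:11:46:49 +0200] "GET /templates_c/kit-dir/ HTTP/1.1" 200 12922 "-" "UA"
203.0.113.5 - - [20/Apr/2006:11:47:05 +0200] "GET /templates_c/kit-dir/signin_files/a.css HTTP/1.1" 200 719 "-" "UA"
198.51.100.7 - - [20/Apr/2006:11:47:06 +0200] "GET /uploads/avatar1.gif HTTP/1.1" 200 900 "-" "UA"
'''

if __name__ == "__main__":
    for (label, root), rec in scan(SAMPLE.splitlines()).items():
        print(label, root, rec["hits"], sorted(rec["ips"]), rec["first"])
```

The earliest timestamp per finding bounds when the file appeared, which is the date to compare against file modification times and registration records when cleaning up.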

2
anderssk
Re: My website has been hacked
  • 2006/5/24 12:42

  • anderssk

  • Quite a regular

  • Posts: 335

  • Since: 2006/3/21


Now the patch is online

https://xoops.org/modules/news/article.php?storyid=3112
