21
ipwgc
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 16:46

  • ipwgc

  • Quite a regular

  • Posts: 216

  • Since: 2005/8/13


Quote:

zyspec wrote:
It appears most of the database is 'complete'. I can get to all of the "normal" screens (user.php, edituser.php, newbb forum, etc). It appears they may have either replaced your index.php file (or perhaps deleted it) or replaced the contents of mainfile.php.



Hi zyspec, I change the index.php and was solved the problem. The portal returned to the normality, thank you, thank you

QUESTION: That I should make so that this doesn't happen again?

David

22
ipwgc
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 17:12

  • ipwgc

  • Quite a regular

  • Posts: 216

  • Since: 2005/8/13


The hacked took the administrator
When I try to login this message appears "Incorrect Login!"
If I request a new password this message appears "Sorry, no corresponding user info was found."

How I do to login to the general administrator through the portal. here http://www.ipwgc.com/english/user.php

David

23
davidl2
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 17:12

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


My own site has just been hacked as well - so I can certainly sympathise with your problems

Protector - from GiJoe - is a module many people recommend... i'll be using it myself if I can recover my site

24
Peekay
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 17:13

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


If you are on a shared server, it *may* have been nothing to do with your XOOPS installation. There have been several 'worms' that gain access through vulnerable applications, then trawl through the entire web server overwriting index.htm and index.php files. The phpBB exploit discussed in this thread is an example.

Of course, any modules with a known vulnerability should be un-installed (which is why I think a FAQ here would save a lot of people a lot of grief).

You'll find a lot of info in the FAQ about security.
A thread is for life. Not just for Christmas.

25
Bender
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 19:35

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


Quote:

ipwgc wrote:
The hacked took the administrator
When I try to login this message appears "Incorrect Login!"
If I request a new password this message appears "Sorry, no corresponding user info was found."

How I do to login to the general administrator through the portal. here http://www.ipwgc.com/english/user.php

David



Have a look into your database with phpMyAdmin.

Check the table xoops_users:
- Does the user with the uid 1 still exist?

If yes you can change your password following this faq item: How can i reset the administrator password?

If no and the uid 1 was completely deleted you can recreate the user with this query executed in phpMyAdmin:

INSERT INTO `xoops_usersVALUES (1'''username''your@email.adress''http://localhost/''blank.gif'1151696485''''''1'''''''''8001705594d6c97f71faee1f5522ed31'0075'default'0.01151696491'thread'010''''''0);


Please change the username and email adress accordingly. Using this querrie your password is replace_me.
(assuming your table names start by default with xoops_. If not you have to change that of course.


However if they messed with your database i would still think about using a back (if exists).
Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

26
ipwgc
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 20:26

  • ipwgc

  • Quite a regular

  • Posts: 216

  • Since: 2005/8/13


Hi Bender,
I fallow all your instruction and it working Now.

I can login on the admin seccion and I find this
Name: mad_hacker1
Email: mad_hacker1@hotmail.com
Location: Turkey


Also the same hacked page was under the fallowing modules.
modules/filemanager
modules/blocksadmin

Definably I deleted the pages

I'm going to install the "protect module" you can help me to install properly?
Prease send me a private message whit your email address
Thank

David

27
ipwgc
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/6/30 21:03

  • ipwgc

  • Quite a regular

  • Posts: 216

  • Since: 2005/8/13


Quote:

davidl2 wrote:
My own site has just been hacked as well - so I can certainly sympathise with your problems

Protector - from GiJoe - is a module many people recommend... i'll be using it myself if I can recover my site


Hi, David12
I finish to install the modulate protector version 2.56

I use this modulate a while ago, but I delete it because it left many white pages.
I need that somebody helps me to configure it correctly,
Do you know how to make it?


Sheers,
David

28
peterr
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/7/1 1:48

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

Bender wrote:
Stop saying you need solutions when you don´t want to provide answers.


I can understand your frustration, but please remember David's native language is Spanish, so we tend to think everyone can understand 'English questions'.

I have been trying to help David recently. Someone put a very nasty avatar on his site, we removed it, they did it again. We don't know how, because the raw access logs are not kept. I have changed the log config so that they are now archived.

The same problem exists here (basically), we cannot start to find out "how" the person did it, without the raw access logs, for the exact moment/time that the hack was done.

I see though, that the site is looking okay now. I will contact David, and check that the logs are now being archived.

Thanks,

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

29
peterr
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/7/1 2:09

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Fortunately, the raw access logs are now being archived. I had seen some attempts at SQL code injection a few days ago, and found this ...

Quote:

222.124.136.33 - - [30/Jun/2006:07:05:18 +0000] "GET /english/modules/myAds/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid,uname,5,6,7,8,9,10,11,12,13+from+xoops_users+limit+1,1/* HTTP/1.1" 200 1307 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"


That IP is from Indonesia, but I guess IP's can be spoofed.

I'm a bit unsure what to look for, if someone can guide me there possibly. I assume if an SQL injection was possible though, the person would then have been able to login and gain admin access ??

Hmm, ...woops, I see that a "200" was returned from that log entry, that would imply a successful 'injection' ?

So, I guess uninstall the "myAds" module for staters.
*/
NO to the Microsoft Office format as an ISO standard.
Sign the petition

30
peterr
Re: URGENT - PLEASE MY SITE IS HACKED TODAY Friday june 30
  • 2006/7/1 5:49

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Just like to say thanks to everyone for helping with this. Also, to say that it is not any of the XOOPS "core" (2.0.14) that was the 'weak point', it was the myAds module.

No doubt a site is 'safer' by having the table names prefixed by another name, not the default. The rule would be to always use a table prefix name that is 'strong' or very hard to guess.

We don't know what else the person/s did, no doubt from log entries like:

Quote:

85.101.151.238 - - [30/Jun/2006:09:51:58 +0000] "POST /english/modules/filemanager/admin/index.php HTTP/1.1" 200 7575 "http://*****/modules/filemanager/admin/index.php?id=&ordre=&sens=0&action=editer&rep=modules/filemanager/admin&fic=modules/filemanager/admin/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


they have replaced a few files. Is it only the "POST" entries that we need to examine (whilst they were logged into the admin section), or would we need to examine any "GET" log entries as well, considering it was a "GET" in the first place that allowed the SQL code injection ?

Most of the "offenders" are from Turkey, a block of IP's - 85.101.0.0 - 85.101.127.255, the full list .......

Quote:

222.124.136.33
222.253.18.55
62.248.24.85
81.214.225.115
85.100.168.229
85.100.215.168
85.101.137.31
85.101.148.162
85.101.151.238
85.101.244.121
85.101.40.167
85.101.67.58
85.104.183.117
85.104.209.105
85.104.87.202
85.106.167.236
85.108.252.2
85.108.51.164
85.195.123.22
85.96.68.128
85.98.3.75
85.99.4.167


They also loaded a file called 'rc57.php'; it is not there now though.

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

Login

Who's Online

158 user(s) are online (109 user(s) are browsing Support Forums)


Members: 0


Guests: 158


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits