1
mendow
hacked xoops 2.0.13.2
  • 2006/7/18 11:52

  • mendow

  • Just popping in

  • Posts: 8

  • Since: 2005/2/10


So, the story.

It all began two days ago at 2:00 am.
Some SQL injection was performed. So the site name and language were changed, and links
to a "hacked"-titled site were inserted. Also, I cannot change anything using the administrative kit -
I see an "OK" message but no changes are made.

The system version was 2.0.13.2.

I restored it from backup. It is a pity about six days of information, but there is no choice -
the site was hacked before the daily backup. Also, account and database credentials were changed.

2:00 pm - site was hacked.

I restored again and applied the May (it seems) patch.

8:00 pm - site was hacked.

I restored again. I found the new 2.0.14 version at .org and upgraded the site to this distribution.

2:00 am - site was hacked.

I restored it using a backup of the newly installed version. I found the Protector module and installed it.
Then I changed the table prefix and turned on all module protection. Protector complained only about
"register_globals on" and "fopen". If I use "register_globals off", the administrative kit misbehaves, not to mention
the site. So I had to use the "register_globals on" setting. Also, I cannot switch off "fopen"
because all site users use it.

2:00 pm - site was hacked.

Restoring again. I moved all of this account's sites to another account (I thought maybe the site was hacked through 'em).

8:00 pm - site was hacked.

I suspended the account. Waiting for them to leave me.

But I think that it is not a way out, because it is obvious that automation is performing these attacks on a schedule.
However, I saw other attacks yesterday in the evening. They hacked 3-4 times through 20-30 minutes.

The attack type is almost unchanged but is morphing due to the upgrades. It seems it has become hard for them,
but it doesn't stop.


I need advice - what to do?

log file: hack.log

2
McNaz
Re: hacked xoops 2.0.13.2
  • 2006/7/18 12:58

  • McNaz

  • Just can't stay away

  • Posts: 574

  • Since: 2003/4/21


I see you have the myAds module. There was a known security vulnerability in this module a few weeks ago. Have you updated it?

3
davidl2
Re: hacked xoops 2.0.13.2
  • 2006/7/18 13:02

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


There are some details on the problem with this module - and some fixes - here

4
mendow
Re: hacked xoops 2.0.13.2
  • 2006/7/18 13:19

  • mendow

  • Just popping in

  • Posts: 8

  • Since: 2005/2/10


myAds off, does not help

5
zyspec
Re: hacked xoops 2.0.13.2
  • 2006/7/18 13:39

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


mendow,

Can you tell us what other modules you have loaded? Perhaps we can help identify another module that may be vulnerable.

You may want to verify your directory/file rights and clear all your caches after you restore.

The other thing to consider is that it may not be coming in through Xoops. Is this a shared server? Are there other scripts installed? Have all the operating system patches been applied?

6
davidl2
Re: hacked xoops 2.0.13.2
  • 2006/7/18 13:44

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Turning off the module will not prevent any security risks.

Patching them, as in the thread I linked to, will help - or upgrading to the newer versions also mentioned in the thread.

(Obviously backup before you update!)
