XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / Hacked twice today - help.
Register
11
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 21:48

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


I'm going to try looking at the MySQL logs and a few other things. Will report back...

Deb
12
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 22:03

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Modules installed:

myads - I edited all sql statements.
myalbum 2.84
newbb 3.04 (I believe this is cbb)
pical 0.76 (I customized it)
protector 2.57 - just installed a day or so ago
smartfaq 1.04
smartsection 1.05
xdirectory 1.10

Any ideas?

Deb
13
Tabasco
Re: Hacked twice today - help.

  • 2006/8/22 22:26

  • Tabasco

  • Quite a regular

  • Posts: 203

  • Since: 2003/12/26


If your site is being rear ended through your host, he has to fix it. Someone may have admin rights to your host.

On the front end. The less you have exposed (viewable) to non-registered users the better

Turn Register Globals off with a .htaccess file:

php_flag register_globals off

Change your admin password to at least 12 random numbers and letters. Do not use common words, there are dictionary hacks for that. Like this: mKk08JjjUR9a

Make sure all your modules are up to date.

Did you do what Protector suggested under the
Security Advisory tab?

You may have patched MyAds, but that doesn't mean it's not vulnerable.

You can also change registration, so it requires admin approval. You can then google the person that registers, username and email, and see if they are posting in hacking forums.
14
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 22:46

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Hmmm, looks like they might have logged in:

85.103.231.97 - - [20/Aug/2006:07:33:48 -0400] "GET /showez/modules/myAds/myAds.jpg HTTP/1.1" 200 2990 "http://www.horseshowsrus.ca/showez/modul es/system/admin.php?fct=preferences" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

Ok, password change coming up...
15
Tabasco
Re: Hacked twice today - help.

  • 2006/8/22 22:50

  • Tabasco

  • Quite a regular

  • Posts: 203

  • Since: 2003/12/26


Quote:

dwhitten wrote:
Hmmm, looks like they might have logged in:

85.103.231.97 - - [20/Aug/2006:07:33:48 -0400] "GET /showez/modules/myAds/myAds.jpg HTTP/1.1" 200 2990 "http://www.horseshowsrus.ca/showez/modul es/system/admin.php?fct=preferences" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

Ok, password change coming up...


If thats the case, uninstall MyAds.

That is also a Turkish IP, and Turkey is currently a hotbed for hackershttp://www.zone-h.org/

Information related to '85.103.128.0 - 85.103.255.255'

inetnum: 85.103.128.0 - 85.103.255.255
netname: TurkTelekom
descr: Turk Telekom ADSL-alcatel
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
source: RIPE # Filtered

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: abuse@ttnet.net.tr
16
Cuidiu
Re: Hacked twice today - help.

  • 2006/8/22 22:54

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


I wonder if it's possible that they've found a way to get around the myAds fix...
Quote:

Tabasco wrote:
If thats the case, uninstall MyAds.
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]
17
Tabasco
Re: Hacked twice today - help.

  • 2006/8/22 22:59

  • Tabasco

  • Quite a regular

  • Posts: 203

  • Since: 2003/12/26


Quote:

Cuidiu wrote:
I wonder if it's possible that they've found a way to get around the myAds fix...
Quote:

Tabasco wrote:
If thats the case, uninstall MyAds.


Why else would would somebody from Turkey want to look at MyAds on a Canadian Horse Show Site?
18
Cuidiu
Re: Hacked twice today - help.

  • 2006/8/22 23:00

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


Yes...yes.. silly of me to ask, I know.
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]
19
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 23:03

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Ok, I think I banned my own IP out of accessing the site!

How do I get back in? I put a list of banned IP's into protector. I guess I could edit the db table...

Do you think they logged in through myads or did they actually login as the admin?

Deb
20
dwhitten
Re: Hacked twice today - help.

  • 2006/8/22 23:11

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Thanks to protector, that I didn't think was very useful... I found a suspicious IP. I then grepped through my log file and voila:

81.215.110.79 - - [22/Aug/2006:12:52:17 -0400] "GET /showez/modules/myAd s/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid,uname,5,6,7 ,8,9,10,11,12,13+from+xoops_users+limit+1/* HTTP/1.1" 200 1164 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

81.215.110.79 - - [22/Aug/2006:12:52:17 -0400] "GET /showez/themes/neoblue/style/style.css HTTP/1.1" 404 - "http://www.horseshowsrus.ca/showez/m odules/myAds/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uid, uname,5,6,7,8,9,10,11,12,13+from+xoops_users+limit+1/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

(I figured out where the ip bans were and got back into my XOOPS admin!)

I banned this IP. I have uninstalled myads.

This is a good lesson in sql injection!!!!

Thanks everyone for the help.

Deb
*/
« 1 (2) 3 »

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

246 user(s) are online (178 user(s) are browsing Support Forums)

Members: 0

Guests: 246

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits