1
irmtfan
xoops use python?
  • 2006/9/22 6:55

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


after saw some 403 errors in my site i send a ticket about issue to server support and they reply this:

Quote:
Hello,

When we checked the log files, we found that the mod security rules set in the server were throwing errors and its because you were trying to upload/post something with "python".
[Wed Sep 20 12:32:11 2006] [error] [client XXXXX] mod_security: Access denied with code 403. Pattern match "python\\x20" at POST_PAYLOAD. [hostname "www.DOMAIN"] [uri "/modules/system/admin.php?fct=preferences"]

We have now disabled mod_security for the domains XXXX and YYYYYY.
If you have any further issues,please get back to us with the details,we shall check it out from our end.



is this from xoops?

2
bleu_
Re: xoops use python?
  • 2006/9/22 7:07

  • bleu_

  • Just popping in

  • Posts: 32

  • Since: 2006/8/1 2


I really don't think so

3
McNaz
Re: xoops use python?
  • 2006/9/22 8:33

  • McNaz

  • Just can't stay away

  • Posts: 574

  • Since: 2003/4/21


This is someone trying to hack your XOOPS but not succeeding. This is normal and best described as normal "background radiation" of the web (ie there are lots of script kiddies that have scripts that check websites for vulnerabilities).

If you server software is upto date as is your XOOPS then you have little to worry about.

4
Jan304
Re: xoops use python?
  • 2006/9/22 8:39

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


This sounds more like a hacker that is trying to use a (un)known leak in the system admin to upload a python script. Your server was behaving correctly by blocking it, it is strange however that you are experiencing this blockade...

Are you using the latest version of XOOPS? If not try to upgrade and see if that fixes it. Also check your templates_c, cache and uploads map for unknown files and delete if necessary...

Personally I don't think you are hacked because your site still works just fine .

@McNaz: I think I will have to learn to type faster
Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

5
irmtfan
Re: xoops use python?
  • 2006/9/22 8:56

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


huum
i want to know what is the solution for that?
disable mod_security in the sever is not Dangerous?
i just have two account in my small dedicate server:
domain 1: xoops.ir with XOOPS 2.0.15
domain 2: jadoogaran.org with XOOPS 2.2.4

Protector is installed in both.

i saw forbidden page in preferences of xcgal in xoops.ir

also i see some forbidden pages in xfsection.

so you think someone try to POST some Malicious script?

6
irmtfan
Re: xoops use python?
  • 2006/10/3 17:19

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


someone attack xoops.ir and removed me from webmaster group.
i back myself from database.
also i removed all other admins until i found the problem.

it is XOOPS 2.0.14 and protector is installed.

i now manage to upgrade to XOOPS 2.0.15 but it seems someone hi jacked my sessions.

how can i found it?

i just see these in protector logs about attacker:

82.99.232.94
Firefox/2.0Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0 UPLOAD Attempt to upload icon2.php.

7
irmtfan
Re: xoops use python?
  • 2006/10/5 2:17

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


server support back to me with this suspicious activitie in logs:

213.207.245.16 - - [03/Oct/2006:07:35:06 -0400] "GET /modules/system/style.css HTTP/1.1" 200 4317 "http://www.xoops.ir/modules/system/admin.php?fct=users&uid=57&op=modifyUser" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

so i want to know what this means?

8
McNaz
Re: xoops use python?
  • 2006/10/5 6:42

  • McNaz

  • Just can't stay away

  • Posts: 574

  • Since: 2003/4/21


Quote:
"http://www.xoops.ir/modules/system/admin.php?fct=users&uid=57&op=modifyUser"


This is the standard url to access the admin area that modifies a user (uid 57 in this case).

Since your log copy/paste is incomplete I cannot tell you more.

Quote:
213.207.245.16 - - [03/Oct/2006:07:35:06 -0400] "GET /modules/system/style.css HTTP/1.1" 200 4317


Complete.

Quote:
"http://www.xoops.ir/modules/system/admin.php?fct=users&uid=57&op=modifyUser" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"


Incomplete as the GET/POST detail is missing and so is the IP address and time stamp.

Login

Who's Online

193 user(s) are online (114 user(s) are browsing Support Forums)


Members: 0


Guests: 193


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits