1
sotrasjakk
Our site has been hacked
  • 2007/5/21 21:20

  • sotrasjakk

  • Just popping in

  • Posts: 13

  • Since: 2005/4/18


On three occasions in the last week, I have removed malware php-scripts from the "upload" folder. From what I can tell, one did perform a server system scanning, and another was simply sending spam emails.

Over the past few weeks I have seen some strange newly registered users (foreign users on an all-Norwegian site, designated for a small chess club where the content is mainly intended for our members, look strange in my eyes). So I have made a few countermeasures - first I replaced all admin passwords to the Xoops-site as well as to the ftp-account. Besides, all newly registered users will have to be manually approved by admin, and I deleted these recent suspicious user accounts.

This evening another script had been uploaded, and now I CHMOD the upload folder to 444 (it was 777, I just want to see if this is an effective way to stop this - I know it reduces functionality). This time I also deleted those accounts that had been recently logged on, which I did not know who had registered. Unregistered users are only permitted to view the content of our site.

I don't think any of the original Xoops-scripts have been modified in any way.

But I wonder about one thing: How is it possible that php-scripts can be uploaded to this folder in the first place? According to my settings, only image files should be allowed to be uploaded. Is it possible to access the upload folder without being a registered user?

Thanks in advance.

Regards, Tom E.

2
BroHam
Re: Our site has been hacked
  • 2007/5/21 22:28

  • BroHam

  • Just popping in

  • Posts: 100

  • Since: 2007/3/31


Quote:
But I wonder about one thing: How is it possible that php-scripts can be uploaded to this folder in the first place? According to my settings, only image files should be allowed to be uploaded. Is it possible to access the upload folder without being a registered user?


I am curious, where are your users allowed to upload stuff on the site? Through modules? If so, which ones?
What settings are you talking about?
I don't claim to have answers for you, but I would like to understand your situation at least.
I don't know.

3
sotrasjakk
Re: Our site has been hacked
  • 2007/5/22 17:51

  • sotrasjakk

  • Just popping in

  • Posts: 13

  • Since: 2005/4/18


Quote:

I am curious, where are your users allowed to upload stuff on the site? Through modules? If so, which ones?
What settings are you talking about?
I don't claim to have answers for you, but I would like to understand your situation at least.


Users may upload image files from the "myalbum" module. In this module's admin section I have set that only image files may be uploaded.

The hackers still have access to our website. This afternoon I removed some malware scripts from the cache-folder. Like the uploads folder, its access attributes are set to 777. So it seems like the hackers "only" can use folders set this way.

In this case the hackers only have access to two folders now; cache and templates_c. How will it affect the website if I CHMOD these folders to 644?

Tom E.

4
JMorris
Re: Our site has been hacked
  • 2007/5/22 17:56

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Quote:
In this case the hackers only have access to two folders now; cache and templates_c. How will it affect the website if I CHMOD these folders to 644?


Your site will stop working. You'll get a WSOD.

Have your hosting provider do an audit on the server. It sounds like this is an issue of someone gaining access to the server.

Also, ask your hosting provider to enable suEXEC for Apache and PHP. This will allow you to chmod ALL folders to 755 and all files to 644.

Folders must be, at least, readable and executable, hence the 755. If you chmod a folder 644, you won't be able to access it.

HTH
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.
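The two questions raised so far in this thread are how to spot scripts that were planted in an image-only upload folder, and which directories are left open by a 777 mode. The following audit script is an added example written for this thread; it is not XOOPS, myalbum or Protector code, and it does not assume anything about those modules. It walks an upload tree, flags files that carry a script extension, that claim an image extension but lack an image signature, or that contain a PHP open tag, and it lists every directory that is world-writable (the 777 case). The sample tree it builds is constructed inside a temporary directory purely so the example runs offline; the directory name `photos` and the file names are assumptions.

```python
"""Audit an upload tree for planted scripts and world-writable directories.

Added example for this thread (not XOOPS/Protector code). Run it against a
real upload directory with audit_tree(path); build_sample_tree() only
constructs a small demonstration tree in a temporary directory.
"""
import os
import stat
import tempfile

# Magic bytes for the image formats an album module would normally accept.
IMAGE_SIGNATURES = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions a PHP-enabled web server may execute if they land in a web-accessible folder.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def classify_file(path):
    """Return a list of findings for one file; an empty list means it looks clean."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)  # signatures and open tags sit near the start of the file
    if ext in SCRIPT_EXTENSIONS:
        findings.append("script extension in upload area")
    if ext in IMAGE_EXTENSIONS and not any(head.startswith(sig) for sig in IMAGE_SIGNATURES):
        findings.append("image extension but no image signature")
    if any(tag in head for tag in PHP_OPEN_TAGS):
        findings.append("contains PHP open tag")
    return findings


def audit_tree(root):
    """Walk root and return (suspicious_files, world_writable_dirs).

    suspicious_files maps a path relative to root to its findings;
    world_writable_dirs lists relative directory paths whose mode has the
    other-write bit set (e.g. 777), which is what lets any local user drop files there.
    """
    suspicious = {}
    writable_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:
            writable_dirs.append(os.path.relpath(dirpath, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = classify_file(full)
            if findings:
                suspicious[os.path.relpath(full, root)] = findings
    return suspicious, sorted(writable_dirs)


def build_sample_tree():
    """Construct a demonstration upload tree in a temp dir and return its root.

    Everything here is constructed sample data: one real-looking JPEG header,
    one harmless PHP file standing in for a planted script, and one PHP file
    disguised with a .gif extension. The 'photos' folder gets mode 777 like
    the upload folder described in the thread.
    """
    root = tempfile.mkdtemp(prefix="uploads_")
    os.chmod(root, 0o755)  # readable and traversable, not world-writable
    photos = os.path.join(root, "photos")
    os.mkdir(photos)
    os.chmod(photos, 0o777)
    with open(os.path.join(photos, "board.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # constructed JPEG header
    with open(os.path.join(photos, "cache.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed stand-in for a planted script'; ?>")
    with open(os.path.join(photos, "logo.gif"), "wb") as fh:
        fh.write(b"<?php echo 'not an image'; ?>")  # wrong extension, no GIF signature
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    files, dirs = audit_tree(sample_root)
    print("world-writable directories:", dirs)
    for rel, why in sorted(files.items()):
        print(rel, "->", "; ".join(why))
```

Against the sample tree the script reports `photos` as world-writable and flags `cache.php` and `logo.gif` while leaving `board.jpg` alone. The signature check matters because an upload filter that only looks at the file extension will accept PHP source named `logo.gif`; whether that file is ever executed depends on the server's handler configuration, which is why the audit also lists directory modes rather than trusting the module's own settings.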

5
Cuidiu
Re: Our site has been hacked
  • 2007/5/22 18:00

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


Wouldn't Protector module prevent the upload of files like this to the upload directory? I was kind of counting on that...
Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)

6
JMorris
Re: Our site has been hacked
  • 2007/5/22 18:12

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Not if they are doing it from the command line. That's why your host needs to do an audit and setup suEXEC for you.

When folders are chmod 777 that means that anyone who has shell access to the server can write to that folder. Protector can't stop shell access. Nothing but a properly configured server can.

Hope that clarifies.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

7
Cuidiu
Re: Our site has been hacked
  • 2007/5/22 19:19

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


Quote:

JMorris wrote:
Hope that clarifies.

Yes, very much so. Thank you!
Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)

8
sotrasjakk
Re: Our site has been hacked
  • 2007/5/22 20:13

  • sotrasjakk

  • Just popping in

  • Posts: 13

  • Since: 2005/4/18


Thank you very much for your advice. I have notified the webhost with reference to this thread. Hopefully we will be able to stop these attacks.

Tom E.
