1
dizzymarkus
Open holes and hacked

Two times in three weeks someone or some people have hacked into my XOOPS site and actually uploaded files to my server. Phishing for Wachovia Bank info.

The first time they uploaded a folder named "module" -- I saw it that morning and thought that was weird, that shouldn't be there -- off to work I went -- account was suspended by the time I got home. I removed the folder in question and they turned me back on.

The second time (3 weeks later and an account password change) whoever uploaded approx. 12 files to the "uploads" directory. Mostly php files and 2 text files -- again phishing for bank info. I searched all my files and folders for stuff that didn't belong. How are they getting in?

Are there any known holes or backdoors for people to get in? I cannot access my raw logs as they unRAR as a msdos file and I cannot get it to open correctly.

So once to the main directory tree and once to the uploads directory. Thanks for any help given for this as it's getting very frustrating.


Markus








www.ocqmc.com

2
irmtfan
Re: Open holes and hacked
  • 2007/6/1 3:22

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


It seems a server-side security issue to me.
Also, if you install the "Protector" module, it can help you secure your site even if your server isn't secure enough.

3
dizzymarkus
Re: Open holes and hacked

I thought so also (SS issue) but as hosting goes lol they say there must be a hole or backdoor into the script. I have run this (xoops) for 3 years now with this addy and server with no problems. Thanks for the heads up on protector -- I will be looking into it tonite.

Thank you,
Markus

4
wtravel
Re: Open holes and hacked

Can you summarize which version of XOOPS you use and which modules are installed?

5
wtravel
Re: Open holes and hacked

It could be useful to add a .htaccess file in the uploads folder that makes sure only .jpg, .gif and .zip files are accessible from the web. In order to upload a php file there must be either a leak in one of the modules or someone who has an account on the same server and knows how to exploit directories chmodded 777.

6
skenow
Re: Open holes and hacked
  • 2007/6/1 11:13

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

dizzymarkus wrote:
I thought so also (SS issue) but as hosting goes lol they say there must be a hole or backdoor into the script. I have run this (xoops) for 3 years now with this addy and server with no problems. Thanks for the heads up on protector -- I will be looking into it tonite.

Thank you,
Markus


The web server logs will shed more light on this if they used http to gain access to your site. If they used ftp, your logs will not show anything.

7
dizzymarkus
Re: Open holes and hacked

Quote:
" Can you summarize which version of XOOPS you use and which modules are installed? "

Xoops Version ---- 2.0.16
pical
XOOPS stats
even news
XOOPS polls
xc gallery
my iframe
XOOPS links
tiny d
tiny content
content
classified ads (P'tites annonces)
xt conteudo
2 other instances of my iframe also
world weather

Thank you


Good idea on the htaccess -- I will add one tonite. Thank you

The web server logs are a nightmare :0( I go into my control panel and dload the raw access logs -- unRAR them and they unzip as a msdos application (looks like an exe icon but properties says "msdos application"). Hosting says right click and choose notepad or wordpad -- no "open with" option for this when right clicking on the file. I am unsure what to do here with trying to view them.

Thanks greatly for all the responses. I have since changed chmod on the upload directory and informed the members it is temporarily disabled due to the fraudulent activity.


Markus

8
McDonald
Re: Open holes and hacked
  • 2007/6/2 11:33

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


You should add Protector to your modules, this will give more security.

9
wtravel
Re: Open holes and hacked

xt conteudo is not safe for sure... it has security issues with its editor. It is best to uninstall it and remove it from your server.

Does anyone know of security issues with the other modules?

10
vaughan
Re: Open holes and hacked
  • 2007/6/2 11:43

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


If your webserver is running under phpsuexec and is configured properly by the host, you should be able to use chmod 755 on all the folders that need write access (templates_c, uploads, cache & any folders in modules that need it).

I run my website with chmod 755 without problems because the scripts write to those folders using the assigned group/user IDs for the account instead of running as user: nobody. In short, there are many things a web host can do to improve security for itself & its clients.
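
The checks suggested in posts 5 and 10 (only image and archive types in uploads, no chmod 777 directories), as an added example that is not part of the original thread. The function names and both extension lists are assumptions, and the multi-extension check goes slightly beyond what the posts describe.

```bash
#!/bin/sh
# Added example, not from the thread. The extension lists and function
# names are assumptions; adjust them to the site being checked.
ALLOWED_EXT='jpg|jpeg|gif|zip'      # types the uploads folder should hold
SCRIPT_EXT='php[0-9]?|phtml|pl|cgi' # types a web server may execute

# Files whose final extension is not on the allow-list
# (.htaccess and index.html placeholders are skipped).
unexpected_files() {
    find "$1" -type f ! -name .htaccess ! -name index.html -print |
        grep -Eiv "\.(${ALLOWED_EXT})\$" || true
}

# Files with a script extension anywhere in the name, e.g. pic.php.jpg,
# which passes a check that only looks at the final extension.
script_named_files() {
    find "$1" -type f -print |
        grep -Ei "/[^/]*\.(${SCRIPT_EXT})(\.[^/]*)?\$" || true
}

# Directories writable by every local account (the o+w bit of chmod 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Print labelled findings; return 0 if the tree is clean, 1 otherwise.
audit_uploads() {
    audit_findings=$(
        unexpected_files "$1"    | sed 's/^/unexpected-type /'
        script_named_files "$1"  | sed 's/^/script-name     /'
        world_writable_dirs "$1" | sed 's/^/world-writable  /'
    )
    [ -z "$audit_findings" ] && return 0
    printf '%s\n' "$audit_findings"
    return 1
}

# Usage: sh audit_uploads.sh /path/to/xoops/uploads
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

A non-zero exit status means at least one finding, so the script can run from cron and mail its output only when something changes.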
