1
rabideau
Serious 2.0.16 hack risk
  • 2007/6/9 23:15

  • rabideau

  • Home away from home

  • Posts: 1042

  • Since: 2003/4/25


Hi all,

---Just dropping by for a second to issue an alert based on an experience I encountered this week---

I have had three of my sites hacked by very nasty people. All of the sites were running XOOPS 2.0.16 installed as it should be. One of the sites had 3 phishing sites embedded on it.

Most of the illegal activity was centered in the uploads directory although certain modules like bmsurvey were also violated. I have shut the sites down and will recreate them later.

For now I just want to let the community know they should closely examine their sites including looking for the following:

1. cmd.php
2. c99.php
3. uploads/newbb in each instance this directory as well as one labeled uploads/smartsection and uploads/smartpartner were converted into phishing sites
4. look for any directories where the privs are set to 000 (these seem to be an indication of problems)
5. If you run cpanel access File Manager and select each directory icon if you get a php download request, the file has been most likely compromised.

I hope this helps folks avoid the horrible week I've had trying to clean this mess up. Good luck!

...mark
Pax vobiscum,
...mark

may the road rise to meet your feet!

http://treemagic.org

2
skenow
Re: Serious 2.0.16 hack risk
  • 2007/6/9 23:36

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Thanks for the heads-up, Mark. Any indication how they gained access to your sites?

3
JMorris
Re: Serious 2.0.16 hack risk
  • 2007/6/10 0:13

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Mark,

Just for clarification, were the directories that were compromised chmod 777 or are you using suEXEC?

Thanks for the heads up!
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

4
rabideau
Re: Serious 2.0.16 hack risk
  • 2007/6/10 0:50

  • rabideau

  • Home away from home

  • Posts: 1042

  • Since: 2003/4/25


Hi all,

The dirs in question were 777 and phpSuExec was not running.

Obviously the dirs have been changed now... too little too late I guess.
Pax vobiscum,
...mark

may the road rise to meet your feet!

http://treemagic.org

5
JMorris
Re: Serious 2.0.16 hack risk
  • 2007/6/10 3:31

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Thank you Mark. Your clarification is appreciated.

To go into further detail here...

When a folder is chmod 777, that means that anyone who has a hosting account on that particular server can access that folder.

chmod broken down:
First bit = User
Second bit = Group
Third bit = World (everyone)

Therefore, with chmod 777 everyone on that server can write to that folder.

This is a clear example of why suEXEC should be implimented as it allows for chmod 755 permissions, which are much more secure.

Unfortunately, many hosts do not support suEXEC and you have to deal with such issues. What you can do to protect yourself is to experiment with the permissions, like chmod 775, and by using the capabilities of an .htaccess file to help protect you.

Remember, the only secure server is the one at the bottom of the ocean. Diligence and knowledge are the best defenses we have.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

6
skenow
Re: Serious 2.0.16 hack risk
  • 2007/6/10 3:38

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Good info - any suggestions on the directives in the htaccess file to compensate for not having suexec?

7
pAraN0iD
Re: Serious 2.0.16 hack risk
  • 2007/6/10 3:52

  • pAraN0iD

  • Just popping in

  • Posts: 24

  • Since: 2007/4/16


Thanks for the report, perhaps I'd better look into this thing!

Just noticed there is a XOOPSFAQ on PHPsuexec

Login

Who's Online

224 user(s) are online (125 user(s) are browsing Support Forums)


Members: 0


Guests: 224


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits