Hi all,

---Just dropping by for a second to issue an alert based on an experience I encountered this week---

I have had three of my sites hacked by very nasty people. All of the sites were running XOOPS 2.0.16 installed as it should be. One of the sites had 3 phishing sites embedded on it.

Most of the illegal activity was centered in the uploads directory although certain modules like bmsurvey were also violated. I have shut the sites down and will recreate them later.

For now I just want to let the community know they should closely examine their sites including looking for the following:

1. cmd.php
2. c99.php
3. uploads/newbb in each instance this directory as well as one labeled uploads/smartsection and uploads/smartpartner were converted into phishing sites
4. look for any directories where the privs are set to 000 (these seem to be an indication of problems)
5. If you run cpanel access File Manager and select each directory icon if you get a php download request, the file has been most likely compromised.

I hope this helps folks avoid the horrible week I've had trying to clean this mess up. Good luck!

...mark

Thanks for the heads-up, Mark. Any indication how they gained access to your sites?

Mark,

Just for clarification, were the directories that were compromised chmod 777 or are you using suEXEC?

Thanks for the heads up!

Hi all,

The dirs in question were 777 and phpSuExec was not running.

Obviously the dirs have been changed now... too little too late I guess.

Thank you Mark. Your clarification is appreciated.

To go into further detail here...

When a folder is chmod 777, that means that anyone who has a hosting account on that particular server can access that folder.

chmod broken down:
First bit = User
Second bit = Group
Third bit = World (everyone)

Therefore, with chmod 777 everyone on that server can write to that folder.

This is a clear example of why suEXEC should be implimented as it allows for chmod 755 permissions, which are much more secure.

Unfortunately, many hosts do not support suEXEC and you have to deal with such issues. What you can do to protect yourself is to experiment with the permissions, like chmod 775, and by using the capabilities of an .htaccess file to help protect you.

Remember, the only secure server is the one at the bottom of the ocean. Diligence and knowledge are the best defenses we have.

Good info - any suggestions on the directives in the htaccess file to compensate for not having suexec?

Thanks for the report, perhaps I'd better look into this thing!

Just noticed there is a XOOPSFAQ on PHPsuexec