Hi,
last night someone (Guide_Shen - Peruvians Rulez!) hacked my XOOPS site. I have managed to replace the mainfile.php and the index.php and the site operates ok. But logging in as admin gives the following screen and I am not sure what to do:



I did a google search on Peruvians Rulez! and there are a few other hacked sites, but no documentation on how to get it back. Any advice greatly recieved.

Tony

In most cases like this I would suggest saving your SQL.DB, images folder,and the modules folder, themes folder, then deleting the entire site and making a new site.
And just placing these files back into the places they need to go.
that should bring you site back to the pre-hack setting.

things to note.

you should invest in the protector module. <-- invest as in TIME not MONEY ( Its free )
also make sure your mainfile.php is CHMOD 666 <-- should be 444
and that you deleted your install.php file.


Edited for corrections, LOL

Quote:

"Invest" as in "time" rather than "cash"

Quote:

that's "444", dude..... "444"

Yes I stand corrected,

thanks,JAVesey

Its been a realy long day.
lol

ROFL.

Not as long as a day Tony's having. Good luck brah. Shout back or PM if you need more help.

Cheers.

Tony,
In my case and I believe most others, your site server makes a periodic backup. (files and database)

You can logon to your server and see if they have a file backup (zip) in your root directory. If so then just do a restore on that through your server. That should put you back to where you were before the breakin.

Good luck

If you are on a shared service - then the problem is probably bigger than the really good suggestions for just locking down XOOPS.

If files were actually modified, then look in your httpd access_log file or equivalent on a windows server. Inside, do a search for any type commands. Those might shed light on what really happened. You can also look for any redirects to ftp sites.

The real problem on large shared systems is that unless most of the obvious ports are locked down, and any firewall or BFD (brute force detection) system is in place, you are vulnerable. It's not XOOPS - but your server.

Another place to check is your secure log. Find out what attempts to gain access happened. You'll probably see lots of ftp or ssh access against accounts that may or may not exist on your server. Again, not much you can do if on a shared server, but you can forward to the provider for support.

If possible, try to get the provider to install mod_security with the latest rules. This will take care of a lot of the access issues. Along with that, see if you can get them to force SSH only with version 2 DSA keys. These are easy to create and manage, and will at least allow you to lock out any password attempts. You could also try getting them to create a whitelist for ssh.

As you can see, there are many options. But I wouldn't assume off the bat that it's just because of XOOPS php code that you got hacked.

Good luck!

Many thanks for the replies, sorry for the delay is getting back, I was sitting waiting for an email as I had checked "Notify me of new posts in this thread" - but none came.

Anyway, back to the problem. Here's where I am at:

I WAS using the Protector module! The only thing I can think of is that I did not set it up correctly?!

I have recieved the following email from my host:
Quote:

I have changed mainfile.php to 444 (was on 644 - though I am not sure if this was since I overwrote it yesterday).

I have looked at my log file and have lots of the following entries:

I am going to have a look at that pda.php file and then decide where to go from there.

The protector module aids in reducing the attack footprint for Xoops, so if you site has been attacked at some other level such as web server then it won't be of any help to you. As for your hacked admin screen, try deleting all files in your cache and template_c directories. However, before you do that I would suggest that you get a listing of all files on your site that have been created and/or modified in the last week or so. Apart from you cache, uploads and templates, not a great deal should change file wise on your site.

Can you tell us which version of XOOPS you are using, server, php and MySQL versions?

1. Change all your passwords at server lvl and Xoops.
2. Do as mentioned previous, delete all cache files and look in uploads for anything suspicious or that wasn't there previous and remove it.
3. Remove or rename pda.php for the time being.
4. Ask your webhosting for help in tracking down the issue and not let them threaten you over legal action. Remind them that they have a duty to help protect you and their customers from this type of attack.