1
tonycharman
Xoops Hacked

Hi,
last night someone (Guide_Shen - Peruvians Rulez!) hacked my XOOPS site. I have managed to replace the mainfile.php and the index.php and the site operates ok. But logging in as admin gives the following screen and I am not sure what to do:

Resized Image

I did a google search on Peruvians Rulez! and there are a few other hacked sites, but no documentation on how to get it back. Any advice greatly recieved.

Tony

2
Northern
Re: Xoops Hacked
  • 2007/7/3 8:18

  • Northern

  • Just can't stay away

  • Posts: 420

  • Since: 2004/12/26


In most cases like this I would suggest saving your SQL.DB, images folder,and the modules folder, themes folder, then deleting the entire site and making a new site.
And just placing these files back into the places they need to go.
that should bring you site back to the pre-hack setting.

things to note.

you should invest in the protector module. <-- invest as in TIME not MONEY ( Its free )
also make sure your mainfile.php is CHMOD 666 <-- should be 444
and that you deleted your install.php file.


Edited for corrections, LOL

3
Anonymous
Re: Xoops Hacked
  • 2007/7/3 8:25

  • Anonymous

  • Posts: 0

  • Since:


Quote:
Northern wrote:

you should invest in the protector module.


"Invest" as in "time" rather than "cash"

Quote:
Northern wrote:

also make sure your mainfile.php is CHMOD 666


that's "444", dude..... "444"

4
Northern
Re: Xoops Hacked
  • 2007/7/3 8:28

  • Northern

  • Just can't stay away

  • Posts: 420

  • Since: 2004/12/26


Yes I stand corrected,

thanks,JAVesey

Its been a realy long day.
lol

5
cybersensei
Re: Xoops Hacked

ROFL.

Not as long as a day Tony's having. Good luck brah. Shout back or PM if you need more help.

Cheers.

6
BlueStocking
Xoops Hacked? Use your server file-dbbackup service!

Tony,
In my case and I believe most others, your site server makes a periodic backup. (files and database)

You can logon to your server and see if they have a file backup (zip) in your root directory. If so then just do a restore on that through your server. That should put you back to where you were before the breakin.

Good luck
https://xoops.org/modules/repository .. It is time to get involved - XOOPS.ORG

7
seventhseal
Re: Xoops Hacked? Use your server file-dbbackup service!

If you are on a shared service - then the problem is probably bigger than the really good suggestions for just locking down XOOPS.

If files were actually modified, then look in your httpd access_log file or equivalent on a windows server. Inside, do a search for any
wget
type commands. Those might shed light on what really happened. You can also look for any redirects to ftp sites.

The real problem on large shared systems is that unless most of the obvious ports are locked down, and any firewall or BFD (brute force detection) system is in place, you are vulnerable. It's not XOOPS - but your server.

Another place to check is your secure log. Find out what attempts to gain access happened. You'll probably see lots of ftp or ssh access against accounts that may or may not exist on your server. Again, not much you can do if on a shared server, but you can forward to the provider for support.

If possible, try to get the provider to install mod_security with the latest rules. This will take care of a lot of the access issues. Along with that, see if you can get them to force SSH only with version 2 DSA keys. These are easy to create and manage, and will at least allow you to lock out any password attempts. You could also try getting them to create a whitelist for ssh.

As you can see, there are many options. But I wouldn't assume off the bat that it's just because of XOOPS php code that you got hacked.

Good luck!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design

8
tonycharman
Re: Xoops Hacked? Use your server file-dbbackup service!

Many thanks for the replies, sorry for the delay is getting back, I was sitting waiting for an email as I had checked "Notify me of new posts in this thread" - but none came.

Anyway, back to the problem. Here's where I am at:

I WAS using the Protector module! The only thing I can think of is that I did not set it up correctly?!

I have recieved the following email from my host:
Quote:
Dear Mr Tony Charman,

unfortunately we received a large number of complaints concerning Spam-Mails sent through your 1&1 Webspace (contractnumber: 8794217).

We have to bring to your attention that this kind of mass mailing is illegal and can be prosecuted.


I have changed mainfile.php to 444 (was on 644 - though I am not sure if this was since I overwrote it yesterday).

I have looked at my log file and have lots of the following entries:
2007/07/04-04:36:52 8.162068134.22652.1183516612 <= u40334275 Commandline=/usr/sbin/sendmail --i  ENV_Script=/the-weald/cms/pda.php ENV_Remote=41.205.186.90


I am going to have a look at that pda.php file and then decide where to go from there.

9
brash
Re: Xoops Hacked
  • 2007/7/4 7:37

  • brash

  • Friend of XOOPS

  • Posts: 2206

  • Since: 2003/4/10


The protector module aids in reducing the attack footprint for Xoops, so if you site has been attacked at some other level such as web server then it won't be of any help to you. As for your hacked admin screen, try deleting all files in your cache and template_c directories. However, before you do that I would suggest that you get a listing of all files on your site that have been created and/or modified in the last week or so. Apart from you cache, uploads and templates, not a great deal should change file wise on your site.
IT Headquarters
Innovative IT Solutions

10
Catzwolf
Re: Xoops Hacked? Use your server file-dbbackup service!
  • 2007/7/4 8:10

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Can you tell us which version of XOOPS you are using, server, php and MySQL versions?

1. Change all your passwords at server lvl and Xoops.
2. Do as mentioned previous, delete all cache files and look in uploads for anything suspicious or that wasn't there previous and remove it.
3. Remove or rename pda.php for the time being.
4. Ask your webhosting for help in tracking down the issue and not let them threaten you over legal action. Remind them that they have a duty to help protect you and their customers from this type of attack.

Login

Who's Online

67 user(s) are online (38 user(s) are browsing Support Forums)


Members: 0


Guests: 67


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits