Re: Site Hacked, look at the script they used and help! [XOOPS general usage questions]

EDIT: Site messed up, help!

2007/8/25 13:08
MinnesotaW
Just popping in
Posts: 38
Since: 2007/1/22

Hi all...yeah...for some odd reason I had the incorrect permissions on my cache folder and I got hacked, here is the file they installed in cache to help shut the site down, and what exactly changed? (I'm good at kicking PHP tires but that's about all)

EDIT...

Helpful folks have pointed out the script is something created by xoops...excuse my noobieness to PHP

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:07
MinnesotaW
Just popping in
Posts: 38
Since: 2007/1/22

Where I'm at right now...no modules "exist" according to clicking on the site.

Anyone? 53 views and no suggstions

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:30
McDonald
Home away from home
Posts: 1072
Since: 2005/8/15

I don't think this script is a hack!

Normally there's a file called adminmenu.php placed in the cache folder on XOOPS 2.0.x websites.

This script is different per site because of the different modules users install.

Probably it's better to put the script back in your cache folder and check if any other files are modified.

Make in the mean time a backup of your database if possible.

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:39
MinnesotaW
Just popping in
Posts: 38
Since: 2007/1/22

Quote:

McDonald wrote:
I don't think this script is a hack!

Normally there's a file called adminmenu.php placed in the cache folder on XOOPS 2.0.x websites.

This script is different per site because of the different modules users install.

Probably it's better to put the script back in your cache folder and check if any other files are modified.

Make in the mean time a backup of your database if possible.

Bummer...it's the only file in the entire directory with a date even close to today!

I think I'm hosed...backup the db isn't a problem and that I can do.

If you'd like to peek at this, http://www.vetteaction.com

Clicking on anything has a "this module not active" message, and for a while the entire site disappeared!

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:39
skenow
Home away from home
Posts: 993
Since: 2004/11/17

That script does look valid, as McDonald says.

Can you access any part of your site? login at /user.php, register at /register.php, administration menu at /admin.php

Check your database, it may be the problem - module installation status is stored in the database. If files were missing, you would get 404 errors instead of not installed.

Christian Web Master Resources
New SimplyWiki release

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:43
MinnesotaW
Just popping in
Posts: 38
Since: 2007/1/22

Quote:

skenow wrote:
That script does look valid, as McDonald says.

Can you access any part of your site? login at /user.php, register at /register.php, administration menu at /admin.php

Check your database, it may be the problem - module installation status is stored in the database. If files were missing, you would get 404 errors instead of not installed.

Right now I cannot access anything on the site, database seems all there, and the directory structure is still intact on the webserver.

When I attempted to get on this AM, the site looked normal, I tried to logon and it stated incorrect password...then the login block disappeared, then the news block disappeared (as I clicked around), then gallery, etc...

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:53
skenow
Home away from home
Posts: 993
Since: 2004/11/17

The database may be there, but it does not sound like it is the way you left it - incorrect password = altered database; blocks missing and modules not installed = altered database, too.

I would:
1. change your database user/password immediately
2. determine if the root user for the database has a password and create one if it doesn't
3. determine if there is an anonymous user that can access the database and remove it if it does exist
4. remove any other database users
5. determine if phpmyadmin can access the db without entering a username/password - change it if it can
6. find your most recent database backup before the hack was noticed and be ready to restore it

Christian Web Master Resources
New SimplyWiki release

Re: Site Hacked, look at the script they used and help!

2007/8/25 15:55
McDonald
Home away from home
Posts: 1072
Since: 2005/8/15

Quote:

That script does look valid, as McDonald says.

On my testservers I have a script called adminmenu.php in the cache folders:

 $xoops_admin_menu_js = "function popUpL1() { 
shutdown(); 
popUp("L1",true); 
} 
function popUpL16() { 
shutdown(); 
popUp("L16",true); 
} 
function popUpL23() { 
shutdown(); 
popUp("L23",true); 
} 
function popUpL26() { 
shutdown(); 
popUp("L26",true); 
} 
function popUpL33() { 
shutdown(); 
popUp("L33",true); 
} 
function popUpL43() { 
shutdown(); 
popUp("L43",true); 
} 
function popUpL52() { 
shutdown(); 
popUp("L52",true); 
} 
function popUpL59() { 
shutdown(); 
popUp("L59",true); 
} 
function popUpL66() { 
shutdown(); 
popUp("L66",true); 
} 
function popUpL79() { 
shutdown(); 
popUp("L79",true); 
} 
function popUpL91() { 
shutdown(); 
popUp("L91",true); 
} 
function popUpL95() { 
shutdown(); 
popUp("L95",true); 
} 
function popUpL104() { 
shutdown(); 
popUp("L104",true); 
} 
function popUpL109() { 
shutdown(); 
popUp("L109",true); 
} 
function popUpL117() { 
shutdown(); 
popUp("L117",true); 
} 
function popUpL129() { 
shutdown(); 
popUp("L129",true); 
} 
function popUpL131() { 
shutdown(); 
popUp("L131",true); 
} 
function popUpL135() { 
shutdown(); 
popUp("L135",true); 
} 
"; 
$xoops_admin_menu_ml[1] = "setleft('L1',105); 
settop('L1',150); 
"; 
$xoops_admin_menu_ml[30] = "setleft('L16',105); 
settop('L16',165); 
"; 
$xoops_admin_menu_ml[39] = "setleft('L23',105); 
settop('L23',180); 
"; 
$xoops_admin_menu_ml[41] = "setleft('L26',105); 
settop('L26',195); 
"; 
$xoops_admin_menu_ml[42] = "setleft('L33',105); 
settop('L33',210); 
"; 
$xoops_admin_menu_ml[43] = "setleft('L43',105); 
settop('L43',225); 
"; 
$xoops_admin_menu_ml[45] = "setleft('L52',105); 
settop('L52',240); 
"; 
$xoops_admin_menu_ml[48] = "setleft('L59',105); 
settop('L59',255); 
"; 
$xoops_admin_menu_ml[51] = "setleft('L66',105); 
settop('L66',270); 
"; 
$xoops_admin_menu_ml[56] = "setleft('L79',105); 
settop('L79',285); 
"; 
$xoops_admin_menu_ml[68] = "setleft('L91',105); 
settop('L91',300); 
"; 
$xoops_admin_menu_ml[69] = "setleft('L95',105); 
settop('L95',315); 
"; 
$xoops_admin_menu_ml[70] = "setleft('L104',105); 
settop('L104',330); 
"; 
$xoops_admin_menu_ml[71] = "setleft('L109',105); 
settop('L109',345); 
"; 
$xoops_admin_menu_ml[72] = "setleft('L117',105); 
settop('L117',360); 
"; 
$xoops_admin_menu_ml[73] = "setleft('L129',105); 
settop('L129',375); 
"; 
$xoops_admin_menu_ml[74] = "setleft('L131',105); 
settop('L131',390); 
"; 
$xoops_admin_menu_ml[75] = "setleft('L135',105); 
settop('L135',405); 
"; 
$xoops_admin_menu_sd[1] = "popUp('L1',false); 
"; 
$xoops_admin_menu_sd[30] = "popUp('L16',false); 
"; 
$xoops_admin_menu_sd[39] = "popUp('L23',false); 
"; 
$xoops_admin_menu_sd[41] = "popUp('L26',false); 
"; 
$xoops_admin_menu_sd[42] = "popUp('L33',false); 
"; 
$xoops_admin_menu_sd[43] = "popUp('L43',false); 
"; 
$xoops_admin_menu_sd[45] = "popUp('L52',false); 
"; 
$xoops_admin_menu_sd[48] = "popUp('L59',false); 
"; 
$xoops_admin_menu_sd[51] = "popUp('L66',false); 
"; 
$xoops_admin_menu_sd[56] = "popUp('L79',false); 
"; 
$xoops_admin_menu_sd[68] = "popUp('L91',false); 
"; 
$xoops_admin_menu_sd[69] = "popUp('L95',false); 
"; 
$xoops_admin_menu_sd[70] = "popUp('L104',false); 
"; 
$xoops_admin_menu_sd[71] = "popUp('L109',false); 
"; 
$xoops_admin_menu_sd[72] = "popUp('L117',false); 
"; 
$xoops_admin_menu_sd[73] = "popUp('L129',false); 
"; 
$xoops_admin_menu_sd[74] = "popUp('L131',false); 
"; 
$xoops_admin_menu_sd[75] = "popUp('L135',false); 
"; 
$xoops_admin_menu_ft[1] = ".XOOPS_URL."/modules/system/admin.php' onmouseover='moveLayerY("L1", currentY,event) ; popUpL1();'>.XOOPS_URL."/modules/system/images/system_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[30] = ".XOOPS_URL."/modules/smartsection/admin/index.php' onmouseover='moveLayerY("L16", currentY,event) ; popUpL16();'>.XOOPS_URL."/modules/smartsection/images/module_logo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[39] = ".XOOPS_URL."/modules/marquee/admin/index.php' onmouseover='moveLayerY("L23", currentY,event) ; popUpL23();'>.XOOPS_URL."/modules/marquee/images/marquee_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[41] = ".XOOPS_URL."/modules/extcal/admin/index.php' onmouseover='moveLayerY("L26", currentY,event) ; popUpL26();'>.XOOPS_URL."/modules/extcal/images/extcal_logo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[42] = ".XOOPS_URL."/modules/news/admin/index.php' onmouseover='moveLayerY("L33", currentY,event) ; popUpL33();'>.XOOPS_URL."/modules/news/images/news_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[43] = ".XOOPS_URL."/modules/ronssection/admin/index.php' onmouseover='moveLayerY("L43", currentY,event) ; popUpL43();'>.XOOPS_URL."/modules/ronssection/images/ronssection_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[45] = ".XOOPS_URL."/modules/tinyeditor/admin/index.php' onmouseover='moveLayerY("L52", currentY,event) ; popUpL52();'>.XOOPS_URL."/modules/tinyeditor/images/tinyeditor.png' alt='' /> 
"; 
$xoops_admin_menu_ft[48] = ".XOOPS_URL."/modules/smartprofile/admin/admin.php' onmouseover='moveLayerY("L59", currentY,event) ; popUpL59();'>.XOOPS_URL."/modules/smartprofile/images/module_logo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[51] = ".XOOPS_URL."/modules/article/admin/index.php' onmouseover='moveLayerY("L66", currentY,event) ; popUpL66();'>.XOOPS_URL."/modules/article/images/logo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[56] = ".XOOPS_URL."/modules/wfdownloads/admin/index.php' onmouseover='moveLayerY("L79", currentY,event) ; popUpL79();'>.XOOPS_URL."/modules/wfdownloads/images/module_logo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[68] = ".XOOPS_URL."/modules/wfchannel/admin/index.php' onmouseover='moveLayerY("L91", currentY,event) ; popUpL91();'>.XOOPS_URL."/modules/wfchannel/images/wfs_channel_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[69] = ".XOOPS_URL."/modules/wflinks/admin/index.php' onmouseover='moveLayerY("L95", currentY,event) ; popUpL95();'>.XOOPS_URL."/modules/wflinks/images/wfl_slogo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[70] = ".XOOPS_URL."/modules/xoopscare/admin/index.php' onmouseover='moveLayerY("L104", currentY,event) ; popUpL104();'>.XOOPS_URL."/modules/xoopscare/images/xoopscare_logo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[71] = ".XOOPS_URL."/modules/xoopsinfo/admin/index.php' onmouseover='moveLayerY("L109", currentY,event) ; popUpL109();'>.XOOPS_URL."/modules/xoopsinfo/images/xoopsinfo_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[72] = ".XOOPS_URL."/modules/wfsection/admin/allarticles.php' onmouseover='moveLayerY("L117", currentY,event) ; popUpL117();'>.XOOPS_URL."/modules/wfsection/images/wfs_slogo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[73] = ".XOOPS_URL."/modules/captcha/admin/index.php' onmouseover='moveLayerY("L129", currentY,event) ; popUpL129();'>.XOOPS_URL."/modules/captcha/images/captcha_slogo.png' alt='' /> 
"; 
$xoops_admin_menu_ft[74] = ".XOOPS_URL."/modules/smartobject/admin/index.php' onmouseover='moveLayerY("L131", currentY,event) ; popUpL131();'>.XOOPS_URL."/modules/smartobject/images/module_logo.gif' alt='' /> 
"; 
$xoops_admin_menu_ft[75] = ".XOOPS_URL."/modules/xoopstube/admin/index.php' onmouseover='moveLayerY("L135", currentY,event) ; popUpL135();'>.XOOPS_URL."/modules/xoopstube/images/xtube_slogo.gif' alt='' /> 
"; 
$xoops_admin_menu_dv = "System.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=banners' onmouseover='popUpL1();'>Banners 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=blocksadmin' onmouseover='popUpL1();'>Blocks 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=groups' onmouseover='popUpL1();'>Groups 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=images' onmouseover='popUpL1();'>Images 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=modulesadmin' onmouseover='popUpL1();'>Modules 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=preferences' onmouseover='popUpL1();'>Preferences 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=smilies' onmouseover='popUpL1();'>Smilies 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=userrank' onmouseover='popUpL1();'>User Ranks 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=users' onmouseover='popUpL1();'>Edit User 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=findusers' onmouseover='popUpL1();'>Find Users 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=mailusers' onmouseover='popUpL1();'>Mail Users 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=avatars' onmouseover='popUpL1();'>Avatars 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=tplsets' onmouseover='popUpL1();'>Templates 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=comments' onmouseover='popUpL1();'>Comments 
[Close]

.XOOPS_URL."/modules/system/images/system_slogo.png' alt='' />"._VERSION.": 1.02"._DESCRIPTION.": For administration of core settings of the site.

 
SmartSection.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/smartsection/admin/index.php' onmouseover='popUpL16();'>Index 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/smartsection/admin/category.php' onmouseover='popUpL16();'>Categories 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/smartsection/admin/item.php' onmouseover='popUpL16();'>Articles 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/smartsection/admin/permissions.php' onmouseover='popUpL16();'>Permissions 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/smartsection/admin/mimetypes.php' onmouseover='popUpL16();'>Mimetypes 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=preferences&op=showmod&mod=30' onmouseover='popUpL16();'>Preferences 
[Close]

.XOOPS_URL."/modules/smartsection/images/module_logo.gif' alt='' />"._VERSION.": 2.13"._DESCRIPTION.": Section Management System for your XOOPS Site

 
Marquee.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/marquee/admin/index.php' onmouseover='popUpL23();'>Manage marquees 
.XOOPS_URL."/images/pointer.gif' width='8' height='8' alt='' /> .XOOPS_URL."/modules/system/admin.php?fct=preferences&op=showmod&mod=39' onmouseover='popUpL23();'>Preferences 
[Close]

Re: Site Hacked, look at the script they used and help!

2007/8/25 16:04
MinnesotaW
Just popping in
Posts: 38
Since: 2007/1/22

Quote:

skenow wrote:
The database may be there, but it does not sound like it is the way you left it - incorrect password = altered database; blocks missing and modules not installed = altered database, too.

I would:
1. change your database user/password immediately
2. determine if the root user for the database has a password and create one if it doesn't
3. determine if there is an anonymous user that can access the database and remove it if it does exist
4. remove any other database users
5. determine if phpmyadmin can access the db without entering a username/password - change it if it can
6. find your most recent database backup before the hack was noticed and be ready to restore it

1. Done
2. it does, always has
3. all tools my provider (Ipower) has for me I cannot see
4. only 1 db user, that's all I've ever had
5. phpmyadmin doesn't let you in without the valid userid/pwd...bogus or blank is rejected
6. yeah...I thought that might be the answer

Appreciate the suggestions, I'll let you know how it comes out.

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

EDIT: Site messed up, help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Re: Site Hacked, look at the script they used and help!

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}