1
AndyM
XOOPS Sites hacked...
  • 2007/8/25 20:29

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


I've had two of my XOOPS sites hacked where a PHP Shell script which replaces the adminmenu.php file (and other files) in the /cache dir.

Basically, you don't notice it until you try to log into the admin area, you will either get the shell script's output, or it will fail to load.

I've currently suspended the sites until I can check them over fully, but I thought I would post this here as a "heads up" to other users.

And before anyone says, yes they are using the latest 2.0.16 and XOOPS protector modules.

Perhaps some people could have a think about how this happened and think of a fix.

2
McDonald
Re: XOOPS Sites hacked...
  • 2007/8/25 21:01

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


See also this post.

3
sato-san
Re: XOOPS Sites hacked...
  • 2007/8/25 21:04

  • sato-san

  • Quite a regular

  • Posts: 224

  • Since: 2005/7/1 1


Do you have a LOG file from this attack?

And do you use /have the SPAW editor on your webspace?

4
McDonald
Re: XOOPS Sites hacked...
  • 2007/8/25 21:09

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Bandit-X mentioned suspicious entries in his error log yesterday, see here.
He only forgot to mention what was so suspicious about the entries...

5
aph3x
Re: XOOPS Sites hacked...
  • 2007/8/25 21:34

  • aph3x

  • Theme Designer

  • Posts: 834

  • Since: 2004/12/26


Talked to Bandit yesterday a bit about this...he mentioned something about "script kiddies.. searching for the spaw editor"
Everything I'm not made me everything I am
The Themes

6
kc0maz
Re: XOOPS Sites hacked...
  • 2007/8/25 21:54

  • kc0maz

  • Quite a regular

  • Posts: 216

  • Since: 2005/4/18


What is the status of your database?
Some dream of success, while others wake up and work for it.
--unknown

7
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/25 21:54

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


I've not had chance to look through the log file properly yet, but specific searches for adminmenu.php has only shown attempts to view it. Also, nothing for SPAW has cropped up.

The XP module log shows:
2007/8/25 19:24:17 Guests 88.243.132.66
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload r57.php.
2007/8/25 18:32:52 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload index.php.
2007/8/25 18:11:31 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.
2007/8/25 17:38:17 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.
2007/8/25 17:32:13 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.

Oh, it was done by the "TurkHackTeam"...

8
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/25 21:57

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Quote:

kc0maz wrote:
What is the status of your database?


So far, the DB seems untouched. I've been going through changing the table prefixes, and the password, etc. I'll audit it properly when I can.

9
kc0maz
Re: XOOPS Sites hacked...
  • 2007/8/25 23:02

  • kc0maz

  • Quite a regular

  • Posts: 216

  • Since: 2005/4/18


Quote:

2007/8/25 19:24:17 Guests 88.243.132.66
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload r57.php.
2007/8/25 18:32:52 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload index.php.
2007/8/25 18:11:31 Guests 85.101.191.247
Firefox/2.0.0.6Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 UPLOAD Attempt to upload sdf.php.

Oh, it was done by the "TurkHackTeam"...


I found these three in the "uploads" folder.

What did they do?

The TurkHackTeam... That wasn't very nice of them now was it.
Some dream of success, while others wake up and work for it.
--unknown

10
McDonald
Re: XOOPS Sites hacked...
  • 2007/8/25 23:07

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Is it an idea to start blocking all IP's starting with 88.243 and 85.101 ?


Login

Who's Online

279 user(s) are online (208 user(s) are browsing Support Forums)


Members: 0


Guests: 279


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits