11
kc0maz
Re: XOOPS Sites hacked...
  • 2007/8/25 23:36

  • kc0maz

  • Quite a regular

  • Posts: 216

  • Since: 2005/4/18


Check the Cache folder.

I found three files that look like they did not belong there. I renamed the files and I am back in business.

The file names were:

piCal_minical_cache_english.php
CVCC-bluehue^%0B^0B9^0B9E10B9%db%3Asystem_rss.html
xlanguage.php

I believe the one with the Theme name is the problem.
Some dream of success, while others wake up and work for it.
--unknown

12
kc0maz
Re: XOOPS Sites hacked...
  • 2007/8/25 23:55

  • kc0maz

  • Quite a regular

  • Posts: 216

  • Since: 2005/4/18


My bad.
check the Xlanguage.php file.

How many hacked web sites have the Xlanguage module installed?
Some dream of success, while others wake up and work for it.
--unknown

13
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/26 18:53

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


So far, I still don't know exactly how the files were uploaded, which troubles me somewhat, but the PHP shell script that was placed in the cache dir on one site was used to attack other sites.

Okay, I had a think about things and a potential security enhancement is to put the following into a .htaccess file in the /cache and /templates_c directories:

<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<
Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>


This will prevent anyone from loading any file from those dirs in their browser, if they know the file name, and also submitting via POST. This should (in theory) stop a script kiddie from using a script if they manage to upload it to those directories.

Obviously, it won't stop them if they know to look for the .htaccess file and are able delete/alter it, but it is an extra layer.

It would be better if you are able to put it in the virtualhost directive for your site in httpd.conf, for example

<virtualhost>

# other stuff here

<directory "/path/to/cache">
<
Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<
Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
</
directory>
<
directory "/path/to/templates_c">
<
Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>

<
Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
</
directory>
</
virtualhost>


Comments?

14
vaughan
Re: XOOPS Sites hacked...
  • 2007/8/26 18:58

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


check if your server is running php under phpsuexec mode.

if it is, you can safely chmod those folders to 755 instead of 777 which will prevent that kind of malicious upload into word writable permissions.

it's probable that they found a way to upload without touching your XOOPS because the folders were 777

15
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/26 20:12

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Quote:

vaughan wrote:
check if your server is running php under phpsuexec mode.

if it is, you can safely chmod those folders to 755 instead of 777 which will prevent that kind of malicious upload into word writable permissions.

it's probable that they found a way to upload without touching your XOOPS because the folders were 777


It's not, yet.

I've scheduled the server for an upgrade to PHP5 soon, so I may enable it then. Seems though, that it will cause some problems that some people will have to fix.

16
vaughan
Re: XOOPS Sites hacked...
  • 2007/8/26 20:51

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


the issues are negligible & easily solved with giving users enough notice to prepare for the change to suexec.

and the benefits of phpsuexec are better than having malicious scripts uploaded to 777 folders all the time. of course there are other benefits, and possibly some downsides, but imho i think the benefits outweigh all the bad points..

17
AndyM
Re: XOOPS Sites hacked...
  • 2007/8/26 21:16

  • AndyM

  • Quite a regular

  • Posts: 296

  • Since: 2003/8/31


Well, they have already been warned about potential problems with the move to PHP5, so I guess they can put up with any minor hassles from phpsuexec...

Login

Who's Online

64 user(s) are online (41 user(s) are browsing Support Forums)


Members: 0


Guests: 64


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Aug 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits