1
bnations
Admin Hash exposed
  • 2007/9/2 0:34

  • bnations

  • Just popping in

  • Posts: 7

  • Since: 2007/3/30


I recently was searching my website on google & yahoo and found some Chezk/Russian hacking websites are posting a MD5 hash with from what I can translate belongs to the admin account of my site (xoops 2.0.16). I have changed the password.

How did this happen? Who else has had this problem? Is there a way to stop this?

Thanks

2
pAraN0iD
Re: Admin Hash exposed
  • 2007/9/2 0:51

  • pAraN0iD

  • Just popping in

  • Posts: 24

  • Since: 2007/4/16


Backup your site before anything happens to it!

If they have your admin hash it implies that someone probably had access to your database. I suggest that you change your database (MySQL) password (and all others, FTP, hosting account etc) immediately using *strong* passwords).

I also suggest you install the Protector module, and make sure you implement all the security enhances it provides (especially in this case change the prefix of your database tables. It has a function to let you do this).

Another possibility is that your database server is busted. Or that there's a crook in your hosting company. The list goes on and on :(

Check the permissions of your mainfile.php as well, read only. (Probably this was not the way, but doesn't hurt to check it).

What modules are you running? Are they the latest versions? You might want to check there have been no security patches for your modules lately.

3
skenow
Re: Admin Hash exposed
  • 2007/9/2 1:41

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


And, it is always best to delete the admin user created during installation (uid=1) after creating a new user and adding them to the admin group, preferably after adding several other users so the uid is harder to hack by brute force.

Note to developers: a random uid is something to consider adding to the core - from what I understand and have observed in my own logs, many hackers have sql injection scripts that attempt to determine the password of uid=1 of XOOPS sites.

4
bnations
Re: Admin Hash exposed
  • 2007/9/2 6:03

  • bnations

  • Just popping in

  • Posts: 7

  • Since: 2007/3/30


I have done the following:
Changed DB passwords, hosting account passwords, admin password, ftp password, turned the site off, but now obviously the site cant even connect to the DB for administration. So what are the critical files I need to update for the DB password so I can connect again?

5
tic174
Re: Admin Hash exposed
  • 2007/9/2 6:13

  • tic174

  • Just popping in

  • Posts: 11

  • Since: 2003/12/9


I think its just the mainfile.php you`l need 2 update.
And just this line:-
define('XOOPS_DB_PASS', '');


6
bnations
Re: Admin Hash exposed
  • 2007/9/2 17:03

  • bnations

  • Just popping in

  • Posts: 7

  • Since: 2007/3/30


Ok, I have pretty much locked down everything. Now how do I stop this from happening again? On the site where I found my hash there was a list of about 12 XOOPS site's admin hashes so Im assuming there is a vulnerability in XOOPS somewhere.

7
skenow
Re: Admin Hash exposed
  • 2007/9/2 18:27

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Latest version of Protector - get it installed and crank the settings down as far as you can, back them off later if they cause problems.

Other security tips collected in Securing Your XOOPS Web Site with additional references at the end of the article

8
zyspec
Re: Admin Hash exposed
  • 2007/9/2 18:46

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


Quote:
On the site where I found my hash there was a list of about 12 XOOPS site's admin hashes so Im assuming there is a vulnerability in XOOPS somewhere.
Not necessarily in the core though.

Which modules (and versions) do you have installed?

9
bnations
Re: Admin Hash exposed
  • 2007/9/3 21:23

  • bnations

  • Just popping in

  • Posts: 7

  • Since: 2007/3/30


These are the active modules I have installed:
System 1.02
Reviews 2.19
News 1.4
Flash Games 1
Shoutbox 3.2
Classifieds 3
Forum 3.05

These are the inactive modules:
Webshow 0.53
Mastop publish 1
Page wrap 1.01
Userpage 1.21
Content 0.5

I also would like to delete the Admin user, I already have another webmaster account I would like to use instead. Edit user keeps telling me I cant delete 'admin'....

10
peterr
Re: Admin Hash exposed
  • 2007/9/5 7:18

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

bnations wrote:
.... , but now obviously the site cant even connect to the DB for administration.


I found using the following in .htaccess (in addition to turning the site off), in the event of a hack or attempted hack ..

Order Deny,Allow
Deny from all
Allow from my
.ip.add.res


It let's you do everything, and no-one else can access your site, assuming your IP is static.
NO to the Microsoft Office format as an ISO standard.
Sign the petition

Login

Who's Online

355 user(s) are online (296 user(s) are browsing Support Forums)


Members: 0


Guests: 355


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits