1
Brendahoisin
OK, now I'm officially scared.

My XOOPS site is a week old. I love it - it has that nice "professional" look. After a few teething problems and lots of help from here, it does what I want and it's easy to maintain.

A day ago hours ago, I logged into the site, clicked on the admin menu and the screen refreshed and the admin menu had gone. I logged in again and admin menu isn't there! I was confused and decided to request a new password, which XOOPS sent me. I logged in with this and the admin menu reappeared. It's as though the site didn't believe I'm admin.

Now, 24 hours later, it's happened again. Now, when I log in, I get the "Thank you for logging in..." message at the top of the screen for a few seconds, but once the main page arrives, I'm still not logged in. But the scary thing is this. XOOPS sent me an email telling me that a password was requested (from my ISP) but later, there was another request to change my password from an ISP I didn't recognise - 66.249.67.91. What's going on?

And why do I always seem to have 3 or 4 users logged in? This site is a few days old and never been advertised! Right now, I can see 15 users logged in! 15!! The irony is, when I wanted traffic on my other sites I could never get it. So, (1) what causes the vanishing admin menu? (2) how can I stop it from happening again (3) who the hell are these users, anyway?

I have XOOPS 2.0.18 and, yes, I have Protector installed.

Is my XOOPS site really a magnet for hackers or am I just paranoid? Please help before I jettison the entire site as dangerous and unreliable.

*EDIT*
Typical - less than five mins after this post, I think I found out what was wrong. Seems like Xoom/admin only works if you use the original address of the site. I had the problems when I was using an address that only "pointed" to my site. (I can't remember the correct name for this redirect, but it means I can give my users a proper web site address) Once I used the original, more convoluted, one, all these symptoms disappeared (including the 15 phantom users). Still doesn't explain "me" requesting a password change from 66.249.67.91, though.

2
irmtfan
Re: OK, now I'm officially scared.
  • 2008/1/18 11:01

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


That IP is a Google bot, but I never heard of a bot requesting a password.

Quote:

Seems like Xoom/admin only works if you use the original address of the site. I had the problems when I was using an address that only "pointed" to my site.

Do you mean a link with www and without it?
It seems you had another site on the domain before and robots still try to crawl it?

3
Brendahoisin
Re: OK, now I'm officially scared.

No, I mean my site is..
http://www.mygeneralpurposesite.com/myxoomsite/

and people can get to it by typing...

http://www.mysite.com

..which is just a domain owned by me but set to point to my general purpose site, which actually has several other of my (non-xoom) web sites on it. Whereas "http://www.mysite.com" is what they see in their browser's address bar. That way, I can switch my actual site address to another without changing any marketing material (as the "public" address remains unchanged). I thought this was common practice? I popped over to the people I bought the domain name from and they call it "Forwarding" or "Frame Redirect". Anyway, it's incompatible with Xoom admin.

Looks like it could just be an attack of the robot web crawlers, after all. (Wasn't that a '50's Sci-Fi film?)

4
Will_H
Re: OK, now I'm officially scared.
  • 2008/1/18 12:05

  • Will_H

  • Friend of XOOPS

  • Posts: 1786

  • Since: 2004/10/10


domain masking.

5
trabis
Re: OK, now I'm officially scared.
  • 2008/1/18 13:51

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Recently I had problems with one user claiming she received password requests that she did not make. I followed the IP to the USA (my users are mostly from Portugal and Brazil). Then I googled that IP and found some threads referring that IP to Google. Later she told me that her password was always changing to the old password. Every day she changed passwords and the next day she had to use the old one because the new one would not work anymore. She even showed her last login date, it was about 3AM, and that means that someone logged in to her account.
My conclusion:
It was not Google but some hacker using a proxy that has access to her registered email and then requests a password. Then the hacker deletes the request from her email account, logs into the site and changes her password again (yes this is strange).
What I did:
Hacked XOOPS so it doesn't send new passwords to that user and provided that user a new password. No problems since then.

I took a month to do this because I thought that she was crazy or kidding me.

:)

6
irmtfan
Re: OK, now I'm officially scared.
  • 2008/1/18 14:02

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


trabis,
If someone has access to the email (hacked the email), I think changing the registered email in the profile can solve it.
Also, I checked this IP via a reliable website:
http://www.whois.sc/66.249.67.91
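
Added example, not part of any post in this thread: a whois lookup shows who owns an address block, while the check Google documents for confirming that a visitor is really its crawler is forward-confirmed reverse DNS (the PTR name must sit under googlebot.com or google.com and resolve back to the same IP). The sketch below implements that check in Python; the DNS tables, the PTR hostname shown for 66.249.67.91 and the other addresses are constructed sample data so it runs offline, and `verify_crawler_ip` is a hypothetical helper name.

```python
import socket

# Domains Google documents for its crawlers' reverse-DNS names.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """A-record lookup via the system resolver; list of IPv4 strings."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []


def verify_crawler_ip(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS. Returns (verdict, hostname)."""
    host = reverse(ip)
    if not host:
        return ("no-ptr", None)
    host = host.rstrip(".").lower()
    # Leading dot in each suffix stops look-alikes such as evilgooglebot.com.
    if not host.endswith(CRAWLER_SUFFIXES):
        return ("not-crawler-domain", host)
    # Anyone controlling their own reverse zone can claim any PTR name,
    # so the name must also resolve back to the connecting IP.
    if ip not in forward(host):
        return ("forward-mismatch", host)
    return ("verified", host)


# Constructed DNS data (not real lookups) so the example runs offline.
FAKE_PTR = {
    "66.249.67.91": "crawl-66-249-67-91.googlebot.com",
    "203.0.113.7": "crawl-66-249-67-91.googlebot.com",  # spoofed PTR
    "198.51.100.20": "host20.example.net",
}
FAKE_A = {"crawl-66-249-67-91.googlebot.com": ["66.249.67.91"]}


def demo():
    ips = ("66.249.67.91", "203.0.113.7", "198.51.100.20", "192.0.2.1")
    fwd = lambda h: FAKE_A.get(h, [])
    return {ip: verify_crawler_ip(ip, FAKE_PTR.get, fwd)[0] for ip in ips}


if __name__ == "__main__":
    print(demo())
```

Calling `verify_crawler_ip(ip)` without the last two arguments uses the live system resolver instead of the constructed tables.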
