I am feverishly trying to find out where this jerk deposited all his files. They all appear to be through any directory that has permissions of 777.

If any of the XOOPS programmers would like to see these php files, please PM me and I will be glad to show you what was done.

Most sites are current versions of Xoops, a number of them run protector, and still they were compromised. Thirteen in total.

I am going to try adding the .htacces file recommended in another post - make sure everything is current and protector is current.

This person's actions brought down two sites today which I was able to restore. However, since the PHP programs he uploaded were encrypted, I don't know what they have been doing all day.

I just found these an hour ago when I was checking out a XOOPS site and the updated the theme.

Ugh!! Any other suggestions would help. The earliest version on one of these sites is 2.0.16 and that one has protector installed too.

Thanks!

Just a suggestion since it is on a private server. Make all files and folders in the web directory owned by the user the server runs as, for instance "chown -R apache:apache /your/web/dir. Once you have this you can use chmod 775 permissions instead of chmod 777 permissions. The latter is world writable, meaning anyone can write to the folders, 775 only allows the user and group owning the folder to write to it (in this case the server). Much more secure.

Will this work? Even though the server is dedicated, I host client sites - not just my own.

Yes, the only reason 777 is needed is if the server is misconfigured, and unfortunately quite a few are. But yes it will work and should not cause problems for your clients.

Each clients site should run with its own user and php.ini.
So you will never need 777 and a script of a user cannot write to another clients space.

Have a look at suPHP or suexec. Suhosin may give you additional security. If you are running apache, see mod_security2 also.