21
tesolguy
Re: Pages Loading to the Bottom Problem?
  • 2008/8/15 1:05

  • tesolguy

  • Just popping in

  • Posts: 15

  • Since: 2008/8/4 2


I think I am making some headway. Thanks to all who posted.

Here is what I did in case anyone is in the same boat.

I went into the menu on my webhost and went to the SQL tool. I then searched my entire database for "uokill" which is part of the virus name. I selected the files where they were located, about 3 places, and edited them deleting the <iframe>. I could not see the virus in my custom blocks like some others. It was invisible. I had to go through the backend.

Unfortunately I now have this problem. I get the error message:

"This page cannot be displayed due to an internal error.
If you are the administrator of this site, please visit the XOOPS Troubleshooting Page for assistance."

I manually turned on debugging but get no error messages.

The only thing I did was change the password to my webhost and turn on something called "AnonFTP" by mistake, then turned it off. After I did those 2 things I got the error.

Any ideas on what to do next would be appreciated.

22
blondie10101
Re: Pages Loading to the Bottom Problem?

I found the attack in my logs and it seems to have been too easy.

It's as if the hacker didn't even need to login to be able to access admin.php. Is it possible to forge a cookie that would bypass authentication?

If that's the case, how do we fix it ASAP?

23
Mamba
Re: Pages Loading to the Bottom Problem?
  • 2008/8/15 9:05

  • Mamba

  • Moderator

  • Posts: 11254

  • Since: 2004/4/23


Quote:
It's as if the hacker didn't even need to login to be able to access admin.php. Is it possible to forge a cookie that would bypass authentication?

I don't think so. Please email your logs to: security [at] xoops.org and explain why you think it was done via direct access to admin.php

24
mrjingles
Re: Pages Loading to the Bottom Problem?
  • 2008/8/17 20:51

  • mrjingles

  • Just popping in

  • Posts: 22

  • Since: 2004/11/10


Hi, I've just found this post after doing a Google search on "uokill.zh.od.ua" as this started to appear on my XOOPS site at www.paddysworld.co.uk .

Just wanted to let you know that I found the iframe embedded in a Custom Block I had created and also in the Footer meta tags on the XOOPS preferences. I removed them from these locations (they were 'cleverly?' disguised by having 20 blank lines above the entries) and it looks to have fixed the problem.

I am slightly concerned about how the site was hacked and if anyone had any idea how I could troubleshoot how it occurred and what I can do to prevent recurrence?

Thanks for any help, and I hope this post may help you to fix your problem.

Paddy
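
The cleanups described in this thread relied on searching for the string "uokill" and on spotting an iframe hidden below about 20 blank lines. The following is an added example, not part of any post in the thread and not XOOPS code: a Python check that flags every iframe in exported block and preference text whatever its name, and marks the ones that are zero-sized or pushed out of view by blank lines. The location labels, sample rows, host names and the padding threshold are constructed assumptions.

```python
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes that make a frame invisible to a visitor.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
PADDING_THRESHOLD = 5  # assumed cut-off: newlines directly above the tag

def scan_field(location, text, allowed_hosts=frozenset()):
    """Return one finding per iframe whose host is not explicitly allowed."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        url = src.group(1) if src else ""
        host = re.sub(r"^(?:[a-z]+:)?//", "", url, flags=re.IGNORECASE)
        host = host.split("/")[0].lower()
        if host in allowed_hosts:
            continue
        before = text[:m.start()]
        # Newlines in the whitespace run immediately preceding the tag.
        padding = before[len(before.rstrip()):].count("\n")
        findings.append({
            "location": location,
            "line": before.count("\n") + 1,  # where to look in an editor
            "host": host,
            "hidden": bool(HIDDEN_RE.search(tag)),
            "padded": padding >= PADDING_THRESHOLD,
        })
    return findings

def scan_rows(rows, allowed_hosts=frozenset()):
    """rows: iterable of (location label, field text) pairs from a DB export."""
    return [f for loc, text in rows for f in scan_field(loc, text, allowed_hosts)]

# Constructed sample data: (hypothetical location label, field content).
SAMPLE_ROWS = [
    ("custom block 7", "<p>Welcome</p>" + "\n" * 21 +
     '<iframe src="http://injected.example.invalid/x" width=0 height=0></iframe>'),
    ("footer preference", "Powered by XOOPS"),
    ("custom block 3",
     '<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, {"video.example.org"}):
        print(finding)
```

Running it against a fresh export after each cleanup shows whether the injection has returned, which would mean the entry point is still open.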
