1
theshepherd
New attack on my website
  • 2008/9/13 21:17

  • theshepherd

  • Just popping in

  • Posts: 5

  • Since: 2008/3/15


Hello everyone,

My website was attacked with a new homepage that is inscribed "miLwo ® m 0wnz You!" ...

The site is: http://www.gardmit.org

I recovered my database as well as the root / www

Is there a way to remedy this?

2
Yurdal
Re: New attack on my website
  • 2008/9/13 21:52

  • Yurdal

  • Friend of XOOPS

  • Posts: 386

  • Since: 2005/3/27


Please provide more information such as:

1. XOOPS version
2. Used modules (and the version numbers of the modules)

Did you install the Protector module? This is very important.

3
ghia
Re: New attack on my website
  • 2008/9/13 21:59

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Have you still access to your website admin panel?
If possible, take a final backup of what is left.
Use this to identify the changes and the dates.
Gather all possible logfiles.
Change all your passwords immediately (site, MySQL, XOOPS).
Check if there are extra (admin) users made and delete them.
This applies to the admin panel and to XOOPS.
Erase your site and upload it from a known good backup.
If you didn't already do so, install Protector.
Check the versions of the core and of all modules and upgrade to the latest versions.
Look in the logs (also ftp) for suspicious movements, match them with the dates of bad files.
Look up the IP's and block their NET with .htaccess.
If the website is running again, change all your passwords again.
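One way to carry out the log-matching steps above (dates of bad files against the access log, then blocking the source network in .htaccess), as an added Python example that is not code from the thread or from XOOPS. It assumes an Apache "combined" access log and the Apache 2.2 Order/Allow/Deny syntax; the log lines, file paths and dates are constructed sample data, and which files count as planted or modified is assumed to come from a comparison with a known good backup.

```python
"""Match the dates of planted / altered files with web-server access-log
entries and turn the source addresses into an .htaccess deny block.

Added example, not code from the thread or from XOOPS. It assumes an Apache
"combined" access log and that you already know which files are new
(planted) and which were changed (e.g. from a comparison with a good backup).
The log lines, paths and dates below are constructed sample data."""
import ipaddress
import re
from datetime import datetime, timedelta

# Apache combined log format, e.g.
# 203.0.113.45 - - [13/Sep/2008:19:02:11 +0200] "GET /x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Parse one combined-format line; returns a dict or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_requests(log_lines, planted, modified, window=timedelta(hours=2)):
    """planted: paths that did not exist in the backup; any request to them is suspect.
    modified: {path: mtime} of files whose content changed; a POST within `window`
    before such an mtime is suspect (an editor or file manager being driven)."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["path"] in planted:
            hits.append(rec)
            continue
        if rec["method"] == "POST" and any(
            mtime - window <= rec["ts"] <= mtime for mtime in modified.values()
        ):
            hits.append(rec)
    return hits


def offending_networks(hits, prefix=24):
    """Collapse the source addresses of the hits into /prefix networks (as strings)."""
    nets = set()
    for rec in hits:
        try:
            net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
        except ValueError:
            continue  # not an IP address (e.g. a hostname from a resolving log)
        nets.add(net.with_prefixlen)
    return sorted(nets)


def htaccess_deny(nets):
    """Apache 2.2 style block (the syntax in use in 2008) denying the given networks."""
    return "\n".join(["Order Allow,Deny", "Allow from all"]
                     + [f"Deny from {net}" for net in nets]) + "\n"


def analyse(log_text, planted, modified):
    """Run the whole correlation and also collect the browser signatures seen."""
    hits = suspicious_requests(log_text.splitlines(), planted, modified)
    nets = offending_networks(hits)
    return {"hits": hits, "networks": nets, "htaccess": htaccess_deny(nets),
            "user_agents": sorted({h["ua"] for h in hits})}


# Constructed sample data: two planted files, one altered file, five requests.
SAMPLE_LOG = """\
203.0.113.45 - - [13/Sep/2008:19:02:11 +0200] "GET /modules/icontent/include/wysiwyg/spaw_control.class.php?a=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.45 - - [13/Sep/2008:19:05:40 +0200] "POST /modules/icontent/include/wysiwyg/spaw_control.class.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Sep/2008:19:10:02 +0200] "GET /index.php HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.45 - - [13/Sep/2008:19:12:55 +0200] "GET /images/k.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
192.0.2.9 - - [13/Sep/2008:21:30:00 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
PLANTED = {"/images/k.php", "/views.php"}
MODIFIED = {"/index.php": datetime.fromisoformat("2008-09-13T19:20:00+02:00")}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, PLANTED, MODIFIED)
    for h in result["hits"]:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["ua"])
    print(result["htaccess"])
```

The two rules are deliberately narrow: an ordinary visitor fetching the defaced index.php is not flagged, only requests to files that should not exist and POSTs in the hours before a file changed. Widen the window or add rules once the real log shows what the attacker did; the user-agent list is what the thread calls browser signatures and lets you follow the same client back in time.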

4
theshepherd
Re: New attack on my website
  • 2008/9/13 22:15

  • theshepherd

  • Just popping in

  • Posts: 5

  • Since: 2008/3/15


XOOPS: French version: 2.0.18 fr
Modules: all modules are upgraded to their latest version.


I inspected my index.php and I found this code:

<title>miLwo®m 0wnZ You !</title>
<body bgcolor="#000000">
<center>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-9">
<meta http-equiv="content-language" content="TR">
<br><br><br>
<font face="Franklin Gothic Medium" color="#800000" size="6">miLwo®m 0wnZ You !
<br><br>
<font face="Franklin Gothic Medium" color="#FFFFFF" size="6">Greetz BlondeGirl
<br><br>
<img src="http://img378.imageshack.us/img378/1351/48221lv0.jpg">
<br><br>
<a href="http://www.h4cks.in/"><font face="Franklin Gothic Medium" color="#cccccc" size="4">h4cks.in</font></a>

5
ghia
Re: New attack on my website
  • 2008/9/13 22:57

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


If you are sure no other files are changed, you could upload your original index.php.
Check and verify your database too.

Is the file manager shown from inside XOOPS?
Then I hope it is strictly reserved for the webmasters group? (Nevertheless, it is an additional security risk.)

Check out your logs (also from protector) and match the dates to the dates of the changed files and try to figure out which modules were attacked and how access to your site was obtained. Try to follow IP's and browser signatures back in time for previous operations.

Also ask your host provider; it could also be that not XOOPS is hacked, but the server (and virtualization) software, if the hoster is not up to date with his software. He also has a view of more logs and can maybe tell you something about the attack vector.

You are not alone: yexo.bplaced.net, moto-plaisir.fr
All German hosters/servers, and the last one is also yours.

6
theshepherd
Re: New attack on my website
  • 2008/9/13 23:40

  • theshepherd

  • Just popping in

  • Posts: 5

  • Since: 2008/3/15


Thanks a lot ghia.

I re-uploaded the original index.php and it is working. I'll follow your advice and suggestions to see where this attack comes from.

Thank you very much

7
theshepherd
Re: New attack on my website
  • 2008/9/15 14:57

  • theshepherd

  • Just popping in

  • Posts: 5

  • Since: 2008/3/15


Analysis of the host:

1°- Pirates led the attack through the following scripts:

- /www/userdetail.php
- /modules/icontent/include/wysiwyg/spaw_control.class.php

2°- Malicious files have been downloaded to your site:

/www/images/views.php
/www/images/k.php
/www/language/french/mail_template/u.php
/www/language/french/mail_template/wait.php
/www/language/french/k.php
/www/language/french/questions.php
/www/language/french/verification.php
/www/language/french/verify.php
/www/modules/protector/mal.php
/www/modules/icontent/index.php
/www/modules/icontent/include/wysiwyg/spaw_control.class.php
/www/modules/icontent/include/wysiwyg/dialogs/config.php
/www/modules/icontent/include/wysiwyg/php.ini.php
/www/modules/icontent/include/wysiwyg/index.html
/www/modules/icontent/include/wysiwyg/config.php
/www/modules/icontent/include/config.php
/www/modules/icontent/inPages/Documentation_francaise_-_iContent_v4.0/images/phpinfo.php
/www/themes/phpkaox/style.php
/www/userdetail.php
/www/views.php
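An added Python example (not code from the thread, from the host's report, or from XOOPS) of the comparison behind a report like the one above: hash every file under the document root against a baseline manifest taken from a known good backup, list what was added, altered or removed, and flag PHP files sitting in directories that should only hold images, uploads or templates, as several of the paths above do. The demo tree and file contents are constructed, and the set of directory names treated as "no code belongs here" is an assumption about a typical XOOPS layout.

```python
"""Compare a XOOPS document root against a baseline manifest and flag
planted or altered files.

Added example, not code from the thread, the host's report or XOOPS. The
baseline is a {relative path: sha256} manifest taken from a known good
backup; the demo tree and its file contents are constructed. The set of
directory names treated as "should never contain PHP" is an assumption
about a typical XOOPS layout."""
import hashlib
import os
import tempfile
from pathlib import PurePosixPath

# Directories that legitimately hold only images, uploads, compiled templates
# or mail templates (assumed); a .php file anywhere below them is out of place.
NON_CODE_DIRS = {"images", "uploads", "cache", "templates_c", "mail_template"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """{relative posix path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def out_of_place_php(paths):
    """PHP files whose path passes through a directory that should hold no code."""
    flagged = []
    for rel in paths:
        parts = PurePosixPath(rel).parts
        if rel.lower().endswith(".php") and NON_CODE_DIRS.intersection(parts[:-1]):
            flagged.append(rel)
    return sorted(flagged)


def triage(root, baseline):
    """Report added, modified and removed files relative to the baseline, plus
    out-of-place PHP files in the current tree. Added files under module
    directories (like php.ini.php in the demo) still need a manual look."""
    current = manifest(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "out_of_place": out_of_place_php(current),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_demo():
    """Constructed demo: a small clean tree, a baseline of it, then files planted
    at the kinds of paths the host's analysis listed."""
    root = tempfile.mkdtemp(prefix="xoops-triage-")
    for rel, data in {
        "index.php": b"<?php include 'mainfile.php'; ?>\n",
        "userdetail.php": b"<?php /* clean user detail page */ ?>\n",
        "images/logo.gif": b"GIF89a constructed",
        "language/french/global.php": b"<?php define('_LANG', 'fr'); ?>\n",
    }.items():
        _write(root, rel, data)
    baseline = manifest(root)
    for rel, data in {
        "images/k.php": b"<?php /* planted (constructed) */ ?>\n",
        "language/french/mail_template/u.php": b"<?php /* planted (constructed) */ ?>\n",
        "modules/icontent/include/wysiwyg/php.ini.php": b"<?php /* planted (constructed) */ ?>\n",
        "userdetail.php": b"<?php /* altered (constructed) */ ?>\n",
    }.items():
        _write(root, rel, data)
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo()
    for kind, paths in triage(demo_root, demo_baseline).items():
        print(kind, paths)
```

In practice you would take the baseline manifest from the backup (or from a fresh download of the same XOOPS and module versions), keep it off the server, and run the triage against the live tree; the out-of-place rule also catches a phpinfo.php dropped into a documentation images folder, because it looks at every directory on the path, not only the first one.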

8
ghia
Re: New attack on my website
  • 2008/9/15 15:03

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Yeah, the notorious SPAW editor.
No one should want this one on the system.
