1
limecity
URGENT Site hacked 2.0.18.2
  • 2008/12/30 6:42

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


A hacker has sent me a note telling me that my XOOPS site has been hacked,
and he has proven himself by logging in with the different user accounts and making postings in the forum randomly.

He has all the users' passwords, which I don't even know because they're encrypted.

I am asking whether it is a possibility that the hacker has decrypted the users' passwords?

I don't see much point in upgrading now, as the hacker has breached the site to an extent.

Please advise what I should do.
http://www.mounthiking.com
all your hiking gears and gadgets


2
stefan88
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/30 9:13

  • stefan88

  • Community Support Member

  • Posts: 1086

  • Since: 2004/9/20


Hi,


Change your admin password. Check the Webmaster group for new members. Check other groups for new rights.

You may inform your hosting provider - the hacker may be getting access through the web server.

Ask for the logs - they may help find the security hole and be helpful in court.

Maybe close the site and inform your users.

Check the files for changes. Clean caches...


What modules do you use and what version? Do you have protector installed?
..

3
ghia
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/30 10:23

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
he had proven himself by logging in with the different user accounts and making postings in the forum randomly.
If he has logged in as the user, you can see it by looking at the last login date of the users. He did not create new users for that purpose?
Else he has cracked your database and added posts in the tables with the id of the users.
Check if there is an additional database user created.
Check the port for MySQL is closed.
Are the targeted users still able to log in?
You have to find the attack vector (cause) in the logs, else all efforts like changing passwords are pointless.
Take a backup of your site and compare it with a previous one.
Install protector or upgrade it to the latest version.

Anyway, never pay anything:
- as it will encourage him to do this to others.
- as you will be unsure if he will not redo the operation next month.
Even if this means you have to rebuild the site from scratch.
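
The file checks suggested in this thread (stefan88's "Check the files for changes" and ghia's "Take a backup of your site and compare it with a previous one"), as an added example that is not part of the original posts. The directory names `cache`, `templates_c` and `uploads` are assumptions about the site layout; adjust them to the actual install.

```python
import hashlib
import os

# Assumption: directories the CMS regenerates at runtime; clear them, don't diff them.
VOLATILE = ("cache", "templates_c")
# Assumption: user-writable directory where server-side scripts are never expected.
UPLOADS = "uploads"


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Skip regenerated directories and symlinks (which may be dangling).
            if rel.split("/")[0] in VOLATILE or os.path.islink(full):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(backup_root, live_root):
    """Report files added, modified or removed in live_root relative to backup_root."""
    old, new = snapshot(backup_root), snapshot(live_root)
    added = sorted(set(new) - set(old))
    report = {
        "added": added,
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }
    # A script that appeared under uploads/ is the first thing to review.
    report["scripts_in_uploads"] = [
        p for p in added
        if p.split("/")[0] == UPLOADS and p.lower().endswith((".php", ".phtml"))
    ]
    return report


if __name__ == "__main__":
    import sys
    # Usage: python compare_trees.py <known-good backup dir> <copy of live site dir>
    for kind, paths in compare(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Run it against a copy of the live tree rather than the web root itself, and keep that copy untouched alongside the server logs.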

4
limecity
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/30 15:01

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


I have these modules installed

myalbum-p 2.86
contact us 1.6
polls 1
news 1.44
newbb 1.15
multimenu 1.71
shoutbox 4
am events 0.22
spotlight 2.1
xoopmembers 1
smartsection 2.13
weblog 1.41
online history 2
icontent 4.5
wf channel 1.06
myiframe 1.4
mylinks 1.1
wordbook 1
extcal 2.12
smartpartner 1.2
social bookmarks 0.3
mastop go2 1
xcgal 2.03
tellafriend 1.03
sitemap 1.27
linktous 1.01
mp manager 2.5
extgallery 1.01
xm-memberstats 2
weblinks 1.9
liaise 1.26
happy linux framework 1.4
smartclient 1.02
addresses 1.72
protector 2.57


5
limecity
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/30 15:07

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


Quote:

Anyway, never pay anything:
- as it will encourage him to do this to others.
- as you will be unsure if he will not redo the operation next month.
Even if this means you have to rebuild the site from scratch.

I will do as advised. Thank you.

This msg was left by the hacker using one of the users' accounts

Quote:

This is a message from the Anon Angel. This site has been hacked. All user IDs and passwords are known to me. I assure you that I mean to do no damage to the site. I have sent a message to the admins of the site, and will assist in fixing the problem as soon as possible. This message was just posted to inform everyone and let the admins know I wasn't kidding.
And 19GURL, I'm sorry but your username just happened to be first when all of them were arranged in alphabetical order :P

Cheers...
Anonymous Angel


6
McDonald
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/30 15:14

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


You might want to check if there are any updates available for some of your modules, because some have known vulnerabilities like these two:
- wordbook 1
- xm-memberstats 2
I am not sure about WF Channel 1.06 but I guess this version contains vulnerabilities.
If you have the Spaw editor installed (standalone or as part of a module) then get rid of it.
You also might consider upgrading Protector to the latest version (recommended!).


.::EDIT::.
You can use this list on the Secunia website for known vulnerable modules: http://secunia.com/advisories/search/?search=xoops&sort_by=date

7
limecity
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/31 1:37

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


I am going to rebuild the site.

My most crucial module for the site would be the 5 years' accumulation of forum postings and memberships.

Just wondering if I can reinstall XOOPS and import the database over?

Any possibility that the hacker can implement a backdoor through those 2?

Please advise what I need to look out for.


8
ghia
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/31 9:55

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


If the hacker has really decrypted some passwords, as he claims, then it is imperative that at least all users from groups with extended capabilities, such as the webmasters, have their password changed.
You can send a new password for the users also by using the lost password function or this custom block.
But it is also needed that you can determine from the available logs which backdoor was used by the hacker. If it stays open, then all your efforts may be useless.

9
limecity
Re: URGENT Site hacked 2.0.18.2
  • 2008/12/31 14:53

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


I wish to reset all the users' passwords
so the users can generate new ones to be sent to their emails.

Any way I can do that?
