1
kevcar
a phishing site has been uploaded to your
  • 2009/1/12 18:48

  • kevcar

  • Not too shy to talk

  • Posts: 127

  • Since: 2007/6/2 1


Received an email regarding this

Your 1&1 webspace has been attacked via a security leak in the software you
> installed. As a result of this attack, a phishing site has been uploaded to your
> 1&1 webspace. These sites are used to steal login information for eBay,
> PayPal, bank accounts etc. The site was to be found at:
>
> http:\\********\xoops_lib\modules\wachovia\index.htm
After having analyzed the attack and disabled the files related to the phishing
> site, we will unlock your webspace.
>
> The intrusion was processed via your script:
> ./xoops_lib/modules/protector/notification.php
>
>
> These files were used to upload the malicious content or send spam:
> ./themes/zetagenesis/img/questions.php
> ./themes/zetagenesis/img/verification2.php
> ./themes/zetagenesis/img/verification3.php
> ./themes/zetagenesis/img/verification.php
> ./themes/zetagenesis/img/verify.php
> ./themes/zetagenesis/img/wellsfargo.php
> ./themes/zetagenesis/img/wellsfargo-online.php
> ./uploads/tmx.php
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.htm
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.php
> ./xoops_lib/modules/protector/library/get.php
> ./xoops_lib/modules/protector/library/index.html
> ./xoops_lib/modules/protector/library/thankyou.htm
> ./xoops_lib/modules/protector/library/notes.txt
> ./xoops_lib/modules/protector/library/webpay/get.php
> ./xoops_lib/modules/protector/library/webpay/thankyou.htm
> ./xoops_lib/modules/protector/library/webpay/index.html
> ./xoops_lib/modules/protector/library/webpay/notes.txt
> ./xoops_lib/modules/protector/language/german/wuse.php
> ./xoops_lib/modules/protector/language/russian/gate.php
> ./xoops_lib/modules/protector/main/index.php
> ./xoops_lib/modules/protector/main/wellsfargo-online.php
> ./xoops_lib/modules/protector/main/questions.php
> ./xoops_lib/modules/protector/main/verification.php
> ./xoops_lib/modules/protector/main/verify.php
> ./xoops_lib/modules/protector/main/mail11[1]..php
> ./xoops_lib/modules/protector/wuse.php
> ./xoops_lib/modules/protector/code.php
> ./xoops_lib/modules/protector/admin_page.php
> ./xoops_lib/modules/protector/notification.php
> ./xoops_lib/modules/wachovia/index.htm
> ./xoops_lib/modules/wachovia/index2.htm
> ./xoops_lib/modules/wachovia/login2.php
> ./xoops_lib/modules/wachovia/wachovia.php
> ./xoops_lib/plain.php
>



2
noo-b
Re: a phishing site has been uploaded to your
  • 2009/1/12 22:35

  • noo-b

  • Just can't stay away

  • Posts: 456

  • Since: 2007/10/23


sorry to hear this..

i think this is related

https://xoops.org/modules/news/article.php?storyid=4601

1. make sure there's an index.html file in every folder with the following code inside:
<script>history.go(-1);</script>



2. put xoops_lib outside document root or put htaccess in xoops_lib

Quote:

order deny,allow
deny from all
I Love Xoops

3
Anonymous
Re: a phishing site has been uploaded to your
  • 2009/1/13 9:58

  • Anonymous

  • Posts: 0

  • Since:


Quote:
noo-b wrote:

2. put xoops_lib outside document root or put htaccess in xoops_lib


Good idea to rename the folder too (you'll need to change the reference to it in mainfile.php too).

4
kevcar
Re: a phishing site has been uploaded to your
  • 2009/1/23 18:25

  • kevcar

  • Not too shy to talk

  • Posts: 127

  • Since: 2007/6/2 1


Thanks for all the help, all infected files are now deleted.

Thanks Guys

5
Parafal
Re: a phishing site has been uploaded to your
  • 2009/1/23 19:54

  • Parafal

  • Just popping in

  • Posts: 98

  • Since: 2003/6/7 2


Quote:

noo-b wrote:
sorry to hear this..

i think this is related

https://xoops.org/modules/news/article.php?storyid=4601

1. make sure there's an index.html file in every folder with the following code inside:
<script>history.go(-1);</script>




Hi, just a question.

I can only put this code in a empty html file? that's it? Or I need to put another code like <body></body> etc?

And I must put this index.html file in every folder, no exceptions?

Thanks
-|Parafal|-

6
ghia
Re: a phishing site has been uploaded to your
  • 2009/1/23 22:45

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Yes, only the text as showed. If you look around on your site, there should be plenty examples, which you can copy.
In principle, every directory should have this file.

You can also add this to your .htaccess:
Options All -Indexes


Read also some threads and articles for advice about hacked sites.

If files have been altered, change all your administration passwords on all levels (XOOPS admin, MySQL, site, FTP, ...).

Login

Username:
Password:

Lost Password? Register now!

Who's Online

55 user(s) are online (33 user(s) are browsing Support Forums)


Members: 0


Guests: 55


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits