1
MikeShane
stopping hackers
  • 2009/4/22 11:50

  • MikeShane

  • Community Support Member

  • Posts: 144

  • Since: 2008/1/5 2


OK I just cleaned all of the i frame index injections off my server and changed all my passwords how do I keep the hackers from injecting my index pages again? How did they do it? any help?
It is a php hack
Musicians for musicians entertaining the world, what starts as a dream can live in reality!

2
trabis
Re: stopping hackers
  • 2009/4/22 12:38

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Keep your PC clean of virus, trojan, etc. Use trustable ftp programs.

3
ghia
Re: stopping hackers
  • 2009/4/22 13:10

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Check your Apache logs for suspect access patterns in order to identify a security weakness of a module. Look also in the Protector logs. Follow the trails by IP number, date and time and browser signature. Loading the logs in a spreadsheet gives you the ability to easy sort on this.

But as I said before the modified index hacking is in general a server access security breach (on your local PC (where you do the admin of the site)) by malware or a server wide breach due to eg older server software) and not likely a XOOPS problem.

4
MikeShane
Re: stopping hackers
  • 2009/4/22 19:54

  • MikeShane

  • Community Support Member

  • Posts: 144

  • Since: 2008/1/5 2


I'm afraid it is a XOOPS problem.
The attacks using this i frame injection is on Xoops, joomala, word press and other php driven sites. This means that there is something using php that the weakness is at. Thats why I'm looking for information on how they did it. One of the things id did was diable my protector so it was not accesable. I had a week old back up replacing the infected sites. The attack was only on two 2.3b XOOPS sites and one joomala site on same server. Nothing on html sites or an older XOOPS site that has not been updated yet.
Musicians for musicians entertaining the world, what starts as a dream can live in reality!

5
Runeher
Re: stopping hackers
  • 2009/4/22 23:41

  • Runeher

  • Module Developer

  • Posts: 825

  • Since: 2008/1/24


Did you do any work on the sites lately, perhaps with some free or "free" software? There can be lots of "extra features" with ie. torrent downloads...

6
jdseymour
Re: stopping hackers

Quote:

MikeShane wrote:
I'm afraid it is a XOOPS problem.
The attacks using this i frame injection is on Xoops, joomala, word press and other php driven sites. This means that there is something using php that the weakness is at. Thats why I'm looking for information on how they did it. One of the things id did was diable my protector so it was not accesable. I had a week old back up replacing the infected sites. The attack was only on two 2.3b XOOPS sites and one joomala site on same server. Nothing on html sites or an older XOOPS site that has not been updated yet.


It is the server that handles (interprets) php.

3 things to look at.

1. What user does the (apache) server run as?
2. What user owns the files on the server?
3. What are the file/folder permissions?

Answers should look like this:

1. server runs as a non privileged user (usually as apache).
2. Files and folders should be owned by the non privileged user the server is running as (in the above case apache).
3. Files should be 644 or -rw-r--r-- folders should be 755 drwxr-xr-x .

7
ghia
Re: stopping hackers
  • 2009/4/24 7:19

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
I'm afraid it is a XOOPS problem.
As also a Joomla site is affected, the problem is not specific XOOPS, but that the hacker is targetting php files.

Login

Who's Online

332 user(s) are online (258 user(s) are browsing Support Forums)


Members: 0


Guests: 332


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits