XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / Site Hacked - index.php - urgent
Register
1
limecity
Site Hacked - index.php - urgent

  • 2009/6/16 10:18

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


using XOOPS 2.32

iframx src="http://SPAM_host.cn:8080/ts/in.cgi?pepsi66" width=125 height=125 style="visibility: hidden"></iframx


the index.php was hacked over again. after recovery.

I am using these modules:

polls 1
news 1.44
newbb 3.08
shoutbox 4
am events 0.22
spotlight 2.1
smartsection 2.13
weblog 1.41
wf channel 1.06
mylinks 1.1
extcal 2.12
smartpartner 1.2
mastop_go2 1
guide 2.12
xcgal 2.03
mpmanager 2.5
extgallery 1.01
weblinks 1.9
liaise 1.26
addresses 1.72
protector 3.22


which is a bad module with security problem?

Edit by ghia: removed spam URL
http://www.mounthiking.com
all your hiking gears and gadgets

2
ghia
Re: Site Hacked - index.php - urgent

  • 2009/6/16 10:28

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Please don't post SPAM domains!!!

At first site, I don't think there is a known module with security leaks. Some may require upgrades as eg News.
Is there a Spaw editor in use?
Did you install the Protector outside the webroot?
Could you see in the Apache logs how it has been done?
Did you change all your access passwords for eg FTP etc?
3
limecity
Re: Site Hacked - index.php - urgent

  • 2009/6/16 10:38

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


sorry about the url thingy.

i don't have spaw editor in use.

i'll check on the protector

i'll get the apache logs from the web host

i change all my password yesterday and again today.

http://www.mounthiking.com
all your hiking gears and gadgets

4
limecity
Re: Site Hacked - index.php - urgent

  • 2009/6/16 10:46

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


I have protector in both the modules folder and also in the xoops_lib
if i rename either one of them, I will get an error.
which I think both are in use? is it suppose to be that way?
http://www.mounthiking.com
all your hiking gears and gadgets

5
ghia
Re: Site Hacked - index.php - urgent

  • 2009/6/16 11:01

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Spaw in use or not, if it is present you are vulnerable!

For the Protector module and its directories, see this and this (follow all links).
6
limecity
Re: Site Hacked - index.php - urgent

  • 2009/6/16 11:11

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


Where would I usually find the spaw editor. which folder?
http://www.mounthiking.com
all your hiking gears and gadgets

7
ghia
Re: Site Hacked - index.php - urgent

  • 2009/6/16 12:21

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


It is very possible you don't have it. The folder is called spaw or spaweditor.

I wanted only to emphasize that having it, but not using it, doesn't protect you. If it is present, it has to be deleted.
8
limecity
Re: Site Hacked - index.php - urgent

  • 2009/6/16 12:46

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


my protector seems to be installed securely.

I am very curious on how they hack the site and inject the index.php

http://www.mounthiking.com
all your hiking gears and gadgets

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

153 user(s) are online (99 user(s) are browsing Support Forums)

Members: 0

Guests: 153

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits