1
salutipeles
My Xoops site is hacked by exploits which create iframes
  • 2009/10/7 11:26

  • salutipeles

  • Just popping in

  • Posts: 3

  • Since: 2009/10/7


Hi,
My site is hacked very often by exploits which use to edit my "index.php" files (among others) by adding an iframe to a malicious site. Sometimes they also create ".htaccess" files which redirect the site to these malicious websites.
After the first attack I cleaned the site, my hosting enterprise told me that my scripts allowed execution of malicious content, so I upgraded it to XOOPS 2.3.3, I thought that it would solve the problem... but it doesn't, my site is attacked again and again in a few days.

I still have to change my FTP password (I didn't buy the hosting and I have to contact the one who did), apart from that, what could I do to protect my site?

Thanks in advance!

2
ghia
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/10/7 11:45

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


There is a module to check the index files and remove iframes from them, but as there are also other files involved it is best to use a full bakup to restore files.

You must find out how the hackers get access. Look into your Apache log files for that. Since the event repeated, the period to check is limited.

What modules do you have installed?

Some exploits may be, the SPAW editor, xoops_lib and xoops_data inside the webroot. Correct these immediatly if this should be the case.

It doesn't need to be the XOOPS core and modules that are the hackers' inroad. Other possibilities are not up to date server software (LAMP, panel) or malware (virus, key logger) on the users PC where the XOOPS site is managed from (passsword theft) .
Check also these areas.

3
salutipeles
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/10/16 6:56

  • salutipeles

  • Just popping in

  • Posts: 3

  • Since: 2009/10/7


Thanks for your advice.
I realized that my xoops_data and xoops_lib were still inside the webroot, I fixed that but my site is attacked again and again and again, and it's really pissing me off.
I still haven't managed to change my FTP password though.
Where are the Apache log files stored?

4
ghia
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/10/16 8:25

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
I still haven't managed to change my FTP password though.
You should do this as the first thing.
Quote:
Where are the Apache log files stored?
Don't you have some site admin panel as eg cPanel or Plesk, or a file manager to see things like eg /var/log/httpd?
If your hoster does not provide such tools, you may think about shifting hoster.

Check also by verifying a backup with a known good one for altered files and files that are added and correct that. (For looking up altered files you can also use the file check (see release notes)).
The same for the database, remove all suspect records.
Check also all accounts (XOOPS, FTP, database, site login, ...) for added users and delete them. Change all passwords for your accounts on these and make it strong (min length = 8; upper- and lowercase letters, digits, if allowed: punctuation)


5
bjuti
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/10/16 8:59

  • bjuti

  • Just can't stay away

  • Posts: 871

  • Since: 2009/1/7 2


Change your FTP password and check your computer for trojans and exploits. This is common problem and not so related to xoops.

6
wishcraft
Re: My Xoops site is hacked by exploits which create iframes

I have had that happen, you have been browsing sumo torrents to much, it has installed a virus, there is a couple that will edit all php and html files with iframes on your PC..

7
onasre
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/10/16 17:26

  • onasre

  • Not too shy to talk

  • Posts: 150

  • Since: 2006/8/12


One thing People Forget , that your Computer maybe Got Hacked and your Computer Now is a nest for the Hacker . So in any time you going to download Fresh files of XOOPS and unzip them to start uploading they will get infected again ..

1-First thing you Must do . is Make sure you check your Computer from any Viresus, Spyware, adware

use AVira , AVG, Malwarebytes..
i prefer Avira to check my files for viruses and Malwarbytes to check for adware.

when all clean .

2- Change Passwords to your Site account, ftp, emails..

3- when done .. Log in to your ftp , clean every thing, Because you might have the virus Layin somewhere in the files .

4- Upload fresh Files of xoops.

5-Make sure No Folder Chmod 777 but folders inside Xoops_data and config folder inside xoops_lib

Make sure your mainfile.php chmod to 444

6-Make sure the Modules and third party Programs u use are up to date and no known bugs been reported.

7- Change your admin password at your XOOPS site.

8- The last thing is make sure if you have enabled uploading to your site to disable it as it could be the Hole to where u got hacked..


8
shakirataylo
Re: My Xoops site is hacked by exploits which create iframes

This is really helpful for me as I'm also facing the same problem. Thanks you guys for all the advice which I can find here.

9
bjuti
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/11/9 10:27

  • bjuti

  • Just can't stay away

  • Posts: 871

  • Since: 2009/1/7 2


One more advice... Always have fresh backup of the site. At least just files, not the base. (but do backup of the base also!)

Almost every hosting have function in CPanel filebrowser to ZIP your entire dir. If it's not an option... copy files via ftp.

And keep it in archive (like zip), it's harder for trojan to add bad in it. Then you could just copy your archive content over infected files on server.

10
Peekay
Re: My Xoops site is hacked by exploits which create iframes
  • 2009/11/9 16:49

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


It's a good idea to keep user agents that identify themselves as Perl (or pycurl) off your server. Perl has perfectly valid applications, but sadly from our log, 100% of these requests are trying to access forbidden files, or install back doors by targetting files with known vulnerabilities, like the older spaw control class.

The UA can be cloaked, but it's surprising how many leave 'libwww-perl' in the string. We reduced intrusive traffic by thousands of requests simply by adding an htaccess file to the root directory containing:
SetEnvIfNoCase user-agent "^.*(libwww-perl|curl|pycurl).*" getout
<Limit GET POST>
 
Order Allow,Deny
 Allow from all
 Deny from env
=getout
Limit>

If your server supports MOD_REWRITE you can alternatively use that method to redirect the request, but the above should work on all Apache servers.

Of course the cloaked requests still get access, so we are currently testing The Perishable Press 4G Blacklist on a few XOOPS sites. This addition to htaccess (or httpd.conf) focuses on blocking illegal character use in the request rather than blocking user agents, which of course can be completely forged.

From the feedback, it appears that the content may need to be adjusted to suit certain applications (some Joomla users have had to remove a few blocked chars) but it looks really worthwhile.

HTH

Login

Who's Online

194 user(s) are online (139 user(s) are browsing Support Forums)


Members: 0


Guests: 194


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits