Hi all

Recently one of my sites which is still running 2.2.5 was hacked. Each php file had encrypted code added at the top of the file.
Every php file on my account was infected. The encrypted code was decoded by my provider and is as follows

My provider stated, "We checked the issue and we could see that the codes are added to use the default editor of XOOPS software that you are using."

Can anyone tell me what the added code does?

Just today another site which is running XOOPS 2.0.16 and OpenX was hacked. The hack added an encrypted code to the start of every php file in the following directories,
root, Cache, OpenX, CPG and Frameworks.

Can anyone direct me to a solution to stop this behavior? Is it true that the editor from even XOOPS 2.0.16 can be used to inject this kind of code into php files?

What procedures do I need to perform to troubleshoot and or prevent this issue?

Both sites are running on the same shared server. File permissions on the changed files were set to 755 and 644. Mainfile.php was not altered due to it being set to 444 I assume.

If I left out anything necessary to understand the situation please ask me to provide it.


Thanks for the help
Foz

If I remember correctly, older versions of fckeditor had a security risk.
I don't have a link right now, but you should updated to a newer version, or update your whole system to XOOPS 2.3.

First, you should not publicize hacking scripts!

Quote:Did he have additional data to support this claim? Or is he just jumping conclusions by seeing editor and default in the file path from the XOOPS part of your site in the decoded hack? BTW is FCKeditor your default XOOPS editor?

The referred file copper.php is a file that doesn't belong in the directory and is no part of the editor.
It has been induced there as part of the initial attack. Finding out how it came there will you learn more over the attack vector. All what is recently going on may be part of expoiting the hack.
Quote:That would be difficult without knowing what the copper.php file contains.

Quote:It contains the same, but tailored to the other site.

As you see in the file path a directory in your OpenX was used. You are running also other softwares as OpenX on your site(s), which can mean that your site(s) may contain other vulnerabilities than in the XOOPS system alone, which is relativly secure (or can be made to).

(I hope OpenX is not to open! (Sorry, couldn't resist!))
Quote:
Known attack vectors for XOOPS are the older Spaw editor and the contuedo module. To say more, you must make a list of all your installed XOOPS items (modules, frameworks, editors, ...) with their versions (see all xoops_version.php).
Quote:There are already a lot of threads with sound advice for the XOOPS part of your site. For the other parts, you should seek help on the support fora of the respective softwares such as from OpenX.
Quote:I don't believe that applies to his versions.

Hi Ghia_

Thank you for the detailed reply.


I did not ask my provider to provide support for his XOOPS editor entrance theory. Being a novice at this it never crossed my mind, but you are right , that question should be asked.

Using one of the links you posted, I changed my default XOOPS editor to tinyMCE instead of the XOOPS default. I assume it was originally FCK since I have never messed with the editors.

Unfortunately I had already restored the compromised files by the time I read your post asking what the copper.php file does. If this happens again I will make sure to follow up on that lead.

I did a cursory look at the OpenX site and did not find anything related to this hack..will continue to look.

Modules I am running on the 2.0.16 version are as follows:

WFDownload 3.2
pages 1.16
ads 3
Smartsection 2.13
Smartfaq 1.08
Liaise 1.26
Content 0.5
XHLD 3.07
Google Maps 0.83
Wordpress 2.05
protector 3.04
cbb 3.08
Xoops Tag 0.92
Smartclone 1
Happy Search 0.53
Happy Linux 1.4
Frameworks 1.22


Thanks Foz

Apart from the obvious updates for XOOPS and Protector, there is at first view nothing wrong with your module list.

Are you aware of this?
Quote:

I do not have "Allow PHP code in ads to be executed" enabled in my OpenX installation.

I found someone else with the exact issue running different software that uses similar editors.

http://www.tinyportal.net/index.php?topic=26106.0;all

I am still a bit confused. If the exploit is in FCK and I make another editor my default editor (tinymce) will that prevent the exploit through FCK?

Also from the link above it looks like tinymce may have a problem also?

Thanks again for all the help.

Foz

Quote:
No, if you use the editor or not makes no difference. as long as the files are on your system you are vulnerable.

The exploit uses the connectors. I don't know what the exact purpose is, but it seems you could upload files with it.
In the by the hackers used file config.php the following is stated:

Unfortunatly, in the editor distributed with XOOPS this was set to true as displayed above. I believe in the new 2.3.0 it is set to false.
I believe you might be safe if you upgrade FCKeditor to the latest version or set the setting to false.

As stated by tinyportal.net:
Quote:
The version of FCKeditor incorporated in 2.3.0 has to be checked if it complies with the latest official version.

If you are in doubt, remove the complete FCKeditor (all files in all (sub)directories)!

Quote:It might if it is an older version. I have asked the author to specify the affected version.

Hey, I was thinking the same as gaia, the least thing you wanna do is post what got hacked! Something similar had happened to me also with an old version from 2008 and I almost commited the same mistake as this.

As the guys mentioned the best thing to do is to look for updates and patch it ASAP!