1
Andrwski
2.0.6 Vulnerabilities?
  • 2004/3/16 2:33

  • Andrwski

  • Just popping in

  • Posts: 18

  • Since: 2003/11/17


Hi.. a while back I had my site hacked & locked out of my admin account, but I was able to regain entry through the database. Then I upgraded to 2.0.6 and changed webhosts (but not for that reason). I also .htaccesse'd the /system/ directory. I thought my problems were over, but recently someone's been deleting posts, changing my info etc. Are there any known vulnerabilities for XOOPS 2.0.6? I am on a shared hosting account, running the News, Newbb, Mydownloads, Mylinks, Contact Us, myAlbum 1.1.3, quotes & polls modules. Thanks for the help,


-Andrewski

2
Stewdio
Re: 2.0.6 Vulnerabilities?
  • 2004/3/16 3:07

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7 1


This is a rare bird indeed. Some common questions before the community elaborates further; if I may.

Are you on a shared computer?
Is it possible that someone who has access to your computer might be playing around with things they shouldn't? Kids, brother or sister etc. Also, a stored password in your FTP client can allow others access to your entire site. A shared computer requires extra strong vigilance on your part in terms of locking down and securing your applications, files and web access points.

Are you using a common password?
Is your password unique in that it is not one of your standard catch-all passwords that you use for everything else?

Have you deleted your install/upgrade files and folders?
It is very important to delete these scripts, as anyone who can access these can gain access to your XOOPS system.

Have you set your permissions correctly?
Make sure that your files are chmoded correctly during bash installs, through SSH or through your FTP client.

Are you the only webmaster user in the webmaster group?
Be sure that you are the only person with this special kind of group access. Create specific groups for your web management needs if you need more than one person to maintain your site.

These are but just a few of the very common things I can think of. Cookies are not an issue from my point of view, but delete them anyhow. Also, if you have enabled the autologin feature for your site, I strongly recommend disabling it. This would have required un-commenting code in specific core files, so it's not something that is automatic and you would know if you enabled this less secure, but freely available feature.

I'm not asking these questions because I think that you are new to your environment. In order to maintain this post I am trying to help in avoiding possible questions from others in the community that may seem alarmist due to knee jerk reactions.

Your situation is nearly unheard of with Xoops, and common security related issues are almost immediately remedied when spotted. It's possible that you may have stumbled upon something based on a rare set of server configuration circumstances.

More advanced users in the community may ask what sort of specs your site/webhost is running on, such as mySQL version, PHP info, server environment, etc etc, so have that ready when asked so that we may all benefit from this experience.

Once all possibilities of XOOPS being at fault have been eliminated, it may be necessary to contact your webhost for server logs. Speaking of which, go through your own RAW FTP/Web logs and compare the times and IP addresses. If your site is at risk, your webhost could be at risk as well and it may be prudent to keep them in the loop if needed so that they may take the proper steps necessary to secure their servers.

This post is for the benefit of everyone, so whatever information we all glean from this is important and worthy of reading.
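The log comparison suggested in the post above (raw FTP and web logs, matched on time and IP address), as an added example that is not part of the original post. The log lines, IP addresses, paths and the `andrw` FTP user are constructed, and both logs are assumed to use the same clock and timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread). 198.51.100.20 plays the site owner.
WEB_LOG = """\
198.51.100.20 - - [16/Mar/2004:01:50:11 +0000] "POST /user.php HTTP/1.1" 302 0
203.0.113.7 - - [16/Mar/2004:02:14:40 +0000] "POST /modules/newbb/delete.php HTTP/1.1" 200 512
203.0.113.7 - - [16/Mar/2004:02:15:02 +0000] "GET /admin.php HTTP/1.1" 200 9120
192.0.2.44 - - [16/Mar/2004:02:20:00 +0000] "GET /index.php HTTP/1.1" 200 4312
"""
FTP_LOG = """\
Tue Mar 16 01:45:30 2004 2 198.51.100.20 20480 /public_html/themes/logo.png b _ i r andrw ftp 0 * c
Tue Mar 16 02:10:05 2004 1 203.0.113.7 1834 /public_html/mainfile.php b _ o r andrw ftp 0 * c
"""
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}

def parse_web(text):
    """Apache common-log lines -> (time, ip, 'web', 'METHOD /path') tuples."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:  # malformed lines are skipped, not fatal
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            # Offset is dropped: assumes both logs share one clock and timezone.
            events.append((ts.replace(tzinfo=None), m.group(1), "web",
                           f"{m.group(3)} {m.group(4)}"))
    return events

def parse_ftp(text):
    """xferlog lines -> (time, ip, 'ftp', 'direction /path') tuples."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 18:  # a filename containing spaces would break this split
            ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            events.append((ts, f[6], "ftp", f"{DIRECTION.get(f[11], f[11])} {f[8]}"))
    return events

def correlate(web, ftp, known_ips, window=timedelta(minutes=15)):
    """Unknown IPs that appear in BOTH logs within `window`, with their events."""
    hits = {}
    for w in web:
        for f in ftp:
            if w[1] == f[1] and w[1] not in known_ips and abs(w[0] - f[0]) <= window:
                hits.setdefault(w[1], set()).update((w, f))
    return {ip: sorted(events) for ip, events in hits.items()}

if __name__ == "__main__":
    found = correlate(parse_web(WEB_LOG), parse_ftp(FTP_LOG), {"198.51.100.20"})
    for ip, events in found.items():
        for ts, _, source, what in events:
            print(ip, ts, source, what)
```

An address that shows up in both logs within minutes and is not one of your own is the entry worth passing to the webhost along with the timestamps.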

3
Andrwski
Re: 2.0.6 Vulnerabilities?
  • 2004/3/16 3:47

  • Andrwski

  • Just popping in

  • Posts: 18

  • Since: 2003/11/17


My computer is used only by me, and whenever I'm away from it it's secured (at least enough to keep my family off). My password is unique, and uses both upper/lowercase words & numbers. I've deleted all the install/upgrade files, and set my mainfile.php to 444. (not sure if there's any other files that need to be changed). I'm the only administrator, I do have a special moderator group but they only have admin access to the forum (and I know & trust them). Also, I've recently scanned my computer with spy sweeper and kaspersky antivirus. Any other questions I'll be happy to try and answer.

4
ajaxbr
Re: 2.0.6 Vulnerabilities?
  • 2004/3/16 9:55

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


It might be that your hosting is flawed. Visit http://www.gimpster.com/wiki/PhpShell, upload its files (change the default password) and try a simple command like "ls /" (Linux version of "dir c:\"). If you get anything other than your account's root, it probably means that people are able to read and edit any of your .php files with server privileges (i.e., it would not be possible to delete your mainfile.php because it's 444, but it would be possible to read its source).
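The file-permission points raised in this thread (leftover install/upgrade folders, mainfile.php at 444, and a 444 file still being readable by others on a shared host), as an added example that is not part of any post above. The directory names in `INSTALLER_DIRS` and the demo tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

INSTALLER_DIRS = ("install", "upgrade")  # assumed names; adjust to your release

def audit_xoops_root(root):
    """Return sorted (relative_path, finding) pairs for a XOOPS document root."""
    findings = []
    for name in INSTALLER_DIRS:
        if os.path.isdir(os.path.join(root, name)):
            findings.append((name, "installer directory still present"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable ({mode:03o})"))
            if name == "mainfile.php":
                if mode & 0o222:
                    findings.append((rel, f"writable ({mode:03o}); the thread sets 444"))
                if mode & stat.S_IROTH:
                    # 444 blocks edits, but any account on the box can still
                    # read the database credentials stored in this file.
                    findings.append((rel, f"readable by other accounts ({mode:03o})"))
    return sorted(findings)

def build_sample_tree():
    """Constructed demo tree: leftover install/, 777 uploads/, 444 mainfile.php."""
    root = tempfile.mkdtemp(prefix="xoops-audit-")
    for name, mode in (("install", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit, independent of umask
    mainfile = os.path.join(root, "mainfile.php")
    with open(mainfile, "w") as fh:
        fh.write("<?php // constructed placeholder, no real settings\n")
    os.chmod(mainfile, 0o444)
    return root

if __name__ == "__main__":
    for path, finding in audit_xoops_root(build_sample_tree()):
        print(f"{path}: {finding}")
```

Whether the "readable by other accounts" finding can be tightened depends on which user the host runs PHP as, which is a question for the webhost.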
