1
kjs222
Xoops Site Defaced Multiple Times...
  • 2004/8/5 14:18
  • Friend of XOOPS
  • Posts: 116
  • Since: 2003/3/1 1

Good day Everyone,

ONE of my many XOOPS sites has come under multiple automated attacks from a hacker user/group known as "r00t_system."

This post is meant to serve four purposes:

1. Report the Crack
2. Describe circumstances around the crack,
3. Request advice from super-geek-guru peers, and
4. Act as a reference in case others come across the same problem.


The Crack

An automatically generated generic cracker brand:
"r00t System ownz you!"

For references see:

Zone-H Digital Attacks Archive:
http://www.zone-h.org/en/defacements/filter/filter_defacer=r00t_System/page=1

Record of an E-Xoops Attack:
http://www.modscentral.com/modules/newbb/viewtopic.php?topic_id=975&forum=1


Crack Circumstances

Server:
- Some hybrid of both unix/linux + windows server run by Bell Canada.

Xoops System:
- XOOPS V.2.0.3 ~ with a number of PHP files modified by developers, though no serious hacks

Active Modules:
- Most Standard Mods...
- CJay2
- Agenda-X 1.1
- eCal 2.2
- OS Commerce .1
- Contact + .8

Inactive Modules:
- A few Standard Mods.


My Thoughts so far on the Solution

disclaimer/context: I'm not a systems-level guru, I know how to code, I know databases, I can navigate linux... that's about it.

While I'd like to blame the bug simply on the fact that Bell Canada has Windows installed on their server (note: they claim they have a Linux/Samba/Windows setup that is "new and secure behind firewall after firewall...."), at this time I'm leaning more towards a PHP code vulnerability. As seen in the references given in "The Crack" section, this seems to be an automated attack; however, looking at the eXoops reference, it looks like it's exploiting vulnerabilities of my old XOOPS PHP code.

What doesn't make sense to me is that there doesn't appear to be records of such hacks in XOOPS before (the one referred to is in eXoops). Here's the closest thread I could find to this one:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=18824&forum=13#forumpost80232

So, having said all that, here's my best guess so far:

Quote:
XOOPS MyTextSanitizer Filtering Bug Allows Remote Users to Conduct Cross-Site Scripting Attacks in many modules: News, newbb, private messages, signatures etc...

Date:
29 April 2003

Security Alert ID:
1006523

Added by:
HH

After the module glossary and gallery of XOOPS, another risk in MyTextSanitizer has been found which permits some CSS injection in XOOPS versions 1.3.x to 2.x.

This is the function in XOOPS that filters special characters or malicious scripts.

A remote user can bypass the Sanitizer and conduct cross-site scripting attacks with a post in a board topic (newbb), by sending a malicious private message to the admin, by inserting script in a news comment...

Example :

java script:alert%28document.cookie%29
with img tags

from:http://hackerzhell.co.uk/exploits.php?sid=1006523


That's what chief 108 from the modscentral board pointed to in one of his posts...

So, I'm stumped at this point as to what to do. We changed all the server passwords and the site was re-hacked the next day. It's been hacked 7 times; once on a different server. I'm really thinking it's a vulnerability in one of my PHP docs, but I hate to start updating them all one-by-one without knowing for sure that the site may still be hacked when I finish (in a few months).

Any comments welcome.

Thanks,
Keith
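
The sanitizer bypass quoted in the advisory above (a "javascript:" URL hidden by a space and percent-encoding inside an img tag) comes down to a filter that inspects the raw attribute value for a literal string. The block below is an added example, not XOOPS or MyTextSanitizer code, written in JavaScript: it puts that naive check beside a hardened one that decodes and normalises the value before allowlisting the scheme, then applies the hardened check to img tags in a constructed HTML snippet. The function names, the allowed-scheme list, and the decision to accept relative references are assumptions.

```javascript
// Added example (not XOOPS code): why a literal "javascript:" blocklist fails and
// what a normalise-then-allowlist check does instead.

// Assumed allowlist of URL schemes a site is willing to embed in img/a tags.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// The kind of check a simple blocklist sanitizer performs: a literal substring match
// on the value as submitted. Whitespace or percent-encoding inside the scheme defeats it.
function naiveIsSafeUrl(value) {
  return !String(value).toLowerCase().includes("javascript:");
}

// Recover the scheme the browser would actually see: percent-decode (bounded, because
// values may be encoded more than once), drop ASCII whitespace/control bytes, then
// match an RFC 3986 scheme prefix. Returns null when there is no scheme (relative URL).
function extractScheme(value) {
  let s = String(value);
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s);
    } catch (e) {
      break; // malformed escape sequence; keep what we have
    }
    if (decoded === s) break;
    s = decoded;
  }
  // Browsers discard tabs/newlines inside URLs; being stricter and removing all
  // C0 controls and spaces is safe for a sanitizer (it only rejects more).
  s = s.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: allowlist the normalised scheme; accept scheme-less (relative)
// references such as "images/logo.png" (assumption for this example).
function hardenedIsSafeUrl(value) {
  const scheme = extractScheme(value);
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// Strip <img> tags whose src fails the hardened check. Regex-based tag matching is
// enough for this demonstration; a production sanitizer should walk a real HTML parse.
function sanitizeImgTags(html) {
  return String(html).replace(/<img\b[^>]*>/gi, (tag) => {
    const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : "";
    return hardenedIsSafeUrl(src) ? tag : "";
  });
}

// Constructed inputs: the advisory's own example string plus a few benign values.
const SAMPLE_URLS = [
  "java script:alert%28document.cookie%29", // from the quoted advisory
  "JavaScript:alert(1)",                    // case variation
  "http://example.com/a.png",               // benign absolute URL
  "images/logo.png",                        // benign relative reference
  "http://example.com/?q=javascript:x",     // benign; naive check rejects it
];

// Compare both checks over the samples; returns a table the caller can inspect.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, naive: naiveIsSafeUrl(u), hardened: hardenedIsSafeUrl(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
  console.log(sanitizeImgTags('<p>hi</p><img src="java script:alert%28document.cookie%29"><img src="http://example.com/a.png">'));
}
```

The first row of the comparison is the advisory's case: the naive check passes it (no literal "javascript:" in the raw value) while the hardened check rejects it, and the last row shows the opposite mismatch, a harmless query string the blocklist wrongly blocks. The general lesson is to canonicalise the value the way the consumer (here, the browser) will, and only then decide against an allowlist.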

2
Mithrandir
Re: Xoops Site Defaced Multiple Times...

Probably not a bad idea for us to update the text sanitizer... a little more dynamic approach would be good, I think.

Anyone with a good idea for this is encouraged to submit it to the SourceForge Patches Tracker

3
Herko
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 14:43
  • XOOPS is my life!
  • Posts: 4238
  • Since: 2002/2/4 1

Well, it could be a known vulnerability in AgendaX, and in XOOPS 2.0.3. We're getting ready to release XOOPS 2.0.8, and there have been many, many bugfixes since then, so that's a good reason to upgrade your site to the latest versions of modules and core. I also note here the date of the security report you posted; it's dated over a year ago...
Another thing could be that the server is using shared hosting, and that another account was compromised, and thus they use server holes to gain access to all sites on that server.

Herko

4
m0nty
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 17:23
  • XOOPS is my life!
  • Posts: 3337
  • Since: 2003/10/24

Yes, I would agree with Herko..

Updating will more than likely reduce the risk of it happening again.

AgendaX 1.1 has already been documented with cross-site script attacks and users were informed on this site & on the developers' site to upgrade.. currently AgendaX is at V2.2 and that vulnerability is no longer there.

5
jmass
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 17:41
  • Friend of XOOPS
  • Posts: 524
  • Since: 2003/12/18

I also notice that you are running with register globals off. (You have to be to run the OS Commerce mod.)

That is a big step back in security.

JMass

6
kjs222
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 18:38
  • Friend of XOOPS
  • Posts: 116
  • Since: 2003/3/1 1

Ain't community great!

Thank you all for the advice... very appreciated.

The only thing I'm wondering is if Herko has an automated "You should upgrade" script working on these boards - I think this is the 5th or 6th post I've gotten that on from him. Seriously though, apart from the looming agony of hours of version checking, I know these are wise words from the wise.

Hope no-one else finds themselves in my situation!

Keith

7
Herko
Re: Xoops Site Defaced Multiple Times...
  • 2004/8/5 19:05
  • XOOPS is my life!
  • Posts: 4238
  • Since: 2002/2/4 1

So I can de-activate the autoresponder-filter now?

Seriously tho, one of the things on the to-do list is an alert that lets you know if newer versions are available somewhere. Also on that list is a security alert notification system (try that with scrabble!) to let webmasters know there might be possible security issues, and that it would be prudent to upgrade asap, and take appropriate action. But how to do that, without alerting the whole script-kiddie community, we haven't completely figured out yet.

Security is high on the list. The 2.0.7 release has an advanced security fix that closes a vulnerability that is there in almost any PHP script. But we can't guarantee anything, as the hackers get more and more intelligent and innovative as well. They keep us sharp (which is their Higher Goal, or that's what they will tell you), but I'd much rather they'd join our dev teams and help us make the best system in the world even better, of course.

Herko
