XOOPS Defaced [Xoops 2.0 Bug Report] - XOOPS Web Application System

XOOPS

Forum

Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk

1

XOOPS Defaced

2004/8/23 14:47
smdcom
Posts: 901
Since: 2004/4/27

Hi all, my sitehttp://www.xoopsmalaysia.org" has been deface please refer tohttp://www.zone-h.org/en/defacements/filter/filter_defacer=7crews/

i'm using XOOPS 2.0.7.1, but still they can defaced..

DEFACEMENT DETAILS
Date/time: 2004/08/23 13:25
Defacer: 7Crews
Domain:http://portal.xoopsmalaysia.org
Mirror: Display mirror
IP address: 203.81.38.130
System: Linux
Web server:
Attack method:
Extra information: mass defacement

please help...

how to prevent this problem?

2

Re: XOOPS Defaced

2004/8/23 15:57
tom
Friend of XOOPS
Posts: 1359
Since: 2002/9/21

Xoops was not defaced, that was your server, try contacting your hosts for advice, and notify them of a security hole some where, they should look into it.

3

Re: XOOPS Defaced

2004/8/23 16:14
smdcom
Posts: 901
Since: 2004/4/27

oh i see.. but other client site doesn't effect on the server... ? just this site only..

i already contact my hosting provider and notify them about this.. but they said nothing wrong with the site..

4

Re: XOOPS Defaced

2004/8/23 17:16
DonXoop
Posts: 1171
Since: 2003/11/27

Hard to say, do you know all the other sites on the server? Most common site crack is via the server (root) and not the html code on the site. But then again there are lots of ways to crack a poorly secured PHP site.

Have you looked at the server logs to find out what happened if they indeed came in through XOOPS itself or directly to your site (vs a rooted server)?

Xoops itself is pretty secure at the core if care is taken. 3rd party modules can pose a problem if they are sloppy or unprotected. I'm never comfortable with too many extras like stats and flashy topic unrelated content unless I make sure they can't be a conduit for crackers.

You need to find out what happened and fix it, they will be back. I get almost daily attempts at some kind of crack and they run the whole range of years old script kiddie nonsense to general server OS exploits to XOOPS specific attacks.

Logs, logs, logs. gots to look at the logs... if you can even trust the logs now. You can't trust the other files until you find out and fix.

5

Re: XOOPS Defaced

2004/8/23 18:07
DonXoop
Posts: 1171
Since: 2003/11/27

I just realized that it is listed as a "Mass Defacement". Look at the list of defacements for just this one IP. Even at least one Re-defacement. They will be back even with a secure xoops.

6

Re: XOOPS Defaced

2004/8/23 19:08
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

In general, what you can risk if your XOOPS is not safe (either through a non-discovered exploit or an unsafe 3rd party module) is a messed up database - either bogus data or data changed such as preferences, corrupted tables or changed passwords - or data deleted.

There is no way XOOPS can put e.g. a defacement index.html in ANY folder apart from cache, uploads and templates_c as these are the only folders, which are (or rather, which SHOULD be) writable by the server. And even then, it shouldn't be easy.

7

Re: XOOPS Defaced

2004/8/23 19:33
intel352
Module Developer
Posts: 824
Since: 2003/11/23

change your ftp password maybe.

8

Re: XOOPS Defaced

2004/8/24 2:54
smdcom
Posts: 901
Since: 2004/4/27

*************************************************

id;uname -a;uptime uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Linux data1-sgstx.online-servers.biz 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux 16:30:45 up 3 days, 23:04, 5 users, load average: 1.53, 1.10, 1.26 Defaced by CyberWatch from 7Crewz Greetz to : Gorgom, HampasKelapa, Bad, M00n, kkbest, mAdam, backlab and All 7Crewz.

**************************************************

actually, i got this mesej... isn't server defacement or homepage defacement??

9

Re: XOOPS Defaced

2004/8/24 4:03
smdcom
Posts: 901
Since: 2004/4/27

and i'm using Symantec Alert Box Module & istats Module... are there doesn't safe??

Login

Username

Password

Remember me

Register now! | Lost Password?

Search

Advanced Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/16 2:02 Mamba
Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/14 20:34 hnn_gerd
Re: NewBB v 5.1.0 b 6

3/7 12:07 Mamba
Re: NewBB v 5.1.0 b 6

2/23 2:57 Mamba
NewBB v 5.1.0 b 6

2/17 18:57 spierrard
Re: XOOPS 2.5.11 search user is not working

2/14 13:11 Mamba
Re: oledrion

2/14 11:29 Mamba
Re: oledrion

2/13 15:22 oswaldo
Re: oledrion

2/12 19:20 Mamba
Re: oledrion

2/12 16:02 oswaldo

Who's Online

84 user(s) are online (58 user(s) are browsing Support Forums)

Members: 0

Guests: 84

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}