This is just a notice to all users that besides actually reading the README files included with most apps and modules you need to protect any install and upgrade directories and files.

Usually you want to remove/delete any install or upgrade files after finishing your admin tasks. There is no garanty that those scripts won't cause major grief if run again by the crackers.

At least once per day I get attempts on my sites trying to run install and upgrade scripts (besides the usual crack attempts). Sometimes they point at modules I actually have and sometimes at modules I don't. Clearly the cracker vandals are XOOPS savy and trolling this site for victims. Sometimes they come in via links from xoops.org, directly, and from a google search for specific or generic XOOPS sites (they look for XOOPS sites, not your content).

So head's up, mind your admin tasks and cleanup after any installs and maintenance. It is also wise to setup robots.txt to prevent search engine indexing of modules that have no value being in the search indexes, but that is another topic.

Hrmm, no comments?

I had a few more attempts lately with at least one that I would have expected to be caught by the Protector (external script injection). The attempt just caused an error since that module was already safe.

Bottom line is that your site and all the modules need to be as safe as possible before relying on a script like Protector to save you.

edit-> There seems to be a database problem on the xoops.org site? Today it seems that a post takes much longer to complete. While watching the site on multiple screens I can see that the insert actually happened right away even though the final redirect screen took more than a minute to appear. This might explain all the double posts..

actually we are currently looking into a problem with sendmail on the server. Since each post triggers mail events, I think this to be the likely cause of the delay.

For a more on-topic post. I concur that leaving upgrade / install scripts as world-readable is a *Bad Idea*. If possible, I prefer to remove those scripts from the webserver altogether, but your recommended actions work well too.

can you be more specific. from the users point of view, what should we do? or it is something to be considered by developers?

After running any install or upgrade script for any module, and it is no longer needed, delete it from the web server.